[techtalk] Tightening Security

Raven Alder damask0 at yahoo.com
Tue Feb 20 00:23:23 EST 2001


Heya --

> Recently i've gotten a few complaints about probes/scans from one of
> my computers (a Cobalt Linux server.)  I've looked at my logs and i 
> can see no one was logged into it at the time that the scans were 
> reported.  Does that mean someone is spoofing me?

     Possibly . . . but there are a lot of other potential
explanations, too.  Are you using the box as a proxy server (running
Squid or one of the other similar packages), or as a firewall with IP
masquerading?  If so, any queries/packets from your internal network
heading out are going to appear to the rest of the internet as if they
came from that server.

> I'd like to make sure all the ports i'm not using are closed, and
> generally tighten security ... how do it do it?

     Several points, depending on how much time you have to devote to
this and how much you trust your users.

1) Make sure that you're not running any services that you don't need. 
Check your rc scripts and make sure you're only starting the services
you intend to offer.  Take a look at your inetd configuration in
particular (rc.inet2).

2) Make sure that there aren't any ports listening that you don't need.
 Go through /etc/services and comment out all the lines that are
unnecessary.  (Careful what you lose, though.  For example, some MTA
need identd.) Use
$ netstat -l
to check what ports are listening.
As root, you can use
$ netstat -lp
to see the ports and what program is responsible for each.

3) Make sure that your file permissions are sensible.  Things owned by
root should be locked down as much as possible.  Users should be
separated into groups that reflect the files that they'll need access
to.  Check your users' umasks, root's umask, and the default user umask
for sensibleness.  There are automated tools that will scan your server
for permission stupidities and other security issues.  They're the same
tools the hackers use to find vulnerable systems.  Check out SATAN and
its newer incarnation SAINT.  Again, make sure you don't shut off too
much.  For example, if you set a Web page to 600, almost nobody will be
able to access it.

4) Install your software to run as a non-root user whenever you can. 
Apache does this by default, running as "nobody".  You can make bind do
it.  That way, if one service is compromised, it doesn't automatically
give your intruder root.

5) Check out Bugtraq or the CERT advisories to make sure that the
versions of software that you're running don't have huge holes (widely
known exploits) in them.  Sendmail and bind are notorious for this, and
need to be patched or upgraded fairly often.  Apply patches as
necessary.  If you're really concerned and have a lot of time on your
hands, switch over to qmail and djbdns (a mail transfer agent and DNS
server, respectively, designed with security in mind --
http://cr.yo.to).  The good side of these programs is that they're far,
far less hackable.  The bad side is that (IMHO) the documentation isn't
all it should be and so they can be harder to properly configure and
install.  Help for these is harder to find. That said, qmail doesn't
need nearly as much documentation as Sendmail does.

     That ought to keep you busy.  [grin]

> Also, i've heard that there's no point in installing a firewall on a 
> Linux server -- is that true?

     It totally depends on where you place the firewall.  The reason
that you often hear this is that a machine only has so much processing
time.  If your firewall is getting hammered with traffic, it's going to
affect the performance of your server adversely.  Personally, I'd
recommend getting a cheapo machine and installing ipchains on it, and
then placing that firewall between you and the Internet.

Cheers,
Raven

=====
"And baby, when we're load-balancing coast to coast,
 I'll route your packets, if you'll switch my host."
 -- the Technology Torch Song, by the deeply disturbed Crayola

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 
a year!  http://personal.mail.yahoo.com/




More information about the Techtalk mailing list