2.0 Chapter 2: Securing Linux


2.1 INSTALLATION GUIDELINES

2.1.1 Partitioning

Partitioning is probably the most widely discussed and debated topic when it comes to Linux configuration. There are many different opinions on how systems should be partitioned. Within Linux you can have many different partition types. The most popular of these types are:

  • /boot = Contains all files necessary for the boot process. This includes the kernel and any bootstrap files.

  • /home = Contains each individual user's home directory

  • /usr = Contains those files which are shared across a system by multiple users

  • /var = Contains those files which are variable and dynamic by nature. This includes log files, spool files, scheduler files, and temporary files

  • / = Contains those files necessary for system management when no other partitions are available.

  • /tmp = Contains temporary files.

  • swap = Contains the paging file for memory management

By default, Red Hat 7.3 partitions systems as follows:

Table 2-1: Red Hat 7.3 Partitioning Defaults

  • Workstation: swap = 2 X physical memory; /boot = 50 MB; / = depends on disk space

  • Server: swap = 2 X physical memory; /boot = 50 MB; / = 384 MB; /var = 256 MB; /usr = depends on disk space; /home = depends on disk space

  • Laptop: swap = 2 X physical memory; /boot = 50 MB; / = depends on disk space

  • Custom: swap = 2 X physical memory; /boot = 50 MB; / = depends on disk space

Partitioning mitigates one specific type of attack: denial of service. There are attacks designed to fill up a temp directory or a spool directory. If your system files are on the same partition as the directory under attack, your system could be rendered unusable. A good partitioning strategy is to partition off those directories that are most likely to be filled up by an attacker. Typically this includes /var and /home. If you have a server being used for a specific purpose such as web, ftp, or e-mail, you may want to consider creating separate partitions for the application-specific files as well.
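
An added example (not from the guide) of checking a layout against this advice: the script reads an fstab-format file and reports which fill-prone directories have no partition of their own and so share space with /. The function names, device names and sample fstab, modelled on the Workstation defaults in Table 2-1, are constructed for illustration.

```sh
#!/bin/sh
# Added example: find fill-prone directories that share a filesystem with /.

# Constructed sample: a Workstation-style layout (swap, /boot and / only).
sample_fstab() {
cat <<'EOF'
# device   mountpoint  type  options   dump pass
/dev/hda7  /           ext3  defaults  1 1
/dev/hda1  /boot       ext3  defaults  1 2
/dev/hda6  swap        swap  defaults  0 0
EOF
}

# fs_for DIR FSTAB: print the longest mount point in FSTAB that contains DIR.
fs_for() {
    awk -v dir="$1" '
        /^[ \t]*#/ || NF < 2 { next }   # comments and blank lines
        $2 !~ /^\//          { next }   # swap has no mount point
        {
            mp = $2
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }
    ' "$2"
}

# shared_with_root FSTAB DIR...: print each DIR that lives on the / filesystem.
shared_with_root() {
    fstab=$1; shift
    for d in "$@"; do
        [ "$(fs_for "$d" "$fstab")" = "/" ] && echo "$d"
    done
    return 0
}

# Demo on the constructed sample: all three directories are reported.
tmp=$(mktemp)
sample_fstab > "$tmp"
shared_with_root "$tmp" /var /home /tmp
rm -f "$tmp"
```

On an installed system, pass /etc/fstab as the first argument and add any application-specific directories (web root, mail spool, ftp upload area) to the list.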

2.1.2 GRUB/LILO

GRUB is the boot-loader of choice in Red Hat 7.3. One of the many advantages that GRUB has is that it simplifies the dual-boot process between Windows and Linux. Refer to Appendix C for more information on securing GRUB in a dual boot environment. As with LILO, there are many different kernel level commands that can be passed to GRUB and you want to make sure that only authorized users are able to perform those commands. This is accomplished by password protecting GRUB. During installation you will be presented with the opportunity to password protect GRUB. When you create a password for GRUB, make sure you do not use the same password that you use for the root account.

Note  

GRUB stores the password in clear text by default. Once Red Hat is installed, you can modify the /etc/grub.conf file to store the password in MD5 format by performing the following steps.

Convert the GRUB password to MD5 Format.

    $ /sbin/grub-md5-crypt
    Password: (At this prompt enter the GRUB Password you created at installation and press enter)
    $m0tLR/$HbgQzWuPw3pdgGeRFSPH8 (This is the MD5 hash of the password)

Edit the /etc/grub.conf file and replace the clear text password with the MD5 hash. (It is important to use the --md5 option so that GRUB knows that the password is entered in MD5 format. If you do not use the --md5 option, the password will actually be the MD5 hash string itself.)

    $ su
    # vi /etc/grub.conf

    /etc/grub.conf

    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE: You have a /boot partition. This means that
    #   all kernel and initrd paths are relative to /boot/, eg.
    #   root (hd0,0)
    #   kernel /vmlinuz-version ro root=/dev/hda7
    #   initrd /initrd-version.img
    #boot=/dev/hda
    default=0
    timeout=10
    splashimage=(hd0,1)/grub/splash.xpm.gz
    password --md5 $m0tLR/$HbgQzWuPw3pdgGeRFSPH8
    title Red Hat Linux (2.4.18-3)
            root (hd0,0)
            kernel /vmlinuz-2.4.18-3 ro root=/dev/hda7
            initrd /initrd-2.4.18-3.img
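
An added example (not from the guide) for verifying the result of the steps above: it classifies the password directive in the global section of a grub.conf-style file as md5, cleartext or none. The function names and the sample configs, including the placeholder hash and the sample password, are constructed, and the directive is assumed to be whitespace-separated as in the listing above.

```sh
#!/bin/sh
# Added example: audit how the GRUB password is stored in grub.conf.

# grub_password_mode FILE: print "md5", "cleartext" or "none".
# Only the global section (before the first "title") is examined, since
# that is where the password line sits in the listing above.
grub_password_mode() {
    awk '
        /^[ \t]*#/    { next }   # skip comments
        $1 == "title" { exit }   # global section ends at the first entry
        $1 == "password" {
            mode = ($2 == "--md5") ? "md5" : "cleartext"
            exit
        }
        END { print (mode == "" ? "none" : mode) }
    ' "$1"
}

# write_sample KIND FILE: write a constructed grub.conf fragment to FILE.
write_sample() {
    {
        echo "# grub.conf generated by anaconda"
        echo "default=0"
        echo "timeout=10"
        case $1 in
            cleartext) echo "password ExamplePlaintext" ;;
            md5)       echo "password --md5 <MD5-HASH-PLACEHOLDER>" ;;
        esac
        echo "title Red Hat Linux (2.4.18-3)"
        echo "        root (hd0,0)"
    } > "$2"
}

# Demo: the weak setting, the corrected one, and a config with no password.
demo=$(mktemp)
for kind in cleartext md5 unprotected; do
    write_sample "$kind" "$demo"
    echo "$kind config -> $(grub_password_mode "$demo")"
done
rm -f "$demo"
```

Run `grub_password_mode /etc/grub.conf` as root after editing the file; anything other than md5 means the steps above still need to be applied.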

2.1.3 Firewall Configuration

At this point in the installation you are asked what you want your firewall configuration to be. There are three different options for a firewall configuration out of the box.

  • No Firewall - This option allows complete access to your system and performs no security checking whatsoever. Only use this option if you are not connected to a network and plan to configure your own firewall setting before you connect to a network.

  • Medium - This setting restricts access to certain services on the system. Those services are:

    • Services that utilize ports lower than 1023

    • The NFS Server Port (2049)

    • The local X Windows system display for remote X clients

    • The X-font server port

  • High - This setting is the most restrictive and denies all access except DNS, DHCP and anything else explicitly allowed by you.

All of these settings can and should be customized further to fit your individual environment. If you are configuring your system while it is plugged into the network, you should use the High setting and customize it as necessary. You can refer to Section 2.2.6 in this guide for additional firewall configuration instructions.

2.1.4 Account/Authentication Configuration

During installation, you must create a root password and have the opportunity to add additional user accounts. Select a secure root password, and add any additional management accounts you will need at this time. Also make sure that MD5 encryption of passwords stays enabled and that a shadow file is maintained, so that passwords are kept in a separate file from the user names.

2.1.5 Package Installation

Package installation is another confusing topic when it comes to the installation of Linux. Most commercial Linux flavors, such as Red Hat, come with a large number of applications to choose from. Many of these applications perform the same functions but use different formats. When considering the security of a system, the most important thing to remember is that less is more. When selecting which packages to install, regardless of whether the system is a workstation or a server, avoid accepting the default. Take some time to go through all of the packages that are offered. Find out what those packages do, and select only the packages you need, providing only the functionality you need. Do not install packages just because they are available. If you do not need a given package, do not install it.




Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
EAN: 2147483647
Year: 2002
Pages: 39
