System Security

System security is a way of thinking coupled with action. We put locks on our doors to prevent entry by uninvited people. For those locks to be effective, we must use them. Having an unlocked door is equivalent to having no locks.

Three prevalent mindsets exist in the security world. The first is security through obscurity. This mindset says "I'm too small, I won't advertise my presence, they will never find me." This thought process had some validity when there were very few machines on the Internet.

Today, with script kiddies abounding, security through obscurity never works. You must actively lock down your system, and keep it up-to-date with the latest packages that have been updated for security reasons.

GEEK SPEAK: Script kiddies is the name given to people who run automated tools that probe all possible addresses on the Internet. They usually download these tools and have no idea how they work. If the automated toolkit identifies an exploit, simple additional security measures usually stop the attack.

These tools identify systems that have not been updated properly, and automatically install root kits. These root kits allow crackers to take over your machine as root and do whatever they want. If this happens to you, you have been rooted.

Another mindset is permissive security. It says "I will only deny people who have proven to be a problem." This is as bad as the obscurity mindset. Don't think this way. The "Deny all, allow some" mindset provides the best general security: you let into your equipment only the people who, in your opinion, are worthy of trust.

The tcp_wrappers package installed with Red Hat provides the locks needed to implement deny all, allow some. Enabling tcp_wrappers is not the whole job, however; a few more steps are needed to finish locking down a system.

Initial Security Steps

The basic security for a Red Hat Linux server (or any server that uses the tcp_wrappers package) is very simple. This package installs a daemon called inetd, which listens on the standard Internet service ports for requests. When a request comes in, inetd checks whether it is allowed to start a server for that request.

To decide whether a server, such as telnet or ftp, may be started for a request, inetd first looks in its /etc/inetd.conf file. If the service is not listed there, it is not started. If it is listed, the /etc/hosts.allow file is checked next. If that file explicitly allows the service for the requesting client, the service is started. If no hosts.allow entry matches, /etc/hosts.deny is checked, and only if that file explicitly denies the service for that client is the service refused.

The easiest way to use this chain of logic is to enable in /etc/inetd.conf only the services you actually need. You should not enable finger or rlogin.

Finger will give away usernames that are allowed to log in to your system or use system services. This is the first step in trying to crack a system.

Login, shell, and exec will give crackers remote access to your computer if your security fails. Very few administrators use these services today, and they can almost always be removed or tightly restricted.

The services I recommend you remove are as follows:

shell, login, exec, finger, cfinger, systat, netstat

To remove a service, put a # in front of the service name. Your /etc/inetd.conf file should now look something like this:

#
# inetd.conf   This file describes the services that will be available
#              through the INETD TCP/IP super server.  To re-configure
#              the running INETD process, edit this file, then send the
#              INETD process a SIGHUP signal.
#
# Version: @(#)/etc/inetd.conf        3.10 05/27/93
#
# Authors: Original taken from BSD UNIX 4.3/TAHOE.
#              Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock@shell.portal.com>
#
# Modified for RHS Linux by Marc Ewing <marc@redhat.com>
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo          stream  tcp     nowait  root  internal
#echo          dgram   udp     wait    root  internal
#discard       stream  tcp     nowait  root  internal
#discard       dgram   udp     wait    root  internal
#daytime       stream  tcp     nowait  root  internal
#daytime       dgram   udp     wait    root  internal
#chargen       stream  tcp     nowait  root  internal
#chargen       dgram   udp     wait    root  internal
#time          stream  tcp     nowait  root  internal
#time          dgram   udp     wait    root  internal
#
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd      in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd      in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd      in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd      in.comsat
talk    dgram   udp     wait    nobody.tty /usr/sbin/tcpd   in.talkd
ntalk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd   in.ntalkd
#dtalk  stream  tcp     wait    nobody.tty /usr/sbin/tcpd   in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd    ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd    ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd    imapd
#
# The Internet UUCP service.
#
#uucp   stream tcp     nowait  uucp    /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd      in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd      bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger   stream  tcp     nowait  nobody  /usr/sbin/tcpd in.fingerd
#cfinger  stream  tcp     nowait  root    /usr/sbin/tcpd in.cfingerd
#systat   stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/ps       -auwwx
#netstat  stream  tcp     nowait  guest   /usr/sbin/tcpd /bin/netstat   -f inet
#
# Authentication
#
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -e -o
#
# End of inetd.conf
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
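Checking a file of this size by eye is error-prone, so the following POSIX shell script, added here as an example (it is not from the book), audits an inetd.conf for the services recommended for removal and produces a copy with them commented out. It relies only on the file's own convention: a line beginning with # is disabled, and the first field of any other non-blank line is the service name. The configuration embedded in it is a constructed, trimmed-down sample with login and finger deliberately left enabled; it is not the author's file.

```shell
#!/bin/sh
# Added example (not from the book): audit an inetd.conf for the services the
# chapter recommends disabling, and produce a copy with them commented out.
# In inetd.conf a line starting with '#' is disabled; any other non-blank line
# is an active service whose first field is the service name.

# Constructed, trimmed-down configuration for the demo: login and finger
# have been left enabled on purpose.
SAMPLE_CONF='# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat  stream tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -e -o'

# The services the chapter says to remove.
RISKY_SERVICES='shell login exec finger cfinger systat netstat'

# is_risky NAME -> exit 0 if NAME is in RISKY_SERVICES
is_risky() {
  for r in $RISKY_SERVICES; do
    if [ "$1" = "$r" ]; then return 0; fi
  done
  return 1
}

# inetd_active_services CONF -> one enabled service name per line, in file order
inetd_active_services() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    set -- $line            # word-split the entry; $1 is now the service name
    printf '%s\n' "$1"
  done
}

# inetd_risky_active CONF -> the risky services that are still enabled
inetd_risky_active() {
  inetd_active_services "$1" | while IFS= read -r svc; do
    if is_risky "$svc"; then printf '%s\n' "$svc"; fi
  done
}

# inetd_disable_risky CONF -> CONF with every risky service line commented out
inetd_disable_risky() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      ''|\#*) printf '%s\n' "$line"; continue ;;
    esac
    set -- $line
    if is_risky "$1"; then
      printf '#%s\n' "$line"
    else
      printf '%s\n' "$line"
    fi
  done
}

# Demo run against the constructed sample.
echo "Risky services still enabled:"
inetd_risky_active "$SAMPLE_CONF"
echo
echo "Hardened inetd.conf:"
inetd_disable_risky "$SAMPLE_CONF"
```

To audit a real system, replace SAMPLE_CONF with the file contents, for example SAMPLE_CONF=$(cat /etc/inetd.conf), and remember that inetd only picks up changes after it receives a SIGHUP, as the comments at the top of the file say.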

The next step is to default deny services to the world. This makes it very easy to control access to your computer because you only open it to machines you explicitly agree to. In the /etc/hosts.deny file, enter the following:

ALL: ALL

Be sure to press the Enter key after the end of the line. Some versions of inetd will not process the line unless it has an Enter at the end of it.

Finally, you allow machines that are acceptable to you. In /etc/hosts.allow, you can do global allows or allows by service. I like to do allows by service because it permits very tight control. The way to globally allow services for your new local network is to insert the following line:

ALL: 172.16.13.

Again, be sure to press Enter after the end of the line. This setting enables any computer on the local network previously set up to access any service your machine offers.

The best way to configure this file is to use the service name followed by the IP addresses of the machines that are allowed to access that service. If you trust your local network, you can also include network addresses. To give the machines on your local network imap, telnet, pop3, and ftp access, change your hosts.allow file to look like this:

#
# hosts.allow  This file describes the names of the hosts which are
#              allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
imapd: localhost, lin.mydomain.com
in.telnetd: 172.16.13.
ipop3d: lin, win
in.ftpd:  172.16.13.

Note a few things in passing about this file. First, the telnet and ftp services are provided without restriction to all machines on the 172.16.13 network.

Only two machines on the network, lin and win, are allowed to access the ipop3d daemon; no other machine can reach it. The imapd daemon can only be accessed from localhost and from the Linux machine lin.mydomain.com.

Because the hosts.deny file has ALL: ALL in it, no other machines will have access to any service on your Linux server. It is important that you set your system up to have the previously mentioned entries in hosts.allow and hosts.deny.
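The allow-then-deny order described under Initial Security Steps, and the hosts.allow and hosts.deny entries just given, can be checked before they are installed with the following POSIX shell script. It is an added example, not from the book, and it emulates only the parts of tcp_wrappers this chapter uses: a matching hosts.allow line grants access, otherwise a matching hosts.deny line refuses it, otherwise access is granted; the client patterns handled are ALL, an exact host name or address, a trailing-dot network prefix such as 172.16.13., and a leading-dot domain suffix such as .mydomain.com. EXCEPT lists, shell commands and the other forms tcpd accepts are not implemented. The rule text embedded below is a constructed copy of the entries above.

```shell
#!/bin/sh
# Added example (not from the book): emulate the tcp_wrappers decision order
#   1. a matching hosts.allow entry grants access
#   2. otherwise a matching hosts.deny entry refuses it
#   3. otherwise access is granted
# Only the pattern forms used in the chapter are handled: ALL, an exact host
# or address, a trailing-dot network prefix ("172.16.13.") and a leading-dot
# domain suffix (".mydomain.com").

# Constructed copies of the recommended rule files.
HOSTS_ALLOW='#
# hosts.allow  (constructed for the demo)
#
imapd: localhost, lin.mydomain.com
in.telnetd: 172.16.13.
ipop3d: lin, win
in.ftpd:  172.16.13.'

HOSTS_DENY='ALL: ALL'

# tw_match_token PATTERN SUBJECT -> exit 0 if the tcp_wrappers PATTERN matches SUBJECT
tw_match_token() {
  pat=$1; subj=$2
  case "$pat" in
    ALL) return 0 ;;
    *.)  case "$subj" in "$pat"*) return 0 ;; esac ;;   # network prefix
    .*)  case "$subj" in *"$pat") return 0 ;; esac ;;   # domain suffix
    *)   [ "$pat" = "$subj" ] && return 0 ;;
  esac
  return 1
}

# tw_rules_match RULES DAEMON CLIENT -> exit 0 if any "daemons: clients" line matches
tw_rules_match() {
  rules=$1; dmn=$2; cli=$3
  printf '%s\n' "$rules" | while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
    clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
    dhit=1
    for d in $dlist; do
      if tw_match_token "$d" "$dmn"; then dhit=0; fi
    done
    if [ $dhit -eq 1 ]; then continue; fi
    for c in $clist; do
      if tw_match_token "$c" "$cli"; then echo hit; fi
    done
  done | grep -q hit
}

# tw_decision ALLOW_RULES DENY_RULES DAEMON CLIENT -> prints "allow" or "deny"
tw_decision() {
  if tw_rules_match "$1" "$3" "$4"; then
    echo allow
  elif tw_rules_match "$2" "$3" "$4"; then
    echo deny
  else
    echo allow    # nothing matched: tcpd grants access by default
  fi
}

# Demo: the chapter's rule set, then the same hosts.allow with hosts.deny left empty.
for who in "in.telnetd 172.16.13.5" "ipop3d 172.16.13.5" "ipop3d lin" \
           "imapd lin.mydomain.com" "in.telnetd 10.0.0.5"; do
  set -- $who
  printf '%-12s from %-18s -> %s\n' "$1" "$2" \
    "$(tw_decision "$HOSTS_ALLOW" "$HOSTS_DENY" "$1" "$2")"
done
printf 'with an empty hosts.deny, in.telnetd from 10.0.0.5 -> %s\n' \
  "$(tw_decision "$HOSTS_ALLOW" "" in.telnetd 10.0.0.5)"
```

The last line of the demo is the point of the ALL: ALL entry: with hosts.deny empty, a host that matches nothing in hosts.allow is still let in, because tcp_wrappers grants access when neither file matches.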

One final note about system security. If you have Red Hat version 6.0 or greater, it enables shadow passwords by default. You know you have shadow passwords enabled if you have an /etc/shadow file. If you do not have an /etc/shadow file, you must run the command pwconv to enable shadow passwords. This is another security precaution you should take, especially if your machine is going to be on the Internet.

The shadow password system came about because the design of the login process requires the /etc/passwd file to be world readable. Some crackers were able to retrieve a copy of the passwd file and run a password-cracking program against it. They could usually crack a few passwords, which allowed them to impersonate users or possibly gain root access to a machine.

The shadow password system stores all passwords in the shadow file. This file is readable only by the root user, and the login process during authentication. This generally prevents crackers from reading this file unless they already have root access.

Application Upgrades

No security is foolproof because fools are too ingenious. You must keep on your toes. New exploits are discovered on a regular basis. New packages are released as these exploits are fixed. You must keep up-to-date.

The Internet hosts several mailing lists regarding security. Red Hat hosts the Linux security mailing list. To join this mailing list, send an email to linux-security-request@redhat.com, with the subject line containing the word Subscribe. Another good mailing list for security updates is the Red Hat watch list. Send an email to redhat-watch-list-request@redhat.com, with the word Subscribe in the subject. You will receive confirmation replies with further instructions.

When you are informed that a package has been updated, get it. For updates to Red Hat software, use an ftp client to log in to ftp.redhat.com. This site is usually very busy, and you might need several attempts before you are let in.

After you are connected, you will generally go to the /pub/redhat/updates directory. There you will find directories that correspond to the version you are using. For Red Hat 6.1, the directory name will be 6.1. Because that is the version I run, I change to the 6.1 directory and then choose the i386 directory. You might be running version 6.0. If so, choose that directory and then the i386 directory.

Now download the files that you need to update your system. When finished, run the rpm command with the -U option to upgrade those packages.

EXCURSION: System Security and Commercial Applications

If you plan to install a commercial server or intend to use the IMP package in a commercial application, you must get qualified help. Although the security information presented here will be very useful, it is not complete. An expert in security must evaluate your system. You must have constant monitoring of your server to provide a reasonable level of defense against attack.

Even if you do have good security, you are not immune to attack. Microsoft, CNN, and the U.S. government have all had their Web sites attacked in the last few months. If you have not carefully considered the security implications of your whole site, you are taking great risks.


MySQL and PHP From Scratch
ISBN: 0789724405
Year: 1999
Pages: 93
Authors: Wade Maxfield