Securing Linux

Previous page
Table of content
Next page

This discussion of securing Linux assumes Red Hat 7.3, which is the latest version officially supported by Check Point. It should be similar for other versions of Red Hat.

Make sure you have the latest security fixes applied. The latest ones for Red Hat are available at http://www.redhat.com/apps/support/errata/.

Partitioning Your Hard Drive

A recommended partitioning scheme includes the following:

  • /boot : 256MB (should be first partition)

  • / (root filesystem): everything else

  • /var : 400MB (for logging)

  • swap : larger of 256MB or twice the physical RAM

  • /var/opt : 15GB or a separate drive (FireWall-1 logs and configuration files)

Choosing the Packages to Install

Using the graphics-based or text-based installer, choose which grouping of packages to install. Choose Custom, then choose the package groups Network and Router/Firewall. Also select Choose Packages to Install.

In the graphical installer, there is a flat view that shows all the packages to load outside of their normal grouping. Ensure only the following packages are selected (you will have to disable a few): 

 bind-utils ftp gmp gnupg libcap libpcap lsof lynx m4 make minicom mtr ncftp nmap ntp perl rdate rmt sash statserial strace stunnel sudo sysinit tcp_wrappers tcpdump telnet traceroute tripwire unzip vlock wget whois xinetd zip zebra (if you need dynamic routing)

Eliminating Services

If you follow my package recommendations above, there should be almost no unnecessary services. However, sendmail gets installed by default and there is no way to prevent it from installing by default. The command rpm “e sendmail should remove the package.

Logging and Tweaking

Tweaking involves some file administration. You should first secure your /etc/passwd file (this is the database file that holds your user accounts and passwords). Ensure that your system is using /etc/shadow , which securely stores all passwords as hashes in a file that only root can access. This protects your passwords from being easily accessed and cracked (one of the first exploits for which a hacker searches). The use of shadow passwords is the default as of Red Hat 6.0; however, it never hurts to be sure. All you have to do is type pwconv as root. This automatically converts your passwords to the /etc/shadow file.

Next, remove most of the default system accounts in /etc/passwd . Linux provides these accounts for various system activities that you may not need. If you do not need the accounts, remove them. The more accounts you have, the easier it is to access your system. An example is the "news" account. If you are not running NNTP, a newsgroup server, you do not need the account (be sure to update /etc/cron.hourly because this looks for the user "news"). Also, make sure you remove the "FTP" account because this is the account used for anonymous FTP.

Create the file /etc/issue . This file is an ASCII text banner that appears for all Telnet logins.

It is recommended that you use TCP Wrappers. TCP Wrappers, although it does not encrypt, does log and control who can access your system. It is a binary that wraps itself around inetd services, such as Telnet or FTP. With TCP Wrappers, the system launches the wrapper for inetd connections, logs all attempts, and then verifies the attempt against an access control list. If the connection is permitted, TCP Wrappers hands the connection to the proper binary, such as Telnet. If the connection is rejected by the access control list, the connection is dropped.

Fortunately for Linux users, TCP Wrappers is already installed; you only need to edit the /etc/ hosts .allow and /etc/hosts.deny files. The syntax is relatively simple. Put the IP addresses or networks in the file /etc/hosts.allow that you want to permit connections from. Put IP addresses or networks in the file /etc/hosts.deny that you do not want to permit access from. By default, Linux allows connections from everyone, so you need to modify these files.

The following sample /etc/hosts.allow file allows a few services from specific hosts. 

 # Allow a few things sshd:ALL ALL:10.0.0.0/255.255.255.0 ALL:10.0.1.0/255.255.255.0 ALL:10.0.10.0/255.255.255.0 ALL:10.0.43.0/255.255.255.0 ALL:10.0.69.0/255.255.255.0 ALL:192.168.43.40/255.255.255.248 ALL:127.0.0.1/255.0.0.0

This /etc/hosts.deny file denies everything not allowed by /etc/hosts.allow . 

 ALL:ALL:DENY

Previous page
Table of content
Next page
Essential Check Point FireWall-1 NG
Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide
ISBN: 0321180615
EAN: 2147483647
Year: 2004
Pages: 143
Authors: Dameon D. Welch-Abernathy
BUY ON AMAZON
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
After Effects and Photoshop: Animation and Production Effects for DV and Film, Second Edition
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
What is Lean Six Sigma
Comparing, Designing, and Deploying VPNs
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy