Linux Security for newbies

Box Examined: Linux RedHat 6.2
-----------------------------------------------
Welcome to another of my tutorials. This is a subject which has been
covered many times before, and although I haven't read many other Linux
security tutorials I am going to try and write this one with a twist, so
that you understand it and are not left puzzled. The system I have chosen
to write about is Red Hat, as that is what most newbies and kiddies are
using these days, just so they can say they run Linux. I am going to rush
through this tutorial and then flick back and add more detail, so if some
parts have bad English or don't seem to follow on from one another, that
is why.

Preparation
------------

The best place to begin securing your system is the installation. Start
with a fresh install and carry out all security checks and modifications
while offline. If you need to fetch updates, put the box on an isolated
network away from script kiddies, download the files on another machine
and transfer them across that network. An unsecured box put straight
online could be breached at any moment: it could be picked up by service
scanners and whatever else kiddies are using these days.

Installation
-------------
Alright, we are moving on to the installation. What sort of installation
shall we use: Workstation, Server or Custom? We go with Custom, so we can
be flexible about what we install and avoid lots of bloated rubbish like
"gabber", audio servers and other things we don't need. Obviously the
less software we have on the system, the fewer potential security risks
we have. If you change your mind and need any of the software you chose
not to install, you can always install it later by downloading the
up-to-date version from the vendor's website.

Custom - Partitioning.
----------------------
Now that we have selected Custom we need to partition the system. I
won't dwell on this subject as it is all fairly straightforward. We will
make a few partitions to make the system more secure.

To do this we create a separate /var partition rather than keeping /var
on the root partition, which the installer lets you do. This prevents a
system failure caused by log files filling the root partition. That is a
method of DoS: once the root partition is full the system cannot create
files or do anything else, and may crash.

I find that around 300mb to 450mb will suffice for the /var partition,
which is where all the email, system logging and other log-related data
goes. This depends on what the system is used for: whether there is going
to be extensive logging, and whether a lot of mail will be coming in.
Below is what the partition scheme will look like.

/ - Everything else.
/var - Around 350mb to 400mb or depending on how much mail you expect etc.
swap - I usually leave this at around 40mb; it should probably be
made slightly larger, depending on the amount of RAM you have.

Now follow through and reboot when prompted.
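As an added example (not part of the original tutorial), a small shell check that reports how full each filesystem is, so a flooding /var is caught before the full-partition DoS described above; the df output it is run over here is constructed.

```shell
# check_fs_usage THRESHOLD
# Reads "df -P" output on stdin and prints "MOUNTPOINT USED%" for every
# filesystem at or above THRESHOLD percent, so a flooded /var is noticed
# before a full partition turns into the DoS described above.
# On a live box:  df -P | check_fs_usage 85
check_fs_usage() {
    awk -v limit="$1" 'NR > 1 {
        # df -P guarantees one line per filesystem: column 5 is the use
        # percentage ("93%"), column 6 the mount point.
        pct = $5
        sub(/%/, "", pct)
        if (pct + 0 >= limit + 0) print $6, $5
    }'
}

# Constructed sample output (not from a real machine), roughly what the
# partition scheme in the text gives once /var has filled with mail and logs.
SAMPLE_DF='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1          3932160 1572864   2359296      40% /
/dev/sda2           409600  378880     30720      93% /var'

# Run the check over the sample when the script is executed directly.
printf '%s\n' "$SAMPLE_DF" | check_fs_usage 85
```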

System is installed.
--------------------

Now we need to patch the system for security vulnerabilities in the
software. Because this is Red Hat we will be using rpm packages. Remember
the box should still be on the isolated network and not directly connected
to the internet. I advise you to download the files and patches to the
main box that is connected to the net and then copy them over the network
connection to the system we are patching. An example of patching the
system with rpm is shown below.

$ rpm -Uvh <rpmfile>.rpm

If you have been bold (or overconfident) and put the box online, or you
are upgrading software on a system which is already connected to the net,
then you can use the following command instead.

$ rpm -Uvh ftp://<ftp path to the patch goes here>.rpm

Then again, if you are feeling slightly lazy (which should be a complete
"no no" with security, as that is where over 90% of security compromises
come from, whether it be lazy programmers or lazy administrators), you can
use a utility called "up2date". This is a much faster alternative: you
don't have to go poking around your system looking for every file which
needs updating, because it searches them all out, checks the mirror for
new updates and lets you update them all at once. Now reboot the system
and we will concentrate on shutting down services.

Shutting down services
-----------------------

How do we know which services are uncommented and thus running? A simple
way is to use grep to show only the lines of the file that are not
comments, as below.

$ grep -v "^#" /etc/inetd.conf

To edit the file, open it in your favourite text editor, such as vi, and
comment out the services which you do not want running by adding a # to
the beginning of their lines. I chose to shut down ftp, finger and telnet,
and opted to use ssh to log in to my box remotely. Now that we have
edited which services should be running we need to restart inetd, which
we do by sending it a HUP signal:

$ kill -HUP <pid of inetd>

Startup Scripts
----------------
Now we need to get rid of all the unneeded startup scripts on the
system, to make it more secure. Where you find these scripts depends on
whether you are automatically booting into a user interface. We only need
to keep the startup scripts which are absolutely needed for system
operation; otherwise off they go. Below I list quite a few default
startup scripts which are usually enabled on a fresh install.

Script List
-----------

S72amd - AutoMount daemon,
S75gated - used to run other routing protocols, such as OSPF
S80sendmail - the sendmail pop3 daemon.
S85httpd - Usually the apache web server.
S87ypbind - Use only if you're an NIS client.
S90xfs - Xfont server
S95innd - A basic news server.
S99linuxconf - Remote administration of the system via browser
S50snmpd - SNMP daemon.
S55named - DNS server.
S55routed - RIP, don't run this unless you REALLY need it
S60lpd - Printer services, not much need.
S60mars-nwe - Netware file and print server
S60nfs - Use for NFS server
S05apmd - You only need this for laptops
S10xntpd - Network time protocol
S11portmap - Required if you have any rpc services,
S15sound - Sound card related, no use on a server.
S15netfs - This is the nfs client.
S20rstatd - r services are a risk, they provide info about the system
S20rusersd - not much need.
S20rwhod - not much need
S20rwalld - again not much need.
S20bootparamd - Used for diskless clients.
S25squid - A small proxy server
S34yppasswdd - Required if you are a NIS server.
S35ypserv - Required if you are a NIS server.
S35dhcpd - Starts dhcp server daemon
S40atd - Used for the at service, similar to cron.
S45pcmcia - You only need this script for laptops.

So how do we turn these off ?
------------------------------

OK, so you have now decided which you really need and which you don't.
To turn the others off, we simply cd into the rc directory which holds
all these files and turn the large S into a small s; this prevents the
script from starting at boot time.

Alternatively, you can check before you do this to see which scripts
are actually set to run at boot time by typing the following command:

# ps aux | wc -l
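As an added example (not part of the original tutorial), the inetd.conf editing and the startup-script renaming described in the last two sections as shell functions, exercised on a constructed inetd.conf and a scratch rc3.d directory rather than the live system; reload_inetd assumes the pidof that ships with Red Hat's sysvinit.

```shell
# list_inetd_enabled CONF
# Service names on lines that are not commented out: the grep -v "^#"
# check from the text, reduced to the first field.
list_inetd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# disable_inetd_service CONF NAME
# Comment out every line whose service field is NAME; CONF.bak keeps the
# previous version so the edit can be undone.
disable_inetd_service() {
    cp "$1" "$1.bak"
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1.bak" > "$1"
}

# reload_inetd: the kill -HUP from the text, pid looked up for you (not run below).
reload_inetd() {
    kill -HUP "$(pidof inetd)"
}

# list_rc_enabled RCDIR
# Scripts a runlevel directory starts at boot are the ones whose name
# begins with a capital S (a ps count shows what runs now, not what is
# set to start on the next boot).
list_rc_enabled() {
    ls "$1" | grep '^S' || true
}

# disable_rc_script RCDIR SNAME
# The text's method: rename S60lpd to s60lpd so init skips it, while the
# link stays in place for re-enabling later.
disable_rc_script() {
    [ -e "$1/$2" ] || { echo "no such script: $1/$2" >&2; return 1; }
    mv "$1/$2" "$1/s${2#S}"
}

# Demonstration on a scratch copy (constructed sample, not the live system).
work=$(mktemp -d)
printf '%s\n' '# /etc/inetd.conf (constructed sample)' \
    'ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a' \
    'telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd' \
    'pop-3   stream tcp nowait root   /usr/sbin/tcpd ipop3d' \
    'finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd' > "$work/inetd.conf"
mkdir "$work/rc3.d" && touch "$work/rc3.d/S60lpd" "$work/rc3.d/S85httpd"
for s in ftp telnet finger; do disable_inetd_service "$work/inetd.conf" "$s"; done
disable_rc_script "$work/rc3.d" S60lpd
echo "inetd still serving: $(list_inetd_enabled "$work/inetd.conf" | tr '\n' ' ')"
echo "rc3.d still starting: $(list_rc_enabled "$work/rc3.d" | tr '\n' ' ')"
rm -rf "$work"
```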

Logging: should I or not?
-------------------------

Personally, I run low-spec systems for my servers, ranging from SPARC 2s
to SPARC 5s, so system performance and memory usage are very important to
me, and I tend to turn off every service which I see as a waste of system
resources.

Obviously if you are a company highly concerned about monitoring what
users do to the system, and about finding the culprit if any breach
happens, then I would highly recommend running logging daemons. But if
you are a home user, or a home user who has his own basic server in his
room, then there is not much need to run these. Let's admit it: logs take
up space, and how many of us actually spend time reading them every day?
It's just one less service and one less security risk.


User Accounts
--------------

First things first, we should cat the passwd file and see what accounts
are lurking within it. We do this by typing the following:

# cat /etc/passwd

The output should be similar to the one below:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntfx:x:500:500:ntfx:/home/ntfx:/bin/bash


Now, to remove all default and unneeded accounts we simply type:

# userdel -r <username>

This removes the username and the user's home directory. Once we have got
rid of all the unneeded usernames we can sort out who we want to be able
to su to root. To secure this, we put those users into the group "wheel";
after this we chmod the following items to secure the system even more.

# /bin/chgrp wheel /bin/su
# /bin/chmod 4750 /bin/su

Now su will only be permitted to those who are in group wheel. You should
do the same for all the files you wish to restrict to authorised users;
this prevents abuse of available programs.

Now we will lock down the rhosts files: .rhosts, .netrc and
/etc/hosts.equiv. The r commands use these files to access systems. To
lock them down, touch the files, then change their permissions to zero.
This way no one can create or alter the files. For example:

/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
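As an added example (not from the original tutorial), a few checks to run over the passwd listing before reaching for userdel, plus the rhosts lockdown above as a function that takes its paths as arguments; the passwd excerpt is constructed and the "toor" account in it is made up.

```shell
# audit_passwd FILE
# Prints every account that could still log in. An empty seventh field is
# flagged as well: the "news" line in the listing above has one, and login
# treats an empty shell as /bin/sh, so that account is not locked.
audit_passwd() {
    awk -F: '
        $7 == ""  { print $1 ": empty shell field, defaults to /bin/sh"; next }
        $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 ": shell " $7 }
    ' "$1"
}

# find_extra_uid0 FILE
# Any account other than root with UID 0 is a second root login, whatever
# it is called.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# lock_rhosts FILE...
# The touch-then-chmod-0 step from the text as a function: each file is
# created if missing and left with no permissions at all.
lock_rhosts() {
    for f in "$@"; do
        : >> "$f"
        chmod 0 "$f"
    done
}

# Demonstration on a constructed passwd excerpt in a scratch directory; the
# "toor" line is made up to show the UID 0 check firing.
work=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'bin:x:1:1:bin:/bin:/sbin/nologin' \
    'news:x:9:13:news:/var/spool/news:' \
    'rpm:x:37:37::/var/lib/rpm:/bin/bash' \
    'toor:x:0:0:constructed example:/root:/bin/sh' > "$work/passwd"
echo "accounts that can log in:"; audit_passwd "$work/passwd"
echo "extra UID 0 accounts:"; find_extra_uid0 "$work/passwd"
lock_rhosts "$work/.rhosts" "$work/.netrc" "$work/hosts.equiv"
ls -l "$work/.rhosts"
rm -rf "$work"
```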

Now let's get on with the services again
---------------------------------------

So you want to run the following....

HTTPD
FTPD
SSHD
TELNETD

Well, at the moment you're probably running a default apache and wu-ftpd,
an old opensshd and an old telnetd version.

Why put up with being shipped old, out-of-date and exploitable goods?
Shipping you with wu-ftpd, an old opensshd and other such items is like
they are saying they want you to be compromised, just so you go back and
get more of their goods. Yeah, I know it's free, but that's beside the
point; it's more hassle. So let's get rid of this stuff.

The bad stuff:

wu-ftpd - exploitable with every release within weeks. Slow and buggy.
Avoid it.

openssh - generally OK, but switch to the commercial one; it's still
free for private use.

TelnetD - sniffed and all the usual, not usually exploitable unless
you run FreeBSD. Keep this up to date though. I have never heard
of a lintel telnetd exploit.

The Alternatives:

PureFTPD - hasn't had any exploits released in its entire project
history. Obviously one to consider; it's what we use.

thttpd - Very secure and flexible httpd, hardly any exploits found
in it. More secure than apache anyway.

SSHD - More secure than openssh, yet rpm distros tend to get hit
by exploitable ssh daemons.

TelnetD - This is usually fine; keep it up to date, and avoid rpm
installs of telnetd if given the choice.

Why list telnetd under both? It has its advantages and disadvantages,
so you decide.

Extra Security?
---------------

You may want to choose from a variety of extras. I tend to implement
certain modules and tripwire, or whatever else you may want to include.
Below I give a list of certain modules you may want to include and
their purpose.

StJude LKM module - this can search for and prevent remote and local
root exploits. I haven't used this one, but by the description it
seems worthwhile to add that bit of extra security.

DTK - The Deception Toolkit, a set of perl scripts to harden
security on a system based on attacks.

WINDOG-DTK - This was something I found; although it wasn't the
official windog it was a replacement. I have continued on this
project to make more daemons and other deception stuff.

Conclusion:

I will update this text soon with more in-depth security measures.
These are just the basics for now, so you can feel slightly more secure
than you would if you were practically a sitting duck with an unsecured
install.


Credits

Author: NTFX 19/02/02
Contact: NTX@SpyModem.Com
Website: www.legion2000.tk -=- www.spymodem.com
Legion2000 Security Research 1996 - 2002
Greets: opt1k, IL, EazyMoney, SpyModem, fubar, kod