Re: Locking Down a Linux Box

From: Ajai Khattri (ajai@bitblit.net)
Date: 12/21/01


To: <kevin.robitaille@ergogroup.com>

Kevin Robitaille <kevin.robitaille@ergogroup.com> wrote:

> Any one out there know good reference for securing a
> Linux 7.2 Server OS. I'm new to using Linux and need
> to lock down a system for use as an IDS Sensor. Any
> help would be appreciated.

Having done all this myself, some suggestions:

1. Remove all unnecessary services from the /etc/rc?.d/ directories. The
normal runlevel is 3 so look in /etc/rc3.d (symbolic link
to /etc/rc.d/rc3.d). In RH, you can use:

     /sbin/chkconfig --del name

to remove the services from the current runlevel without messing with
symbolic links. The "name" of the service can be found by looking (i.e. ls)
in /etc/init.d/ at the script names. I would remove everything that isn't
needed, even NFS, rpc, etc. Reboot to test if they are removed totally.

2. Disable all xinetd services in /etc/xinetd.d/*. These config files have a
line like:

         disable = no

Change the "no" to a "yes" to disable the service. I have switched
everything off this way. Here you will find a lot of insecure services like
rlogin, rsh, etc.

3. After rebooting/restarting services (and indeed, after everything you
switch off or disable), test your box using nmap to see what ports
are open. (Download and install nmap if you don't have it - it's damn
useful!) On my server, I have managed to get the number of open ports down
to just the minimal handful (< 10) that I need to get stuff done.

4. If you are running MySQL, make sure all logins are passworded and only
logins from valid machines are allowed. If you are using PHP locally, for
example, then only allow connections from localhost. Same goes for any
other database server software you may be using via PHP on the same box.

5. Encourage your users to use SSH and SCP instead of telnet and FTP. Or
IMAP over TLS instead of POP3. If you must run FTP make sure it's the most
recent version or try ProFTP instead. If you are using sendmail, consider
replacing it with qmail. Make sure you have the most recent version of
named if you are using it. You can limit zone transfers in named to only
the secondaries you specify.

6. If you have the inclination, set up a firewall using ipchains or iptables.

7. Set up tripwire (or similar) if you are really paranoid ;-)

8. Look at log files periodically - don't worry too much if you see a lot
of script kiddies that think you are running NT... ;-)


Switching off anything not needed also has the nice side effect of freeing
up a lot of RAM, oddly enough ;-) Also, switching to other server software
instead of the stock RH ones helps hide what type of servers you are
running. Qmail, for example, gives out very little information when you
connect to it. After all this, I still see a *lot* of unwanted activity via
HTTP (I'm using Apache), but I keep an eye on it. No box that is networked
can be 100% secure, but these steps go a long way towards helping you sleep
better ;-)
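The following is an added example, not part of Ajai's message: a small set of POSIX shell helpers that audit steps 1 and 2 above (start links in a runlevel directory and xinetd services that are not yet disabled) and flip a "disable = no" line to "disable = yes". It assumes the Red Hat 7.x layout the message describes (/etc/rc3.d with S<NN><name> links, one file per service under /etc/xinetd.d); the directory paths are passed as arguments so the helpers can be pointed at a constructed sample tree, which the demo at the bottom builds in a temporary directory instead of touching the real system.

```shell
#!/bin/sh
# Added example (not from the original message): audit helpers for the
# "remove rc links" and "disable xinetd services" steps. Paths are
# parameters so the functions work on a constructed copy as well as on
# the real /etc/rc3.d and /etc/xinetd.d of a Red Hat 7.x box.

# List services started in a runlevel directory: the S<NN><name> links.
# K<NN> links are stop links and are not reported.
rc_enabled() {
    for l in "$1"/S[0-9][0-9]*; do
        # -L covers links whose target (../init.d/<name>) does not exist
        [ -e "$l" ] || [ -L "$l" ] || continue
        basename "$l" | sed 's/^S[0-9][0-9]//'
    done
}

# List xinetd services whose config file does not contain "disable = yes".
# A missing disable line counts as enabled, which is what xinetd assumes.
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
}

# Rewrite "disable = no" to "disable = yes" in one xinetd config file.
# Writes to a temp file and renames, so it also works without GNU sed -i.
xinetd_disable() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Build a constructed sample tree (NOT a real system) under $1 for the demo:
# two runlevel start links, one stop link, two enabled xinetd services and
# one already disabled.
make_sample() {
    mkdir -p "$1/xinetd.d" "$1/rc3.d"
    printf 'service telnet\n{\n\tdisable = no\n}\n'  > "$1/xinetd.d/telnet"
    printf 'service rsh\n{\n\tdisable\t= no\n}\n'    > "$1/xinetd.d/rsh"
    printf 'service finger\n{\n\tdisable = yes\n}\n' > "$1/xinetd.d/finger"
    ln -s ../init.d/sshd "$1/rc3.d/S55sshd"
    ln -s ../init.d/nfs  "$1/rc3.d/S60nfs"
    ln -s ../init.d/rsh  "$1/rc3.d/K20rsh"
}

# Demo run against the constructed tree; on a real box you would call
#   rc_enabled /etc/rc3.d ; xinetd_enabled /etc/xinetd.d
demo_root=$(mktemp -d)
make_sample "$demo_root"
echo "started in rc3.d:";      rc_enabled "$demo_root/rc3.d"
echo "xinetd still enabled:";  xinetd_enabled "$demo_root/xinetd.d"
xinetd_disable "$demo_root/xinetd.d/telnet"
echo "after disabling telnet:"; xinetd_enabled "$demo_root/xinetd.d"
rm -rf "$demo_root"
```

The report from xinetd_enabled is the list to compare against the nmap scan in step 3: anything still listed there, plus anything in rc_enabled output, should account for every open port nmap shows.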
