Re: Locking Down a Linux Box

From: Jose Nazario (jose@biocserver.BIOC.cwru.edu)
Date: 01/08/02


Date: Tue, 8 Jan 2002 11:51:42 -0500 (EST)
From: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
To: <focus-linux@securityfocus.com>

if we can get away from the 'no editors or software management tools'
subject for a bit and get back to the real question, i would like to offer
a good link and some general advice.

ISTR this being a RedHat box. as such, a great link to review is:

http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/

secondly, the advice. people often say "remove unneeded services" and the
like. ok, what's unneeded? what's needed? i want, say, a workstation. what
do i need to run a workstation? most users don't know where to get the
information on what's a service, what's needed and what's not. the quip
"remove unneeded services" is, while true, insufficient.

some ideas: use lsof or netstat -p to show you what processes are
listening on ports. in general, if you don't know what it does, remove it.
read the manpage, get an idea of what it does, and evaluate it in terms of
what you want the system to do.

as for setuid and setgid executables, a good rule of thumb is 'why the
heck does just anyone need to be able to do that?' su, for example. remove
world executable bits (chmod o-rwx) on those, including ping and the like.
you'll go a long way towards locking down a shell box with untrusted
users.

these are just some ideas to keep in mind, and i hope they help.

____________________________
jose nazario jose@cwru.edu
                           PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)