Introduction to Linux security guidelines
Author: Dawar Naqvi, Information System Coordinator/Linux Admin & Senior Oracle DBA, Los Angeles County Department of Health Services
Date: January 2006
This technical note is designed to assist users of Linux in securing workstations and servers against local and remote intrusion, exploitation, and malicious activity, based on my experiences at the Los Angeles County Department of Health Services.
Any user who has the ability to perform administrative actions by switching to root has full control over the system and could, either by accident or deliberately, undermine the security of your system. In this technical note, you will learn some preliminary steps toward reducing that risk. This note will also be helpful for Oracle DBAs interested in an introduction to Linux security.
Note: this technical note is far from exhaustive; it is intended to serve as an introduction only.
Partitioning
Generally, there are different options for partitioning filesystems depending on the project at hand, but here are the most popular ones:
- /boot = contains all files necessary for the boot process
- /home = contains each individual user's home directory
- /usr = contains those files that are shared across a system by multiple users
- /var = contains those files that are dynamic in nature
- / = contains those files necessary for system management when no other partitions are available
- /tmp = contains temporary files
- swap = contains the paging space for memory management
Boot Loader
To add a password directive, do the following:
- Decide on a password.
- Open a shell prompt, log in as root, and then type:
/sbin/grub-md5-crypt
- When prompted, type the GRUB password and press [Enter]. This returns an MD5 hash of the password.
- Next, edit the GRUB configuration file /boot/grub/grub.conf by doing the following:
- Open the file and, below the timeout line in the main section of the document, add the following line:
password --md5 <password-hash>
- Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
Note: grub also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.
The next time the system boots, the GRUB menu does not allow access to the editor or command interface without first pressing [p] followed by the GRUB Password.
Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment. For that, a different part of the /boot/grub/grub.conf file must be edited.
Root Password
There are some general rules for creating the root password.
- Use a mixture of upper and lower-case letters.
- Use a password between 8 and 13 characters long.
- Use a combination of numbers, letters, and special characters.
- Do not use any dictionary words.
- Make the password expire in 60 days.
- Do not set automatic password disabling.
Package Installation
Install all recommended packages for Oracle.
Remove compiler packages with the following:
# /bin/rpm -e
Linux support recommends against removing the Perl or Python packages. While these are not strictly "compiled" packages, they are necessary for the system to run smoothly.
Be careful to not remove any "devel" or "lib" packages.
If you do remove packages, please make a complete list and do not remove anything that is not recommended by support. Keep a record of the package names that you removed so they can be installed again if you need to patch the Oracle environment.
For example, when applying patches to the Oracle Home, the C compiler would be needed. Unfortunately, Oracle uses GCC for linking and also for compiling some small .c files. Oracle would not use the compiler while the database is running, so it is OK to remove those files.
Network Security
You can edit the /etc/sysctl.conf file to make any necessary changes. Create a backup first.
Enable TCP SYN cookie protection
A "SYN attack" is a denial of service attack that consumes all resources on a machine. Any server that is connected to a network is potentially subject to this attack.
To enable TCP SYN cookie protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1
Disable IP Source Routing
Source routing is used to specify a path or route through the network from source to destination. This feature can be used by network admins for diagnosing problems. However, if an intruder were able to send a source-routed packet into the network, they could intercept the replies, and your server might not know that it is not communicating with a trusted server.
To disable acceptance of source-routed packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_source_route = 0
Disable ICMP redirect acceptance
ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to use a path you did not intend.
To disable ICMP redirect acceptance, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_redirects = 0
Enable IP Spoofing Protection
IP spoofing is a technique where an intruder sends out packets that claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.
To enable IP spoofing protection, turn on source address verification. Edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.rp_filter = 1
Enable logging of spoofed packets, source routed packets, and redirect packets
To turn on logging for spoofed packets, source-routed packets, and redirect packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.log_martians = 1
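A shell audit of these five settings, added here as an example and not part of the original note: it checks a sysctl.conf-style file (the last assignment of a key wins, as with sysctl -p) and, separately, the kernel's live values under /proc/sys, because a line in the file only takes effect after sysctl -p or a reboot. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original note): audit a sysctl.conf-style file and the
# running kernel for the five net.ipv4 hardening settings listed above.
# key=value pairs the note asks for; a value in the file is compared exactly.
REQUIRED_SYSCTL='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1'

# normalize_sysctl: stdin is sysctl.conf text; prints key=value lines with comments,
# blank lines and whitespace around "=" removed.
normalize_sysctl() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep '=' || true
}

# check_sysctl_conf FILE: one line per required key (OK / WRONG / MISSING);
# returns 0 only when every key is present with the expected value.
check_sysctl_conf() {
    actual=$(normalize_sysctl < "$1")
    rc=0
    for entry in $REQUIRED_SYSCTL; do
        key=${entry%%=*}; want=${entry#*=}
        # last assignment wins, as sysctl(8) applies the file top to bottom
        got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key=$got (want $want)"; rc=1
        else
            echo "OK      $key=$got"
        fi
    done
    return $rc
}

# check_sysctl_live [BASE]: compare the kernel's current values, read from the
# /proc/sys tree (BASE defaults to /proc/sys; a test can point it at a fake tree).
check_sysctl_live() {
    base=${1:-/proc/sys}; rc=0
    for entry in $REQUIRED_SYSCTL; do
        key=${entry%%=*}; want=${entry#*=}
        path="$base/$(printf '%s' "$key" | tr . /)"   # net.ipv4.x -> net/ipv4/x
        got=$(cat "$path" 2>/dev/null)
        if [ "$got" = "$want" ]; then echo "OK      $key=$got"
        else echo "BAD     $key=${got:-unreadable} (want $want)"; rc=1; fi
    done
    return $rc
}
```

After sourcing the file, run check_sysctl_conf /etc/sysctl.conf and then check_sysctl_live; a non-zero exit from either means at least one setting is not as this note requires.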
Secure SSH
The Linux default configuration for SSH meets the security requirements for most environments. In this configuration, a subset of users are permitted to use SSH.
To limit who can log in via SSH, edit the file /etc/ssh/sshd_config and add a line at the bottom of the file that says:
AllowUsers dnssh test
Disallow remote root login
Under normal operating parameters, there should never be a need for the root account to log onto a server remotely. Any actions requiring a direct logon to the system as root should be restricted to the local console.
$ ls -ltr securetty
-rw------- 1 root root 122 Feb 17 2003 securetty
Edit the file /etc/securetty to reflect the following changes:
tty1
tty2
tty3
tty4
tty5
tty6
Disable CTRL-ALT-DELETE
It is important to disable the CTRL-ALT-DELETE function that allows an attacker to shutdown the machine.
Edit /etc/inittab to comment out the following line:
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
And add the following line to disable CTRL-ALT-DELETE (this prevents CTRL-ALT-DELETE from shutting down the machine):
ca::ctrlaltdel:/bin/true
Save the changes and restart the service as below
[root@abc etc]# /sbin/init q
Display login banner
Here is the login banner that will be displayed when a user logs on to the console or via SSH:
"Access to this device is restricted to authorized persons only."
Edit /etc/motd, /etc/issue, and /etc/issue.net.
Disable ftp, enable SFTP
Use SFTP instead of FTP for transferring files.
Password protect single-user mode
Linux provides a mechanism for system maintenance via "single user mode," which is typically started when the system is booting. This allows an attacker at the console to bypass any system protection and move into run level 1 as root. The ramifications are serious, and it is necessary to password-protect single user mode. In /etc/inittab:
id:5:initdefault:
~~:S:wait:/sbin/sulogin
Take the following steps to increase the security of user accounts on the system.
Password aging
Here are the default password aging controls from /etc/login.defs:
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	60
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7
All passwords will expire in 60 days.
Purging unnecessary accounts
See the /etc/passwd file for a list of all accounts.
Locking system accounts
Do not lock any system accounts.
Verify no accounts have empty passwords
Accounts with empty passwords pose a grave security risk to the system because all that is needed to log in to such an account is knowledge of the login name. These accounts can be easily detected by checking whether the second field of the /etc/shadow file is blank. Issue the following command:
[root@abc1 etc]# awk -F: '($2 == "") {print $1}' /etc/shadow
Set Password restrictions
It is important to restrict people from using simple passwords that can be cracked easily.
Enforce the following password rules:
- Minimum length of password must be 8
- Minimum number of lower case letters must be 1
- Minimum number of upper case letters must be 1
- Minimum number of digits must be 1
- Minimum number of other characters must be 1
Make sure that you are using pam-0.75-62 or higher.
[dnssh@ etc]$ rpm -q pam
pam-0.75-64
Edit /etc/pam.d/system-auth and set
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=0 ucredit=-1 dcredit=-1 ocredit=-1
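A password checker that mirrors the pam_cracklib credit model behind this line, added here as an example and not part of the original note; it covers only the length and character-class part of pam_cracklib, not its dictionary or similarity checks, and assumes ASCII passwords. One caveat worth knowing: a credit of 0 (lcredit=0 above) neither rewards nor requires that class, so this line does not enforce the "at least one lowercase letter" rule listed above; lcredit=-1 would.

```shell
#!/bin/sh
# Added example (not from the original note): a password checker that mirrors the
# pam_cracklib credit model used in the system-auth line above. Assumes ASCII passwords.

# count_class STRING CLASS: number of characters of STRING in the tr(1) class CLASS.
count_class() {
    n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
    echo $((n + 0))          # strips the padding some wc implementations print
}

# credit_for COUNT CREDIT: pam_cracklib semantics for lcredit/ucredit/dcredit/ocredit.
#   CREDIT >= 0: up to CREDIT characters of the class each count as one extra point
#                toward minlen (so CREDIT=0 means the class is neither rewarded nor required).
#   CREDIT <  0: at least -CREDIT characters of the class are required, and the class
#                earns no extra points. Prints -1 when that requirement is not met.
credit_for() {
    count=$1; credit=$2
    if [ "$credit" -ge 0 ]; then
        if [ "$count" -gt "$credit" ]; then count=$credit; fi
        echo "$count"
    elif [ "$count" -lt $(( -credit )) ]; then
        printf '%s\n' -1
    else
        echo 0
    fi
}

# check_password PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT: returns 0 when
# length + earned credits >= MINLEN and every negative-credit class is satisfied.
check_password() {
    pw=$1; minlen=$2
    len=${#pw}
    lower=$(count_class "$pw" '[:lower:]'); upper=$(count_class "$pw" '[:upper:]')
    digit=$(count_class "$pw" '[:digit:]'); alnum=$(count_class "$pw" '[:alnum:]')
    other=$((len - alnum))   # punctuation and other non-alphanumerics
    total=$len
    for pair in "$lower:$3" "$upper:$4" "$digit:$5" "$other:$6"; do
        c=$(credit_for "${pair%%:*}" "${pair#*:}")
        if [ "$c" -lt 0 ]; then return 1; fi   # a required class is absent
        total=$((total + c))
    done
    [ "$total" -ge "$minlen" ]
}

# page_policy PASSWORD: the note's line, minlen=8 lcredit=0 ucredit=-1 dcredit=-1 ocredit=-1.
# lcredit=0 means a password with no lowercase letter is still accepted; lcredit=-1 would not.
page_policy() { check_password "$1" 8 0 -1 -1 -1; }
```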
To get password expiration information:
# chage -l <system_account_name>
For example:
# chage -l dawar
Minimum: 7
Maximum: 60
Warning: 7
Inactive: 14
Last Change: Jan 11, 2005
Password Expires: Mar 12, 2005
Password Inactive: Mar 26, 2005
Account Expires: Never
Configure automatic logout for inactive sessions
Add the following to /etc/profile:
# Set idle logout after 15 minutes
TMOUT=900
[ etc]# echo $SHELL
/bin/bash
System resources usage
To prevent individual users from consuming too many system resources, edit the /etc/security/limits.conf file as below.
* hard core 0
* hard fsize 102400
* hard nproc 150
If you are concerned that users will set weak passwords, consider using the cracklib open-source password-checking library.
Services are controlled by files located in the /etc/rc.d directory and the subdirectories below it. The directory named init.d contains the scripts that manage the services installed on the system, for example:
/etc/init.d/squid
Run level
The runlevel used by Linux is 3 (full multiuser mode).
Make the change in /etc/inittab as below:
id:3:initdefault:
Identify and configure the services that are configured to start
Issue the following command to show the services that are configured to start when the system boots.
[root@ABC init.d]# /sbin/chkconfig --list
Independent services
The list of services that should be run on every system is short.
Service name     | What it does (see /etc/init.d/servicename)
keytable         | Loads the keyboard map for the system
syslog           | Activates the daemon that other daemons use for logging messages
network          | Starts the network interfaces
random           | Increases the quality of random number generation (important for applications encrypting network data)
crond            | Enables the cron daemon used for scheduling jobs
iptables         | Loads the iptables host-based firewall
ntpd             | Controls system clock synchronization
rhnsd            | Periodically checks the Red Hat Network for available updates
xinetd (sgi_fam) | Monitors the filesystem for changes and notifies interested applications (e.g., the Nautilus file manager)
gpm: the gpm service adds mouse support for console-mode text-based applications.
[root@abc root]# rpm -q gpm
gpm-1.19.3-27.2
sshd: the sshd service encrypts all network communication and provides interactive shell and file transfer access for remote users.
If users need to access the system remotely, the sshd service should be configured on so that it starts when the system boots. We access the system remotely on a regular basis, so this service should be on.
kudzu: hardware changes occur infrequently, so set this service to off.
The services that are not needed must be removed. If any of these services are needed during the OS/application migration process, then the migration procedure should include a step to add the service back in before the OS upgrade and another to remove these services after migration.
Applying updates and patches
Always apply Security Update and patches.
Register and configure the system to use the Linux Network
Use the Linux Network to apply updates and patches on your test servers. It is good security practice to turn off the Linux Network for your production servers.
Ensure that the rhnsd or other Linux Network service is configured to start when the system boots.
If you want to use Red Hat Network for security updates, patches, and maintenance, the rhnsd service should be on, as below.
[root@abc etc]# /sbin/chkconfig rhnsd on
[root@abc etc]# /etc/init.d/rhnsd start
Restricting System Access from servers and networks
A firewall is already in use in most business environments.
Secure NFS
NFS (Network File System) allows servers to share files over a network. But like all network services, using NFS can be risky.
Here are some basic rules:
- NFS should not be enabled if not needed.
- If you must use NFS, use TCP Wrapper to restrict remote access.
- Make sure you export to only those machines that you really need.
- Use fully qualified domain names to diminish spoofing attempts.
- Export only directories you need to export.
- Export read-only wherever possible.
- Use NFS over TCP.
Connect accounting utilities
Here is a list of commands you can use to get data about user logins:
Command | What it does
who     | Shows a listing of currently logged-in users.
w       | Shows who is logged on and what they are doing.
last    | Shows a list of last logged-in users, including login time, logout time, etc.
lastlog | Reports data maintained in /var/log/lastlog, which is a record of the last time each user logged in.
ac      | Prints out the connect time in hours on a per-user or daily basis, etc. This command reads /var/log/wtmp.
Replace the default configuration file for the syslogd daemon (/etc/syslog.conf) with a more secure configuration file.
The syslog.conf below ensures that important messages are recorded. The configuration also causes messages stored to the local filesystem to be segregated into subsystem-specific log files. This makes each log file more readable and increases the chances that anomalies will be noticed when reviewing a log file.
Restart syslogd and ensure that it is configured to run on boot.
Force the syslogd daemon to reload its configuration file.
[root@ init.d]# /sbin/chkconfig --level 2345 syslog on