LINUX Security Rules

Source: Internet
Uploader: User

Introduction to Linux Security Guidelines
Author: Dawar Naqvi, Information System Coordinator / Linux Admin & Senior Oracle DBA, Los Angeles County Department of Health Services
Date: January 2006

This Technical Note is designed to assist users of Linux in securing workstations and servers against local and remote intrusion, exploitation, and malicious activity, based on my experiences at the Los Angeles County Department of Health Services.

Any user who has the ability to perform administrative actions by switching to root has full control over the system and could either by accident or deliberately undermine the security of your system. In this Technical Note, you will learn some preliminary steps toward reducing that risk. This Note will also be helpful for Oracle DBAs interested in an introduction to Linux security.

Note: This Technical Note is far from exhaustive; it is intended to serve as an introduction only.

Partitioning

Generally, there are many different options for partitioning filesystems depending on the project at hand, but here are the most popular ones:

  • /boot = Contains all files necessary for the boot process
  • /home = Contains each individual user's home directory
  • /usr = Contains those files that are shared across a system by multiple users
  • /var = Contains those files that are dynamic in nature
  • / = Contains those files necessary for system management when no other partitions are available
  • /tmp = Contains temporary files
  • SWAP = Contains the paging file for memory management

Boot Loader

To add a password directive, do the following:

  1. Decide on a password.
  2. Open a shell prompt, log in as root, and then type:
    /sbin/grub-md5-crypt
  3. When prompted, type the GRUB password and press [Enter]. This returns an MD5 hash of the password.
  4. Next, edit the GRUB configuration file /boot/grub/grub.conf by doing the following:
    1. Open the file and below the timeout line in the main section of the document, add the following line:

       password --md5 <password-hash>
    2. Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.

Note: GRUB also accepts unencrypted passwords, but it is recommended that an md5 hash be used for added security.

The next time the system boots, the GRUB menu does not allow access to the editor or command interface without first pressing [p] followed by the GRUB password.

Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment. For this approach, a different part of the /boot/grub/grub.conf file must be edited.

Root Password

There are some general rules for creating the root password.

  • Use a mixture of upper- and lower-case letters.
  • Use a password between 8 and 13 characters long.
  • Use a combination of numbers, letters, and special characters.
  • Do not use any dictionary words.
  • Make the password expire in 60 days.
  • Do not set automatic password disabling.

Package Installation

Install all recommended packages for Oracle.

Remove compiler packages with the following:

# /bin/rpm -e

Linux Support recommends against removing perl or python packages. While these are not strictly "compiled" languages, they are necessary for the system to run smoothly.

Be careful to not remove any "devel" or "lib" packages.

If you do remove packages, please make a complete list and DO NOT remove ANYTHING that is not recommended by support. Keep a record of the package names that you removed so they can be installed again if you need to patch the Oracle environment.

For example, when applying patches to the Oracle Home, the C compiler is needed: Oracle uses gcc for linking and also for compiling some small .c files. Oracle does not use the compiler while the database is running, so it is OK to remove those packages in the meantime.

Network Security

You can configure /etc/sysctl.conf file to make any necessary changes. Create a backup first.

Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source routing is used to specify a path or route through the network from source to destination. This feature can be used by network admins for diagnosing problems. However, if an intruder were able to send a source-routed packet into the network, he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To reject source-routed packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0

Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_redirects = 0

Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets that claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1

Enable Logging of Spoofed Packets, Source Routed Packets, and Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1
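The five sysctl lines above are easy to add and just as easy to lose when a file is regenerated. The script below, an added example that is not part of the original note, checks a sysctl.conf-style file for all five settings at once. Function names and the two sample files are constructed for this example; the keys and values are the note's own.

```shell
#!/bin/sh
# Added example, not from the original note: check a sysctl.conf-style file
# for the five hardening lines recommended above. The function names and the
# sample files are constructed for this example; the keys and values are the
# note's own.

# Expected key=value pairs, one per line.
EXPECTED_SYSCTL='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1'

# Print the effective value of one key from a sysctl.conf-style file.
# Comment and blank lines are skipped, whitespace around '=' is tolerated,
# and the last assignment wins, which is how sysctl -p applies the file.
# Prints nothing if the key is absent.
sysctl_conf_get() {
    # $1 = file, $2 = key
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# Compare a file against every expected setting. Prints one line per
# missing or wrong key and returns 1 if any was found, 0 if all are in place.
check_sysctl_hardening() {
    rc=0
    for pair in $EXPECTED_SYSCTL; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_conf_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key  (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG    $key = $have  (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a sysctl.conf that lacks log_martians and still
# accepts ICMP redirects.
SAMPLE_BAD=$(mktemp)
SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
EOF

# Hardened sample: the same file with the note's five lines appended at the
# end; the later accept_redirects = 0 overrides the earlier = 1.
cat "$SAMPLE_BAD" > "$SAMPLE_GOOD"
printf '%s\n' "$EXPECTED_SYSCTL" | sed 's/=/ = /' >> "$SAMPLE_GOOD"

if check_sysctl_hardening "$SAMPLE_BAD"; then
    echo "before hardening: OK"
else
    echo "before hardening: FAIL"   # lists MISSING log_martians and WRONG accept_redirects
fi
if check_sysctl_hardening "$SAMPLE_GOOD"; then
    echo "after hardening: OK"
fi
```

The check reads the file only; after editing the real /etc/sysctl.conf, apply it with `sysctl -p` and confirm the live values with `sysctl net.ipv4.tcp_syncookies` and the other four keys, since a file that is never loaded protects nothing.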

Secure SSH

The Linux default configuration for SSH meets the security requirements for most environments. In this configuration, a subset of users are permitted to use SSH.
To limit who can log in over SSH, edit the file /etc/ssh/sshd_config and add a line at the bottom of the file that says:

AllowUsers dnssh test

Disallow Remote Root Login

Under normal operating parameters, there should never be a need for the root account to log onto a server remotely. Any actions requiring a direct logon to the system via root should be restricted to the local console.

$ ls -ltr securetty
-rw-------    1 root     root          122 Feb 17  2003 securetty

Edit the file /etc/securetty so that it lists only the local console devices, as follows:

tty1
tty2
tty3
tty4
tty5
tty6

Disable CTRL-ALT-DELETE

It is important to disable the CTRL-ALT-DELETE function, which would allow anyone at the console to shut down the machine.

Edit /etc/inittab to comment out the following line:

# ca::ctrlaltdel:/sbin/shutdown -t3 -r now

And add the following line to disable CTRL-ALT-DELETE (the key combination then runs /bin/true instead of shutting down the machine):

ca::ctrlaltdel:/bin/true

Save the changes and tell init to re-read /etc/inittab as below:

[root@abc etc]# /sbin/init q

Display Login Banner

Here is the login banner that will be displayed when a user logs on to the console or over SSH:

"Access to this device is restricted to authorized persons only."

Edit /etc/motd, /etc/issue, and /etc/issue.net.

Disable FTP, Enable SFTP

Use SFTP instead of FTP for transferring files.

Password Protect Single-user Mode

Linux provides a mechanism for system maintenance via "Single User Mode," which is typically started while the system is booting. This allows an attacker at the console to bypass any system protection and move into Run Level 1 as root. The ramifications are serious, and it is necessary to password-protect single-user mode. In /etc/inittab, after the initdefault entry, add a sulogin entry so that the root password is required before the single-user shell starts:

id:5:initdefault:

~~:S:wait:/sbin/sulogin

Take the following steps to increase the security of user accounts on the system.

Password Aging

Here are the default password aging controls from /etc/login.defs:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   60
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

All passwords will expire in 60 days.

Purging Unnecessary Accounts

See the /etc/passwd file for a list of all accounts.

Locking System Accounts

Do not lock any system accounts.

Verify No Accounts Have Empty Passwords

Accounts with empty passwords pose a grave security risk to the system because all that is needed to log in to such an account is knowledge of the login name. These accounts can be easily detected by checking whether the second field of the /etc/shadow file is blank. Issue the following command:

[root@abc1 etc]# awk -F: '($2 == "") {print $1}' /etc/shadow
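The awk one-liner above and the 60-day aging policy from the Password Aging section are both checks on fields of /etc/shadow, so the added example below (not the note's own code) audits a shadow-format file for both: empty password fields, and usable accounts whose maximum age is unset or longer than 60 days. Function names and the sample file are constructed; the remediation hints use the standard passwd -l and chage -M commands.

```shell
#!/bin/sh
# Added example, not from the original note: audit a shadow-format file for
# accounts with an empty password field (the check above) and for accounts
# whose maximum password age is longer than the note's 60-day policy.
# Function names and the sample file are constructed for this example.

POLICY_MAX_DAYS=60

# Accounts whose second field is empty, i.e. the note's awk one-liner.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that have a usable password (not locked with "!" or "*") and
# whose maximum age (field 5) is unset or larger than the policy.
# Prints "name:max", with "none" when the field is empty.
overlong_password_age() {
    awk -F: -v limit="$POLICY_MAX_DAYS" '
        $2 == "" || $2 ~ /^[!*]/ { next }   # empty handled separately; locked accounts have no usable password
        $5 == ""                 { print $1 ":none"; next }
        $5 + 0 > limit           { print $1 ":" $5 }' "$1"
}

# Run both checks, print a remediation hint per finding (passwd -l and
# chage -M are standard shadow-utils commands) and return 1 if anything
# was found.
audit_shadow() {
    problems=0
    for u in $(empty_password_accounts "$1"); do
        echo "EMPTY PASSWORD   $u   (fix: passwd -l $u, then set a real password)"
        problems=$((problems + 1))
    done
    for e in $(overlong_password_age "$1"); do
        u=${e%%:*}
        echo "MAX AGE > $POLICY_MAX_DAYS   $u (max=${e#*:})   (fix: chage -M $POLICY_MAX_DAYS $u)"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample in /etc/shadow format (hashes are placeholders).
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$placeholderhash:12789:7:60:7:14::
bin:*:12789:0:99999:7:::
oracle:$1$placeholderhash:12789:7:99999:7:::
dnssh:$1$placeholderhash:12789:7:60:7:14::
guest::12789:0:60:7:::
test:$1$placeholderhash:12789:0::7:::
EOF

# Expected findings: guest (empty), oracle (max 99999), test (no max set).
audit_shadow "$SAMPLE_SHADOW" || echo "shadow audit: problems found"
```

Run it as root against /etc/shadow itself; locked system accounts (bin above) are skipped deliberately, which matches the note's advice not to lock or touch system accounts.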

Set Password Restrictions

It is important to restrict people from using simple passwords that can be cracked easily.

Enforce the following password rules:

  • Minimum length of password must be 8
  • Minimum number of lower case letters must be 1
  • Minimum number of upper case letters must be 1
  • Minimum number of digits must be 1
  • Minimum number of other characters must be 1

Make sure that you are using pam-0.75-62 or higher.

[dnssh@ etc]$ rpm -q pam
pam-0.75-64

Edit /etc/pam.d/system-auth and set:

password    required  /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

Each credit of -1 requires at least one character of that class; lcredit must be -1 rather than 0 for the one-lower-case-letter rule above to be enforced.
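The credit parameters are the part of that line most often misread, so here is an added example (not the note's own code and not pam_cracklib's implementation) that reimplements the minlen/credit arithmetic pam_cracklib documents, so each setting's effect can be tried offline. It goes slightly beyond the note by also handling positive credits; cracklib's dictionary check is not modelled. Function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original note and not pam_cracklib's own code:
# a reimplementation of the minlen/credit arithmetic that pam_cracklib
# documents, so the effect of each setting in the line above can be tried
# offline. Function names are constructed. cracklib's dictionary check is
# not modelled.

# Count the characters of $1 that fall in tr character class $2.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Usage: password_meets_policy <password> <minlen> <lcredit> <ucredit> <dcredit> <ocredit>
# A negative credit is a required minimum for that class (ucredit=-1: at
# least one upper-case letter). A credit >= 0 is the largest number of
# characters of that class that may be added to the length as a bonus when
# comparing against minlen. Returns 0 if the password passes, 1 if not.
password_meets_policy() {
    pw=$1
    minlen=$2
    lower=$(count_class "$pw" '[:lower:]')
    upper=$(count_class "$pw" '[:upper:]')
    digit=$(count_class "$pw" '[:digit:]')
    other=$(printf '%s' "$pw" | tr -d '[:alnum:]' | wc -c | tr -d ' ')
    score=${#pw}
    for spec in "$lower:$3" "$upper:$4" "$digit:$5" "$other:$6"; do
        have=${spec%%:*}
        credit=${spec#*:}
        if [ "$credit" -lt 0 ]; then
            need=${credit#-}
            if [ "$have" -lt "$need" ]; then
                return 1          # required minimum for this class not met
            fi
        else
            bonus=$have
            if [ "$bonus" -gt "$credit" ]; then
                bonus=$credit
            fi
            score=$((score + bonus))
        fi
    done
    [ "$score" -ge "$minlen" ]
}

# The note's rules: minlen=8 and one character of each class required.
password_meets_policy 'Tr0ub4dor&3' 8 -1 -1 -1 -1 && echo "Tr0ub4dor&3: accepted"
password_meets_policy 'TROUBADOR&3' 8 -1 -1 -1 -1 || echo "TROUBADOR&3: rejected (no lower-case letter)"
# With lcredit=0 the same password is accepted: a credit of 0 is not a requirement.
password_meets_policy 'TROUBADOR&3' 8 0 -1 -1 -1 && echo "TROUBADOR&3 with lcredit=0: accepted"
```

The last two calls show why lcredit=0 does not enforce a lower-case letter: zero means "no bonus for this class", and only a negative value turns the credit into a minimum.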

To get password expiration information:

# chage -l <system_account_name>

For example:

# chage -l dawar
Minimum:        7
Maximum:        60
Warning:        7
Inactive:       14
Last Change:            Jan 11, 2005
Password Expires:       Mar 12, 2005
Password Inactive:      Mar 26, 2005
Account Expires:        Never

Configure Automatic Logout for Inactive Sessions

Add the following to /etc/profile:

# Set idle logout after 15 minutes
TMOUT=900

This applies to the bash login shell used here:

[ etc]# echo $SHELL
/bin/bash

System Resources Usage

To prevent individual users from consuming too many system resources, edit the /etc/security/limits.conf file as below.

*   hard   core    0
*   hard   fsize   102400
*   hard   nproc   150

If you are concerned that users will set weak passwords, consider using the cracklib open-source password-checking library.

Services are controlled by files located in the /etc/rc.d directory and the subdirectories below it. The directory named init.d contains the scripts that manage the services installed on the system, for example:

/etc/init.d/squid

Run Level

The runlevel used by Linux is 3 (Full Multiuser mode).

Make the change in /etc/inittab as below:

id:3:initdefault:

Identify and Configure the Services That Are Configured to Start

Issue the following command to show the services that are configured to start when the system boots.

[root@ABC init.d]# /sbin/chkconfig --list

Independent Services

The list of services that should be run for every system is short (see /etc/init.d/servicename for what each one does):

Service Name        What it does
keytable            Loads the keyboard map for the system
syslog              Activates the daemon that other daemons use for logging messages
network             Starts network interfaces
random              Increases the quality of random number generation (important for applications encrypting network data)
crond               Enables the cron daemon used for scheduling jobs
iptables            Loads the iptables host-based firewall
ntpd                Controls system clock synchronization
rhnsd               Periodically checks the Red Hat Network for available updates
xinetd (sgi_fam)    Monitors the filesystem for changes and notifies interested applications (e.g., the Nautilus file manager)

gpm - The gpm service adds mouse support for console-mode, text-based applications.

[root@abc  root]# rpm -q gpm
gpm-1.19.3-27.2

sshd - The sshd service encrypts all network communication and provides interactive shell and file transfer access for remote users.

If users need to access the system remotely, the sshd service should be configured ON so it will start when the system boots. We access the system remotely on a regular basis, so this service should be ON.

kudzu - Hardware changes occur infrequently, so set this service to OFF.

The services that are not needed must be removed.  If any of these services are needed during the OS/Application migration process, then the migration procedure should include a step to add the service back in before OS upgrade and another to remove these services after migration.
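Comparing the chkconfig --list output against the short list above by eye is error-prone on a server with dozens of services, so the added example below (not the note's own code) parses saved chkconfig --list output and reports every service enabled at runlevel 3 that is not on the note's list (plus sshd, which the note keeps on). Function names and the sample output are constructed; the disable hint uses the standard chkconfig off form.

```shell
#!/bin/sh
# Added example, not from the original note: read chkconfig --list output and
# report services enabled at runlevel 3 that are not on the note's short list
# of services every system should run (plus sshd, which the note keeps on).
# Function names and the sample output are constructed for this example.

ALLOWED_SERVICES="keytable syslog network random crond iptables ntpd rhnsd xinetd sshd"

# Print the services that are "on" at runlevel $2 according to the
# chkconfig --list output saved in file $1. The "xinetd based services:"
# section uses a different layout and is not parsed here.
services_on_at_runlevel() {
    awk -v lvl="$2" '
        /^xinetd based services:/ { exit }
        NF >= 8 {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":on")) print $1
        }' "$1"
}

# Print every runlevel-3 service not on the allow list, with the
# chkconfig command that would disable it, and return 1 if any was found.
unexpected_services() {
    found=0
    for svc in $(services_on_at_runlevel "$1" 3); do
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;
            *) echo "unexpected at runlevel 3: $svc   (disable with: chkconfig $svc off)"
               found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of chkconfig --list output.
SAMPLE_CHKCONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CHKCONFIG"' EXIT
cat > "$SAMPLE_CHKCONFIG" <<'EOF'
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        sgi_fam:        on
EOF

# Expected findings on the sample: kudzu and gpm (squid is already off).
unexpected_services "$SAMPLE_CHKCONFIG" || echo "review the services listed above"
```

On a real system, save the output first (`/sbin/chkconfig --list > /tmp/chkconfig.txt`) and keep that file with the migration records the note asks for, so a service removed before an upgrade can be identified and restored afterwards.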

Applying Updates and Patches

Always apply security updates and patches.

Register and Configure the System to Use the Linux Network

Use Linux Network to apply updates and patches on your test servers. It is a good security practice to turn off Linux Network for your production servers.

Ensure that the rhnsd or other Linux Network service is Configured to Start When the System Boots.

If you want to use Red Hat Network for security updates, patches, and maintenance, rhnsd service should be on as below.

[root@abc etc]# /sbin/chkconfig rhnsd on
[root@abc etc]# /etc/init.d/rhnsd start

Restricting System Access from Servers and Networks

A firewall is already in use in most business environments.

Secure NFS

NFS (Network File System) allows servers to share files over a network. But like all network services, using NFS can be risky.

Here are some basic rules:

  • NFS should not be enabled if not needed.
  • If you must use NFS, use TCP wrapper to restrict remote access.
  • Make sure you export to only those machines that you really need to.
  • Use fully qualified domain names to diminish spoofing attempts.
  • Export only directories you need to export.
  • Export read-only wherever possible.
  • Use NFS over TCP.

Connect Accounting Utilities

Here is a list of commands you can use to get data about user logins:

Command    What it does
who        Shows a listing of currently logged-in users.
w          Shows who is logged on and what they are doing.
last       Shows a list of last logged-in users, including login time, logout time, etc.
lastlog    Reports data maintained in /var/log/lastlog, which is a record of the last time each user logged in.
ac         Prints out the connect time in hours on a per-user or daily basis, etc. This command reads /var/log/wtmp.

Replace the Default Configuration File for the syslogd Daemon (/etc/syslog.conf) with a More Secure Configuration File.

The syslog.conf below ensures that important messages are recorded. The configuration also causes messages stored to the local file system to be segregated into subsystem-specific log files. This makes each log file more readable and increases the chances that anomalies will be noticed when reviewing a log file.

Restart syslogd and ensure that it is configured to run on boot.

Force the syslogd daemon to reload its configuration file.

[root@ init.d]# /sbin/chkconfig --level 2345 syslog on