Linux is capable of high-end security; however, the out-of-the-box
configurations must be altered to meet the security needs of most businesses
with an Internet presence. This article shows you the steps for securing a Linux
system, a process called hardening the server, using both manual methods and
open source security solutions. The hardening process focuses on the operating
system, and is important regardless of the services offered by the server. The
steps will vary slightly between services, such as e-mail and Hypertext Transfer
Protocol (HTTP), but are essential for protecting any server that is connected
to a network, especially the Internet. Hardening the operating system allows the
server to operate efficiently and securely. This article includes the essential
steps an administrator must follow to harden a Unix system; specifically, a Red
Hat Linux system. These steps include updating the system, disabling unnecessary
services, locking down ports, logging, and maintenance. Open source programs
allow administrators to automate these processes using Bastille, sudo, logging
enhancers such as SWATCH, and antivirus software. Before you implement these
programs, you should first understand how to harden a system manually.
Updating the Linux System
A Linux system may contain many security vulnerabilities and software bugs when
it is first released. Vendors, such as Red Hat, provide updates to the operating
system to fix these vulnerabilities and bugs. In fact, many consulting firms
recommend that companies do not purchase and implement new operating systems
until the first update is available. In most cases, the first update will fix
many of the problems encountered with the first release of the Linux
distribution.
Maintenance Issues
You should apply the latest updates before the server goes live, and constantly
maintain the server after it is deployed to make sure the most current required
patches are installed. The more time an operating system is available to the
public, the more time malicious hackers have to exploit discovered
vulnerabilities. Vendors offer patches to fix these vulnerabilities as quickly
as possible; in some cases, the fixes are available at the vendor’s site the
same day. Administrators must also regularly test their systems using security
analyzer software. Security analyzer software scans systems to uncover security
vulnerabilities, and recommends fixes to close the security holes.
Manually Disabling Unnecessary Services and Ports
To harden a server, you must first disable any unnecessary services and
ports. This process involves removing any unnecessary services, such as the
Linux rlogin service, and locking down unnecessary Transmission Control
Protocol/User Datagram Protocol (TCP/UDP) ports. Once these services and ports
are secure, you must then regularly maintain the system.
Services to Disable
Linux, by nature, is more secure than most operating
systems. Regardless, there are still uncertainties to every new Linux kernel
that is released, and many security vulnerabilities that have not been
discovered. Most Linux services are not vulnerable to these exploits. However,
an administrator can reduce the amount of risk by removing unnecessary services.
Red Hat Linux includes many services, so it makes sense that an administrator
customize the system to suit the company needs. Remember, you are removing risk
when you remove unnecessary services.
The xinetd.conf File
The /etc/xinetd.conf file (previously the inetd.conf file) controls many Unix
services, including File Transfer Protocol (FTP) and Telnet. It determines what
services are available to the system. The xinetd (like inetd) service is a
super server listening for incoming network activity for a range of services.
It determines the actual nature of the service being requested and launches the
appropriate server. The primary reason for the design is to avoid having to
start and run a large number of low-volume servers. Additionally, xinetd’s
ability to launch services on demand means that only the needed number of
servers is run. The /etc/xinetd.conf file directs requests for xinetd services
to the /etc/xinetd.d directory. Each xinetd service has a configuration file in
the xinetd.d directory. If a service is commented out in its configuration
file, the service is unavailable. Because xinetd is so powerful, only root
should be able to configure its services. The /etc/xinetd.d directory makes it
simple to disable services that your system is not using. For example, you can
disable the FTP and Telnet services by commenting out the FTP and Telnet
entries in the respective file and restarting the service. If the service is
commented out.
Telnet and FTP
Most administrators find it convenient to log in to their Unix machines over a
network for administration purposes. This allows the administrator to work
remotely while maintaining network services. However, in a high-security
environment, only physical access may be permitted for administering a server.
In this case, you should disable the Telnet interactive login utility. Once
disabled, no one can access the machine via Telnet.
1. To disable Telnet, you must edit the /etc/xinetd.d/telnet file. Open the
   file using vi or an editor of your choice.
2. Comment out the service telnet line by adding a number sign (#) before
   service telnet:
   #service telnet
3. Write and quit the file.
4. Next, you must restart xinetd by entering:
   /etc/rc.d/init.d/xinetd restart
5. Attempt to log on to the system using Telnet. You should fail.
6. Note that commenting out the service line in the respective xinetd.d file
   can disable many services.
7. Disable the FTP service using the same method (e.g., edit the
   /etc/xinetd.d/wu-ftpd file by commenting out the service ftp line and
   restarting xinetd).
8. Attempt to access the system via FTP. You should be unable to log in to the
   server.
The Rlogin Service
The remote login (rlogin) service is enabled by default in the
/etc/xinetd.d/rlogin file. Rlogin has security vulnerabilities because it can
bypass the password prompt to access a system remotely. There are two services
associated with rlogin: login and RSH (remote shell). To disable these
services, open the /etc/xinetd.d/rlogin file and comment out the service login
line. Then, open the /etc/xinetd.d/rsh file and comment out the service shell
line. Restart xinetd to ensure that your system is no longer offering these
services.
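The following script is an added example, not code from the original article or from the xinetd project, for the xinetd.d procedure covered in the Telnet/FTP and rlogin sections above. Instead of commenting out the service line, it sets the disable attribute that xinetd's own configuration format provides for this purpose, so the service block stays syntactically intact, and it verifies the result afterwards. It works on constructed copies of a telnet and a wu-ftpd file in a temporary directory, so it can be run without touching the real /etc/xinetd.d; the file contents are modelled on Red Hat's and are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: disable an xinetd-managed
# service by setting "disable = yes" inside the service block of its
# /etc/xinetd.d/<name> file, then verify the change. Works on constructed copies
# in a temp directory so it never touches the real /etc/xinetd.d.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample, modelled on a Red Hat /etc/xinetd.d/telnet file.
cat > "$WORK/telnet" <<'EOF'
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF

# Constructed sample with no disable attribute at all (exercises the insert case).
cat > "$WORK/wu-ftpd" <<'EOF'
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
}
EOF

# Report yes/no: does the service file $1 carry "disable = yes"?
xinetd_is_disabled() {
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Set "disable = yes" in service file $1. An existing disable line is rewritten
# in place; otherwise one is inserted right after the block's opening brace.
# The file is replaced via a temp copy so an interrupted edit cannot leave
# xinetd with a half-written configuration.
xinetd_disable() {
    f=$1
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        awk '/^[[:space:]]*disable[[:space:]]*=/ { sub(/=.*/, "= yes") } { print }' "$f" > "$f.tmp"
    else
        awk '{ print } $1 == "{" && !done { print "        disable         = yes"; done = 1 }' "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

cp "$WORK/telnet" "$WORK/telnet.orig"     # untouched copy, kept for comparison
for svc in telnet wu-ftpd; do
    xinetd_disable "$WORK/$svc"
    echo "$svc disabled: $(xinetd_is_disabled "$WORK/$svc")"
done
# On a real system the edit is followed by the restart the article shows:
#   /etc/rc.d/init.d/xinetd restart
```

On a live host you would call xinetd_disable on /etc/xinetd.d/telnet (as root, since the article notes only root should configure xinetd) and then restart xinetd; xinetd_is_disabled is the check to run afterwards, and the attempted Telnet login from step 5 remains the end-to-end test.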
Locking Down Ports
TCP/IP networks assign a port
to each service, such as HTTP, Simple Mail Transfer Protocol (SMTP), and Post
Office Protocol version 3 (POP3).This port is given a number, called a port
number, used to link incoming data to the correct service. For example, if a
client browser is requesting to view a server’s Web page, the request will be
directed to port 80 on the server.The Web service receives the request and sends
the Web page to the client. Each service is assigned a port number, and each
port number has a TCP and UDP port. For example, port 53 is used for the Domain
Name System (DNS) and has a TCP port and a UDP port. TCP port 53 is used for
zone transfers between DNS servers; UDP port 53 is used for common DNS queries
resolving domain names to IP addresses.
Well-Known and Registered Ports
There are two ranges of ports used for TCP/IP networks: well-known ports and
registered ports. The well-known ports are the network services that have been
assigned a specific port number (as defined by /etc/services). For example,
SMTP is assigned port 25, and HTTP is assigned port 80. Servers listen on the
network for requests at the well-known ports. Registered ports are temporary
ports, usually used by clients, and will vary each time a service is used.
Registered ports are also called ephemeral ports, because they last for only a
brief time. The port is then abandoned and can be used by other services. The
port number ranges are classified, as shown below, according to Request for
Comments (RFC) 1700. To access RFC 1700, go to
ftp://ftp.isi.edu/in-notes/rfc1700.txt.

Port range     Numbers
Well-known     1 to 1023
Registered     1024 to 65535
To explain how well-known ports work with registered ports, let’s look at a
typical Web site connection from a Web browser to a Web server. The client
sends the HTTP request from a registered TCP port, such as port 1025. The
request is routed across the network to the well-known TCP port 80 of a Web
server. Once a session is established, the server continues to use port 80,
and the client uses various registered ports, such as TCP ports 1025 and 1026,
to transfer the HTTP data. Figure 2.5 is a packet capture that displays the
establishment of a TCP session between a client and server, and the
transmission of HTTP data between them. In frame 2 of the packet capture, the
source address (10.0.0.100) is the client computer requesting the Web page. The
destination address (192.0.34.65) is the Web server, which hosts the Internet
Corporation for Assigned Names and Numbers (ICANN) Web site. In the Info field,
the 1025 > 80 indicates that the source TCP port is 1025. The 80 indicates that
the destination TCP port is 80. The first three frames display the TCP
handshake, which establishes a TCP connection between the client and server.
In the frames that follow, the client requests HTTP data from the server. The
request determines the HTTP version.
Determining Ports to Block
When determining which ports to block on your server, you must first determine
which services you require. In most cases, block all ports that are not
exclusively required by these services. This is tricky, because you can easily
block yourself from services you need, especially services that use ephemeral
ports, as explained earlier. If your server is an exclusive e-mail server
running SMTP and IMAP, you can block all TCP ports except ports 25 and 143,
respectively. If your server is an exclusive HTTP server, you can block all
ports except TCP port 80. In both cases, you can block all UDP ports, since
these services all use TCP exclusively. However, if you want to use your server
as an HTTP client (i.e., for accessing operating system updates) or as an
e-mail client to a remote mail server, you will restrict the system. Clients
require registered UDP ports for DNS, as well as registered TCP ports for
establishing connections with Web servers. If you open only the corresponding
UDP ports 25, 80, and 143, DNS requests are blocked because DNS queries use UDP
port 53, and DNS answers use a UDP registered port. Even if you open port 53, a
different registered port may be assigned each time for the answer. Attempting
to allow access to a randomly assigned registered port is almost impossible and
a waste of time. The same problem applies to TCP connections that require
ephemeral ports. Therefore, you should either open all TCP/UDP registered ports
(so you can use your server as a client), or block them (except for the
services you require) and access resources, such as operating system updates.
Blocking Ports
To block TCP/UDP services in Linux, you must disable the service that uses the
specific port. The following section discusses disabling ports using xinetd,
and disabling ports assigned to stand-alone services.
Xinetd Services
Many services can be disabled in their respective files in the /etc/xinetd.d
directory by commenting out the service that uses the port. You learned how to
comment out xinetd services earlier in this article. For example, to disable
port 79 (used for finger services, which gives out user data that can be used
by malicious hackers), you would comment out the service finger entry in the
/etc/xinetd.d/finger file. Refer to Table 2.2 to view other ports you may wish
to block. It lists common ports blocked by firewalls. However, these ports can
also be blocked at the server itself. Follow these steps to disable port 79:
1. To disable port 79, you must edit the /etc/xinetd.d/finger file. Open the
   finger file and locate the service finger line.
2. Comment out the finger service line, and then write and quit the file.
3. Next, you must restart xinetd by entering:
   /etc/rc.d/init.d/xinetd restart
4. If you have a finger program installed on your system, or access to a finger
   gateway, attempt a finger request to your system. You should fail.
Note that you can use xinetd to disable many other ports.
Stand-Alone Services
To disable ports whose corresponding services are not included in the
/etc/xinetd.d directory, you must kill the service’s process and make sure that
the service does not automatically restart upon reboot. These services are
called stand-alone services. For example, port 111 is assigned to a
stand-alone portmapper service not required for most e-mail servers. The
portmapper service, which is technically part of the Sun Remote Procedure Call
(RPC) service, runs on server machines and assigns port numbers to RPC packets,
such as NIS and NFS packets. Because these RPC services are not used by most
e-mail services, port 111 is not necessary. To disable port 111, you must
disable the portmapper service as follows:
1. To disable the portmapper service, identify the process identifier (PID)
   for portmap by entering:
   ps aux | grep portmap
2. The second column lists the PID number. The last column lists the process
   using that PID.
3. To stop the portmapper service, identify the PID number and enter:
   kill -9 [PID NUMBER]
Note:
Some ports, such as port 80, are not activated
unless the service is installed. For example, if you have not installed Apache
server, then port 80 is not used. There is no need to block the port because it
is already disabled.
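The script below is an added example, not code from the original article, that puts the port discussion above into practice: before blocking anything, it lists what the host is actually listening on, classifies each port with the RFC 1700 ranges the article quotes, and shows an established session with its client-side ephemeral port and server-side port 80. It reads the kernel's own socket table, /proc/net/tcp, whose rows carry the local and remote endpoints as little-endian hex IPv4 plus a hex port and a hex state column (0A is LISTEN, 01 is ESTABLISHED). The sample table embedded in the script is constructed; its addresses reuse the client 10.0.0.100 and server 192.0.34.65 from the packet-capture description, and the listening ports 25, 80 and 111 are the ones the text discusses.

```shell
#!/bin/sh
# Added example, not code from the original article: inventory a Linux host's
# TCP sockets from /proc/net/tcp before deciding which ports to block. The
# sample table below is constructed; pass a path as the first argument
# (e.g. /proc/net/tcp) to read the live kernel table instead.

SAMPLE_TCP=$(mktemp)
trap 'rm -f "$SAMPLE_TCP"' EXIT
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0 100 0 0 10 0
   2: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0 100 0 0 10 0
   3: 6400000A:0401 412200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0 100 0 0 10 0
   4: 6400000A:0402 412200C0:0050 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0 0 0 0 0
EOF

# Classify a port number with the RFC 1700 ranges the article quotes.
port_class() {
    if [ "$1" -ge 1 ] && [ "$1" -le 1023 ]; then echo well-known; else echo registered; fi
}

# Turn one "XXXXXXXX:PPPP" field into dotted-quad:port. The address is a
# little-endian 32-bit word, so the first hex byte is the last octet.
decode_endpoint() {
    h=${1%%:*}; p=${1##*:}
    o1=${h#??????}
    t=${h#????}; o2=${t%??}
    t=${h#??};   o3=${t%????}
    o4=${h%??????}
    printf '%d.%d.%d.%d:%d\n' $((0x$o1)) $((0x$o2)) $((0x$o3)) $((0x$o4)) $((0x$p))
}

# One line per LISTEN or ESTABLISHED socket: STATE LOCAL REMOTE.
tcp_sockets() {
    tail -n +2 "$1" | while read -r _sl laddr raddr st _rest; do
        case $st in
            0A) state=LISTEN ;;
            01) state=ESTABLISHED ;;
            *)  continue ;;             # TIME_WAIT and other transient states
        esac
        printf '%s %s %s\n' "$state" "$(decode_endpoint "$laddr")" "$(decode_endpoint "$raddr")"
    done
}

# Sorted, space-separated list of the ports the host is listening on.
listening_ports() {
    tcp_sockets "$1" | awk '$1 == "LISTEN" { n = split($2, a, ":"); print a[n] }' | sort -n -u | paste -s -d ' ' -
}

# Human-readable inventory: what is listening and in which range each port
# falls, then live sessions, which show the client's ephemeral port.
inventory() {
    for p in $(listening_ports "$1"); do
        printf 'listening on TCP %-5s  %s port\n' "$p" "$(port_class "$p")"
    done
    tcp_sockets "$1" | awk '$1 == "ESTABLISHED" { print "session   ", $2, "->", $3 }'
}

inventory "${1:-$SAMPLE_TCP}"
```

Run it as sh inventory.sh /proc/net/tcp on the server to see the live picture; every port in the listening list is one you are either serving deliberately or should trace back to a stand-alone or xinetd service and disable. This script only covers TCP (UDP lives in /proc/net/udp, same layout) and does not name the owning process; that mapping is made by matching the inode column against the /proc/<pid>/fd entries, which is what netstat -p does for you.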
Hardening using Bastille
Bastille is an open source program that facilitates the hardening of a Linux
system. It performs many of the tasks discussed in this article, including
downloading operating system updates and disabling services and ports that are
not required for the system’s job functions. The program also offers a wider
range of additional services, from installing a firewall (ipchains) to
implementing secure shell (SSH). Bastille is powerful and can save
administrators time from configuring each individual file and program
throughout the operating system. Instead, the administrator answers a series of
Yes and No questions through an interactive text-based interface. The program
automatically implements the administrator’s preferences based on the answers
to the questions. Bastille is written specifically for Red Hat Linux and
Mandrake Linux, but can be easily modified to run on most Unix flavors. The
specific Red Hat/Mandrake content has been generalized, and the hard-coded
filenames are now represented as variables. These variables are set
automatically at runtime. You can download Bastille at
http://www.bastille-linux.org/
Logging Your Configurations in Bastille
As with many security programs, Bastille
is relatively simple to implement, but it’s easy to lose track of the changes
you implemented. This can be a problem if you are unable to perform a typical
operation on the system, or are denied access to a command or service. Many
times, it is because you locked down part of the system by mistake, or misjudged
the impact of a particular Bastille choice.
It is always a good idea to create a hard-copy log of the options you select in
Bastille, or any security configurations you implement on your system. When you
configure Bastille on your systems, use the Bastille log included in Appendix A
of this book. It includes each configuration question and an area for your
manual input. Make copies of Appendix A, fill out the table during
configuration, and keep the hard copies in a safe place.
If your system goes down, you can access the hard
copies and recreate your Bastille configurations. Of course, if your system
became unusable due to Bastille, it will help you determine what went wrong.
This is especially helpful if you are unable to access the /root/Bastille/
config file, which saves the administrator’s preferences based on the answers to
the Bastille questions.
Controlling and Auditing Root Access with Sudo
Superuser Do (sudo) is an open source security tool that allows an
administrator to give specific users or groups the ability to run certain
commands as root or as another user. The program can also log commands and
arguments entered by specified system users. The developers of sudo state that
the basic philosophy (www.courtesan.com/sudo/readme.html) of the program is to
give as few privileges as possible but still allow people to get their work
done. Sudo was first released to the public in the summer of 1986, and Todd
Miller of Courtesan Consulting currently maintains the program and distributes
it freely under a BSD-style license. The Sudo Main Page is located at
http://www.courtesan.com/sudo.
Because sudo logs all commands run as root (or specified otherwise), many
administrators use it instead of using the root shell. This allows them to log
their own commands for troubleshooting and additional security. The ticketing
system is ideal because if the root user walks away from the system while still
logged in (a very bad idea), another user cannot access the system simply
because he or she has physical access to the keyboard. After the ticket
expires, users must log on to the system again. A shorter time is recommended,
such as the default five minutes. The ticketing system also allows users to
remove their ticket file.
The Sudo Command
The sudo command allows a user to execute a command as a superuser or another
user. All configurations for sudo are written to the /etc/sudoers file. The
sudoers file specifies whether that command is allowed by that particular user.
In order to use sudo, the user must have already supplied a username and
password. If a user attempts to run the command via sudo and that user is not
in the sudoers file, an e-mail is automatically sent to the administrator,
indicating that an unauthorized user is accessing the system.
Once a user logs in to sudo, a ticket is issued that is valid by default for
five minutes. A user can update the ticket by issuing the -v flag, which will
validate the ticket for another five minutes. The command is entered as
follows:
sudo -v
If an unauthorized user runs the -v flag, an e-mail will not be sent to the
administrator. The -v flag informs the unauthorized user that he or she is not
a valid user. If the user enters a command via sudo anyway, an e-mail will then
be sent to the administrator. Sudo logs login attempts, successful and
unsuccessful, to the syslog(3) file by default. However, this can be changed
during sudo configuration.
Often used flags on sudo are:
-V (Version): Prints the version number and exits.
-l (List): Lists the commands that are allowed and denied for the current user.
-h (Help): Prints a usage message and exits.
-v (Validate): Updates the user’s ticket for a configured amount of time
   (default is five minutes).
-k (Kill): Expires the user’s ticket. Completing this option requires the user
   to re-enter the user password to update the ticket.
-K (Sure kill): Removes the user’s ticket entirely. The user must log in with
   username and password after running this option.
-u (User): Runs the specified command as the username specified. The user
   specified can be any user except root.
Managing Your Log Files
Another aspect of system security is managing your log files. By default,
Linux offers modest logging so that administrators can see who and what has
accessed their system. More logging is available (both more detail and logging
on more services), but Linux keeps it brief so that you don’t fill your hard
disk with log information. This section briefly discusses helpful commands and
programs that provide access to system logs. Linux offers commands that allow
administrators to access useful log files. Two commands of interest are last
and lastlog. The messages file also offers useful data for determining possible
security breaches on your system. The last command displays data such as who
is logged on to the system, who recently logged on, and when the system has
rebooted.
The lastlog command displays the users and services that have accounts on your
machine. It lists the last time each account logged in to the system, or if the
account has ever logged in. Each service in Linux is given an account. This is
very helpful because if a service logged in without your knowledge, a hacker
may be responsible. This would indicate that the hacker controls your system
and is currently exploiting it. It could also mean that another administrator
started the service without telling you.
The messages file is a log file that displays a list of recent activity on the
system. For example, it lists if a password was changed and who changed it. It
identifies when a user session opens and closes. It also lists the time and
date each event took place. It can be viewed by entering the following command:
tail /var/log/messages
If you prefer a GUI to view your log files, a program
called SWATCH allows an instant and real-time display for various log files. It
can view any log files you specify and is discussed in the next section. The
Linux logs should be checked frequently to determine if any security violations
have occurred on your system. Logs do not offer solutions, so you must analyze
the data and decide how to counteract the attack.
Using Logging Enhancers
Logging enhancers are tools that simplify logging by allowing logging
information to be filtered and often displaying logs in simplified formats.
Many open source logging programs exist to make system administration much
easier. Viewing text-based files with hundreds or thousands of entries can be
burdensome, especially if you are only looking for one specific error entry.
Logging enhancers can make logging a much more user-friendly experience, and
greatly expand and customize the information you need to log. The next sections
briefly explain three popular logging services used by administrators: SWATCH,
scanlogd, and the next generation of syslogd (syslogd-ng).
SWATCH
Simple WATCHer or Simple WATCHdog (SWATCH) is an open source package that
allows administrators to efficiently monitor system activity. It can monitor
events on a system, or a large number of systems, by monitoring system logs for
specified events. SWATCH’s main function is to monitor messages actively as
they are written to log files through the Unix syslog utility. SWATCH requires
Perl 5 to function. SWATCH is efficient because it allows administrators to
modify the SWATCH configuration file (/etc/swatchrc) to filter logging entries
and respond to certain events. For example, SWATCH can monitor the system for
bad login attempts, and e-mail the administrator whenever this failed
authentication event occurs. It can monitor and alert when system halts and
reboots occur, when a user upgrades to root using the su command, when the file
system is full, and when someone is sniffing the system. It can monitor
anything desired from the log files.
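The script below is an added example, not SWATCH itself and not code from the original article: a small watcher in the spirit of a swatchrc rule set, run over constructed /var/log/messages-style lines. It flags the events the SWATCH section lists (failed logins, su to root, someone sniffing the system) plus the "user NOT in sudoers" record from the sudo section, and separately extracts the commands sudo logged, which is the audit trail the sudo section says administrators rely on. The hostname, users, paths and line formats in the sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: filter a syslog-style
# log down to the security events worth acting on, and pull out sudo's own
# record of which user ran which command as root. Sample lines are constructed.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 mail sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/messages
Mar  3 10:02:45 mail sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:07 mail login[1422]: FAILED LOGIN 1 FROM (null) FOR carol, Authentication failure
Mar  3 10:03:20 mail su(pam_unix)[1430]: session opened for user root by dave(uid=500)
Mar  3 10:04:00 mail kernel: device eth0 entered promiscuous mode
Mar  3 10:05:00 mail sshd[1500]: Accepted password for alice from 10.0.0.7 port 1025 ssh2
EOF

# watch_log FILE: print a tagged line for every event of interest; all other
# lines are dropped, which is what turns a busy log into something readable.
# Use "-" as FILE to read a pipe, e.g.  tail -f /var/log/messages | watch_log -
watch_log() {
    awk '
        /user NOT in sudoers/          { print "ALERT  sudo-unauthorized: " $0; next }
        /FAILED LOGIN/                 { print "ALERT  failed-login:      " $0; next }
        /entered promiscuous mode/     { print "ALERT  sniffer-active:    " $0; next }
        /session opened for user root/ { print "NOTICE su-to-root:        " $0; next }
    ' "$1"
}

# sudo_commands FILE: "user command" for each command sudo actually ran.
# Field 6 is the user name that follows "sudo:"; the command is whatever
# follows COMMAND=. Rejected attempts are excluded (watch_log reports those).
sudo_commands() {
    awk '/ sudo: / && /COMMAND=/ && !/NOT in sudoers/ {
        user = $6
        sub(/.*COMMAND=/, "")
        print user, $0
    }' "$1"
}

# alert_count FILE: number of ALERT lines, handy for a cron summary.
alert_count() {
    watch_log "$1" | grep -c '^ALERT'
}

echo "== events =="
watch_log "$SAMPLE_LOG"
echo "== sudo audit =="
sudo_commands "$SAMPLE_LOG"
echo "alerts: $(alert_count "$SAMPLE_LOG")"
# In production the ALERT lines would be piped to mail rather than echoed,
# which is the e-mail action the article attributes to SWATCH.
```

The patterns are the rule set; add one awk line per event you care about, in the same way a swatchrc gains a watchfor entry. The sudo audit line shows why the article prefers sudo to a root shell: the log records who ran what, whereas a shared root login records nothing per person.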
Scanlogd
Scanlogd is an open source
program that detects and logs TCP-port scanning on a system. For example, it can
detect nmap scans. Nmap is a program used by hackers to create a map of your
network. It is often the first step a hacker takes once he or she has access to
your network to determine which system to hack. Nmap lists the systems and the
services on the network. Scanlogd can alert an administrator when the network is
being mapped, but it cannot stop the intrusion.
Scanlogd was originally
designed to illustrate attacks, not to fix them. Therefore, even though it is
safe to run on your system, it does not prevent hacking attacks. You must read
the system log to discover what happened to your system, and then determine the
appropriate solution.
Scanlogd writes one line per scan using the syslog(3) mechanism. It also logs
when a source address sends many packets to several different ports in a short
amount of time. You can learn about scanlogd and download the program at
www.openwall.com/scanlogd. Because scanlogd is only meant to detect scans, it
is totally safe to run on your system. It must have access to raw IP packets to
function, and can capture packets coming in and out of the system interface, or
across the network to which the system is attached. In addition, scanlogd v2
supports the raw socket interface on libnids, libpcap, and Linux.
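As an added example that is not code from the original article or from scanlogd, the script below implements the detection rule the paragraph above describes, one source sending packets to several different ports within a short time, over a constructed log of packet-filter events. The input format (epoch seconds, source address, destination port), the threshold and window values, and the addresses are all assumptions made for this example; scanlogd itself works from raw packets rather than a log file.

```shell
#!/bin/sh
# Added example, not code from the original article: flag a source address
# that touches many distinct destination ports inside a short window, the
# behaviour scanlogd is described as logging. Input lines are constructed:
# "epoch_seconds source_ip destination_port".

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1000 10.0.0.5 22
1000 10.0.0.5 23
1001 10.0.0.5 25
1001 10.0.0.5 80
1002 10.0.0.5 110
1003 10.0.0.5 143
1050 192.168.1.9 80
1051 192.168.1.9 80
1052 192.168.1.9 443
1100 10.0.0.5 3306
EOF

# detect_scans FILE MIN_PORTS WINDOW_SECONDS
# Prints one line per source that reached at least MIN_PORTS distinct
# destination ports within any WINDOW_SECONDS span, reporting the first window
# that crossed the threshold. Repeats to the same port (a legitimate client
# reconnecting) count once, so 192.168.1.9 in the sample does not trigger.
detect_scans() {
    sort -k2,2 -k1,1n "$1" | awk -v need="$2" -v win="$3" '
    {
        n[$2]++
        ts[$2, n[$2]] = $1
        pt[$2, n[$2]] = $3
    }
    END {
        for (src in n) {
            for (i = 1; i <= n[src]; i++) {
                split("", seen); cnt = 0          # distinct ports in this window
                for (j = i; j <= n[src] && ts[src, j] - ts[src, i] <= win; j++)
                    if (!(pt[src, j] in seen)) { seen[pt[src, j]] = 1; cnt++ }
                if (cnt >= need) {
                    printf "scan from %s: %d distinct ports within %ds starting at %s\n", src, cnt, win, ts[src, i]
                    break
                }
            }
        }
    }'
}

detect_scans "$SAMPLE_LOG" 5 10
```

Like scanlogd, this only reports; the output is something to read and act on, not a block. The threshold and window are the two knobs that trade false positives (a busy legitimate client) against missed slow scans, and the sliding window rather than a fixed per-minute bucket is what keeps a burst that straddles a boundary from being split in two.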
Syslogd-ng
Syslogd-ng is a logging daemon that is the replacement for the traditional
syslogd. The ng is an acronym for next generation. The original syslogd was the
general Unix logging daemon that handled requests for syslog services, but was
difficult to configure. Syslogd-ng is easier to configure and offers additional
logging features, such as more configurations. For example, syslogd-ng allows
administrators to filter messages based on priority, as well as the content of
the messages. You can also forward logs on TCP, sort logs to different
destinations, and create a direct log stream to various hosts. It will
eventually support log files that are protected with hash encryption.
Syslogd made it difficult to choose only the important messages. The reason is
that messages are sent to different destinations depending on the assigned
facility/priority pair. These destinations are very broad, and include general
facilities such as mail, news, auth, and so forth, and priorities ranging from
alert to debug. Many programs use the facilities, so many unneeded messages are
written to their logs. In many cases, the message and the facility are not even
related. Syslogd-ng filters messages based on message content in addition to
the facility/priority pair. Using this method, only the messages that are
needed are logged. Syslogd-ng has been tested on Linux, BSDi, and Solaris. At
the time of this writing, the latest stable version was 1.4.17. You can learn
more about syslog-ng and download it from the Balabit site at
http://www.balabit.com/downloads/syslog-ng/downloads. The site also contains
information on installing and configuring the service.
Last Words
This article covered the very basics of hardening a server to avoid security
vulnerabilities using Linux. The main sections covered disabling unnecessary
services, locking down ports, Bastille, sudo, and logging enhancers. It is
extremely important to install the latest updates to the operating system,
which fix many security vulnerabilities and bugs, before you install any
programs. Many services provided with operating systems are not required and
can be removed. The key to remember is that the fewer services running, the
less potential vulnerability. TCP/UDP ports were covered in this article, and
how each port is used by specific services. If you block ports on your server,
you block the services that use those ports. Locking down ports is an excellent
way to reduce exploitations of your system.
Maintaining your server involves downloading service packs and updates, and
requires regularly installing bug fixes, security patches, and software
updates. These items are available through the operating system vendors, as
well as the specific vendors that created the software that you implement.
Bastille is an open source program that facilitates the hardening of a Linux
system. It performs many of the tasks listed previously, including downloading
operating system updates and disabling services and ports that are not required
for the system’s job functions. Bastille is powerful and can save
administrators time from configuring each individual file and program
throughout the operating system. Instead, administrators answer a series of Yes
and No questions through an interactive text-based interface. The program
automatically implements the administrators’ preferences based on the answers
to the questions.
Superuser Do (sudo) is an open source security tool that allows an
administrator to give specific users or groups the ability to run certain
commands as root or as another user. The program can also log commands and
arguments entered by specified system users. The developers of sudo state that
the basic philosophy (www.courtesan.com/sudo/readme.html) of the program is to
give as few privileges as possible, but still allow people to get their work
done.
Logging enhancers are tools that simplify logging by allowing logging
information to be filtered and often displaying logs in simplified formats.
Many open source logging programs exist to make system administration easier.
You were introduced in this article to SWATCH, scanlogd, and syslog-ng.
SWATCH is an open source package that allows administrators to
efficiently monitor system activity. It can monitor events on a system, or a
large number of systems, by monitoring system logs for specified events.
SWATCH’s main function is to monitor messages actively as they are written to
log files through the Unix syslog utility.
Scanlogd is an open source
program that detects and logs TCP-port scanning on a system. Scanlogd can alert
an administrator when the network is being mapped, but it cannot stop the
intrusion.
Syslogd-ng is a logging daemon that is the replacement for the traditional
syslogd. The ng is an acronym for next generation. The original syslogd was the
general Unix logging daemon that handled requests for syslog services, but was
difficult to configure. Syslogd-ng is easier to configure and offers additional
logging features, such as more configurations. For example, syslogd-ng allows
administrators to filter messages based on priority, as well as the content of
the messages.