A Linux User Reference

SECURITY

Hardening

  • Linux hardening
    • Hardening is the process of restricting access to a host be it via a network or at the local user level.
    • It can also incorporate limiting the amount of damage caused if the system is exploited.
    • There is no hard and fast rule as to how to achieve this.

    You could customise the kernel so that only the required modules are supported, and build those into the kernel. This negates the need to load modules, thereby removing an attack vector (e.g. an attacker loading a rootkit as a module).

    However, this creates issues for upgrades, maintenance, kernel size, applications that rely on module loading, enhancements ... Such issues are not insurmountable but they do increase complexity, require low-level skills and invariably cost more.

    A compromise is usually made.

    In general, hardening involves at least:

    • Keeping binaries up-to-date, specifically security fixes
    • Disabling all unnecessary services and ports
    • Restricting user access, including root
    • Controlling user and system resources
    • Enabling appropriate logging

    Once hardened, other software can be installed, such as (Network) Intrusion Detection Systems (IDS), log enhancement software, attack response software, port-knocking ...

  • SELinux

    Many Linux distributions now come with SELinux (Security Enhanced Linux) and Novell AppArmor.

    Non-SELinux security models are based on Discretionary Access Control (DAC), where tools and conventions work together; these include user and group file ownership and permissions. However, since they are not enforced from a central point, the model can start to fall apart once an attacker has gained access to a process via an exploit, slack access controls or the like.

    SELinux implements Mandatory Access Control (MAC).

    • MAC is a kernel facility that restricts user mode programs to the minimum amount of kernel privileges needed for them to run properly.
    • What privileges a user mode program gets is based on its policy.
    • Enforcement of these policies is done by the kernel, so unless the kernel itself is compromised, it is not possible for a compromised/exploited piece of software to access resources outside of its context.

    Novell AppArmor

    A facility that protects applications from their own vulnerabilities by confining what each application is allowed to do. Novell calls this 'immunising'.

    Candidate applications for AppArmor immunisation include those that grant privileges, open ports, run as servers and cron jobs.

  • Keeping binaries up-to-date
    • Binaries generally require updating because of software bug(s) or security issues.
    • Most distributions separate security fixes and 'bug' fixes.
    • Bug fixes rectify a problem with an application's functionality.
    • A security fix fixes a flaw within an application that may be exploited.
    • Most distributions will provide security updates via their package manager.

    So even if the system and its applications are running smoothly (bug free) it is still necessary to apply security fixes/patches. It is also advisable to keep a watchful eye on current (and past) security alerts.

    CERT

    Computer Emergency Response Team (Carnegie Mellon University)

    www.cert.org/contact_cert/certmaillist.php
    Announcements via mailing lists

    CIAC

    Computer Incident Advisory Capability (US Dep. of Energy)

    www.ciac.org/ciac
    Publishes bulletins and C-Notes

    BUGTRAQ

    Hosted by SecurityFocus

    www.securityfocus.com/archive/1
    Full disclosure list via subscription

    REDHAT

    www.redhat.com/security

    Debian

    www.debian.org/security

  • Disable unused ports and services
    • Disabling ports is usually achieved via a firewall - see the section on Firewalls.
    • Which ports to disable depends on the services that the system will provide.

    There are a number of ways to disable a service: if using 'inetd' or 'xinetd', comment out the service in the relevant configuration file; uninstall the service's application; or remove its startup script from the rc.d/ directories using 'chkconfig' and/or 'update-rc.d'.

    Access to running services can be controlled using TCP wrappers or, as with many standalone services, via that service's configuration file and/or its own access control mechanisms.

    Disable telnet - /etc/inetd.conf

    # telnet    stream        tcp     nowait   root     /usr/sbin/tcpd     /usr/sbin/in.telnetd
    

    Disable telnet - /etc/xinetd.d/telnet

    # default: on
    # description: The telnet server serves telnet sessions; it uses
    # unencrypted username/password pairs for authentication.
    service telnet
    {
      disable         = yes
      .....
    

    Restart inetd or xinetd

    The /etc/services file lists the well-known, reserved ports and the services assigned to them. Ports 0-1023 are assumed to be trusted (privileged) ports, so never configure an untrusted network application to use any of them.
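    Added example (not from the original reference): a shell audit that reports which inetd and xinetd services are still enabled, so that anything not on the host's list of required services stands out. It reads an inetd.conf file and an xinetd.d directory whose paths are parameters; the configuration files built by make_sample_config are constructed for the demo, and on a real host the functions would be pointed at /etc/inetd.conf and /etc/xinetd.d.

```shell
#!/usr/bin/env bash
# Added example (not part of the original reference): list the inetd and
# xinetd services that are still ENABLED. The configuration files below are
# constructed for the demo; on a real host point the functions at
# /etc/inetd.conf and /etc/xinetd.d.

# Print the service name of every active (uncommented) entry in an inetd.conf.
enabled_inetd_services() {
    # skip blank lines and comment lines, print the first field (service name)
    awk '/^[[:space:]]*$/ { next } /^[[:space:]]*#/ { next } { print $1 }' "$1"
}

# Print the name of every file in an xinetd.d directory that does not carry
# an uncommented "disable = yes" (xinetd treats a missing line as enabled).
enabled_xinetd_services() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || basename "$f"
    done
}

# Report everything still enabled under a config root; returns 1 if anything
# is, so the check can fail a build or a post-install test.
audit_services() {
    local root="$1" enabled
    enabled=$( enabled_inetd_services "$root/inetd.conf"
               enabled_xinetd_services "$root/xinetd.d" )
    if [ -n "$enabled" ]; then
        printf 'Still enabled:\n%s\n' "$enabled"
        return 1
    fi
    echo "No inetd/xinetd services enabled"
}

# Constructed sample configuration: telnet and finger commented out in
# inetd.conf, ftp and daytime still active; telnet disabled in xinetd.d,
# rsync explicitly enabled, echo enabled by omission of the disable line.
make_sample_config() {
    local root
    root=$(mktemp -d)
    cat > "$root/inetd.conf" <<'EOF'
# /etc/inetd.conf (constructed sample)
# telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp       stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
# finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
daytime   stream  tcp  nowait  root    internal
EOF
    mkdir "$root/xinetd.d"
    printf 'service telnet\n{\n  disable     = yes\n  socket_type = stream\n}\n' > "$root/xinetd.d/telnet"
    printf 'service rsync\n{\n  disable     = no\n  socket_type = stream\n}\n'  > "$root/xinetd.d/rsync"
    printf 'service echo\n{\n  socket_type = stream\n}\n'                      > "$root/xinetd.d/echo"
    echo "$root"
}

sample=$(make_sample_config)
audit_services "$sample" || true    # the sample deliberately fails the audit
```

    The sample reports ftp, daytime, rsync and echo as still enabled; the exit status of audit_services makes it usable as a gate in a build or post-install check.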

  • Restricting local user access

    Files that can control access to a system:

    /etc/nologin

    If the file exists, login will allow access ONLY to root, other users will be shown the contents of this file and their logins will be refused.

    /etc/nologin.txt

    Politely refuse a login. If the file exists, 'nologin' displays its contents to the user instead of the default message.

    pam_nologin

    A PAM module that prevents users from logging into the system when /etc/nologin exists.

    Example usage - /etc/pam.d/login

    auth  required  pam_nologin.so
    

    Restrict root access

    It is generally advisable for root not to have login access. 'sudo' can be used to empower/authorise non-root users to carry out root tasks.

    /etc/sudoers         List of who can run what
    /etc/group           Local groups file
    /etc/netgroup        List of network groups
    

    Set up a mail alias so that no mail is delivered to the root account - /etc/aliases

    root:    mark, jimmy    
    

    Users mark and jimmy will get mail addressed to root, root will not receive any.

    # newaliases            
    

    This must always be run after editing the '/etc/aliases' file.

  • Locate SUID and SGID files

    Where doing so has no impact on required operation, restrict such a file's permissions.

    Find all files that have the SUID bit set, without searching /proc and its subdirectories

    # find / -path '/proc' -prune -or -perm -u+s -ls
    1086450    8 -rwsr-xr-x   1 mark     mark          194 Nov 21 13:50 /home/mark/if_script
      62829   68 -rwsr-xr-x   1 root     root        60432 Oct  8 14:41 /bin/mount
      62843   44 -rwsr-xr-x   1 root     root        40648 Apr  6  2007 /bin/ping
      62821   36 -rwsr-xr-x   1 root     root        30752 Oct 30 17:59 /bin/su
    .....
    

    Find all files that have the SGID bit set, without searching /proc and its subdirectories

    # find / -path '/proc' -prune -or -perm -g+s -ls
    1086449    8 -rwxr-sr-x   1 mark     mark         1194 Nov 21 16:32 /home/mark/getops_script
    1344089   20 -rwx--s--x   1 root     utmp        15912 Sep 22 23:27 /usr/lib64/vte/gnome-pty-helper
    2164386   96 -rwxr-sr-x   1 root     nobody      87160 Mar 20  2007 /usr/bin/ssh-agent
    2163045  316 -rwsr-sr-x   1 root     root       315392 Sep 11 10:14 /usr/bin/crontab
    .....
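    Added example (not from the original reference): the find commands above give a snapshot; what a defender usually wants is to know when a new set-id file appears. The functions below record a sorted baseline of SUID/SGID files under a root and report additions against it. The fake root, the file names and the baseline location used in demo are constructed; on a real host the root would be / (with /proc pruned as above) and the baseline would be kept where local users cannot write.

```shell
#!/usr/bin/env bash
# Added example (not part of the original reference): record a baseline of
# the SUID/SGID files under a directory tree and report anything set-id that
# appears later. The demo tree below is constructed.

# List SUID or SGID regular files below $1, pruning $1/proc, sorted so that
# two runs can be compared line by line.
list_setid_files() {
    local root="$1"
    find "$root" -path "$root/proc" -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Save the current list to the baseline file $2.
record_baseline() {
    list_setid_files "$1" > "$2"
}

# Print set-id files present now but absent from the baseline $2.
# Returns 1 if there are any (something new carries a set-id bit), else 0.
new_setid_files() {
    local added
    added=$(list_setid_files "$1" | comm -13 "$2" -)
    [ -z "$added" ] && return 0
    echo "$added"
    return 1
}

# Constructed demo: a fake root with one expected SUID binary; after the
# baseline is taken, a SUID script appears in a user's home directory.
demo() {
    local root baseline
    root=$(mktemp -d)
    baseline="$root/setid.baseline"      # demo location only
    mkdir -p "$root/bin" "$root/home/mark" "$root/proc"
    printf '#!/bin/sh\n' > "$root/bin/mount";    chmod 4755 "$root/bin/mount"
    printf '#!/bin/sh\n' > "$root/bin/ordinary"; chmod 0755 "$root/bin/ordinary"
    record_baseline "$root" "$baseline"
    printf '#!/bin/sh\n' > "$root/home/mark/if_script"
    chmod 4755 "$root/home/mark/if_script"
    new_setid_files "$root" "$baseline"   # reports .../home/mark/if_script, returns 1
}

demo || true
```

    Run record_baseline once after hardening and new_setid_files from cron; a non-zero exit means a set-id file exists that was not there when the baseline was taken.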
    
  • Controlling resources
    • Users can consume excessive resources resulting in 'denial of service(s)'.
    • Controlling/limiting what resources users are allowed can reduce this possibility.

    Shell resources - ulimit

    • Bash built-in.
    • Provides control over the resources available to the shell and to processes started by it (on systems that allow such control).

      Hard limits

      once set 'cannot' be increased.

      Soft limits

      can be increased up to the value of the hard limit.

    ulimit [-SHacdefilmnpqrstuvx] [limit]
    
    Options:
     -H                Hard limit
     -S                Soft limit
                       If neither '-S' nor '-H' is specified, both are set
     -a                All current limits are reported
     -c                The maximum size of core files created
     -d                The maximum size of a process's data segment
     -e                The maximum scheduling priority ("nice")
     -f                The maximum size of files written by the shell and its children
     -i                The maximum number of pending signals
     -l                The maximum size that may be locked into memory
     -m                The maximum resident set size
     -n                The maximum number of open file descriptors (most systems
                       do not allow this value to be set)
     -p                The pipe size in 512-byte blocks (this may not be set)
     -q                The maximum number of bytes in POSIX message queues
     -r                The maximum real-time scheduling priority
     -s                The maximum stack size
     -t                The maximum amount of cpu time in seconds
     -u                The maximum number of processes available to a single user
     -v                The maximum amount of virtual memory available to the shell
     -x                The maximum number of file locks
    

    Display current (in my case default) shell limits

    $ ulimit -a
    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 20
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 16382
    max locked memory       (kbytes, -l) 64
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 1024
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    real-time priority              (-r) 0
    stack size              (kbytes, -s) 8192
    cpu time               (seconds, -t) unlimited
    max user processes              (-u) unlimited
    virtual memory          (kbytes, -v) unlimited
    file locks                      (-x) unlimited
    
    • Any unlimited setting makes the system more vulnerable to Denial of Service (DoS) attacks.
    • One setting to note is core file size (blocks, -c) 0. If you are running a stable system you should not really need core files; they can always be 'enabled' if the need arises.
    • Core files can increase a system's vulnerability to DoS if their size is not constrained. They also provide a lot of low-level information that may be of use to an attacker.
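    Added example (not from the original reference): because ulimit is a shell built-in, limits set inside a subshell apply only to that subshell and the processes it starts. The functions below use that to confine a single command, and to show the soft/hard rule above in action: a soft limit may be lowered freely but cannot be raised above the hard limit. The limit values (1024 blocks, 2048, 512) are chosen for the demo and are not from any real policy.

```shell
#!/usr/bin/env bash
# Added example (not part of the original reference): apply tighter limits
# inside a subshell so that only one command is confined, and demonstrate
# the soft/hard relationship. Limit values are chosen for the demo.

# Run "$@" with core dumps disabled and a capped output file size (512-byte
# blocks), without changing the limits of the calling shell.
run_confined() {
    (
        ulimit -S -c 0        # this command may not produce core files
        ulimit -S -f 2048     # and may not write files larger than 1 MiB
        "$@"
    )
}

# Show the soft/hard relationship for file size, all inside a subshell:
#   1. set both limits to 1024 blocks (a hard limit below the current soft
#      limit would be rejected, so both are set together);
#   2. try to raise the soft limit above the hard limit - refused, even for root;
#   3. lower the soft limit below the hard limit - always allowed.
# Prints "hard=1024 raise=refused soft=512".
soft_hard_demo() {
    (
        ulimit -f 1024
        hard=$(ulimit -H -f)
        if ulimit -S -f 2048 2>/dev/null; then raise=allowed; else raise=refused; fi
        ulimit -S -f 512
        echo "hard=$hard raise=$raise soft=$(ulimit -S -f)"
    )
}

# The caller's own soft core limit is untouched by run_confined.
caller_core_limit() {
    ulimit -S -c
}

run_confined sh -c 'echo "inside: core=$(ulimit -S -c) fsize=$(ulimit -S -f)"'
soft_hard_demo
echo "outside: core=$(caller_core_limit)"
```

    The same pattern (lower the limits, then exec the service) is what an init script or wrapper uses to keep one daemon from exhausting file descriptors or disk for everyone else.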

    Remove compilers

    Always remove the compiler(s) from any production machine. Usually with Linux, the default is to have 'gcc' installed.

    Mount volumes as noexec

    If certain volumes/filesystems are available to users e.g. an upload directory on a web or ftp server, it is common practice to mount these as 'noexec'. This protects against simple scripted file-drop attacks.

    Further enhancing a 'chrooted' ftp server - /etc/fstab may look something like this (the mount option list must not contain spaces):

    .....
    /dev/sda6      /ftpsvr         ext3       defaults                0       0
    /dev/sda7      /ftpsvr/etc     ext3       noexec,nosuid,ro        0       0
    /dev/sda8      /ftpsvr/bin     ext3       ro                      0       0
    /dev/sda9      /ftpsvr/data    ext3       noexec,nosuid           0       0
    

    Configure appropriate logging

    Enable appropriate logging via syslog or rsyslogd. There are several open source tools that enhance logging, e.g. swatch, scanlogd, ...

  • Some resource related kernel parameters
    • The /proc filesystem is a virtual filesystem held in memory.
    • It is created and updated dynamically during system run time.

    Just a few examples:

    /proc/sys/fs/file-max

    The maximum number of file handles the kernel will allocate.

    # sysctl fs.file-max
    fs.file-max = 198995
    
    /proc/sys/fs/file-nr

    The number of allocated file handles, the number of allocated but unused file handles and the maximum number of file handles.

    # sysctl fs.file-nr
    fs.file-nr = 5376   0    198995
    
    /proc/sys/kernel/modprobe

    The path of the program to use when a thread calls 'kmod' to load a kernel module - default is '/sbin/modprobe'.

    If you are paranoid about rootkits and/or do not want modules to be loaded at run time, you can change this value so that 'modprobe' is not found; modules then cannot be loaded.

    Some applications, such as X, may need to load modules to work. You can pre-load these during the boot process using /etc/modules (Ubuntu - this file is distribution/implementation specific) and then, as the last stage of the boot process, change the value of /proc/sys/kernel/modprobe to make it unavailable.

    Enable IP forwarding

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # sysctl -w net.ipv4.ip_forward=1
    

    Anti-spoofing

    for file_name in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $file_name
    done
    
    /proc/sys/net/ipv4/conf# tree -aFf . | grep 'rp_filter' | grep -v arp
    |   |-- ./all/rp_filter
    |   |-- ./default/rp_filter
    |   |-- ./eth0/rp_filter
    |   |-- ./eth1/rp_filter
        |-- ./lo/rp_filter
    
    Other parameters of note:

    ip_dynaddr

    If the firewall uses a dynamic IP address (DHCP, PPP or diald) this should be set to 1.

    tcp_syncookies

    If you are fairly sure that the vast number of connection requests (SYN) are due to a DoS attack (SYN flooding) and the kernel is compiled with CONFIG_SYN_COOKIES (default=0, off), then switching it on (tcp_syncookies=1) acts as a defence but breaks the TCP/IP specifications. Look at the next three parameters to help ...

    tcp_max_syn_backlog

    Sets the maximum number of connections remembered while no ACK has yet been received. Default=1024. Increasing this may help, though it is dependent on the amount of memory.

    tcp_synack_retries

    Number of times the system will attempt to send a SYN+ACK (in response to a SYN). Default=5, approx. 180 seconds. You may want to lower this a bit.

    tcp_abort_on_overflow

    If enabled, the host starts sending RST packets to clients when a service is not accepting new connections. Default=0, off.

    icmp_echo_ignore_broadcasts

    Echo broadcasts are sometimes used in DDoS (distributed denial of service) attacks. All traffic from the external network directed at broadcast addresses on the internal network should be blocked by the firewall. Default=1, on.

  • Set/change kernel parameters

    Via the command line

    # echo <value>  > /proc/sys/net/ipv4/<param file>
                                                             (or)
    # sysctl -w net.ipv4.<param>=<value>
    

    Sets the parameter at runtime.

    Via /etc/sysctl.conf

    net.ipv4.<param>=<value>
    

    Set the parameter during boot.
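    Added example (not from the original reference): setting a parameter is one half of the job; the other is noticing when a host has drifted from the intended values. The functions below compare a desired set of net.ipv4 settings (taken from the discussion above) with a current set in the "key = value" form that sysctl prints, and emit the /etc/sysctl.conf lines needed to correct each deviation. The "current" input in demo is constructed sample output; live_settings reads the real values from /proc/sys for use on an actual host.

```shell
#!/usr/bin/env bash
# Added example (not part of the original reference): compare net.ipv4
# settings against the hardening values discussed above and print, in
# /etc/sysctl.conf form, the lines needed to correct any deviation.

# Desired values (from the discussion above; tune to your own network).
desired_settings() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Read the live value of one parameter from /proc/sys (dots become slashes).
live_value() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && tr '\t' ' ' < "$path"
}

# Emit the live value of every desired key in the same "key = value" form.
live_settings() {
    desired_settings | while read -r key eq val; do
        printf '%s = %s\n' "$key" "$(live_value "$key")"
    done
}

# Compare a desired file ($1) with a current file ($2), both "key = value"
# lines. Print "key=value" for every desired key whose current value differs
# or is missing, ready to append to /etc/sysctl.conf. Returns 1 if any.
sysctl_deviations() {
    awk -F' *= *' '
        NR == FNR      { want[$1] = $2; next }    # first file: desired values
        ($1 in want)   { have[$1] = $2 }          # second file: current values
        END {
            n = 0
            for (k in want)
                if (!(k in have) || have[k] != want[k]) { print k "=" want[k]; n++ }
            exit (n > 0)
        }' "$1" "$2"
}

# Constructed demo: a host with forwarding switched on and rp_filter off in
# the "default" template, everything else as desired.
demo() {
    local want have
    want=$(mktemp); have=$(mktemp)
    desired_settings > "$want"
    cat > "$have" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 1024
EOF
    sysctl_deviations "$want" "$have" | sort
}

demo
```

    The demo prints net.ipv4.conf.default.rp_filter=1 and net.ipv4.ip_forward=0. Against the running kernel, write desired_settings and live_settings to two files and pass them to sysctl_deviations; a non-zero exit means the host has drifted, and the output is exactly what to append to /etc/sysctl.conf.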