Locking Down Linux Mandrake
Author: Ph33r (ph33r@fatelabs.com) Sat June 13 00:39:03 GMT 2001
About Mandrake
Linux Mandrake was first based on the default install of Red Hat. Since Mandrake was launched it has become one of the newbies' favourite systems. When I first started out on Linux, I liked to try a few distributions to see how everything ran, but when I came upon Mandrake I found it one of the easiest systems to learn from. Although Mandrake was born from the roots of RH, they have made many, many changes and added a lot of features.
One thing I do like about the latest releases of Mandrake is their security. Over the last while they have put more emphasis on it, and I see that as a very important aspect of the system. You cannot stress enough the importance of security, and with this in mind, I'll move on to the installation of Linux.

Before Installation
One of the best places to start locking down Linux Mandrake is during the install of the OS. Never trust a previous install; you don't know what it has set up. It is better to start fresh so you can be sure the system is secured.
I have read a previous guide to securing Linux by one Lance Spitzner. I have been a fan of Lance's over the last while; I find his white papers clear and they get straight to the point. In his whitepaper, Armoring Linux, he describes a nice way of setting up your box on an isolated network during the install. Here is a quote from it: "Place your system in an isolated network. At no time do you want to connect this box to an active network nor the Internet, exposing the system to a possible compromise. I personally witnessed a system hacked by a script-kiddie* within 15 minutes of connecting to the Internet." This proves that you cannot stress enough the importance of security, and I think hooking the system up to an isolated network, as he describes, is the best way around it. Once you have the box set up on an isolated network, you are ready to begin.

Now you need to select what packages to install, and Linux Mandrake gives you a nice little list. Near the beginning, the installer prompts you for the type of install you would like. You have a choice of three: Recommended, Customize and Expert. From here I would choose Customize so that you can pick which packages and services are installed. Remember, the fewer services you have running on your system, the better. Holes are being discovered in Linux software every day, so if you want a better chance of not being compromised, don't run services you don't need, such as popd, imapd, ftpd, rsh etc. Choosing this option also lets you decide how your system is partitioned, which is nice :). Depending on what type of system you plan to run, you can change the size of the partitions holding certain directories. If you plan to have a lot of logging, I would make /var about 400-500 MB; that usually covers everything, since all logs are stored in /var/log. If you intend to have a lot of users, meaning a large /home directory, you can increase the size of that too. I would usually set up my partitions as follows:
/ - everything else

After Installation
Now the system should reboot, into either a GUI login or a console (depending on what you chose during the install). I would then go on to downloading the official security patches and updates for known vulnerabilities. You can get these from most Mandrake mirror sites; one nice place to visit is the Mandrake web site itself, and http://www.linux-mandrake.com/en/security/ is a good start :). Lately Mandrake has been including a tool with their latest releases that downloads the latest patches and installs them for you. Mind you, I have never used it myself, but I have seen it on versions such as 7.x.

Basic Lockdown Procedures
One of the most important procedures I find is eliminating services. Once again, Lance Spitzner covers this in his whitepaper, Armoring Linux. OK, once you have downloaded and installed all the patches and rebooted, it's time to get down to doing some basic lockdowns.

It used to be that you had to do all this securing manually, but nowadays there are programs that do it for you. One I found for Red Hat users is Bastille. It was originally going to be a full distribution based on Red Hat, but they ended up designing it as a script that changes the few things that matter on a default Red Hat installation. One handy thing about it is that version 1.1 also supports other distributions, such as Mandrake. When you run Bastille, it asks you a series of questions and gives a reason why each change should be made. Even if you don't plan on running this box as an online server, it is still very handy as it gives you a good idea of what to look out for, security-wise :).

You can also secure your system manually, which I like to do myself. One of the first things I do is check what services are running and shut down the ones that are not needed. Every extra service is another potential way in, and the usual suspects are popd, imapd, rsh, ftpd etc. as explained above. Beyond eliminating services you can also add logging, tweak certain files, set up firewall rules and, if you wish, use TCP Wrappers (the /usr/sbin/tcpd you see in inetd.conf).

Firstly, eliminating services. By default Linux comes with a lot of very useful services, but many of them aren't needed, and most of the time they are a security risk. One of the first places to start is /etc/inetd.conf, the configuration file for the inetd daemon (/usr/sbin/inetd), which starts network services such as ftp, telnet, pop and imap on demand. Most of the time the only two you might still want are telnet and ftp, and even those should go once SSH is set up (see below). The rest can be disabled by adding a # at the beginning of the line; afterwards restart inetd with killall -HUP inetd so the change takes effect. As mentioned earlier, a lot of these services are a major security risk, popd, imapd, rsh and ftpd being the worst offenders. There is also a service that replaces both ftp and telnet and is far more secure: SSH. It encrypts the whole connection, so sniffers on the network cannot pick up passwords. If you're interested in setting up SSH, which I strongly recommend, check out the paper on installing sshv2 written by Markus Delves, a self-taught hacker in his teens. I know telnet is everywhere nowadays and that is why so many people run it; they like being able to log in from remote locations, but it is highly insecure. There are many SSH clients for Windows, both free and commercial. One excellent commercial client is SecureCRT; if you would rather go the free route, there is a nice terminal program called PuTTY. With all these clients around, there is no reason to leave telnet or ftp running ;). One handy command is grep -v "^#" /etc/inetd.conf, which shows the services that are left uncommented, i.e. still enabled.

After editing /etc/inetd.conf, the next stop is the rc scripts. For Red Hat and Mandrake these live in /etc/rc.d/rc3.d; if the system boots straight into a graphical login (KDE or GNOME, runlevel 5), look in /etc/rc.d/rc5.d instead. The entries there are links to the scripts in /etc/rc.d/init.d: those beginning with S start a service when the runlevel is entered, and those beginning with K kill one that is already running. To stop a service from starting at boot, just rename its link so that the leading capital S becomes a lowercase s. rc only runs entries that begin with S or K, so the script is skipped, and renaming it back re-enables it. If you want a list of all the services, look in /etc/rc.d/init.d. Remember, if you don't need the script, turn it off, as it can be a security risk. A handy check is to count what you have running with ps -aux | wc -l before editing the rc scripts, then run it again after the next boot and compare the results :)
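To put the service-trimming steps above into practice, here is an added shell example (my own, not code from the paper or from Bastille). It audits /etc/inetd.conf the way grep -v "^#" does, comments out everything except the services you name, and disables an rc start link by lowercasing its S. The ROOT prefix, the make_fixture function and the sample inetd.conf and rc3.d entries are assumptions constructed for illustration; on a real box you would set ROOT=/ and run as root.

```shell
#!/bin/sh
# Added example (not from the original paper): audit and trim the inetd and
# rc-script services. ROOT is a hypothetical prefix so the functions can be
# exercised against a scratch copy of /etc; set ROOT=/ (and be root) to work
# on the live system.
ROOT="${ROOT:-/tmp/mdk-lockdown}"

# Constructed sample of a Mandrake 7.x-style /etc/inetd.conf and /etc/rc.d/rc3.d.
make_fixture() {
    mkdir -p "$ROOT/etc/rc.d/rc3.d"
    cat > "$ROOT/etc/inetd.conf" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    for s in S10network S40portmap S60nfs S85httpd S99local; do
        : > "$ROOT/etc/rc.d/rc3.d/$s"
    done
}

# What inetd will actually start: the same idea as  grep -v "^#" /etc/inetd.conf
# but printing only the service names, one per line.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$ROOT/etc/inetd.conf" | awk 'NF { print $1 }'
}

# Comment out every inetd service except the ones named as arguments, keeping
# a backup in inetd.conf.orig. On a live box follow with: killall -HUP inetd
keep_only_inetd() {
    conf="$ROOT/etc/inetd.conf"
    cp "$conf" "$conf.orig"
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        ($1 in ok)                  { print; next }
                                    { print "#" $0 }
    ' "$conf.orig" > "$conf"
}

# Stop a service from starting in a runlevel by turning the leading S of its
# link into a lowercase s: rc only runs S* and K* entries, so the renamed link
# is ignored but can be put back with one mv. Returns 1 if nothing matched.
disable_rc_script() {
    dir="$ROOT/etc/rc.d/rc$1.d"
    for f in "$dir"/S*"$2"; do
        [ -e "$f" ] || return 1
        base=$(basename "$f")
        mv "$f" "$dir/s${base#S}"
    done
}

# Names of the start links still active in a runlevel.
enabled_rc_scripts() {
    ls "$ROOT/etc/rc.d/rc$1.d" | grep '^S'
}
```

Run make_fixture, then keep_only_inetd ftp telnet and disable_rc_script 3 portmap, and compare active_inetd_services and enabled_rc_scripts 3 before and after; the .orig backups let you undo an over-eager edit.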
Setting up your Firewall Rules
Bastille, as explained earlier in this paper, is a great little tool to use. It also creates a basic set of rules that can be used as a firewall. If you would like to use that method, go ahead, but I prefer using PMFirewall.

PMFirewall basically does the same as Bastille: it prompts you with a few questions about which services you want to let through the firewall and builds the rules for you. One important thing to remember is that every service you let through is open to people on the Internet. Blocking a service at the firewall doesn't mean you can't still reach it from your LAN (Local Area Network), as long as your rules allow the local network. With this in mind, let me move on to logging and some basic tweaking.
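For readers who want to see what a ruleset like the one Bastille or PMFirewall writes actually looks like, here is an added example (mine, not the paper's, and not output from either tool). It assumes a 2.2 kernel with ipchains, as shipped with Mandrake 7.x; the interface names eth0 (Internet) and eth1 (LAN), the LAN address 192.168.1.0/24 and SSH on 22/tcp as the only public service are assumptions made for illustration. firewall_rules prints the commands so you can read them before apply_firewall runs them as root.

```shell
#!/bin/sh
# Added example (not from the original paper, nor PMFirewall's or Bastille's
# own output): a minimal default-deny ipchains ruleset of the kind those tools
# generate for a 2.2-kernel Mandrake box. Assumed names: eth0 faces the
# Internet, eth1 the LAN 192.168.1.0/24, and SSH (22/tcp) is the only service
# deliberately exposed to the outside. Override via the environment.
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-22}"

# Print the rules rather than run them, so they can be reviewed (or checked by
# a test) first; apply_firewall pipes them into sh as root.
firewall_rules() {
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
# loopback is always allowed
ipchains -A input -i lo -j ACCEPT
# the LAN may reach everything: services hidden from the Internet stay usable here
ipchains -A input -i $LAN_IF -s $LAN_NET -j ACCEPT
# packets from outside claiming a LAN or loopback source are spoofed: log and drop
ipchains -A input -i $EXT_IF -s $LAN_NET -l -j DENY
ipchains -A input -i $EXT_IF -s 127.0.0.0/8 -l -j DENY
# replies to connections this box started: TCP without SYN, and UDP from port 53
# (anyone can use source port 53; narrow -s to your resolver's address if you can)
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp -j ACCEPT
EOF
    # the services you chose to expose; nothing else gets a new connection in
    for port in $PUBLIC_TCP_PORTS; do
        echo "ipchains -A input -i $EXT_IF -p tcp -d 0/0 $port -j ACCEPT"
    done
    cat <<EOF
# log and deny every other incoming connection attempt, then anything left over
ipchains -A input -i $EXT_IF -p tcp -y -l -j DENY
ipchains -A input -i $EXT_IF -l -j DENY
EOF
}

# Run the rules (needs root and an ipchains kernel).
apply_firewall() {
    firewall_rules | sh
}
```

Because the default input policy is DENY and new TCP connections (-y, SYN) from the outside are only accepted on the listed ports, a service you forgot to turn off is still unreachable from the Internet, while the LAN rule keeps it usable locally, which is exactly the point made above.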
Logging and some tweaking
Now you should be running very few services, a firewall and some basic security on the system. The next thing is to set up logging so you can see if anyone tries anything against the box. By default Linux puts all its logs in /var/log, everything except ftp sessions. For logging ftp you have two options, as described in Lance Spitzner's paper: edit /etc/ftpaccess, or edit /etc/inetd.conf. After reading Lance's section on Logging and Tweaking, I have come to the conclusion that his way is one of the best and easiest for newbies to understand. In /etc/inetd.conf, scroll down to the ftp line and add the flags -l -L -i -o at the end. If you have done it correctly you should have:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o

With wu-ftpd, -l logs each session, -L logs every command, -i logs uploads and -o logs downloads, all through syslog. Send inetd a HUP (killall -HUP inetd) and ftp logging is enabled.

Now that logging is running, the next step is tweaking some files. We want to make sure that files which should only be viewed or edited by root have their permissions set correctly. /etc/passwd is the database of user accounts, and historically it held the password hashes too, which is a problem because it has to be world-readable: anyone on the box could copy the hashes and crack them. Shadow passwords move the hashes into /etc/shadow, readable only by root, and they are the default on Red Hat, Mandrake and most other distros nowadays. To make sure, su/log in as root and run pwconv; it moves any hashes still in /etc/passwd into /etc/shadow. The next step is removing the unused default accounts the system sets up during install. Accounts such as news are useless if you are not running a news server. Sort through /etc/passwd and remove any accounts that are not necessary. Once you have removed unwanted accounts, make sure you have also removed the account ftp, as it is the anonymous ftp account. Also, as pointed out in Lance's paper, you might want to edit /etc/cron.hourly since it looks for the user news.

Next, edit /etc/ftpusers. This file lists accounts that are not allowed to use the ftp service. By default root is usually already in it, so no one can log in as root through ftp; this is handy, as it stops sniffers grabbing the root password. If you want an account to have ftp access, make sure it is not in this file and it will be able to use ftp fine. Since root is blocked from ftp, you will also want to stop root from logging in via telnet. Allowing root to log in over telnet is one of the most stupid things that I have come across. Anyone that allows it seriously needs their head checked, but I'm not here to tell you what you can and cannot do, so it's up to you at the end of the day. If you would like to stand a better chance of not being compromised, remove ftp, telnet and the like from root entirely; we do not want someone brute forcing the root account and getting in :) (hopefully). Once root is removed from these services, a user has to log in as themselves and then su to root, provided they are in the wheel group.

/etc/securetty lists the ttys root may log in on. Leave in the local virtual consoles (tty1, tty2 and so on) but remove every ttyp entry if that is not already done: the ttyp devices are the pseudo-terminals handed out to telnet and rlogin sessions. That way root can log in locally but not remotely, which also stops people sniffing the root password. As an extra warning to users who connect, you can also edit /etc/issue, the banner shown before the login prompt (telnet shows /etc/issue.net instead). By default it usually contains the distribution name and release and the kernel version. It is handy to edit that out so they can't tell what you are running unless they use a stealth scanner such as nmap or sscan. Here is an example of /etc/issue:
/etc/issue
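The logging and tweaking section above as a set of repeatable checks, added here as an example of my own (not code from the paper). It adds the wu-ftpd logging flags to the ftp line, reports accounts still carrying a hash in /etc/passwd (meaning pwconv has not been run), lists default daemon accounts you might remove, manages /etc/ftpusers and strips the ttyp entries from /etc/securetty. The ROOT prefix, make_fixture and the sample passwd, ftpusers, securetty and inetd.conf contents are constructed assumptions; set ROOT=/ and run as root to apply the changes for real.

```shell
#!/bin/sh
# Added example (not from the original paper): the logging and account tweaks
# as checks you can run and re-run. ROOT is a hypothetical prefix so the
# functions can be tried on a scratch copy of /etc; set ROOT=/ and run as root
# for the real thing.
ROOT="${ROOT:-/tmp/mdk-lockdown}"

# Constructed sample files standing in for a fresh install.
make_fixture() {
    mkdir -p "$ROOT/etc"
    cat > "$ROOT/etc/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
    cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
news:x:9:13:news:/var/spool/news:
ftp:x:14:50:FTP User:/home/ftp:
alice:$1$Xk2h$rZc9d1b0y3QJ8Pv7W2eKH0:500:500:Alice:/home/alice:/bin/bash
EOF
    printf 'root\nbin\n' > "$ROOT/etc/ftpusers"
    printf 'tty1\ntty2\ntty3\nttyp0\nttyp1\nttyp2\n' > "$ROOT/etc/securetty"
}

# Add wu-ftpd's -l -L -i -o (log sessions, commands, uploads, downloads) to the
# ftp line if not already present. On a live box follow with: killall -HUP inetd
enable_ftp_logging() {
    conf="$ROOT/etc/inetd.conf"
    cp "$conf" "$conf.orig"
    awk '$1 == "ftp" && index($0, " -l") == 0 { print $0 " -l -L -i -o"; next }
         { print }' "$conf.orig" > "$conf"
}

# Accounts whose password field is not the "x" that marks a shadowed entry,
# i.e. a hash (or nothing at all) still sits in world-readable /etc/passwd.
# An empty list means pwconv has done its job.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$ROOT/etc/passwd"
}

# Default daemon accounts that are present but only useful if you run that
# service; remove the ones you do not need with userdel.
removable_default_accounts() {
    for name in news ftp gopher uucp games; do
        grep -q "^$name:" "$ROOT/etc/passwd" && echo "$name"
    done
    return 0
}

# Is this user refused by in.ftpd? (/etc/ftpusers holds one name per line)
ftp_blocked() {
    grep -qx "$1" "$ROOT/etc/ftpusers"
}

# Deny a user ftp access, without adding a duplicate line.
block_ftp_for() {
    ftp_blocked "$1" || echo "$1" >> "$ROOT/etc/ftpusers"
}

# Keep only the local virtual consoles (tty1..ttyN, or vc/N on devfs) in
# /etc/securetty so root cannot log in over telnet/rlogin pseudo-terminals
# (ttyp*, pts/*) and must log in as a normal user and su.
securetty_local_only() {
    f="$ROOT/etc/securetty"
    cp "$f" "$f.orig"
    grep -E '^(tty|vc/)[0-9]+$' "$f.orig" > "$f"
}
```

Each function is idempotent, so the whole set can be re-run after an upgrade to confirm nothing has crept back; securetty_local_only in particular is worth repeating, since a package that rewrites /etc/securetty can silently re-enable remote root logins.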

Conclusion
In this paper we have covered only a small part of securing Linux Mandrake. It was designed for newbies and people interested in learning about security, so I only went over some basic rules to show how easy it really is; most of the time it is just common sense. There are many more things that can be done to secure a Linux box. I would urge new Linux users to check out sites such as http://www.bastille-linux.org/ and to always download and install security patches. Check your distro's web site for updates and news about security holes as they are discovered. Remember, a secure system is one running as little software and as few services as possible, since that cuts down the chances of something being exploited. So, with all this in mind, I bid you farewell :).

Author's Bio
Ph33r claims to be nothing more than simply a computer geek. He has only been interested in computers over the last 2 years, during which he was introduced to the cyber world known only as The Internet. While trying to keep a grasp on what is happening in the security world, he struggles to meet the standards in school and hold up his personal life. He enjoys experimenting with computers in his room late at night and loves having conversations with anyone half way across the world ;). He can be contacted at ph33r@fatelabs.com for any questions or suggestions you may have on this paper.
Ph33r