Linux box security 101: information to help Linux users keep their PC safe from intrusion.

Linux Box Security: 101

Security is an issue of profound importance to many who spend computing time on the internet. How important is security to you? If you value your security and also use Linux, I have some information for you that may help.

Any time your computer is connected to the internet, it has exposed doorways into the files and data that reside on your hard drives. It is your decision to lock these doors, but it is a decision I highly recommend you take.

Securing your computer greatly improves its chances of staying free of intruders, but no measure is perfect. The only way to be sure your computer is safe is to totally rip the internet connection from the computer.

If you connect to the internet, then you are at risk. There's no way to get around this basic fact of computing life. This article is designed to help you reduce that risk. And take note: If your computer is hacked, I am in no way responsible, even if you follow my advice and instructions. As I stated earlier, the only way to be totally safe on the internet is to not be on it at all. But since most of us don't want to stay away from the net, we have to take other measures to protect privacy.

Get nmap:

The first thing you should do is log in as root and check to see if you have a program called nmap, which will scan your computer's ports and inform you of which ones are open. Go to a command prompt and type "nmap". If you get an option list, then you have it. If you didn't get the option list, go to www.insecure.org/nmap and download the file. At the prompt type "nmap localhost" and this will show you all ports open on your computer. The main objective here is to have as few as possible open. Have open only what you need! Here is what my scan looks like:


Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1,521 ports scanned but not shown below are in state: closed)
Port       State       Service
515/tcp    open        printer
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

As you can see, I only have two ports open at this time. You will probably have more open, but we will take care of that soon enough.
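Scanning once is good; knowing which open ports you actually meant to have is better. The script below is an added example (not part of the original article) that reads nmap's text output and prints any open port that is not on a list of ports you have decided you need. The scan text it runs on is constructed for the example: the author's two-port result with one extra line added, so there is something to flag. On a live machine you would pipe `nmap localhost` into the function instead, as the usage comment shows.

```shell
#!/bin/sh
# Added example: compare an nmap scan against the ports you have decided
# you need. Anything else that is open is something to investigate.

# open_ports -- reads nmap's classic text output on stdin and prints
# "port/proto service" for every port reported as open.
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $3 }'
}

# unexpected_ports "ALLOWED" -- reads nmap output on stdin and prints the
# open ports that are NOT in the space-separated ALLOWED list
# (for example "515/tcp 6000/tcp").
unexpected_ports() {
    allowed=" $1 "
    open_ports | while read -r port service; do
        case "$allowed" in
            *" $port "*) ;;                         # expected: say nothing
            *) printf '%s %s\n' "$port" "$service" ;;
        esac
    done
}

# Constructed sample scan in the nmap 2.x format shown in the article;
# the telnet line is the addition that should be flagged.
SAMPLE_SCAN='Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1,520 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
515/tcp    open        printer
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second'

# sample_unexpected "ALLOWED" -- runs the check over the constructed scan.
sample_unexpected() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$1"
}

# Live usage:   nmap localhost | unexpected_ports "515/tcp 6000/tcp"
# Demo on the constructed scan; prints "23/tcp telnet".
sample_unexpected "515/tcp 6000/tcp"
```

Keep the allow-list in a file next to the script and re-run the check after every install or upgrade; a port that appears without you having put it on the list is exactly the kind of change the article wants you to notice.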

Editing your inetd.conf:

Head on over to your /etc directory and open inetd.conf with an editor. This configuration file has a list of all the services on your computer. Everything that has a "#" beside it is considered "remarked" (commented out) and is not used. Do not delete anything in this file. If you wish to take out a service, just put a # beside it. I am using my computer as a workstation, and I am not on a network, so many of these services and utilities I will not use. I can't tell you what to remark and what not to; you have to decide for yourself. Take out what you know you don't need open. Remember, when you shut a service down in the inetd.conf file, it doesn't mean that you can't use that program any more. It only means that someone can't use that program to connect to your computer. For example, if you remark the telnet and ftp services, you can still use those programs to connect to other computers, but Telnet and Ftp aren't able to connect to your computer. Here is an example from an inetd.conf file:


# These are standard services.
#
 ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
 telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
 login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk   dgram   tcp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp     waut    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico    -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
 finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
 netstat        stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat    -f inet

As you can see: ftp, telnet, login, finger, and netstat are running. Since I don't want anyone to telnet or ftp to my computer, I will put a # beside them to close the service. I also don't want anyone to be able to login to my machine or use netstat or finger, so I also put a # beside them. This leaves me with:


# These are standard services.
#
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk   dgram   tcp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp     waut    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico    -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat        stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat    -f inet

What this says is that none of these services are being used. If you change anything in the inetd.conf file, send the inetd process a SIGHUP to restart it and let the new settings take effect. I honestly can't stress enough how important it is to shut off unused ports. An open port is a major security hazard just waiting to happen.
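The editing above can be done by hand, but it is easy to miss a line in a file this long, and it is worth being able to list what is still enabled before and after. The script below is an added example, not from the article: it prints every active (uncommented) service in an inetd.conf, comments out the ones you name without deleting anything, and shows the SIGHUP step. It works on a constructed excerpt of the article's file written to a temporary file, so running it touches nothing on the real system; to use it for real, run it as root against /etc/inetd.conf. The `reload_inetd` function assumes the Linux `pidof` command is available.

```shell
#!/bin/sh
# Added example: audit an inetd.conf and comment out services you do not
# want to offer. Demo runs on a constructed copy in a temporary file.

# make_sample_conf -- write a constructed inetd.conf excerpt (modelled on the
# article's file) to a temporary file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# These are standard services.
#
 ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
 telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
 finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
EOF
    printf '%s\n' "$f"
}

# enabled_services FILE -- print the name of every service inetd would
# offer: each line that is neither blank nor commented out.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# disable_service NAME FILE -- put a "#" in front of the active line for
# NAME. The line stays in the file (the article's rule: comment, never delete).
disable_service() {
    name=$1; file=$2
    sed "s/^[[:space:]]*\($name[[:space:]]\)/#\1/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# reload_inetd -- tell the running inetd to re-read its configuration.
# Not called in the demo; run it as root after editing /etc/inetd.conf.
reload_inetd() {
    kill -HUP "$(pidof inetd)"
}

# Demo on the constructed copy: "before: ftp telnet finger", "after:" empty.
conf=$(make_sample_conf)
echo "before: $(enabled_services "$conf" | xargs)"
for svc in ftp telnet finger; do disable_service "$svc" "$conf"; done
echo "after:  $(enabled_services "$conf" | xargs)"
rm -f "$conf"
```

After a real edit, run `enabled_services /etc/inetd.conf`, then `reload_inetd`, then `nmap localhost` again: the ports belonging to the services you commented out should no longer show as open.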

There are also some other actions you can take to increase security on your computer.

Update your programs:

The wonderful thing about Linux is that it is open source, and along with that comes relatively fast upgrades and fixes for your programs. I highly recommend that you update your files as frequently as possible. Whenever an exploit for a program is identified, a fix for it is usually released soon thereafter. Not updating these vulnerable files can lead to security issues, but all-in-all it is up to you. Additionally, an updated program is generally better than the last release, so it is just common sense to get the upgrade. But never download from an untrusted source. Always go to the maker's website and trusted Linux websites for information on upgrades to your programs. Since these programs are open source, it also means that trojan virii can be coded into an "upgrade" offered elsewhere.

Check your logs regularly:

Linux has the really nifty ability to log anything you want logged. A log is information about a process that is recorded in a text file. To the trained eye, the information in your log can reveal someone trying to get into your system. A little trick I picked up from LinuxNewbie.org is to edit your syslog.conf file and put this at the end of the file:


# this was added to log all SU attempts and failed passwd logins
auth.*                                            /dev/console
authpriv.*                                        /dev/console

This will send a warning to your open console when someone tries to SU or has a failed login.
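Watching the console works when you are sitting at it; for everything that scrolled past while you were away, the same messages need to be read back from the log file and boiled down. The script below is an added example, not part of the article: it counts failed su attempts per caller and failed logins per account, and keeps only the ones that repeat. The log lines are constructed for the example in the style of the su(pam_unix) and login messages of the period, and the /var/log/secure path in the usage comment is an assumption; use whatever file your syslog.conf sends auth and authpriv messages to.

```shell
#!/bin/sh
# Added example: summarise the auth messages that the syslog.conf rule
# above sends to the console. Runs on constructed sample lines.

SAMPLE_LOG='Aug  3 10:12:01 localhost su(pam_unix)[1201]: session opened for user root by chad(uid=500)
Aug  3 10:15:44 localhost su(pam_unix)[1207]: authentication failure; logname=guest uid=501 euid=0 tty=pts/1 ruser=guest rhost=  user=root
Aug  3 10:15:52 localhost su(pam_unix)[1208]: authentication failure; logname=guest uid=501 euid=0 tty=pts/1 ruser=guest rhost=  user=root
Aug  3 10:20:03 localhost login[1215]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Aug  3 10:20:10 localhost login[1215]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Aug  3 10:21:30 localhost login[1215]: FAILED LOGIN 3 FROM (null) FOR root, Authentication failure
Aug  3 10:25:00 localhost login(pam_unix)[1220]: session opened for user chad by (uid=0)'

# failed_su -- reads syslog lines on stdin; prints "COUNT caller -> target"
# for every (caller, target) pair whose su attempt failed authentication.
failed_su() {
    grep 'su(pam_unix)\[[0-9]*\]: authentication failure' |
        sed -n 's/.*ruser=\([^ ]*\).*user=\([^ ]*\).*/\1 -> \2/p' |
        sort | uniq -c | sed 's/^ *//'
}

# failed_logins -- prints "COUNT account from origin" for failed tty logins.
failed_logins() {
    grep 'FAILED LOGIN' |
        sed -n 's/.*FAILED LOGIN [0-9]* FROM \(.*\) FOR \([^,]*\),.*/\2 from \1/p' |
        sort | uniq -c | sed 's/^ *//'
}

# at_least N -- keep only summary lines whose leading count is N or more,
# so a single typo does not make the report noisy.
at_least() {
    awk -v n="$1" '$1 + 0 >= n'
}

# Demo on the constructed lines. On a real box replace the printf with
#   cat /var/log/secure     (assumed path; use your syslog.conf's target)
printf '%s\n' "$SAMPLE_LOG" | failed_su                  # 2 guest -> root
printf '%s\n' "$SAMPLE_LOG" | failed_logins | at_least 3 # 3 root from (null)
```

Run it from cron once a day and mail yourself the output; an empty report is the normal case, and a non-empty one tells you which account and which origin to look at first.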

Read on!

Everything I have written about here has been written about elsewhere, often to a much greater extent. The only way to keep up with Linux, or any system, is to read, read, read -- and then read some more. And when you are done with that...read it all again to make sure you know it. Computers are always changing and therefore nothing ever stays true for very long. If you expect to keep your computer secure, then you better read current articles about it all the time. The article I have written will get you started, but it is now up to you to further this art. I'd like to hear your ideas about Linux security.

You can contact me at chad@corndancer.com
I am still writing, so keep coming back for updates.

Chad Miller
CornDancer & Company

Developmental Level: Partial Draft
Page launched:
August 3, 2000
Most recent revision:
August 3, 2000