If there is something worth stealing, then someone will try to steal it. Linux-based systems have no special exemption from this universal rule. A primary reason that Linux systems are so popular is that they are robust and have many sophisticated security measures.
As the manager of a Linux system for your department or small business, you might feel a bit daunted by all of these threats. You've heard Linux is supposed to be secure, but how do you make sure?
It is a truism, of course, that if you don't use the Linux security tools provided, then you should be ready for the inevitable break-in. Problems can also be caused by badly implemented security measures. Securing a Linux machine can get pretty complicated and entire shelves of books have been dedicated to the subject.
There are several methods remote attackers can use to break into your machine. Usually they exploit problems with existing programs. The Linux community always quickly spots these 'exploits' and releases a fix, and Linux fixes are usually out long before the equivalent programs in other operating systems are mended. The issue here, though, is how to keep your machine from suffering any problem of this sort in the first place.
Know What's Running On Linux
Linux as a server offers all kinds of facilities like ftp, WWW, and mail. The way that it handles many of these services is via a system of ports. Port 21 controls ftp, for example. (If you are interested, the mapping of port numbers to service names is in the file /etc/services.)
To save on system resources and make system administration less complex, many services are handled through a configuration file /etc/inetd.conf. This file tells the system how to run each of the available services.
Many Linux vendors turn on various services in inetd.conf by default, when for maximum security they should be off! In many corporate environments security as such is not an issue: in these 'soft' environments, as long as there is enough security to prevent accidental damage, providing access to these services matters more than preventing it. If your Linux host is exposed to the Internet you may hold a different point of view, though. To check what services are currently running on your Linux system, type the command
This will print something like this:
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
Each line that says LISTEN is a service waiting for connections.
Some of these services run as stand-alone programs, but many of them are controlled by /etc/inetd.conf. If you are not sure what a service does, look it up in /etc/inetd.conf. For instance, if you type
grep '^finger' /etc/inetd.conf
you will get back a line from inetd.conf like this
finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
To see what the program does, look up in.fingerd in the man page. If you think you can live without this service, then it can be turned off in /etc/inetd.conf. By commenting out the line (put a # at the start of the line) and then issuing the command
killall -HUP inetd
you can immediately and permanently turn a service off. There is no need to
If a service is not listed in /etc/inetd.conf then it probably runs as a stand-alone program.
You can remove a service provided by a stand-alone background program by uninstalling its package. Only do this if you are sure about what the program does and are certain that it is not necessary.
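The audit-and-disable routine described above, as an added example that is not part of the original article. It works on a constructed copy of inetd.conf in a temporary directory (the service lines, paths and the choice of finger as the service to switch off are illustrative), lists what inetd would start, comments one service out the way the text describes, and only prints the killall -HUP reload step rather than running it:

```shell
#!/bin/sh
# Added example (not from the article): audit a copy of inetd.conf, disable a
# service by commenting its line out, and show the reload command.
set -eu

WORK=$(mktemp -d)
INETD="$WORK/inetd.conf"

# Constructed sample in inetd.conf's format:
# service  socket  proto  wait/nowait  user  server  args
cat > "$INETD" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       /usr/sbin/in.ftpd
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd       /usr/sbin/in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd       /usr/sbin/in.fingerd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd       /usr/sbin/in.rshd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
EOF

# Services inetd would actually start: drop comment and blank lines, keep field 1.
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# The daemon behind a service: field 7 when field 6 is the tcpd wrapper, else field 6.
service_program() {
    grep "^$1[[:space:]]" "$2" | awk '{ prog = ($6 ~ /tcpd$/) ? $7 : $6; print prog }'
}

# Turn a service off by putting '#' at the start of its line (keeps a .bak copy).
disable_service() {
    sed -i.bak "s/^\($1[[:space:]]\)/#\1/" "$2"
}

echo "Enabled before:"; enabled_services "$INETD"
echo "finger is served by: $(service_program finger "$INETD")"
disable_service finger "$INETD"
echo "Enabled after:"; enabled_services "$INETD"
# On a real system the last step is to make inetd re-read its file:
echo "Next: killall -HUP inetd"
```

Point the two variables at the real /etc/inetd.conf only once you have read the file through, and keep the .bak copy until the machine has been through a reboot without anything missing.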
To add extra security to the various services, Linux has a system (the tcpd wrapper seen in the inetd.conf line above) for allowing and denying them to chosen hosts. For instance, you may wish to allow logins from machines at your own site, but not from the Internet. The files /etc/hosts.allow and /etc/hosts.deny list allowed services and hosts.
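How the two files interact is easy to get wrong, so here is an added example (not from the article, and not the tcpd code itself) that emulates the lookup order against constructed copies of hosts.allow and hosts.deny: a hosts.allow match grants the connection, otherwise a hosts.deny match refuses it, otherwise it is granted. The subnet 10.0.0., the domain .corp.example and the daemon names are assumptions; netmask, LOCAL and EXCEPT syntax is deliberately not modelled.

```shell
#!/bin/sh
# Added example (not from the article): a small emulator of how tcpd consults
# /etc/hosts.allow and then /etc/hosts.deny, run against constructed copies of
# both files so nothing on the real system is touched.
set -eu

WORK=$(mktemp -d)
ALLOW="$WORK/hosts.allow"
DENY="$WORK/hosts.deny"

# Constructed policy: our own site may reach sshd and ftp, nobody else gets anything.
cat > "$ALLOW" <<'EOF'
# daemons : clients     (10.0.0. = our subnet, .corp.example = our domain)
sshd, in.ftpd : 10.0.0., .corp.example
EOF
cat > "$DENY" <<'EOF'
ALL : ALL
EOF

# Does any rule in file $3 match daemon $1 from client $2?
# Supports ALL, exact names, leading-dot domain suffixes and trailing-dot
# address prefixes; netmasks, LOCAL and EXCEPT are not modelled.
rule_matches() {
    awk -v svc="$1" -v cl="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            line = $0; sub(/#.*/, "", line)
            n = index(line, ":"); if (n == 0) next
            dl = substr(line, 1, n - 1); cls = substr(line, n + 1)
            gsub(/[[:space:]]/, "", dl); gsub(/[[:space:]]/, "", cls)
            nd = split(dl, d, ","); nc = split(cls, c, ",")
            hit = 0
            for (i = 1; i <= nd; i++) if (d[i] == "ALL" || d[i] == svc) hit = 1
            if (!hit) next
            for (j = 1; j <= nc; j++) {
                p = c[j]; lp = length(p); lc = length(cl)
                if (p == "ALL" || p == cl) { found = 1; exit }
                if (substr(p, 1, 1) == "." && lc >= lp && substr(cl, lc - lp + 1) == p) { found = 1; exit }
                if (substr(p, lp) == "." && substr(cl, 1, lp) == p) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }' "$3"
}

# tcpd order: a hosts.allow match grants, else a hosts.deny match refuses,
# else the connection is granted.
wrappers_decision() {
    if rule_matches "$1" "$2" "$ALLOW"; then echo allow
    elif rule_matches "$1" "$2" "$DENY"; then echo deny
    else echo allow; fi
}

for probe in "sshd 10.0.0.7" "sshd 203.0.113.5" "in.ftpd pc1.corp.example" "in.fingerd 10.0.0.7"; do
    set -- $probe
    echo "$1 from $2: $(wrappers_decision "$1" "$2")"
done
```

The final fall-through to allow is the detail worth remembering: with an empty hosts.deny, every wrapped service is open to everyone, which is why the closing ALL : ALL line in hosts.deny is the usual starting point.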
The method of denying connections by checking the host provides a good basic method for throwing off attacks. But it is not the end of the story. It is possible to fake host names on incoming connections. While data is in transit between programs over the Internet, it is also in danger. Anyone with the knowledge can look at your data. Using a method known as 'spoofing' they can even inject fake data into a legitimate stream. These problems come about because of the way that Internet protocols interact. To overcome these difficulties, ssh was devised.
Ssh is a stable, well-developed system with open source that provides encryption and authentication on connections. Encryption uses codes to protect the packets of data while in transit. Authentication is a process for verifying whether a packet of data or a connection is valid. There are ssh clients for most other operating systems too. By using Linux as a server you can provide ssh-level security for all your network use.
Linux has a comprehensive set of subsystems to let the systems administrator know what is going on with his or her system. All manner of log files are generally kept in the /var/log directory. Most of the standard services log information to /var/log/syslog and /var/log/messages about users connecting to them or attempting to connect. There are also log files for such services as apache (/var/log/httpd/access_log), mail (/var/log/mail) and firewall (/var/log/firewall).
Don't Forget to Filter
The main problem with logging events is that one tends to end up with too much data. So careful filtering, and logging only what matters, is important.
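One way to do that filtering with nothing but the tools already on the box, as an added example that is not from the article. The log lines are constructed (the sshd "Failed password" and "Accepted publickey" wording is the real one; hostnames and addresses are made up), and the script counts failed ssh logins per source address, picks out the addresses that cross a threshold, and throws away the routine chatter while keeping anything it does not recognise:

```shell
#!/bin/sh
# Added example (not from the article): pull only the lines that matter out of
# a syslog-style file and count failed ssh logins per source address. The log
# lines below are constructed; the sshd message formats are the real ones.
set -eu

WORK=$(mktemp -d)
LOG="$WORK/messages"
cat > "$LOG" <<'EOF'
Mar  3 02:14:01 gw sshd[4021]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  3 02:14:03 gw sshd[4021]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  3 02:14:05 gw sshd[4023]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2
Mar  3 02:20:17 gw sshd[4100]: Accepted publickey for rob from 10.0.0.7 port 40210 ssh2
Mar  3 02:31:44 gw in.ftpd[4211]: connection from 198.51.100.4
Mar  3 02:45:09 gw sshd[4302]: Failed password for rob from 10.0.0.7 port 40300 ssh2
Mar  3 03:00:00 gw CRON[4400]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Failed ssh logins per source address, most frequent first ("count address").
failed_logins_by_host() {
    awk '/ sshd\[[0-9]+\]: Failed password / {
             for (i = 1; i <= NF; i++) if ($i == "from") hosts[$(i + 1)]++
         }
         END { for (h in hosts) print hosts[h], h }' "$1" | sort -rn
}

# Addresses with at least $2 failures in $1: the ones worth a closer look.
suspicious_hosts() {
    failed_logins_by_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Everything except known routine chatter (cron jobs, successful key logins).
# Unlike grepping for one pattern, this keeps messages you have not seen before.
notable_lines() {
    grep -v -e 'CRON\[' -e 'Accepted publickey' "$1"
}

echo "Failed logins by host:"; failed_logins_by_host "$LOG"
echo "Hosts with 3 or more failures:"; suspicious_hosts "$LOG" 3
echo "Notable lines: $(notable_lines "$LOG" | wc -l | tr -d ' ')"
```

Run it from cron against the real /var/log/messages (or /var/log/auth.log on systems that split authentication messages out) and mail yourself only the output of suspicious_hosts and notable_lines; the single local failure from 10.0.0.7 stays below the threshold and does not clutter the report.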
There are some good tools out there that will make this work easier.
Ethereal is a packet sniffer. With it you can capture various types of packets over a given period of time. It also shows all manner of information about the packets. It's useful for watching packets coming into and going out of your machine. Generally it will detect traffic on your network segment.
Another logging/intrusion detection type tool is called Tripwire. It takes a snapshot of your important system files and records their signature in a database. Various signature levels are available from mild to wild. You can also set the rules in a policy file to tell Tripwire what to check. After the database is initialized and signed, Tripwire can be executed whenever you need to check the integrity of your system. The report will point out when your files are changed and the severity of the security risk. The Tripwire report is pretty easy to read and can be customized according to your file tracking needs. Why not set Tripwire up to run every day, early in the morning, and have a report ready to look at with your first cup of coffee?
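To show what the Tripwire report is built on, here is an added example (not from the article and not Tripwire's own code) that reduces the idea to its core using sha256sum: hash every file under a directory while the system is known-good, store the list, and later compare. The directory tree, its file contents and the changes made to it are constructed; Tripwire's policy levels and signed database are not reproduced.

```shell
#!/bin/sh
# Added example (not from the article, and not Tripwire itself): the idea
# behind Tripwire reduced to its core, a database of file hashes taken when the
# system is known-good, compared against the files later. Runs on a constructed
# directory tree so nothing real is touched.
set -eu

if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

WORK=$(mktemp -d)
TREE="$WORK/root"      # stand-in for the files you care about (/etc, /usr/sbin, ...)
DB="$WORK/baseline.db" # stand-in for Tripwire's signed database
mkdir -p "$TREE/etc" "$TREE/usr/sbin"
echo "root:x:0:0:root:/root:/bin/sh" > "$TREE/etc/passwd"
echo "finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd" > "$TREE/etc/inetd.conf"
printf 'binary-stand-in\n' > "$TREE/usr/sbin/in.fingerd"

# One "hash  ./path" line per file, in a stable order.
snapshot() { (cd "$1" && find . -type f | sort | xargs $HASH); }

# Record the known-good state. Tripwire signs its database; here, keep it
# somewhere that cannot be written from the monitored host (read-only media,
# another machine) or the comparison proves nothing.
baseline() { snapshot "$1" > "$2"; }

# Compare the tree with the database. Prints ADDED/CHANGED/REMOVED lines and
# returns 1 when anything differs, 0 when the tree is intact.
integrity_report() {
    snapshot "$1" > "$2.now"
    out=$(awk 'NR == FNR { base[$2] = $1; next }
               { cur[$2] = $1 }
               END {
                   for (f in base)
                       if (!(f in cur)) print "REMOVED " f
                       else if (base[f] != cur[f]) print "CHANGED " f
                   for (f in cur) if (!(f in base)) print "ADDED " f
               }' "$2" "$2.now" | sort)
    rm -f "$2.now"
    if [ -n "$out" ]; then echo "$out"; return 1; fi
    return 0
}

baseline "$TREE" "$DB"
echo "fresh baseline: $(integrity_report "$TREE" "$DB" && echo intact)"
# Simulate the kind of change the check exists to catch: an edited account
# file and a file that was not there at baseline time.
echo "eve:x:0:0::/:/bin/sh" >> "$TREE/etc/passwd"
echo "ALL: ALL" > "$TREE/etc/new.conf"
integrity_report "$TREE" "$DB" || echo "integrity check FAILED, review the lines above"
```

Paths containing spaces would confuse the awk field split, which is one of the many details the real tool handles for you; the point here is the workflow, baseline first, then a scheduled comparison whose non-empty output is the thing to read over coffee.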
A popular program for detecting access attempts (via the network) and port scans is Snort. The program produces files that log these types of activities and even gives some idea of where to find out more information. Of course, then you have the same problem as with other log files. It gets tough for a busy system administrator to review all the log files on a regular basis.
A firewall is a device that protects a private network from the wider Internet. The simplest form of firewall is a Linux machine with two network connections (Ethernet cards or a modem), one connected to the Internet and the other connected to the private network. The firewall computer can reach both the protected network and the Internet. The traffic between the protected network and the Internet is controlled, in both directions, by a list of rules. These rules can be customized for your needs. CoyoteLinux.com has a firewall system that fits on a floppy and doesn't need a hard disk to run. It's designed specifically to address the need for an easy-to-install, no-nonsense Linux firewall.
You might take a look at running a hardware firewall appliance. These devices are small routers or switches that have built-in firewalls. They generally allow limited setup of rules to allow packets to pass back and forth. They don't provide as much flexibility for rules as dedicated Linux firewalls. Usually the availability is good with some even being equipped with four or more RJ-45 ports and a wireless access point, all for around $100.
All data flowing between the Internet and the private network is filtered by the firewall. Inside the private network less care needs to be taken with turning off services and the like. It is a way of concentrating effort on making one machine secure and protecting many others in the process. The methods for correctly setting up firewalls are quite complex. First you have to configure your machine with two Ethernet cards. Then you have to use the ipchains/iptables software to set up filters which govern what passes between the two Ethernet cards.
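What such a rule list looks like for the two-card machine described above, as an added example that is not from the article and uses iptables (the successor to ipchains) in the format that iptables-restore reads. The interface names eth0 (Internet side) and eth1 (private side) and the private address range 192.168.1.0/24 are assumptions; adjust them to your cards and addressing.

```text
# Added example, not from the article. Assumes eth0 faces the Internet and
# eth1 faces the private network 192.168.1.0/24. Load with:
#   iptables-restore < this-file
# and enable routing between the cards with:
#   sysctl -w net.ipv4.ip_forward=1
*filter
# Default policy: nothing reaches the firewall itself or crosses it unless a rule says so.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall: loopback, replies to connections it started,
# and ssh only from the private side (the Internet side never gets a login prompt).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# Everything else aimed at the firewall is logged before the DROP policy eats it.
-A INPUT -j LOG --log-prefix "fw-input-drop: " --log-level 4
# Traffic crossing the firewall: inside may go out, outside only gets replies.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-forward-drop: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the private addresses behind the firewall's Internet address.
-A POSTROUTING -o eth1 -j RETURN
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
```

The two LOG rules write to the kernel log, which syslog normally lands in /var/log/messages (or a dedicated file such as the /var/log/firewall mentioned earlier, depending on the syslog configuration), so the prefixes give your log filtering something precise to match on.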
The main drawback with making your systems more secure is that they become less accessible. The idea behind ramping up your system's security is to stop crooks, thieves and malcontents from using your computers. Before implementing any of the ideas in this article you should consider carefully the opposite side of the coin: the systems are there to be used by your users! Linux has a wide range of security tools, and by carefully combining various techniques and programs you should be able to come up with a good balance between ready access and system security.
Rob Reilly is a senior technology consultant, whose work includes Linux, business integration and innovation training. He frequently writes and speaks about these and other topics. He has 16 years' experience in the high technology, manufacturing and the utilities industries. He is always looking for stories and projects that focus on Linux, business and the cutting edge. Send him a note or visit his web site at http://home.cfl.rr.com/rreilly.
This article was first published on Linux Planet, a Jupitermedia Corp. site.