FW: Linux Network Security

aha120

Linux Network Security
www.internetsolver.com | Other Linux Documents
By David Weis with Internet Solver, LLC

This is a list of basic steps to take to help secure your Linux machine. The information is applicable to all distributions (and some other Unix variants), but the actual commands are targetted towards RedHat and it's offspring.

   1. Decide what should be running on your machine.

      This step will depend on what you are using the machine for. If it's a mail server that will be available to outside users, there are different processes than if it's your desktop machine behind a firewall.

      We'll imagine that we are going to be configuring a mail server running Sendmail, ntp (network time synchronization), an imap server, and ssh.
   2. Find out what is running on your machine.

      There are two ways to see what is currently running on your machine. If you would like to know by process what is happening, you can use

          ps ax

      to see all of the running programs. There are going to be some in the list that you don't recognize. You need to find out what they are and if they are needed.

      Here is a sample from ps ax:

          [root@monolith /root]# ps ax
            PID TTY      STAT   TIME COMMAND
              1 ?        S      0:07 init [3]
              2 ?        SW     0:00 [kflushd]
              3 ?        SW     0:02 [kupdate]
              4 ?        SW     0:00 [kpiod]
              5 ?        SW     0:00 [kswapd]
            311 ?        S      0:00 apcmain       -f /etc/apcupsd/apcupsd.conf
            336 ?        S      0:07 syslogd -m 0
            345 ?        S      0:00 klogd
            359 ?        S      0:00 /usr/sbin/atd
            373 ?        S      0:01 crond
            387 ?        S      0:00 inetd
            401 ?        S      0:39 named -u named
            410 ?        S      0:00 sshd
            427 ?        SL     0:13 xntpd -A

      You will also need to find out what's running on your machine from a network point of view. Some of the programs that you see listen to the network for requests from clients. In an ideal world, none of the programs on your machine would have any errors in them and would properly authenticate clients. That world doesn't exist. To see which programs are listening for network requests, you can use

          netstat -a | grep LISTEN

      Here is a sample from netstat -a | grep LISTEN:

          [root@monolith /root]# netstat -a | grep LISTEN
          Proto Recv-Q Send-Q Local Address           Foreign Address         State
          tcp        0      0 *:968                   *:*                     LISTEN
          tcp        0      0 *:sunrpc                *:*                     LISTEN
          tcp        0      0 *:bbs                   *:*                     LISTEN      
          tcp        0      0 *:smtp                  *:*                     LISTEN      
          tcp        0      0 *:ssh                   *:*                     LISTEN      
          tcp        0      0 mail.dmz.busines:domain *:*                     LISTEN      
          tcp        0      0 monolith.dmz.bus:domain *:*                     LISTEN      
          tcp        0      0 localhost.locald:domain *:*                     LISTEN      
          tcp        0      0 *:imap2                 *:*                     LISTEN      
          unix  0      [ ACC ]     STREAM     LISTENING     396    /var/run/ndc

      You can see from the list above that there are 7 ports open to the outside world. Some of them match the list we made in step one, but some are unwanted.

   3. Find and shut down unwanted services.

      From the netstat list, we can see that there are three ports open that aren't in our list of desired services. The first two are for NFS and RPC. We aren't using either of those on our mail server. If you have a machine that is exposed to the world, you should try very hard not to use the portmapper and NFS/RPC on them, since they are home to more than their share of bugs.

      We aren't sure what the bbs service is, so we'll use another command to find out. Here are the steps to find out which program is listening to a specific port:

          [root@monolith /root]# /sbin/fuser -n tcp bbs
          bbs/tcp:               499
          [root@monolith /root]# ps ax | grep 499
            499 ?        S      0:00 apcnis        -f /etc/apcupsd/apcupsd.conf
          17846 pts/0    S      0:00 grep 499

      Oops, we forgot a service when we were making the list in step one. This program is for monitoring our UPS and shutting down the machine when the power fails. For this particular program, we can either make it stop listening to the network or firewall the port from outside access. Since the program came with monitoring utilities that need access to that port, we will have to firewall the port.

      We want to stop the other two unwanted services. That can be done by using their startup/shutdown scripts.

          [root@monolith /root]# /etc/rc.d/init.d/nfslock stop
          Shutting down NFS file locking services:
          Shutting down NFS lockd:                                   [FAILED]
          Shutting down NFS statd:                                   [  OK  ]
          [root@monolith /root]# /etc/rc.d/init.d/portmap stop
          Stopping portmap services:                                 [  OK  ]

      To make sure our changes will stick after a reboot, we will use chkconfig to make them permanent.

          /sbin/chkconfig --level 345 portmap off
          /sbin/chkconfig --level 345 nfslock off

      Our list of open ports now looks like we want it to.

   4. Control access to your desired services

      There is no need for everyone on the Internet to have access to your imap and ssh server. They will need to be able to connect to your Sendmail port, unless you know the address of everyone that will ever send you mail.

      For the sake of discussion, we'll imagine that your mail server has a real IP address of 1.2.3.4 and your desktop machine is 2.3.4.5. You are the only one that will be retrieving mail from your server and the only one that will be administering your server.

      There are two main methods of access control in Unix, firewalling and TCP Wrappers. Both have their good points, and they are commonly used together. Firewalling prevents the connections from ever getting to the programs running on your machine. TCP Wrappers uses a "wrapper" around your services to allow or deny access to them.

      For the UPS monitoring program, we'll need to use firewalling to restrict access to our desktop machine. RedHat offers an easy way to save and restore your firewall rules.

      The default firewall rules are wide open:

          [root@monolith /root]# /sbin/ipchains -L
          Chain input (policy ACCEPT):
          Chain forward (policy ACCEPT):
          Chain output (policy ACCEPT):

      We want to block incoming connections to that port, so we use an ipchains command like:

          /sbin/ipchains -A input -p tcp -s \! 127.0.0.1 --dport bbs -j DENY

      which will prevent any incoming connections to the bbs port that don't come from the server that it's running on.

      Next we will block access to ssh and imap. We'll use TCP Wrappers for this. The wrappers are configured with /etc/hosts.allow and /etc/hosts.deny.

      As with firewalling, and much in life, you can have a default of denying access, or a default of allowing access. Since you care about your mail server, we'll go with a default deny. Note that we did the opposite with our firewall, since we only had one port to block. On a machine running more services, we would need to deny all by default and allow access selectively.

      You start by editing /etc/hosts.deny and putting in the deny rules.

          #
          # hosts.deny        This file describes the names of the hosts which are
          #                *not* allowed to use the local INET services, as decided
          #                by the '/usr/sbin/tcpd' server.
          #
          # The portmap line is redundant, but it is left to remind you that
          # the new secure portmap uses hosts.deny and hosts.allow.  In particular
          # you should know that NFS uses portmap!

          ALL : ALL


      Now we will add our desktop machine to the whitelist in /etc/hosts.allow.

          #
          # hosts.allow        This file describes the names of the hosts which are
          #                allowed to use the local INET services, as decided
          #                by the '/usr/sbin/tcpd' server.
          #

          imapd : 2.3.4.5/255.255.255.255

          sshd : 2.3.4.5/255.255.255.255


      This will allow your desktop machine imap and ssh connections to your server. The astute observer will note two things. 1. If you aren't at home and need to check your email, you are SOL. 2. If you aren't at home and need to fix your email, you are SOL. The solution for these is as follows: 1. Add webmail. 2. Add a trusted machine's address, or open ssh completely up.

      It is also a good idea to verify that you can in fact ssh to the server before closing the connection you are currently using. It is a rite of passage for an admin to shoot himself in the foot by changing the login or boot configuration of a server and failing to test it.

   5. Monitor your system.

      After your system is configured and secured, you need to monitor it to make sure you did everything correctly. Become familiar with /var/log/messages and /var/log/secure.

djweis@internetsolver.com