People consider GNU or free software and open source software to be unsafe and easily compromised because their source code is readily available, which isn’t correct. This article is specifically about the security of the GNU/Linux operating system and will help you enable the security parameters for added safety.
The first step is to have a security policy. Without one you have no clear definition of what you want to protect and what to do when you find a violation. I would suggest having a look at the Site Security Handbook, RFC 2196.
A GNU/Linux distribution installs a lot of software along with it, so a GNU/Linux user needs to be aware of which packages he should install on the server systems he is going to use in a production environment.
Choosing the right password for an account. This is the point that security experts always stress, and it is where most people skip choosing a proper password for their account, and sooner or later a compromise occurs. Passwords chosen for the systems should be alphanumeric, they should be changed every 3 months, and as far as possible they should be impersonal, i.e. not based on dates of birth, children's names etc. Passwords should be a minimum of six characters long, and accounts should be locked after some number of failed login attempts.
The account which makes you powerful: “root”. Knowing the root password is a privilege and at the same time a great responsibility. You become the god of the systems: you can do whatever you want with a system, it is under your control. The “root” account has no security restrictions imposed upon it.
For security reasons, never log in on your server as “root” unless it is absolutely necessary, i.e. a task that requires root access. Disable direct remote logins for the root account; to become root, log in with a normal user account and then “su” to root.
Set a login timeout for the root account by adding TMOUT=1800 to your /etc/profile. This means that if a user leaves a console/terminal without logging out, the shell will log the user out after the number of seconds specified by this parameter. Enable the command history in /etc/profile by adding HISTSIZE=10, or whatever figure you would like to keep. Setting HISTFILESIZE=0 zeroes the .bash_history file, so that when the user logs out the history file is emptied.
Single user login mode of GNU/Linux
Passing these parameters to the Linux kernel will land you in single user mode, where administrators usually perform system maintenance after a crash. By default it does not ask for a password, so edit the /etc/inittab file and add the following contents:
id:3:initdefault:
~~:S:wait:/sbin/sulogin
Be sure to back up the inittab file in case you make a mistake. After adding the contents, execute
#/sbin/init q
which rereads the inittab and loads the new configuration.
Editing the /etc/lilo.conf file
timeout=00
This makes lilo wait 0 seconds for the user to put in parameters at the lilo boot prompt. You should do this unless you are dual booting some other operating system like Windows. You should also set a password for lilo. Basically, this option means that passing any parameters at the lilo boot prompt will ask you to supply the password set by the password option.
password=
This option protects the Linux image from booting without a password. But this can be a problem if you reboot the system remotely, as it will always wait for someone to type in the required password.
So after adding these changes, the /etc/lilo.conf file should look like this (the lines starting with # are comments explaining each change):
# timeout=50 was changed to 00
timeout=00
# Remove the line if you are not passing any command line parameters.
# Add this line to enable linux image protection
restricted
# Add this line to enable the password and put in your password
password=
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
# Remove the line below if you do not want to get the welcome message
message=/boot/message
lba32
image=/boot/vmlinuz-2.4.18-3bigmem
        label=linux
        initrd=/boot/initrd-2.4.18-3bigmem.img
        read-only
        root=/dev/hda7
image=/boot/vmlinuz-2.4.18-3smp
        label=linux-smp
        initrd=/boot/initrd-2.4.18-3smp.img
        read-only
        root=/dev/hda7
image=/boot/vmlinuz-2.4.18-3
        label=linux-up
        initrd=/boot/initrd-2.4.18-3.img
        read-only
        root=/dev/hda7
The configuration file is readable by everyone, so change the permissions to prevent that.
chmod 600 /etc/lilo.conf
Now update the boot loader so that the changes take effect after rebooting.
/sbin/lilo -v
This rewrites the boot loader with the new configuration after we made changes to it. We can also make /etc/lilo.conf an immutable file so that normally no one can edit it or add changes. You can do this by executing
chattr +i /etc/lilo.conf
Note: when you need to modify this file again, remove the immutable bit first and then make your changes.
Disabling the CTRL+ALT+DEL – 3 finger salute
Edit the /etc/inittab file and find the entry
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
and put a # in front of it, so that the line looks like this
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
where # represents a comment. After this you need to execute
/sbin/init q
This makes sure that pressing the key combination does not reboot the system. Also set the immutable bit on the /etc/services file like this:
chattr +i /etc/services
Edit the /etc/securetty file. This file allows you to specify on which ttys and virtual consoles (VCs) root is allowed to log in.
Root will be allowed to log in only on the ttys or VCs listed here; on any other tty or VC the root user will not be allowed in and has to “su” to become root. Disable all accounts on the system which you do not use, e.g.:
userdel adm
userdel operator
also, remove the groups
groupdel adm
groupdel operator
then make the following files immutable
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/gshadow
chattr +i /etc/group
Note: if you need to edit one of these files for some reason, remove the immutable bit first like this:
chattr -i /etc/
Change the mode of the “rpm” binary so that only root is able to use it.
chmod 700 /bin/rpm
Increase the security of the /etc/rc.d/init.d/ files by changing the permissions of all the files to 700 like this:
#chmod -R 700 /etc/init.d/*
Remove the /etc/issue and /etc/issue.net files; /etc/issue.net is the banner which users see when they log in to the system remotely. Find the SUID and SGID files on the system and make a list for your reference, so that if the system gets compromised you can compare against it and see what changed. To find the files use:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \; > SuSgfiles
This creates a file “SuSgfiles” listing the files on which the suid or sgid bit is set.
To find unusual or hidden files:
find / -name ".. " -print -xdev
find / -name ".*" -print -xdev | cat -v
To find group and world writable files:
find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
For directories use the command below:
find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
To find unowned files:
find / -nouser -o -nogroup
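As an added example that is not part of the original article, the following POSIX shell script saves the SUID/SGID list described above as a baseline and later reports which privileged files appeared or disappeared, which is the comparison the article suggests after a suspected compromise. The function names, the tree root argument and the baseline file path are assumptions of this example, chosen so that a small test tree can be scanned instead of /.

```shell
#!/bin/sh
# Added example (not from the article): keep a baseline of SUID/SGID files and
# report what changed. Names (scan_suid_sgid, save_baseline, compare_baseline)
# and the "tree root" argument are this example's own choices.

# Print "mode path" for every SUID or SGID regular file under $1, sorted so the
# output can be compared line by line with comm(1). -xdev stays on one filesystem.
scan_suid_sgid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -exec sh -c '
        for f; do
            # first column of ls -ld is the mode string, e.g. -rwsr-xr-x
            printf "%s %s\n" "$(ls -ld "$f" | cut -d" " -f1)" "$f"
        done' sh {} + 2>/dev/null | LC_ALL=C sort
}

# Save the current list as the reference copy (the article's SuSgfiles).
save_baseline() {   # $1 = tree root, $2 = baseline file
    scan_suid_sgid "$1" > "$2"
}

# Rescan $1 and diff against the baseline in $2. Prints "+ mode path" for
# privileged files that appeared and "- mode path" for ones that vanished.
# Returns 0 when the lists match and 1 when anything differs.
compare_baseline() {   # $1 = tree root, $2 = baseline file
    diff_out=$(scan_suid_sgid "$1" | LC_ALL=C comm -3 "$2" -)
    [ -z "$diff_out" ] && return 0
    # comm puts baseline-only lines in column 1 and scan-only lines in column 2
    # (prefixed with a tab), so the tab tells us which side a line came from.
    printf '%s\n' "$diff_out" |
        awk -F'\t' '$1 != "" { print "- " $1 } $1 == "" { print "+ " $2 }'
    return 1
}

# Typical use on a real host (run as root):
#   save_baseline / /root/SuSgfiles        # right after installation
#   compare_baseline / /root/SuSgfiles     # later, or after a suspected compromise
```

A file that newly gained the suid bit shows up as "+", and one that lost it or was removed shows up as "-"; a mode change on an existing entry shows up as one "-" and one "+" line for the same path.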
This covers the basic GNU/Linux settings which will make the system more secure. You also have to consider the applications your server is supposed to serve, e.g. running a web server or an FTP server, for which there are various other steps you need to take to secure the applications.
Jagjit Phull is a Linux enthusiast from New Mumbai. If you have a linux project you need help with, contact Jagjit here: jacky_jag@yahoo.com.