
Hardening Linux 204

Posted by CmdrTaco
from the you-know-you-should dept.
davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."

  • FP (Score:4, Funny)

    by Anonymous Coward on Sunday August 12, 2007 @09:31AM (#20202787)
    yes but does it run my favorite rootkit?
    • Not if your favorite rootkit is the Sony music CD rootkit. Sony have wisely decided to only annoy Windows users ... ;-)
  • AppArmor (Score:3, Interesting)

    by Shuntros (1059306) on Sunday August 12, 2007 @09:35AM (#20202829)
    I know people seem to find it all trendy to bash Novell these days, but AppArmor is a pretty damn good tool for containing the behaviour of applications. Use a handy little utility to monitor your application (apache, bind, postfix, anything else..) being used in a controlled environment, then apply that ruleset at kernel level and if access isn't defined in the AppArmor profile, it ain't happening.
  • by Anonymous Coward
    Linux hardens You
  • I know that Mandriva tells you if you have any services installed that have open ports (SSH,Samba) when you do the install. There are some necessary open ports for most users, like samba. Having open ports doesn't have to be a bad thing, although I will agree that having them open without any reason is not a good idea. However, as long as you keep on top of the updates (very easy with Mandriva and most other distros), you shouldn't have too much to worry about.
  • by delire (809063) on Sunday August 12, 2007 @09:40AM (#20202881)
    In this regard I'm very impressed with the work the Ubuntu developers have done: a netstat -tupa post-install reveals a very small attack-surface where ports are concerned. That said, it would certainly be interesting to see a per-distro comparison at some point.

    Anyone know of such a project - even if just comparing a few top-tier distributions?
    • by DrXym (126579) on Sunday August 12, 2007 @11:12AM (#20203437)
      I think a dist security roundup would be an awesome thing. Do a default install of Mandriva, RedHat, Ubuntu etc. and then run nmap, examine their password policy, see what "dangerous" apps are installed by default and so on. Dists should be named and shamed if they have a single port open.
  • by owlman17 (871857) on Sunday August 12, 2007 @09:41AM (#20202887)
    This is mainly for those who roll their own using LFS, but Hardened Linux From Scratch [linuxfromscratch.org] should give some tips, and practical advice, which critical areas need patching, plus proper practices.
  • If your Linux distro is out-of-the-box "insecure with open ports and unpatched vulnerabilities", then change distro. If this is not an option, it's time to approach your vendor menacingly, clue bat in hand.
    • by Nasarius (593729)
      Seriously. As someone else mentioned, this article has been outdated for about a decade. Good installers will pull in all the latest stable versions (assuming a net connection), but any popular Linux distro is trivial to update immediately after. And I can't recall the last time I've seen a default workstation/desktop install with any open ports. Maybe SSH.
  • by Anonymous Coward on Sunday August 12, 2007 @09:47AM (#20202925)
    The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

    Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.

    The article isn't very useful or accurate.
    • by jgrahn (181062)

      > The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

      It triggers me on two other points too:

      • ps + grep + kill is so 1990s. pkill from Solaris
  • Box? (Score:5, Insightful)

    by wytcld (179112) on Sunday August 12, 2007 @10:02AM (#20203011) Homepage

    > Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities.
    That box must have a lot of dust on it, and an early 13-floppy Slackware distro inside.

    Before making a claim like that, the writer should come up with at least three examples, from current versions of major distros.

    Reminds me of a local woman who said "We must have a town-wide neighborhood watch, because there's a child sexual predator on every block." In the several years since she raised that hysteria, there's been exactly one serious case in town: one of her best friends had his extensive child porn collection found by the police. He hired the state's most expensive lawyers and got off with probation. She's still his best friend.

    Back to the topic. The article mentions telnet. Is there a single current distro that comes with telnetd enabled? Let's help the sloppy author. Has anyone here installed any current distro and found "open ports and unpatched vulnerabilities"?
  • Hardened? Hardly. (Score:4, Informative)

    by slummy (887268) <shawnuthNO@SPAMgmail.com> on Sunday August 12, 2007 @10:13AM (#20203085) Homepage
    This article makes no mention of grsecurity [grsecurity.net]. Surely closing off unused services and patching vulnerabilities can certainly prevent a penetration, but what happens if a penetration is successful? grsecurity is the answer.
  • I bet that 99% of Linux users are behind a NAT router (because as IT geeks they have tons of networked gear and a private network). The remaining 1% with a public IP directly on their Linux box probably know what they are doing. And don't give me the "what if there is port forwarding rules on the router" argument. If the user has port forwarding rules then he/she also knowledgeable enough to secure the target Linux box. I know a lot of IT geeks (being one myself) and I seriously don't know ANY IT geek who
    • My laptop is the NAT router, you insensitive clod! :)
  • by kwabbles (259554) on Sunday August 12, 2007 @10:32AM (#20203195)
    Can you tell us the story about how you came to write this article?

    Here's how I'm picturing it:

    (editor) Mr. Williams, we need a techie article on Linux.
    (mr. williams) Okay... I haven't touched linux since I played around with my RedHat 7.2 box 3 years ago.
    (editor) Do you still have it?
    (mr. williams) Yes, what would you like me to write about it?
    (editor) Write something up on securing its "holes and vulnerabilities", and we'll sensationalize it a bit by making it look like Linux is insecure out of the box.
    (mr. williams) I don't know how to do that.
    (editor) Find something on google. Try it on your RedHat machine.
    (mr. williams) I'm going to look really stupid.
    (editor) You're a journalist.
  • by bl8n8r (649187) on Sunday August 12, 2007 @10:43AM (#20203253)
    Seems to me the article is just pimping bastille Linux. Years and years ago, most distros did indeed ship with some pretty crack-worthy options enabled by default. It took a small amount of prodding by the community, but most distros, these days, lean towards a default disable policy:

    - [KU]buntu
        All services off by default. netfilter rules are default allow however, but there is
        nothing to connect to.

    - Fedora/RHEL/CentOS
        Choose during install what services you want enabled/open/firewalled.
        SELinux enabled by default.

    - Knoppix 5.1.1
        Only Port 68 for dhcp client listener. /etc/hosts.deny ALL:PARANOID

    - Mandriva 2007 Bootable CD
        Port 6000 is all that's open (X server. Ok this is dumb, why?)

    Other distros follow similar suit. You can find out what's running on your linux box with:
      - netstat -tuna (all tcp/udp sockets, don't resolve names, all listening/non-listening sockets)
      - locate iptables; sudo iptables -nvL (show iptables chains for netfilter)

    Chances are, if you've not mucked around with the default services things are pretty tight.
    TFA is a bit inaccurate for linux systems these days.

    • by sootman (158191)
      > Mandriva 2007 Bootable CD
      > Port 6000 is all that's open (X server. Ok this is dumb, why?)

      Well, if it's a bootable CD, maybe the idea is you boot to it, and then do a remote X session to it? With no HD in the box, there would be no risk to your data.
  • newbie article (Score:3, Interesting)

    by NynexNinja (379583) on Sunday August 12, 2007 @10:52AM (#20203321)
    The obvious problem with this article is they mention using "Bastille" and forget to mention grsec [grsecurity.net]. I don't really care about Bastille, but I do care about using grsec. Just because you turn off some services doesn't mean someone is not going to pop an xterm off your apache web server from some random cgi vulnerability... At least when someone compromises your web server in this way (which is probably how most linux web servers get compromised these days anyway), the attacker won't be able to do anything besides navigate the directory tree maybe. The attacker won't be able to view processes that are outside their own uid. The attacker won't be able to execute binaries outside of the standard bin directories (so custom scripts/binaries won't execute), and stack overflows do not allow execution of arbitrary code.. It's not a very fun environment to work in, most attackers will just look around and exit when confined to this type of environment...
  • Uh oh..
  • Almost all script kiddies work off the same theory: find an application that has not been updated, and which has a security vulnerability (un-updated versions of Wordpress or AWStats are always favourites), use this to run wget to pull a script, rootkit, etc. onto the server, then "break" the machine and use it as a spambot.

    The simplest way, then, to prevent script kiddies from compromising your system is to only allow access to wget through sudo! Simply chmod it.

    Now, this is no excuse not to ensure every
    • by Ant P. (974313)
      It'd be safer to just have an execute-permission whitelist for the httpd user.
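An added example of the execute-permission whitelist idea in the thread above (my own script, not code from Ant P. or anyone else here): every binary in a directory that is not on the whitelist loses its others-execute bit, so an unprivileged account such as the web server's user (assumed not to own the files or share their group) can no longer run it. It is demonstrated on a scratch directory; the real target would be something like /usr/bin (an assumption about your distro), where it needs root.

```shell
#!/bin/sh
# Added example: apply an "execute whitelist" to a directory of binaries.
# Files not named in the whitelist get chmod o-x, so a compromised
# non-owner, non-group account (e.g. the httpd user) cannot run them.

# other_can_exec FILE: exit 0 if the "other" execute bit is set, else 1
other_can_exec() {
    # column 10 of `ls -ld` is the others-execute flag: x, t or -
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# apply_exec_whitelist DIR "name1 name2 ...": strip o+x from every regular
# file in DIR that is not whitelisted; prints each changed name on its own line
apply_exec_whitelist() {
    dir=$1
    allow=" $2 "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$allow" in
            *" $name "*) continue ;;   # whitelisted: leave it alone
        esac
        if other_can_exec "$f"; then
            chmod o-x "$f" && echo "$name"
        fi
    done
}

# demo on a constructed scratch directory so it is safe to run anywhere;
# only "ls" stays executable by others, "wget" and "curl" are locked down
demo() {
    d=$(mktemp -d)
    for n in ls wget curl; do : > "$d/$n"; chmod 755 "$d/$n"; done
    echo "locked down:"
    apply_exec_whitelist "$d" "ls"
    rm -rf "$d"
}

demo
```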
  • by Santana (103744) on Sunday August 12, 2007 @12:34PM (#20204051) Homepage
    1. Insert OpenBSD CD
    2. Reboot
    3. Follow the instructions on screen
  • Services run from inetd/xinetd have their port and interface bindings managed externally, and since UNIX systems have run multihomed almost from the start, there are few if any daemons that can't be run bound to localhost, so if you have to run a local webserver for some purpose it can be unconditionally protected from remote exploits simply by running it on localhost... so as far as an attacker is concerned it doesn't exist.
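Several posts above check exposure with `netstat -tupa` / `-apvtu` / `-tuna`, and the comment just above notes that a daemon bound to localhost is invisible from the network. As an added example (my own script, not from any commenter), this filter reads `netstat -tuna` style output and keeps only the sockets another host could reach: TCP sockets in LISTEN and bound UDP sockets whose local address is not 127.0.0.1 or ::1. The sample input is constructed.

```shell
#!/bin/sh
# Added example: list remotely reachable sockets from `netstat -tuna` output.
# Loopback-bound services (127.0.0.1 / ::1) are dropped, since only other
# processes on the same host can talk to them.

# exposed_listeners: netstat output on stdin -> "proto local_address" lines
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }              # skip banner and header rows
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # TCP: listening sockets only
        {
            addr = $4
            sub(/:[0-9]+$/, "", addr)            # drop the port, keep the host
            if (addr == "127.0.0.1" || addr == "::1") next
            print $1, $4
        }'
}

# sample_netstat: constructed sample of `netstat -tuna` output for the demo
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
EOF
}

# on a live box:  netstat -tuna | exposed_listeners
# on the sample this prints sshd on all addresses, the IPv6 web server
# and the DHCP client; mysql on 127.0.0.1 and cups on ::1 are filtered out
sample_netstat | exposed_listeners
```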
  • by Britz (170620) on Sunday August 12, 2007 @03:26PM (#20205231) Homepage
    I would install a Debian server using the minimum install cds and then apt-getting just the services I need from the mirrors (which should have current patches). I mean, if it is going to be a server it should have a somewhat fast internet connection, right?
  • Use nmap? (Score:3, Insightful)

    by verbatim_verbose (411803) on Sunday August 12, 2007 @03:39PM (#20205315)
    Why do "security experts" like these folks always suggest using nmap to determine what services you are running? Have these folks never heard of netstat?
    • Because you can't trust the machine you're auditing if it has been compromised.
