Hardening Linux (204 comments)

davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."
  • How To in summary... (Score:5, Informative)

    by IBBoard ( 1128019 ) on Sunday August 12, 2007 @10:37AM (#20202849) Homepage
    For those not wanting to read the article, that "basic how to" is:

    1) Disable unwanted services (done via the CLI in this day of GUIs)
    2) Keep the OS patched
    3) Install and run Bastille to do everything else for you.
  • by Anonymous Coward on Sunday August 12, 2007 @10:47AM (#20202925)
    The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

    Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.

    The article isn't very useful or accurate.
  • Re:Huh? (Score:5, Informative)

    by Zocalo ( 252965 ) on Sunday August 12, 2007 @10:54AM (#20202969) Homepage
    As root, run the following command:

    netstat -plutn
    That will list all the listening services on a Linux box, complete with the program/PID that is associated with it. It's faster than just running something like NMAP, plus it will identify whether a program is binding to a specific external IP, a loopback IP and so on, not all of which an external port scanner is going to be able to report on.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday August 12, 2007 @10:57AM (#20202989)

    > I'm running Ubuntu, and I was under the impression that the default installation doesn't leave any ports open.

    That is correct. By default, they are all closed.

    But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.

    As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.

    xxxxxx@xxxxxxx:~$ sudo nmap -p0-65535 10.31.198.130

    Starting Nmap 4.20 ( http://insecure.org/ [insecure.org] ) at 2007-08-12 07:54 PDT
    All 65536 scanned ports on 10.31.198.130 are closed
    MAC Address: 00:11:D8:E1:9F:A9 (Asustek Computer)

    Nmap finished: 1 IP address (1 host up) scanned in 16.486 seconds

    That's without a firewall.
  • by Anonymous Coward on Sunday August 12, 2007 @11:11AM (#20203077)
    It doesn't *have* to be done via CLI, gedit would accomplish the same task - graphically. It's just - proper computer techies ( you know, not those who need a wizard to admin things for them ) use a command line because it's either faster, and/or scriptable for them to do so. It's also not taxing on bandwidth should you want to remote in and do something - unlike a graphical app.
  • Hardened? Hardly. (Score:4, Informative)

    by slummy ( 887268 ) <shawnuthNO@SPAMgmail.com> on Sunday August 12, 2007 @11:13AM (#20203085) Homepage
    This article makes no mention of grsecurity [grsecurity.net]. Surely closing off unused services and patching vulnerabilities can certainly prevent a penetration, but what happens if a penetration is successful? grsecurity is the answer.
  • by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Sunday August 12, 2007 @11:18AM (#20203113) Journal
    > I'm always looking for new references of how to do things, either for myself or people I have been trying to convert to Linux.

    Don't read TFA then. The advice it gives is barely relevant to any distro released in the past decade.

  • by bl8n8r ( 649187 ) on Sunday August 12, 2007 @11:43AM (#20203253)
    Seems to me the article is just pimping bastille Linux. Years and years ago, most distros did indeed ship with some pretty crack-worthy options enabled by default. It took a small amount of prodding by the community, but most distros, these days, lean towards a default disable policy:

    - [KU]buntu
        All services off by default. netfilter rules are default allow however, but there is
        nothing to connect to.

    - Fedora/RHEL/CentOS
        Choose during install what services you want enabled/open/firewalled.
        SELinux enabled by default.

    - Knoppix 5.1.1
        Only Port 68 for dhcp client listener. /etc/hosts.deny ALL:PARANOID

    - Mandriva 2007 Bootable CD
        Port 6000 is all that's open (X server. Ok this is dumb, why?)

    Other distros follow similar suit. You can find out what's running on your linux box with:
      - netstat -tuna (all tcp/udp sockets, don't resolve names, all listening/non-listening sockets)
      - locate iptables; sudo iptables -nvL (show iptables chains for netfilter)

    Chances are, if you've not mucked around with the default services things are pretty tight.
    TFA is a bit inaccurate for linux systems these days.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday August 12, 2007 @02:04PM (#20204261)

    > Running nmap on those two IP addresses yields different results.

    Maybe it does. Maybe it does not. But that is immaterial. This is about what an attacker would see. Not what your machine can see from itself.

    It is possible to set up a system that allows access to those services from eth0 & localhost, but not from any other addresses.

    You are not concerned about what you can see from your machine. You are concerned about what an attacker can see. They are NOT the same.

    > The latter will show exactly what an attacker would see.

    NO it will NOT.

    Your statement is only accurate for the condition in which NO ports are open. That is a single scenario and does NOT account for the various possibilities. Therefore the ONLY way to know what an attacker would see is to scan the way the attacker would.

    > When a service is bound to an IP on a machine, it has a choice of which IP to bind to. Services accessible by the connection on her eth0 network device (or any other device, for that matter) can be viewed by nmapping the network IP associated with that device.

    No. Again, the system can be set up so that the ports are visible from localhost and eth0. The only way to know EXACTLY what the attacker can see (other than in the specific scenario of all ports being closed) is to scan the way the attacker would.

    > If her cable modem filtered traffic or ports, the list given by nmap would still be accurate, as any filtered ports would come back either as filtered or closed.

    No, the list given by nmap would not be accurate. Because the list given by nmap would show ports open (and therefore vulnerable) when there would be no way for an attacker to see those ports.

    Again, the only time your statement would be accurate is the single case of all ports being closed.

    > If you run it on the IP of the interface an attacker will access, you will see what the attacker sees.

    I've given multiple, specific examples where such would not be the case. I've shown where your statement is correct ONLY FOR A SINGLE SCENARIO where all the ports are closed.

    > As such, going to a different machine is still superfluous. You're giving misinformation by trying to say it's not.

    Again, I've provided specific examples that illustrate where the information gained by scanning from an attacker's position would be different than scanning from the machine itself.

    You can claim that such is impossible all you want.

    But the facts contradict you.

    You are taking a single case and claiming that it is the same for ALL the possible configurations. It is not. The only way to know what an attacker will see is to perform the scan as an attacker would.
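    Putting Zocalo's `netstat -plutn` tip together with khasim's point about bind addresses, here is an added example (not code from any poster): it parses constructed netstat output, classifies each listener by the address it is bound to, and compares the full local list with what a scanner reaching one particular interface IP could see. The sample rows, programs and interface addresses are all made up for illustration.

    ```python
    import ipaddress

    # Constructed sample of `netstat -plutn` output; not captured from a real host.
    SAMPLE_NETSTAT = """\
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
    tcp        0      0 192.168.1.10:3306       0.0.0.0:*               LISTEN      2048/mysqld
    tcp6       0      0 :::80                   :::*                    LISTEN      3011/apache2
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           742/dhclient
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           801/named
    """

    def parse_listeners(text):
        """Return one dict per socket row: proto, bind address, port, program."""
        out = []
        for line in text.splitlines():
            f = line.split()
            if not f or not f[0].startswith(("tcp", "udp")):
                continue  # skip banner and header lines
            # UDP rows have no State column, so the program is always the last field.
            addr, port = f[3].rsplit(":", 1)  # ':::80' -> ('::', '80')
            out.append({"proto": f[0], "addr": addr, "port": int(port), "prog": f[-1]})
        return out

    def exposure(addr):
        """Classify a bind address as 'any' (wildcard), 'loopback' or 'specific'."""
        if addr in ("0.0.0.0", "::"):
            return "any"
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"

    def local_view(listeners):
        """Every listening port, as a scan from the box itself would report."""
        return sorted(l["port"] for l in listeners)

    def visible_from(listeners, target_ip):
        """Ports reachable by a scanner whose packets arrive at target_ip."""
        return sorted(l["port"] for l in listeners
                      if exposure(l["addr"]) == "any" or l["addr"] == target_ip)

    if __name__ == "__main__":
        ls = parse_listeners(SAMPLE_NETSTAT)
        print("scan from localhost sees:", local_view(ls))
        print("scan hitting 192.168.1.10 sees:", visible_from(ls, "192.168.1.10"))
        print("scan hitting 10.0.0.5 (another NIC) sees:", visible_from(ls, "10.0.0.5"))
    ```

    The loopback-only cupsd and named sockets never appear in either external view, and mysqld shows up only when the scan arrives on the one address it is bound to.
    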
  • by TheRaven64 ( 641858 ) on Sunday August 12, 2007 @02:45PM (#20204519) Journal
    Running inetd (and xinetd, for those who love breaking backwards compatibility for little gain) is not just about not running services all the time, it's also about:
    • Simplifying development of TCP services by allowing them to communicate via stdio.
    • Automatically forking instances of the service for each client.
    UNIX is all about small programs doing one thing, and doing it well. Something like inetd does a few things that are needed by pretty much all server-type programs, and separating them out makes the remaining code simpler, which reduces bugs (and, hence, security holes), as well as overheads.