Hardening Linux
Hardening an OS is a task that can never be finished. We will try to provide here a couple of important directions and hints that can in general be used for any UNIX-like operating system. (well, hopefully)
Note however that we cannot be held responsible for any problems or serious damage your system may suffer in following these hints.
The following text tends to be rather paranoid and you'll find a lot of the hints simply too much. Consider yourself disclaimed.
Distribution
Choosing the right distribution is the first step in securing your server. Either use a normal desktop-centric distro and go through all the steps manually, or start with a security-enhanced package.
I recommend starting with osix.org.
Services
- Check your inetd.conf. Eliminate any service you do not need.
- Use tcp-wrappers for services that do not bring their own access control mechanisms.
- Run netstat -an and check the output. This will give you hints about tcp/udp daemons that do not get started via inetd but by startup scripts (e.g. in /etc/rc.d...).
- Run lsof (list of open files) and go through its output.
Remote Access
- Kill telnet! (Run a fake daemon instead that logs every telnet attempt to your machine.)
- Use ssh with strong encryption and RSA-based authentication.
- Use IPSec for encrypted tunnels to hosts and networks.
Webserver
- Use SSL (https) for administration pages.
- Change the ID line of your server (e.g. "HTTP-Deamon/1.34").
- Check your robots.txt file. Does it provide information to outsiders that can be abused?
- Change all suffixes of cgi-scripts or any other server scripts to something unsuspicious. (This needs changes in your webserver's configuration files.)
- Do not use hidden fields in forms to store important information about prices/sessions/etc.
- Do sanity checks on input provided by the user (e.g. form values).
- chroot the webserver.
DNS
- Use a recent version of bind.
- Prevent zone transfers to unauthorized hosts.
- chroot your dns server.
- Do not use the HINFO fields.
Mailserver
- Do not use sendmail unless you must... (use qmail or postfix instead).
- Take measures against spammers (prevent unauthorized relaying).
- Consider using a simple SMTP daemon on your firewall that acts as your mail gateway and relays to your internal mailserver, if the rules allow it.
- chroot your mailserver.
FTP
- Do not use ftp, use scp instead.
- Never allow a regular user to log in with ftp; only allow anonymous ftp, if you must run ftp at all.
- chroot your ftp server.
Filesystem
- Do not allow more suid programs than you really need (search for them with find!).
- Check your PATH environment variable: no "."!!
- Run a tool like tripwire (with an offline database, of course) to detect altered binaries that may contain trojan horses. (Also check important configuration files, e.g. sshd.conf, on a regular basis.)
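As an added example for the suid check above (this script is not from the original article), the following POSIX sh functions list every setuid/setgid file below a directory and report the ones missing from a known-good baseline, so a newly appeared suid binary stands out between tripwire runs. It assumes find(1), sort(1) and grep(1); the baseline file path and format (one path per line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: find setuid/setgid
# executables below a directory and compare them with a baseline.
# Assumes POSIX sh with find(1), sort(1) and grep(1). The baseline file
# (one absolute path per line) is an assumption: generate it once from a
# trusted state, e.g.  list_suid / > /root/suid.baseline
# and keep a copy offline, like the tripwire database.

# Print every setuid or setgid regular file below $1, one per line,
# sorted so the output is stable across runs. Other filesystems are
# not descended into and permission errors are silenced.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | sort
}

# Compare the current suid list below directory $1 with baseline file $2.
# Prints each path that is suid now but not listed in the baseline.
# Returns 0 when nothing new is found, 1 when at least one path is new.
check_suid_against_baseline() {
    # grep -v -x -F -f: drop lines that exactly equal a baseline line;
    # "|| true" keeps a "no new files" grep result from aborting under set -e
    new=$(list_suid "$1" | grep -v -x -F -f "$2" || true)
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Typical cron usage (paths are assumptions):
#   check_suid_against_baseline / /root/suid.baseline \
#       || logger -p auth.warning "new suid/sgid files found"
```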
Security Scanner
Regularly run a security scanner, e.g. nessus.