Firming Linux

From KdjWiki



I'm no hardcore network or Linux administrator, so I can't really speak on best practices for hardening Linux, but here are a few tips that may or may not be simply common sense.

For security-minded development, try the Secure Development page.


Contents

System

/etc

/tmp

Network

iptables

Services

My general philosophy regarding service security is two-fold:

  • Disable all non-required services
  • Secure all logins/defaults

Obviously this cannot always be achieved, and a pragmatic approach should be taken when evaluating what to change.

Find Listening Services

You can use netstat to see what services are currently running and listening for network connections (-l listening sockets only, -n numeric addresses, -p owning PID/program, -t/-u/-w TCP, UDP and raw sockets):

  $ sudo netstat -l -n -p -t -u -w

You should see something such as:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2020            0.0.0.0:*               LISTEN      8954/sshd
tcp        0      0 0.0.0.0:8060            0.0.0.0:*               LISTEN      14957/mysqld
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      8854/smbd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      14985/apache2
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      8904/(squid)
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      17290/proftpd: (acc
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      14985/apache2
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           8904/(squid)

This tells you two things: none of the services are bound to a specific network interface/IP address (note the 0.0.0.0 local address, which means they accept connections on every interface), and which ports and program names are currently listening (e.g. sshd is listening on port 2020).

The UDP entries can probably be ignored, though it is worth knowing which program owns each one.

If you see any entries here you don't need (or don't recognise), you should investigate further and consider stopping the service if it is unnecessary.


Alternatively, if you have nmap you can use that to find out what is running on all machines on your network (-P0 skips the ping check, -O attempts OS detection):

  $ sudo nmap -P0 -O 192.168.1.20

or

  $ sudo nmap -P0 -O 192.168.1.0/24

may give you something like:

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-03 17:58 EST
Interesting ports on test.server.com (192.168.1.20):
(The 1665 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
8060/tcp open  mysql
8080/tcp open  http-proxy
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10

Nmap finished: 1 IP address (1 host up) scanned in 3.000 seconds

This is interesting because it didn't find the SSH server running on port 2020: by default nmap only scans its list of commonly used ports (the 1672 referred to above), so a service on a non-standard port can be missed unless you scan every port with -p-.

SSH

Defaults to be modified for SSH are:

  • Port
  • Protocol
  • Allowed users

SSH is configured via the file /etc/ssh/sshd_config.

The changes I make are:

#Port 22
Port 2020

#Protocol 2,1
Protocol 2

#PermitRootLogin yes

# space delimit valid logins (if applicable)
AllowUsers user1 user2

If you have multiple network cards/IP addresses and SSH should only be available on a single interface, you should set this by updating the ListenAddress:

#ListenAddress 0.0.0.0
ListenAddress 192.168.1.20

Don't forget to restart the SSH server to include your changes:

  $ sudo /etc/init.d/sshd restart
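As an added example (not from this wiki page), here is a small POSIX shell audit that reads an sshd_config and reports whether the changes above (Port, Protocol, AllowUsers, ListenAddress) are actually in effect. It assumes the config has no Match blocks and uses the old sshd defaults for any keyword that is absent; the sample config it reads is constructed inline.

```shell
#!/bin/sh
# Audit an sshd_config for the settings this page changes. sshd uses the
# FIRST uncommented occurrence of a keyword, so a stray "Port 22" placed
# above "Port 2020" silently wins; the parser mimics that rule.
# Assumption: no Match blocks (those would scope the keywords after them).
# sshd_first_value FILE KEYWORD -> prints the effective value, or nothing
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }              # skip comments
        NF == 0 { next }                 # skip blank lines
        tolower($1) == tolower(key) {    # keywords are case-insensitive
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# sshd_audit FILE -> one OK/WARN line per check; when a keyword is absent
# the old sshd defaults are assumed (Port 22, Protocol 2,1, all interfaces)
sshd_audit() {
    f="$1"
    port=$(sshd_first_value "$f" Port)
    case "${port:-22}" in
        22) echo "WARN Port: default 22" ;;
        *)  echo "OK   Port: $port" ;;
    esac
    proto=$(sshd_first_value "$f" Protocol)
    if [ "${proto:-2,1}" = "2" ]; then echo "OK   Protocol: 2"
    else echo "WARN Protocol: ${proto:-2,1} (SSH1 still allowed)"; fi
    users=$(sshd_first_value "$f" AllowUsers)
    if [ -n "$users" ]; then echo "OK   AllowUsers: $users"
    else echo "WARN AllowUsers: unset (any account may log in)"; fi
    listen=$(sshd_first_value "$f" ListenAddress)
    case "${listen:-0.0.0.0}" in
        0.0.0.0|::) echo "WARN ListenAddress: all interfaces" ;;
        *)          echo "OK   ListenAddress: $listen" ;;
    esac
}
# sshd_warn_count FILE -> number of WARN lines (0 when fully hardened)
sshd_warn_count() { sshd_audit "$1" | grep -c '^WARN' || true; }

# Constructed sample in the shape of this page's edited config (not a real host).
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
#Port 22
Port 2020
#Protocol 2,1
Protocol 2
AllowUsers user1 user2
EOF
sshd_audit "$SAMPLE_CFG"   # expect three OK lines and one ListenAddress warning
```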


Apache

MySQL

PHP
