Basic linux security

You either have a need to install linux or were just interested in doing so. Either way, linux is now installed and you'd like to connect your computer to the internet. Being a responsible network citizen, you'd like to be sure that your computer is configured to make a minimum negative impact on the network. In this page, I will outline some simple steps that you can take that will make your computer (and your data and your reputation) relatively safe from the big, bad internet.

Assumptions on my part:

  1. You are the system administrator (possess the password for the root account)
  2. You are running a distribution based on RedHat 6.2 or 7.0
  3. You are going to connect your computer to the internet


Parts left out can't break (or maybe they can, but who can tell?)

Many distributions of linux offer lots of network services by default. Rather than starting from this relatively insecure stance, we will turn all network services off until we need them.

Linux distributions based upon RedHat 6/7 have the configuration utility /sbin/chkconfig that can be used to see and to set what programs are started at system boot time. Here is an example:

[morris@goes ~]$ /sbin/chkconfig --list
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:off   4:on    5:off   6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:off   2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:on    2:on    3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
linuxconf       0:off   1:off   2:on    3:off   4:off   5:off   6:off
lpd             0:off   1:off   2:on    3:off   4:off   5:off   6:off
inet            0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off
postgresql      0:off   1:off   2:off   3:off   4:off   5:off   6:off
xfs             0:off   1:off   2:on    3:off   4:off   5:off   6:off
routed          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rusersd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:off   3:off   4:off   5:on    6:off
fwall           0:off   1:off   2:off   3:off   4:off   5:off   6:off
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipchains        0:off   1:off   2:off   3:on    4:on    5:on    6:off
kdcrotate       0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off
identd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
[morris@goes ~]$

The left-hand column is the name of the boot-time service, while the numbered columns are the run levels, and off/on indicates the state of the service at that run level. For example, in the case above the service ipchains is on at run levels 3, 4, and 5, while the service sendmail is off at all run levels. Since our initial configuration will have every network service turned off, we will run chkconfig and turn off each of the services given in the list below. An example command is given after the list. Note that after all of these services are turned off, you must reboot the computer for the changes to take effect. Also, you may not see all of these services, and some may already be turned off. Don't worry about this; it is only necessary to use chkconfig to turn off the services that your computer lists as being on and that appear on the following list:

For example, to turn off identd:

[root@goes morris]# /sbin/chkconfig identd off

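Checking the listing by eye works for one host, but it is easy to miss a service that is on at only one run level. The following POSIX shell script is an added example, not part of the original page: it reads `chkconfig --list` output on standard input, reports every service that is on at run levels 3, 4 or 5 (the multi-user run levels a RedHat host normally boots into), and then prints the chkconfig commands that would turn off everything except a "keep" list you name. The keep list is my inversion of the page's turn-off list (keep what you need, disable the rest); the sample listing embedded in the script is constructed and is not the output of any real host.

```sh
#!/bin/sh
# Added example: audit `chkconfig --list` output for services that start at boot.
# Not from the original page; the sample listing below is constructed.

# Constructed sample in the format of `chkconfig --list`. The last two lines show the
# "xinetd based services:" block that RedHat 7 prints, which the audit must ignore.
SAMPLE_CHKCONFIG_LIST='httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:off   3:off   4:off   5:on    6:off
xinetd based services:
        telnet: off'

# Print the name of every service that is "on" at any of the run levels given as
# arguments (default: 3 4 5). Reads `chkconfig --list` output on stdin.
audit_boot_services() {
    awk -v levels="${*:-3 4 5}" '
        BEGIN { n = split(levels, want, " ") }
        NF >= 8 {                          # a service line: name plus seven "N:state" fields
            for (i = 2; i <= NF; i++) {
                split($i, f, ":")          # f[1] = run level, f[2] = on/off
                for (j = 1; j <= n; j++) {
                    if (f[1] == want[j] && f[2] == "on") { print $1; next }
                }
            }
        }'
}

# Given the names of services you intend to keep, print the chkconfig commands that
# would disable every other service name read on stdin (normally the output of
# audit_boot_services). Nothing is executed; review the commands, then run them as root.
disable_all_but() {
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        !($1 in want) { print "/sbin/chkconfig " $1 " off" }'
}

# Demonstration on the constructed sample. On a real host the pipeline is:
#   /sbin/chkconfig --list | audit_boot_services | disable_all_but network syslog ipchains sshd
printf '%s\n' "$SAMPLE_CHKCONFIG_LIST" | audit_boot_services | disable_all_but network syslog ipchains sshd
```

On the sample this prints the commands to turn off lpd and portmap; sendmail is not reported because it is on only at run level 2, which you can check separately with `audit_boot_services 2`. After the reboot the page calls for, run the audit again to confirm that only the keep list remains.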
Paranoia is good, so let's firewall anyway

We've turned off all network services, so why should we install a firewall? Isn't this kind of paranoid? Well, yes, but it's pretty common to have two lines of defense, just in case of a later misconfiguration. Network security is one of those fields where a little paranoia can be a good investment.

To turn on a firewall on a RedHat 6/7 host:

  1. Turn on the ipchains service: /sbin/chkconfig ipchains on
  2. Copy the following to /etc/sysconfig/ipchains
  3. Reboot

[morris@goes ~]$ cat /etc/sysconfig/ipchains
:input DENY
:forward DENY
:output ACCEPT
-A input -s 127.0.0.1/255.255.255.255 -d 127.0.0.1/255.255.255.255 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 67:67 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 68:68 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 1 -j ACCEPT

A brief description of the above IPChains rules:

:input DENY
:forward DENY
:output ACCEPT

Set the default policies to DENY (block) for inbound and forwarded packets, and ACCEPT (pass) for outbound packets.

-A input -s 127.0.0.1/255.255.255.255 -d 127.0.0.1/255.255.255.255 -i lo -j ACCEPT

Allow inbound packets from the loopback address on the loopback interface.

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT ! -y

Allow inbound TCP packets that belong to established connections (everything except the SYN packets that open a new connection).

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT

Allow inbound packets on the well-known port for SSH (the secure shell).

-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT

Allow inbound UDP packets from the well-known DNS source port.

-A input -s 0.0.0.0/0.0.0.0 67:67 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 68:68 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT

Allow inbound UDP packets from the well-known BOOTP (client/server) ports.

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 1 -j ACCEPT

Allow inbound ICMP.

FTP does not work!

FTP is a bizarre protocol. It has active and passive modes, and if you have a choice, you should choose passive. If you don't have a choice, you will have to add a "hole" to the firewall to enable active FTP to work (in active mode the server opens the data connection back to you from its port 20, and the default DENY input policy above blocks that). Here are the two lines to add to your firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 1024:5999 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 6010: -p 6 -j ACCEPT
As before, you will have to restart. You should also note that this is a pretty significant reduction in your firewall's security. On the other hand, you are still much better off than if you had no firewall whatsoever.
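The rule-by-rule description above is what you want to be able to produce for any change to the file, including the two FTP lines. The following POSIX shell script is an added example, not part of the original page: summarise_ipchains reads rules in the format /etc/sysconfig/ipchains uses (the output of ipchains-save) and prints one plain-English line per policy and per rule, and wide_open_rules lists the ACCEPT rules that deliver packets to any local port. It only parses the options the page's file uses (-s, -d with an optional port or port range, -i, -p, -j and "! -y"); the sample input is the page's own rule set plus its two active-FTP lines. The second function makes a property of the page's file visible: the DNS and BOOTP rules match on the source port only, so they admit UDP from that source port to every local UDP port. With no services listening that is harmless, which is exactly why the page turns services off before adding the firewall rather than relying on one line of defence.

```sh
#!/bin/sh
# Added example: summarise ipchains rules in /etc/sysconfig/ipchains (ipchains-save)
# format and flag the ACCEPT rules that reach any local port. Not from the original page.

# Sample input: the page's base rule set plus its two active-FTP lines.
SAMPLE_IPCHAINS=':input DENY
:forward DENY
:output ACCEPT
-A input -s 127.0.0.1/255.255.255.255 -d 127.0.0.1/255.255.255.255 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 67:67 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 68:68 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 1024:5999 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 6010: -p 6 -j ACCEPT'

# Read rules on stdin; print one line per policy (":chain POLICY") and per rule
# ("-A chain ... -j TARGET"). Options parsed: -s/-d (address/mask plus an optional
# port or port range), -i, -p, -j and "! -y"; anything else is ignored.
summarise_ipchains() {
    awk '
        function proto_name(p) {
            if (p == "6") return "tcp"
            if (p == "17") return "udp"
            if (p == "1") return "icmp"
            return p
        }
        # 0.0.0.0/0.0.0.0 means any address; "22:22" collapses to "22"; "6010:" is
        # kept as written (6010 and above); no port at all means any port.
        function endpoint(addr, port,    parts) {
            if (addr == "" || addr == "0.0.0.0/0.0.0.0") addr = "any"
            if (port == "") port = "any"
            else if (split(port, parts, ":") == 2 && parts[1] == parts[2]) port = parts[1]
            return addr " port " port
        }
        /^:/ { print "policy " substr($1, 2) " " $2; next }
        $1 == "-A" {
            chain = $2; target = "?"; proto = "all"; iface = "any"; note = ""
            saddr = ""; sport = ""; daddr = ""; dport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") {
                    saddr = $(++i)
                    if (i < NF && $(i + 1) !~ /^[-!]/) { sport = $(++i) }
                } else if ($i == "-d") {
                    daddr = $(++i)
                    if (i < NF && $(i + 1) !~ /^[-!]/) { dport = $(++i) }
                } else if ($i == "-i") { iface = $(++i) }
                else if ($i == "-p") { proto = proto_name($(++i)) }
                else if ($i == "-j") { target = $(++i) }
                else if ($i == "!" && $(i + 1) == "-y") { note = " (no SYN: established connections only)"; i++ }
            }
            print chain " " target " " proto " in " iface " from " endpoint(saddr, sport) " to " endpoint(daddr, dport) note
        }'
}

# ACCEPT rules that deliver tcp, udp or any protocol to any address and any local port
# without the established-only qualifier. Each such rule admits a packet to every port
# the host listens on, so these are the ones to re-read after every change.
wide_open_rules() {
    summarise_ipchains | grep -E '^[a-z]+ ACCEPT (tcp|udp|all) ' | grep ' to any port any$'
}

# Demonstration on the sample. On a real host: summarise_ipchains < /etc/sysconfig/ipchains
printf '%s\n' "$SAMPLE_IPCHAINS" | summarise_ipchains
echo "--- ACCEPT rules that reach any local port ---"
printf '%s\n' "$SAMPLE_IPCHAINS" | wide_open_rules
```

On the sample the second list contains exactly the three source-port rules (53, 67 and 68); the SSH rule is limited to port 22, the established-connections rule carries the "no SYN" note, and the FTP lines are limited to the two destination port ranges, so none of those appear.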

Turning services on

Now it's time to offer selected services to the internet. For each of these services, we will need to:

Turn on web service (httpd)

Run the following command to turn the service on:

/sbin/chkconfig httpd on

Add to the firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -i eth0 -p 6 -j ACCEPT

Turn on ftp service (inet)

Run the following command to turn the service (inet) on:

/sbin/chkconfig inet on

Add to the firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -i eth0 -p 6 -j ACCEPT

Edit the service configuration file, /etc/inetd.conf. All lines should be commented out (the first character in the line should be #) except the line that begins with ftp. Note that a commented-out (disabled) telnet service line is included to illustrate how to comment out ALL of the services besides ftp.

ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

Turn on pop service (inet)

Run the following command to turn the service (inet) on:

/sbin/chkconfig inet on

Add to the firewall configuration (/etc/sysconfig/ipchains):

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -i eth0 -p 6 -j ACCEPT

Edit the service configuration file, /etc/inetd.conf. All lines should be commented out (the first character in the line should be #) except the line that begins with pop-3. Note that commented-out (disabled) pop-2 and imap service lines are included for illustration.

#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd

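The /etc/inetd.conf edits in the ftp and pop sections above are easy to get wrong by hand (one forgotten line leaves a service exposed), so here is the same edit as a script. It is an added example and not part of the original page: inetd_active lists the services a given inetd.conf would offer, which is the check to run before and after, and inetd_disable_all_but rewrites the file so that every service except the names you pass is commented out, leaving already-commented and blank lines untouched so it can be run repeatedly. The sample file is constructed from the page's own ftp, telnet, pop-2, pop-3 and imap lines plus two lines of my own.

```sh
#!/bin/sh
# Added example: comment out every inetd service except the ones you name, and list
# what a file offers. Not from the original page; the sample file is constructed.

SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd

pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# Print the service name (first field) of every line inetd would act on:
# everything that is not blank and not a comment.
inetd_active() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }'
}

# Rewrite an inetd.conf read on stdin so that only the services named as arguments
# stay enabled. Comment and blank lines pass through unchanged, enabled lines for
# kept services pass through unchanged, and every other service line gets a leading #.
inetd_disable_all_but() {
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in want)             { print; next }
                                 { print "#" $0 }'
}

# Demonstration on the sample: keep ftp and pop-3, as the two sections above do.
# On a real host: inetd_disable_all_but ftp pop-3 < /etc/inetd.conf > /tmp/inetd.conf.new
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_disable_all_but ftp pop-3
echo "--- services still offered ---"
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_disable_all_but ftp pop-3 | inetd_active
```

Write the result to a temporary file, compare it with the original, and only then copy it over /etc/inetd.conf. inetd reads the file at start-up, so the change takes effect at the reboot the page calls for (or when inetd is sent a SIGHUP); pipe the installed file through inetd_active afterwards to confirm that only ftp and pop-3 remain.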
Caveats

Thinking of turning on telnet to connect to your host remotely? Don't! Use ssh (secure shell) instead. Likewise, if you are going to use ftp, be aware that the telnet and ftp protocols reveal your username and password to anyone who has access to the network traffic (which is almost anyone) and therefore are security risks. Thinking of having an anonymous ftp server? Pay VERY close attention to the ownership and permissions of all directories in the anonymous ftp tree. I have seen many instances recently where users' disks were filled with data and they unwittingly became distribution sites for pirated software, music, movies, you name it! It happened to me ...