Blog |Follow Nick on Twitter| About
 

November was a slow posting month, the reason being that I'm working on a rather time consuming project, one of the areas I've had to focus on again is Linux Security.

Security goes on and on forever, you can do as much or as little as you deem necessary, too much will consume resources*, too little opens you up to attack; this article talks about some steps I take, be advised tho' this will generate a load of e-mails, and if you're not going to read them why bother implementing them.

The first point of security is "need to know" - only install what you need, applications , people , operating systems all have floors so the less you install the lower your risk. I get that command line for n00bs is a problem so you might want to install gnome or kde to get started but that's not to say they need to be installed on your production servers. I try to make an effort that everything is tested offline (in a vmware machine since £££ are tight) and when I'm happy upload or copy what I need.

Another golden rule is patch patch patch, it's a good idea to subscribe to application mailing lists, where possible I try to use YUM (I'm a redhat/fedora/centos/whitebox man) and then I have the following script in /etc/cron.daily to tell me what needs patching.

1
2
#!/bin/bash
yum list updates

Now the basics are covered you need to "lock down" your box, so this I'd recommend bastille-linux, it's a script that tightens up existing installs, it'll also covers firewall (iptable) settings for you has well.

Moving on you now need some kind of intrusion detection, lets be honest no-one knows everything about linux so how to we know if it's been hacked? To start with I like to use tripwire. Tripwire goes through your files on the hard drive and creates a database, if they change a report shows you what and when.

Getting paranoid. Rootkits are the linux virus, so I like to install a detection method, well actually two chkrootkit and root kit hunter hopefully one will find something.

Even more paranoid. Get your box to e-mail if someone logs in as root. Edit /root/.bash_profile and add the following to the end...

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Now I actually don't use root, the password is set using this generator and I force all users to use sudo , this allows me to make a couple of important changes to ssh (/etc/ssh/sshd_config),

AllowUsers someadmin
PasswordAuthentication no

Notice password authentication can't be used... google has some great documents on the alternatives.

And finnaly tune your app, if it's a mail (pop/imap) install ssl encryption, if it's a webserver things like mod_Security and suphp

Hopefully this helps someone get started.... here are some useful references:

*To much doesn't stop you working, that's just poor security management ;)

rgds,

Nick

 
Nick Bettison ©