|
Check List for Linux Security Check List for Linux Security
Linux is an amazing operating system considering how it was originally
created. It was a modest program written for one person as a hobby - Linus
Torvald of Finland. It has grown into a full-fledge 32-bit operating system.
It is solid, stable and provides support for an incredible number of
applications. It has very powerful capabilities and runs very fast and
rarely crashes.
Unfortunately Linux machines are broken almost every day. This happens
not because it is an insecure operating system. It contains all the
necessary tools to make it very secure. But the truth is. It hasn't become
significantly more secure with the increase in popularity. On the other
hand, our understanding of the hackers methods and the wide variety of tools
and techniques available contributed to help system administrators to secure
their Linux computers.
Our goal in this article is to list the most critical situations, and how
to prevent an invasion with simple measures.
1- Weak passwords - By far the first and most used method used by hackers
to try penetrating a Linux system is cracking a password, preferently of the
user root. Usually they will target a common user first, and then, using
his/her access to the operating system, try to get a privileged access
cracking the root password. Good password policy, and good passwords are
absolutely critical to the security on any computer. Some common mistakes
when selecting a password: A- use "password" as password. B- use the name of
the computer. C- a well-know name from science, sports or politics. D-
reference to movies. E- anything that is part of the user web site. F-
references associated with the account. The latest version of Linux offer
shadowed passwords. If a cracker can see an encrypted password, crack it
would a simple task. So, instead of storing the password in the passwd file,
they are now stored in the shadow file which is readable only for root.
Before a hacker can crack a password he needs to figure out an account name.
So, simple accounts names must be avoided as well. Another security measure
is to apply a "no login" to the account in the passwd file. This must be
done to all the accounts that don't need to log in to the system. Examples
are: apache, mysql, ftp and other.
Limit which terminals root may log in from. If the root account is
allowed to log in only in certain terminals that are considered secure, it
will be almost impossible for a hacker to penetrate the system. This can be
done listing the allowed terminals on /etc/security. The login program will
consider insecure any terminal that is not listed on this file, which is
readable, only by root.
2- Open Network Ports
Any Linux default installation will provide the Operating System with
tons of software and services. Several of them are not necessary or even
wanted by the administrator. Removing these software and services will close
the path to several attacks and improve security. The /sbin/chkconfig
program can be used to stop services from automatically starting at run
levels 3, 4 and 5. Log in as root and type /sbin/chkconfig --list to view
all the services set to start automatically. Select the ones you don't need
and type /sbin/chkconfig 345 name_of_service off. You must do that to all
services you don't want to keep running. Also, the xinetd server can be used
to disable other services as well.
3- Old Software Versions
Everyday vulnerabilities are found in programs, and most of them are
fixed constantly. It is important, and sometimes critical, to keep up with
the changes. There are mailing lists for every Linux distribution where one
can have security related information's, and the latest vulnerabilities
found. Some place to watch for security holes are: ·
http://www.redhat.com/mailman/listinfo/redhat-announce-list ·
http://www.debian.org/MailingLists/ ·
http://www.mandrakesecure.net/en/mlist.php ·
http://www.suse.com/us/private/support/security/index.html ·
http://www.freebsd.org/security/index.html ·
http://www.linuxtoday.com/ ·
http://www.lwn.net/ It is crucial to
insure that the security released patches are applied to the programs as
soon as they area available. The hacker community will be aware of the
discovered holes and will try to explore them before the fixes are applied.
4- Insecure and Badly Configured Programs
There are some programs that have a history of security problems. To name
a few IMAP, POP, FTP, port map and NFS, are the most known. The good thing
is that most of these programs can be replaced by a secure version like spop,
sftp or scp.
It is important that, before deploying any service, the administrator
investigate its security history. Sometimes simple configuration measures
can prevent serious headaches in the future.
Some advices regarding a web server configuration are well worth to
mention:
- Never run the web server as a privileged user; - Do not keep clients'
confidential data on the web server - Credit card numbers, phone numbers,
mailing addresses, must be recorded on a different machine. - Make sure the
privileged data that a user supplies on a form does not show up as a default
for the next person to use the form; - Establish acceptable values for data
that is supplied by web clients. - Check vulnerabilities on CGI programs.
5- Stale and Unnecessary Accounts
When a user no longer uses his /her account, make sure it is removed from
the system. This stale account won't have this password changed periodically
leaving a hole. Publicly readable or writable files owned by that account
must be removed. When you remove an unnecessary service make sure you remove
or disable the correspondent account.
Security Resources in the web
Bugtraq - Includes detailed discussions of Unix security holes
http://www.securityfocus.com/
Firewalls - Discuss the design, construction, operation, and maintenance
of firewall systems.
http://www.isc.org/services/public/lists/firewalls.html
RISKS Discuss risks to society from computers
http://www.risks.org/
Insecure.org
http://www.insecure.org/
About the Author
Jair Santos Software Engineer Cliconnect Internet Telephony
www.cliconnect.com
Additional Google i linux microsoft openo Resources
NewsForge | OpenOffice.org Writer vs. Microsoft Word
OpenOffice.org Writer vs. Microsoft Word -- article related to Top Story and Office Software. ... ThinkGeek - Slashdot - ITMJ - Linux.com - SourceForge.net ... Up to OpenOffice.org: Finding ...
The OpenOffice.org Unofficial FAQ
The OpenOffice.org Unofficial FAQ v0.3.1b. A guide to complement the already existing documentation out there! DEPRECATED: Go to the FAQ at OOoAuthors. ... Can OpenOffice.org open up ...
NewsForge | A Microsoft guy tackles Linux
...believed I could start talking about Linux without being branded Microsoft ... average user, you might be right that OpenOffice can replace...
PC World New Zealand - The Linux Experiment
...they need that no Linux alternative will successfully replace. ... features from Microsoft Office I couldn't find in OpenOffice were the ones...
OpenOffice.org Forum at OOoForum.org
The OpenOffice.org Forum at OOoForum.org is an OpenOffice.org help and discussion forum for exchanging information and tips with other users of OpenOffice.org, the open source office suite. ...
Linux Links - The Linux Portal: Web/Miscellaneous
Linux server product · Making the leap: Microsoft Word to OpenOffice.org ... statistics from Google and ... Gutenberg etext, applies what I hope...
| George Ou | ZDNet.com
... affects common Microsoft and Linux VPN implementations ... is going to replace text books is ... Google branded OpenOffice.org might have a chance at getting some traction against ...
Matt Croydon::Postneo 2.0 » Linux
...rather than searching Google, I would ... If I were on the same Linux box all day I would replace Instiki with Tomboy. I may augment my...
NewsForge | Making the leap: Microsoft Word to OpenOffice.org Writer
Making the leap: Microsoft Word to OpenOffice.org Writer -- article related to Office Software. ... Linux, or just from the proprietary Microsoft Office to the free software OpenOffice.org ...
Linux/390 and Linux Links from the Linux for S/390 Mailing List
Linux Microsoft Warns SEC of Open-Source Threat IBM: Linux will replace AIX ... I.B.M. to Use Linux ... X Server WeirdX is an X Window System...
api: Professional UNO
OpenOffice.org: The Open Office Suite ... service manager might ask Linux to load and instantiate a ... target on the OpenOffice.org roadmap is to split ... ...
Waypath - Topic Stream: Technology > Linux
LINUX Professional and OpenOffice.org 1.1 ... linux server web window ... by upgrading to Linux , instead Microsoft's Piracy ... Enterprise...
Calculating in OpenOffice.Org Text Documents | Linux Journal
Subscribe Now. Since 1994: The Original Monthly Magazine of the Linux Community. Current Issue ... OpenOffice.org is an open-source office suite. It can replace other office suites and has ...
The alt.os.linux.mandrake FAQ V2.21
...and tweak OpenOffice ... b) Why might I choose Linux-Mandrake? ... groups.google.com, the Google ... To become ... root , open up a console...
Detroit high school happy with Linux
Comprehensive news, information, and resources on using Linux as a desktop operating system for personal and business purposes. ... and the Linux desktop. Google gives $350K to ... Dropping ...
Other Recommended Google i linux microsoft openo Links
Linux backup tar
Linux oracle cluster
Access cluster free linux
Cluster linux manegment sof...
Bladecenter linux cluster
Hpc linux cluster
Linux cluster software
Download red hat linux 9
How to install red hat linu...
Red hat linux 9 tutorial
Linux help desk software
Help desk linux
Blogspot.com desk help linu...
Suse linux help
Mandrake linux help
|
