Basics of Securing Linux - I
Linux is evolving into a desktop operating system. The main user base of Linux is changing from hobbyist hackers to business and home users. Linux, like any other operating system, is not secure out of the box, but with Linux you can actually do something about it and make it secure.


Security starts with a proper installation. It is never a good idea to install everything to the / partition. Proper partitioning is the first step to a secure installation. Putting an OS on one single partition is a security faux pas. At least have these partitions:

/ - the root partition doesn't need a lot of space; this can be a small partition.

/var - this partition should be medium sized, as it mostly stores logs, mail etc., unless you run your web server from /var/www.

/usr - this partition needs to be sizeable because it contains all the binaries necessary for the system to run applications for the users.

/home - this partition contains the home directories of the users.
Proper partitioning lets you restrict access, unmount and fix a corrupted partition, and prevent total loss of data.
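One concrete way separate partitions let you restrict access is through per-mount options such as nodev, nosuid and noexec, which cannot be applied selectively when everything lives on one partition. The script below is an added example, not part of the original article: it audits an fstab for those options against a small assumed policy (which options each mount point should carry is my assumption, not a rule from the article) and runs on a constructed sample fstab so it can be tried anywhere; point audit_fstab at /etc/fstab on a real box.

```shell
#!/bin/sh
# Added example (not from the original article): audit an fstab for the
# hardening mount options that separate partitions make possible.

# Assumed policy per mount point (adjust to taste):
#   /home, /tmp : nodev nosuid noexec
#   /var        : nodev nosuid   (noexec on /var can break package managers)
expected_opts() {
    case "$1" in
        /home|/tmp) echo "nodev nosuid noexec" ;;
        /var)       echo "nodev nosuid" ;;
        *)          echo "" ;;
    esac
}

# has_opt OPTS OPT -> success if OPT appears in the comma-separated OPTS list
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# audit_fstab FILE -> prints "<mountpoint> missing: <opt> ..." for every mount
# point that lacks one of its expected options; prints nothing when all is well
audit_fstab() {
    # drop comments and blank lines; fields: device mountpoint fstype options dump pass
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dev mnt fstype opts rest; do
        missing=""
        for want in $(expected_opts "$mnt"); do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done
}

# count_findings FILE -> number of mount points with missing options
count_findings() {
    audit_fstab "$1" | wc -l | tr -d ' '
}

# make_sample_fstab -> path of a constructed fstab (sample data, not a real system)
make_sample_fstab() {
    dir=$(mktemp -d)
    cat > "$dir/fstab" <<'EOF'
# constructed sample fstab for the audit
/dev/sda1  /      ext3  defaults              1 1
/dev/sda2  /usr   ext3  defaults              1 2
/dev/sda3  /var   ext3  defaults,nodev        1 2
/dev/sda4  /home  ext3  defaults,nodev,nosuid 1 2
none       /proc  proc  defaults              0 0
EOF
    printf '%s\n' "$dir/fstab"
}

# Demo run on the constructed file; on a real host use: audit_fstab /etc/fstab
SAMPLE=$(make_sample_fstab)
audit_fstab "$SAMPLE"
```

On the sample it reports that /var lacks nosuid and /home lacks noexec; an empty report means every mount point carries its expected options.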


Next step in the process of securing your Linux box is setting up a decent password. If it is in a dictionary, it's not a decent password. Make your passwords a combination of characters and numbers. A lot of Linux distros even support ASCII codes in the password; for example you may type "azs2<ALT>255zxc3" and it will appear as "azs2 zxc3". It's a good way to beat dictionary and brute force attacks. Check your distro before trying it out. Also enable shadowed passwords.
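Enabling shadowed passwords is only half the job; you also want to confirm that no hash or empty password is left in the world-readable /etc/passwd and that /etc/shadow is not readable by others. The script below is an added example, not from the original article: it runs the checks against constructed copies of passwd and shadow in a temp directory (the account names and the HASH_PLACEHOLDER value are made up), and assumes GNU stat for the permission check. On a real host, point the functions at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original article: verify that passwords are
# actually shadowed and that the shadow file is private.

# unshadowed_accounts PASSWD_FILE -> accounts whose second field is not the
# 'x' placeholder, i.e. a hash or an empty password sits in a world-readable file
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# empty_password_accounts SHADOW_FILE -> accounts with no password at all
# (an empty field, unlike the "*" or "!" lock markers, allows a password-less login)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# shadow_is_private FILE -> success if no permission bits are set for "other"
# (GNU stat assumed; the octal mode should end in 0, e.g. 640 or 600)
shadow_is_private() {
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# make_sample_files -> directory holding constructed passwd and shadow files
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
kavit:x:1000:1000:Kavit:/home/kavit:/bin/sh
legacy:HASH_PLACEHOLDER:1001:1001:Legacy account:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:HASH_PLACEHOLDER:17000:0:99999:7:::
kavit:HASH_PLACEHOLDER:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
guest::17000:0:99999:7:::
EOF
    chmod 644 "$dir/passwd"
    chmod 600 "$dir/shadow"
    printf '%s\n' "$dir"
}

# Demo run on the constructed files; use /etc/passwd and /etc/shadow on a real box
D=$(make_sample_files)
echo "accounts not using the shadow file:"; unshadowed_accounts "$D/passwd"
echo "accounts with an empty password:";    empty_password_accounts "$D/shadow"
if shadow_is_private "$D/shadow"; then echo "shadow file is private"; else echo "shadow file is readable by others"; fi
```

On the sample data the first check flags legacy (hash in passwd) and guest (empty field), the second flags guest, and the shadow file passes the permission check because it was created with mode 600.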


Next step is deciding what packages to install. Decide what you want to use your Linux box for. Do you really need a web server or a mail transport agent? Do you need to run FTP? Disable all the network service daemons you don't need. It is also a good idea to not start services you don't need at boot time.
For example: if you aren't going to serve a lot of files, it's a good idea to disable ftp in /etc/inetd.conf if you are using inetd. If you are using xinetd, please refer to the manual.
Also replace telnet with SSH; you can copy files between machines using scp, which is a part of SSH. ps will show you a list of all the servers and processes running.

kavit@trishul:/tmp> ps -aux | more

You can also control which remote hosts connect to the services run by inetd by modifying /etc/hosts.allow and /etc/hosts.deny.
Add ALL:ALL to hosts.deny to make a default deny policy. Now add the hosts you want to hosts.allow.
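The inetd and tcp_wrappers steps above are easy to get half right (a service line left uncommented, a hosts.deny with the ALL:ALL entry commented out). The script below is an added example, not part of the original article: it lists the services still enabled in an inetd.conf and checks that hosts.deny carries an uncommented ALL:ALL entry, running against constructed copies of inetd.conf, hosts.allow and hosts.deny in a temp directory (the service lines and the 192.168.1.x addresses are made-up sample data). On a real host, point the functions at the files under /etc.

```shell
#!/bin/sh
# Added example, not from the original article: audit inetd services and the
# tcp_wrappers default-deny policy on constructed config files.

# enabled_inetd_services FILE -> service names of the uncommented entries
# (an inetd.conf entry has at least six fields; commented lines are disabled)
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# has_default_deny HOSTS_DENY -> success if an uncommented ALL:ALL entry exists
# (whitespace around the colon is optional, so both "ALL:ALL" and "ALL: ALL" match)
has_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# allowed_entries HOSTS_ALLOW -> the uncommented, non-blank entries
allowed_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# make_sample_config -> directory with constructed inetd.conf, hosts.deny, hosts.allow
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf: ftp still on, telnet and rsh already disabled
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd   in.ftpd -l -a
#telnet stream  tcp  nowait  root   /usr/sbin/tcpd   in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd   in.rshd
ident   stream  tcp  wait    identd /usr/sbin/identd identd -e -t120
EOF
    cat > "$dir/hosts.deny" <<'EOF'
# default deny: anything not listed in hosts.allow is refused
ALL: ALL
EOF
    cat > "$dir/hosts.allow" <<'EOF'
# only the local network may reach wrapped services (constructed addresses)
sshd: 192.168.1.
in.ftpd: 192.168.1.10
EOF
    printf '%s\n' "$dir"
}

# Demo run on the constructed files; on a real host use the files under /etc
CFG=$(make_sample_config)
echo "enabled inetd services:"; enabled_inetd_services "$CFG/inetd.conf"
if has_default_deny "$CFG/hosts.deny"; then
    echo "hosts.deny: default deny in place"
else
    echo "hosts.deny: NO default deny, everything is reachable"
fi
echo "hosts.allow entries:"; allowed_entries "$CFG/hosts.allow"
```

Note that hosts.allow entries are keyed by the daemon name (sshd, in.ftpd) rather than the inetd service name, and that a hosts.deny whose only ALL:ALL line is commented out gives no protection, which is exactly the case the check is there to catch.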

Another good idea is to install sudo. sudo lets users execute commands with escalated privileges without them knowing the root password. You can deny or allow access to sudo via /etc/sudoers. Also disallow use of su. This can be done by editing /etc/suauth. Read the manual for su.


The next part will look at local user and group security and file ACLs.

© 2008 Resonance Networks