Security and Hardening

PCQ Bureau

Security consciousness is a frame of mind and an attitude. In this big bad world, there is no reason for us to trust everybody. Thus, no installation is complete without taking care of security issues. The information given here will help you start securing your system, and is specific to the modified PCQ Linux distribution available on the CD along with this issue. This will only get you started. (Do not assume that your system is fully secure after having done what is mentioned here.)

Pre-installation

Before installing the OS, decide on its functionality, as in the case of the Gateway machine. It helps to list the functions the resource is expected to perform. In this case, the Gateway machine has two basic functions: forward packets from the Intranet to the Internet (routing), and apply a set of conditions relating to the source of a packet and the service it is attempting to use, then decide whether to forward the packet or not (packet filtering). You need to decide these conditions and write them down. The easiest way to do this is in the form of a table. Here is an example table in which we decide how some of the basic services will be handled on the Gateway machine.

    Service   Internet to Intranet   Intranet to Internet
    telnet    Deny                   Allow
    ssh       Allow                  Allow
    ftp       Deny                   Deny

Table 1: Initial plan to permit services to and from the Internet

If you did this, you have actually written a portion of what is termed as a Security Policy for your user community.

During installation

Install only what you need

Installing correctly is the first step in having a secure machine. It is always advisable to go for a custom install, as you can choose the packages that you need. If you are a newbie, this may take some learning. For the gateway machine, we decided to remove the unwanted packages. If you choose the Gateway System (PCQ) option during the install, you automatically get a trimmed installation. Remember that every additional package installed without knowing its vulnerabilities exposes you that much more.

Kick in security right at the beginning

Another part of the installation is the firewall configuration section. Set the security level to High or Medium. If you have a table such as Table 1 above, you can customize the firewall by implementing that portion of the Security Policy right here. This is a good place to start, though there are only a few services that one can allow or deny in this particular firewall configuration. This is a new part of the install in the PCQ Linux distribution. Remember to use ssh to provide remote interactive access to the machine.
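As an added example (not from the article or from PCQ Linux's own firewall tool), the script below turns Table 1 into rules for the FORWARD chain using the netfilter/iptables framework of kernel 2.4. The interface names eth0 (Intranet side) and eth1 (Internet side) are assumptions; the gateway's own listening ports are a separate matter for the INPUT chain.

```shell
#!/bin/sh
# Added example: generate netfilter FORWARD rules from the Table 1 policy.
# Interface names are assumptions; adjust them for the gateway.
LAN_IF=eth0           # assumption: interface facing the Intranet
WAN_IF=eth1           # assumption: interface facing the Internet

# Table 1, one service per line:
#   name  tcp-port  Internet->Intranet  Intranet->Internet
POLICY='telnet 23 Deny  Allow
ssh    22 Allow Allow
ftp    21 Deny  Deny'

# Map a table verdict (Allow/Deny) to a netfilter target.
target() { if [ "$1" = Allow ]; then echo ACCEPT; else echo DROP; fi; }

# Print the iptables commands; run as root, or pipe into sh, to apply them.
gen_rules() {
    # Anything the table does not mention is dropped by default.
    echo "iptables -P FORWARD DROP"
    # Let replies to accepted connections through (needs ip_conntrack).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$POLICY" | while read -r svc port inbound outbound; do
        # New connections from the Internet into the Intranet.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport $port -m state --state NEW -j $(target "$inbound")"
        # New connections from the Intranet out to the Internet.
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $port -m state --state NEW -j $(target "$outbound")"
    done
}

gen_rules
```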

Post Installation

Once the installation is complete and you have checked the functionality, it is time to take a second look at securing your machine.

Close unused service ports

As soon as the machine boots up, close the services you do not want to use. The Gateway Install option takes care of this already. Run the ntsysv command. This lists all the services available. Examine them carefully and do not start any service that you do not use. You then need to verify that your system is safe by finding out which of your service ports are open. This is done with a port scanner. Nmap (www.insecure.org) is the most widely used port scanner. Run nmap on your own machine to check open service ports. Here is a sample output of nmap:

    Starting nmap V.2.53 by fyodor@insecure.org (www.insecure.org/nmap/)

    Interesting ports on pcqlabs.pcquest.com (213.179.717.242):
    (The 1518 ports scanned but not shown below are in state: closed)

    Port     State  Service
    22/tcp   open   ssh
    25/tcp   open   smtp
    110/tcp  open   pop-3
    995/tcp  open   pop3s

    Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds

Observe that this machine has four service ports open. If you do not want your machine's ports to be scanned, and you want an automated port-scan detection and alert system to watch for this, consider snort or portsentry. These utilities detect, and can block, traffic from a suspect source IP address.

Control access to the open service ports

At the next level of access control, you can specify which hosts can access the services that are open. This is part of the configuration of the tcpwrapper tool, which lets you specify the details of access and the action to take in case of a violation. Here is an example that specifies only access restrictions, with no action on violation.

To permit access to all the open services from the 192.168.1.0 network, edit /etc/hosts.allow to include the line `ALL: 192.168.1.` (the trailing dot makes it an address-prefix match). To permit smtp port connections from all hosts, add the rule `smtp: ALL` to the same file. To close access to the other open ports from everywhere else, edit /etc/hosts.deny to include `ALL: ALL`.
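The following added example (not tcp_wrappers' own code) performs a dry run of the hosts.allow / hosts.deny decision described above for one daemon name and client address, using constructed rule sets that mirror the article's three rules. It handles only the forms used above (ALL, an exact address, a trailing-dot prefix); netmasks, EXCEPT lists and spawned commands are not supported, and tcpdmatch(8) remains the real tool for checking a live configuration.

```shell
#!/bin/sh
# Added example: dry run of the tcpd access decision for one (daemon, client).
# Constructed rule sets mirroring the article; not the system's own files.
ALLOW='ALL: 192.168.1.
smtp: ALL'
DENY='ALL: ALL'

# Does pattern $1 match item $2 (a daemon name or a client address)?
matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot: string prefix
        *)   [ "$1" = "$2" ] && return 0 ;;           # otherwise exact match
    esac
    return 1
}

# Does any "daemons : clients" line in rule text $1 match daemon $2 from client $3?
list_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line%%#*}                               # strip comments
        case "$line" in *:*) ;; *) continue ;; esac    # skip lines without a colon
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $daemons; do
            matches "$d" "$2" || continue
            for c in $clients; do
                matches "$c" "$3" && { echo match; break 2; }
            done
        done
    done | grep -q match
}

# tcpd order: hosts.allow is consulted first, then hosts.deny, otherwise allow.
access() {
    if list_matches "$ALLOW" "$1" "$2"; then echo allow
    elif list_matches "$DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

access sshd 192.168.1.25     # allow (prefix rule)
access sshd 192.168.0.25     # deny: "192.168.1." is a string prefix, not a subnet
access smtp 203.0.113.9      # allow (smtp: ALL)
access in.ftpd 203.0.113.9   # deny (ALL: ALL)
```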

New security features in PCQ Linux 7.1
  • Bug fixes for 7.0 packages
  • Services option during installation
  • Most services closed by default
  • Firewall-configuration tool

Security in kernel 2.4
  • Less dependence on root. Using the new kernel 2.4, you can hand off some of the root privileges to normal users.
  • Netfilter allows users to set up, maintain, and inspect the packet-filtering rules in the new 2.4 kernel.

Cryptography
kernel.org has a cryptography repository containing crypto extensions to the new 2.4 kernel that provide the ability to encrypt file systems, create virtual private networks, etc.

Must-dos

Monitor all system logs on the server for suspicious activity. The most informative is /var/log/messages, which keeps track of failed login attempts and TCP connections from outside hosts. The utmp and wtmp files keep track of logins and are useful for tracking any unknown users accessing the system.
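As an added example (not from the article), the script below summarises repeated failed ssh logins per source address from a syslog-style file, which is the kind of check worth automating on the log mentioned above. The log lines, the threshold of three failures and the default path are constructed assumptions; on Red Hat-based systems sshd may write to /var/log/secure instead, so pass the right file as the first argument.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source in a syslog-style file.
LOG=${1:-/var/log/messages}   # assumption: default file to examine
THRESHOLD=3                   # assumption: report sources with this many failures

# Constructed sample lines in sshd's format (not real log data).
SAMPLE='Mar  4 02:11:01 gw sshd[1201]: Failed password for root from 203.0.113.9 port 4410 ssh2
Mar  4 02:11:05 gw sshd[1203]: Failed password for root from 203.0.113.9 port 4412 ssh2
Mar  4 02:11:09 gw sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 4415 ssh2
Mar  4 02:15:40 gw sshd[1220]: Accepted publickey for gopi from 192.168.1.20 port 1022 ssh2
Mar  4 02:20:02 gw sshd[1230]: Failed password for gopi from 192.168.1.20 port 1030 ssh2'

# Print "count address" for every source with failed passwords, highest first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the addresses whose failure count reaches threshold $2.
suspects() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

if [ $# -eq 0 ] && [ ! -r "$LOG" ]; then
    # No readable log to hand: demonstrate on the constructed sample.
    tmp=$(mktemp); printf '%s\n' "$SAMPLE" > "$tmp"
    suspects "$tmp" "$THRESHOLD"; rm -f "$tmp"
else
    suspects "$LOG" "$THRESHOLD"
fi
```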

The Red Hat website has regular updates on packages in its distribution. securityfocus.com and linuxsecurity.com are two of the best sources of security information. Ironically though, there is no last word on security. As long as packages evolve, vulnerabilities will be found that leave host installations open to malicious attack. Given that the OS is a collection of utilities and packages, it is up to the administrator to track such vulnerabilities continuously and apply fixes and patches. Fortunately, in the recent past there have been utilities that detect intrusions and attacks quite comprehensively. Use these utilities (a few are listed below) effectively and be on guard.

Tools that keep you secure

Here are a few tools that you must consider using to ensure that you have a secure system.

Bastille Linux

The Bastille Hardening System (current version 1.1.1; 1.2 announced for release), as it is termed, is an interactive script that does a comprehensive hardening of the host as well as of access to it. It has sixteen modules that comprehensively cover system and access security. The user (typically the systems administrator) is asked questions, given an explanation of the context, and then prompted for a yes/no to carry out the hardening task.

Libsafe

Libsafe (current version 2.0) is a dynamically loadable library module that transparently intercepts function calls system-wide and then hands them over to the real calls in the system, ensuring that there is no attempt to smash the stack (that is, a buffer-overflow attack). The library installs stand-alone and does not require recompilation of any applications to use its features.

TripWire

TripWire (current version 2.2.1) is a good tool for monitoring any modifications to system binaries. TripWire maintains a checksum of all important binaries on the system and compares them against a checksum of previously taken 'safe values', such as those taken at install time.

Interesting websites

  1. www.rootshell.com/
  2. www.securityfocus.com/
  3. www.insecure.org/
  4. www.linuxsecurity.com/
  5. www.sans.org/
  6. www.securityportal.com/
  7. www.redhat.com/support/alerts/
  8. www.cert.org/

Gopi Garge is a director of Exocore Consulting