Security consciousness is a frame of mind and an attitude. In this big bad world, there is no reason for us to trust everybody. Thus, no installation is complete without taking care of security issues. The information given here will help you start securing your system, and is specific to the modified PCQ Linux distribution available on the CD along with this issue. This will only get you started. (Do not assume that your system is fully secure after having done what is mentioned here.)
Pre-installation
Before installing the OS, decide what the machine is meant to do, as we did for the Gateway machine. It helps to list out the functions of the resource. In this case, the Gateway machine is expected to perform two basic functions: forward packets from the Intranet to the Internet (routing), and apply a set of conditions based on the source of a packet and the service the packet is attempting to use, to decide whether or not to forward it (packet filtering). You need to decide these conditions and write them down. The easiest way to do this is as a table. Here is an example table in which we decide how some of the basic services will be handled on the Gateway machine.
Service | Internet to Intranet | Intranet to Internet
telnet | Deny | Allow
ssh | Allow | Allow
ftp | Deny | Deny
Table 1: Initial plan to permit services to and from the
If you did this, you have actually written a portion of what is termed as a Security Policy for your user community.
During installation
Install only what you need
Installing correctly is the first step towards a secure machine. It is always advisable to go for a custom install, as you can then choose the packages you need. If you are a newbie, this may take some learning. For the gateway machine, we decided to remove the unwanted packages. If you choose the Gateway System (PCQ) option during the install, you automatically get a trimmed installation. Remember that every additional package you install without knowing its vulnerabilities exposes you that much more.
Kick in security right at the beginning
Another part of the installation is the firewall configuration section. Set the security level to high or medium. If you have a table such as Table 1 above, you can customize the firewall by implementing that portion of the Security Policy right here. This is a good place to start, though only a few services can be allowed or denied in this particular firewall configuration. This is a new part of the install in the PCQ Linux distribution. Remember to use ssh to provide remote interactive access to the machine.
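The installer's firewall screen only covers a handful of services, so the rest of Table 1 has to be written as packet-filter rules by hand. The script below is an added example, not part of the article or of PCQ Linux: it turns a Table 1 style policy into iptables FORWARD rules for the 2.4 kernel's netfilter. The interface names (eth0 facing the Internet, eth1 facing the Intranet) and the service-to-port mapping are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): generate iptables FORWARD rules
# for a routing gateway from a policy laid out like Table 1.
# Assumptions: eth0 faces the Internet, eth1 faces the Intranet, and the
# services run on their standard TCP ports.
INET_IF="${INET_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# One line per service, in the column order of Table 1:
#   service  Internet-to-Intranet  Intranet-to-Internet
POLICY='telnet Deny Allow
ssh Allow Allow
ftp Deny Deny'

# Map a service name to its TCP port (assumed standard ports).
service_port() {
  case "$1" in
    telnet) echo 23 ;;
    ssh)    echo 22 ;;
    ftp)    echo 21 ;;
    *)      echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# Print one rule for new connections to service $1 in direction $2
# ("in" = Internet to Intranet, "out" = Intranet to Internet), action $3.
rule_for() {
  port=$(service_port "$1") || return 1
  case "$3" in
    Allow) target=ACCEPT ;;
    Deny)  target=DROP ;;
    *)     echo "bad action: $3" >&2; return 1 ;;
  esac
  if [ "$2" = in ]; then
    src_if=$INET_IF; dst_if=$LAN_IF
  else
    src_if=$LAN_IF; dst_if=$INET_IF
  fi
  echo "iptables -A FORWARD -i $src_if -o $dst_if -p tcp --dport $port -m state --state NEW -j $target"
}

# Print the complete rule set. Nothing is executed here: review the output,
# then load it as root with:  policy_rules | sh
policy_rules() {
  echo "iptables -P FORWARD DROP"   # default deny: anything not in the table is dropped
  echo "iptables -F FORWARD"
  # replies belonging to connections that were allowed when they were opened
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$POLICY" | while read -r svc in_action out_action; do
    [ -n "$svc" ] || continue
    rule_for "$svc" in "$in_action"
    rule_for "$svc" out "$out_action"
  done
}
```

The explicit Deny rules are redundant with the DROP policy, but emitting them keeps the loaded rule set readable as a copy of the table, so `iptables -L FORWARD` shows exactly what was decided.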
Post Installation
Once the installation is complete and you have checked the functionality, it is time to take a second look at securing your machine.
Close unused service ports
As soon as the machine boots up, first close the services you do not want to use. The Gateway Install option already takes care of this. Run the ntsysv command; it lists all the services available. Examine them carefully and do not start any service that you do not use. You then need to verify that your system is safe by finding out which of your service ports are open. This is done with a port scanner. Nmap (www.insecure.org) is the most widely used port scanner. Run nmap on your own machine to check for open service ports. Here is a sample output of nmap:
Starting nmap V.2.53 by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on pcqlabs.pcquest.com (213.179.717.242):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
110/tcp    open        pop-3
995/tcp    open        pop3s
Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds
Observe that this machine has four service ports open. If you want to know when your machine's ports are being scanned, and want an automated port-scan detection and alert system, consider snort or portsentry. These utilities detect scans and can block traffic from a suspect source IP address.
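Reading the scan by eye works for one machine; for a check you can repeat after every change it is better to compare the open ports against the list you intend to offer. The functions below are an added example, not from the article: they parse nmap's port table and report any open port that is not in the expected list. SCAN_OUTPUT is a copy of the sample run shown above, embedded so the functions can be exercised without running nmap.

```shell
#!/bin/sh
# Added example (not from the article): compare the ports nmap reports as
# open with the ports you meant to leave open, so a stray listener stands out.
# SCAN_OUTPUT is the sample run from the article, embedded as test input.
SCAN_OUTPUT='Starting nmap V.2.53 by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on pcqlabs.pcquest.com (213.179.717.242):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
110/tcp    open        pop-3
995/tcp    open        pop3s
Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds'

# Print "port/proto" for every line nmap lists as open.
open_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# Print the open ports that are not in the expected list ($2, space separated).
unexpected_ports() {
  scan=$1; expected=" $2 "
  for p in $(open_ports "$scan"); do
    case "$expected" in
      *" $p "*) ;;          # planned, nothing to report
      *) echo "$p" ;;       # not in the plan: find out what is listening there
    esac
  done
}

# live use (not run here): unexpected_ports "$(nmap localhost)" "22/tcp 25/tcp"
```

An empty result means the machine offers exactly what the policy says it should; anything printed is a service that was either started without being planned for, or was planned for and never written down.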
Control access to the open service ports
At the next level of access control, you can specify which hosts may access the services that are open. This is part of the configuration of the tcpwrapper tool. This tool lets you specify the details of access and the action to take in case of a violation. Here is an example that specifies only access restrictions, with no action on violation.
To permit access to all the open services from the 192.168.1.0 network, edit /etc/hosts.allow to include the line ALL: 192.168.1. (the trailing dot matches every address that begins with 192.168.1.). To permit smtp connections from all hosts, add the rule smtp: ALL to the same file. To close access to the other open ports from everywhere else, edit /etc/hosts.deny to include ALL: ALL. Note that hosts.allow is consulted first, so a host matched there is let in regardless of hosts.deny.
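It is easy to get the allow/deny interaction wrong, so it pays to work through a few daemon/client pairs before trusting the files. The script below is an added example and not part of tcp_wrappers: it is a small model of the decision tcpd makes, using the two files from the paragraph above as its rules. It implements the order hosts_access(5) describes (first match in hosts.allow grants, else first match in hosts.deny refuses, else grant) and only models the ALL wildcard, exact names or addresses, and the trailing-dot address prefix; EXCEPT lists, netmasks and shell commands are left out. In the real files the first field is the daemon's process name (sshd, in.ftpd and so on); the smtp line is kept here as the article gives it.

```shell
#!/bin/sh
# Added example (not part of tcp_wrappers): a model of the hosts.allow /
# hosts.deny decision so a rule set can be checked offline.
# Simplified on purpose: ALL, exact match and "a.b.c." prefixes only.
HOSTS_ALLOW='ALL: 192.168.1.
smtp: ALL'
HOSTS_DENY='ALL: ALL'

# Does pattern $1 match the daemon name or client address $2?
match_pattern() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # 192.168.1. matches 192.168.1.x
    *)   if [ "$1" = "$2" ]; then return 0; else return 1; fi ;;
  esac
}

# Does any "daemon_list: client_list" line in $1 match daemon $2 from client $3?
rules_match() {
  while IFS=: read -r dlist clist; do
    case "$dlist" in ''|'#'*) continue ;; esac      # skip blank lines and comments
    for d in $dlist; do
      match_pattern "$d" "$2" || continue
      for c in $clist; do
        match_pattern "$c" "$3" && return 0
      done
    done
  done <<EOF
$1
EOF
  return 1
}

# Print the decision (allow/deny) for daemon $1 contacted from client $2,
# in the order hosts_access(5) specifies.
access_decision() {
  if rules_match "$HOSTS_ALLOW" "$1" "$2"; then
    echo allow
  elif rules_match "$HOSTS_DENY" "$1" "$2"; then
    echo deny
  else
    echo allow        # neither file matched: tcpd lets the connection through
  fi
}
```

The last branch is the one to remember: without the ALL: ALL line in hosts.deny, a host that matches nothing in hosts.allow is still admitted. On a live system the tcpdmatch utility shipped with tcp_wrappers performs the same kind of check against the real files.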
New security features in PCQ Linux 7.1
Security in kernel 2.4
Cryptography
kernel.org has a cryptography repository that contains crypto extensions to the new 2.4 kernel, providing the ability to encrypt file systems, create virtual private networks, etc.
Must-dos
Monitor all system logs on the server for suspicious activity. The most informative is /var/log/messages, which records failed login attempts and TCP connections from outside hosts. The utmp and wtmp files keep track of logins, and are useful for tracking any unknown users accessing the system.
The Red Hat website has regular updates on packages in its distribution. securityfocus.com and linuxsecurity.com are two of the best sources of security information. Ironically though, there is no such thing as a last word on security. As long as packages evolve, new vulnerabilities will be found, leaving host installations open to malicious attacks. Given that the OS is a collection of utilities and packages, it is up to the administrator to track such vulnerabilities continuously and apply fixes and patches. Fortunately, utilities that detect intrusions and attacks quite comprehensively have appeared in the recent past. Use these utilities (a few are listed below) effectively, and be on guard.
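Watching /var/log/messages by hand does not scale past a day or two, so the usual approach is to pull out the failed login lines and count them per source host. The functions below are an added example, not from the article. The log lines are constructed samples in syslog format: the "Failed password" form is what OpenSSH's sshd writes, and the "FAILED LOGIN" form is what login(1) writes for a console attempt; the host names, users and addresses are invented.

```shell
#!/bin/sh
# Added example (not from the article): count failed logins per source host
# from /var/log/messages. SAMPLE_LOG is constructed test data.
SAMPLE_LOG='Jun  3 10:12:01 gateway sshd[1023]: Failed password for root from 10.0.0.5 port 4021 ssh2
Jun  3 10:12:04 gateway sshd[1023]: Failed password for root from 10.0.0.5 port 4021 ssh2
Jun  3 10:12:09 gateway sshd[1025]: Failed password for admin from 10.0.0.5 port 4022 ssh2
Jun  3 10:15:30 gateway sshd[1031]: Accepted password for gopi from 192.168.1.9 port 1044 ssh2
Jun  3 10:40:11 gateway sshd[1044]: Failed password for gopi from 192.168.1.9 port 1051 ssh2
Jun  3 11:02:45 gateway login[1102]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure'

# Print "count host" for every source with at least one failed login,
# busiest source first. Console failures from login(1) are counted as "console".
failed_logins_by_host() {
  printf '%s\n' "$1" | awk '
    / sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    / login\[[0-9]+\]: FAILED LOGIN / { n["console"]++ }
    END { for (h in n) print n[h], h }
  ' | sort -rn
}

# Print only the sources whose failure count is above the threshold $2.
hosts_over_threshold() {
  failed_logins_by_host "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# live use (not run here): hosts_over_threshold "$(cat /var/log/messages)" 5
```

The threshold separates an operator mistyping a password once from a host working through a list of them; the sources it prints are the ones to look up in wtmp and, if they have no business being there, to add to hosts.deny.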
Tools that keep you secure
Here are a few tools that you must consider using to ensure that you have a secure system.
Bastille Linux
The Bastille Hardening System (current version 1.1.1; 1.2 announced for release), as it is termed, is an interactive script that does a comprehensive hardening of the host and of access to it. It has sixteen modules that comprehensively cover system and access security. The user (typically the systems administrator) is asked questions, given an explanation of the context, and then prompted for a yes/no to carry out the hardening task.
Libsafe
Libsafe (current version 2.0) is a dynamically loadable library that transparently intercepts function calls system-wide, checks that they do not attempt to smash the stack (buffer overflow attacks), and then hands them over to the real functions in the system. The library installs stand-alone and does not require recompilation of any application to use its features.
TripWire
TripWire (current version 2.2.1) is a good tool for monitoring modifications to system binaries. It maintains checksums of all important binaries on the system and compares them against the 'safe values' recorded earlier, such as those taken at install time.
Interesting websites
- www.rootshell.com/
- www.securityfocus.com/
- www.insecure.org/
- www.linuxsecurity.com/
- www.sans.org/
- www.securityportal.com/
- www.redhat.com/support/alerts/
- www.cert.org/
Gopi Garge is a director of Exocore Consulting