January 2nd, 2002 09:13 PM
Linux and Security
I'm posting this as a basic guide to securing your box (not necessarily linux, but I'm being linux-oriented). I'd like some input on what you think of this, and if I get enough positive feedback, I'll put this out in the Tutorials section, as short as this is.
Contrary to popular belief, just because something is open-sourced does not mean the code is written by programming gods who never make mistakes. It does mean that fixes come out much faster, but still, there are some large-installed-base packages out there with serious vulnerabilities and very poor track records. The three most notorious that come to my mind are Sendmail, WU-FTPd, and BIND.
At any rate, the most important step in securing a linux box is to make sure you're not running any services that you don't need.
The first real step is to discover what's running, and disable what you don't need. There's little to no reason that most people need sendmail, BIND, etc., running. Most people don't need to run any servers. In short, find what you don't need, and disable it -- better yet, remove it.
The second step is to discover what you are running, and to check out whether or not it's had a bad track record. If you really feel that you need to run sendmail, qmail is a very good replacement from a security standpoint. The great thing about Linux is that there is tons of good open-source software for it, giving you many, many alternatives.
The third step is to lock down what you do have running with iptables/ipchains. I do a fair amount of web development with PHP on my linux box at home. There's no reason I want all of that information accessible to everyone though, so I have firewall rules that essentially allow port 80 connections from my internal network, and a couple of select IP addresses, and no more. As far as the rest of the world is concerned my linux box is simply there for me to surf from.
The fourth, most important, and most commonly overlooked step is to keep your software up to date!! I can't stress this enough. All of the major problems in the last year related to viruses, break-ins, worms, etc., are thanks to lazy SysAdmins and people who don't exactly know what they're doing not patching their systems against vulnerabilities. Keeping up to date with software is perhaps the single best defense against intrusions on publicly accessible systems.
If you feel I've left anything out, let me know either by reply or by pm.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
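The four steps above (find what is listening, flag what you don't need, then fence off the rest with firewall rules) as a worked example. This is an added script, not code from the original post: it assumes iptables rather than ipchains, uses a constructed snippet of `netstat -tlnp` output in place of the real command, and the "unneeded daemons" list, the LAN range and the allowed host addresses are placeholders to adjust for your own box. The iptables lines are printed rather than executed, so the audit runs unprivileged and the rules can be read before they are applied.

```shell
#!/bin/sh
# Added example, not from the original post. Audits listening TCP services from
# netstat-style output and generates an iptables rule set implementing the
# policy described above (port 80 reachable only from the LAN and a few chosen
# hosts, everything else inbound dropped). Rules are printed, not executed, so
# the script can be run unprivileged and reviewed before being applied as root.

# Constructed sample of `netstat -tlnp` output, standing in for the real
# command. PIDs and bindings are made up for the example.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      612/sendmail
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      598/named
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      701/httpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      555/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      480/sshd'

# Daemons a workstation usually has no reason to expose (hypothetical list for
# the example; edit to taste). Matching is on the program name netstat reports.
UNNEEDED_PROGRAMS='sendmail named wu-ftpd in.fingerd'

# list_listening NETSTAT_OUTPUT
# Prints "port program" for every TCP listener bound to a non-loopback address.
list_listening() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            split($7, p, "/"); prog = p[2]
            if (a[1] != "127.0.0.1") print port, prog
        }'
}

# flag_unneeded NETSTAT_OUTPUT
# Prints "program (port N)" for each listener found in UNNEEDED_PROGRAMS.
flag_unneeded() {
    list_listening "$1" | while read -r port prog; do
        for bad in $UNNEEDED_PROGRAMS; do
            if [ "$prog" = "$bad" ]; then
                printf '%s (port %s)\n' "$prog" "$port"
            fi
        done
    done
}

# gen_rules LAN_CIDR "HOST1 HOST2 ..."
# Emits iptables commands: loopback and established traffic accepted, port 80
# accepted only from LAN_CIDR and the listed hosts, default policy DROP set
# last so an existing session is not cut off while the rules are loaded.
gen_rules() {
    lan=$1; allowed=$2
    printf 'iptables -F INPUT\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 80 -s %s -j ACCEPT\n' "$lan"
    for ip in $allowed; do
        printf 'iptables -A INPUT -p tcp --dport 80 -s %s -j ACCEPT\n' "$ip"
    done
    printf 'iptables -P INPUT DROP\n'
}

# Stand-alone run: show the audit and the rules for the sample data. The LAN
# range and allowed hosts are placeholders.
echo '== listening on non-loopback addresses =='
list_listening "$SAMPLE_NETSTAT"
echo '== should probably be disabled or removed =='
flag_unneeded "$SAMPLE_NETSTAT"
echo '== iptables rules =='
gen_rules 192.168.1.0/24 '203.0.113.5 198.51.100.9'
```

On a real box, feed `netstat -tlnp` output to `list_listening` instead of the sample, and once the generated rules look right, pipe `gen_rules ...` into `sh` as root. One caveat: the policy above matches the post (the box is only ever used from the console or the LAN), so nothing but port 80 is let in. If you administer the machine over ssh from outside, add an ACCEPT for that port before the DROP policy line, or the last command will lock you out.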
January 2nd, 2002 09:27 PM
This is good. Although it speaks of many things that are common sense, you are right in that it is needed to know and this is a good reminder to everyone.
January 2nd, 2002 09:41 PM
All good ideas...
I can't remember how many times, while mapping the web (I'm trying to map my whole area of the web, or at least part of it), I've found a box running a couple dozen ports. Even a fingerd, sendmail on a non-server (usually running an old, easy-to-abuse version of Sendmail), or the shell daemon for Novell (allows unpassworded logins!)
The sky above the port was the color of a television, tuned to a dead channel- Neuromancer