Posted by Jerom Monday, July 07, 2003 – 09:19 PM CEST
Linux is capable of high-end security; however, the out-of-the-box configurations must be altered to meet the security needs of most businesses with an Internet presence.This article shows you the steps for securing a Linux system called hardening the server using both manual methods and open source security solutions. The hardening process focuses on the operating system, and is important regardless of the services offered by the server.The steps will vary slightly between services, such as e-mail and Hypertext Transfer Protocol (HTTP), but are essential for protecting any server that is connected to a network, especially the Internet. Hardening the operating system allows the server to operate effi- ciently and securely.
This article includes the essential steps an administrator must follow to harden a Unix system; specifically, a Red Hat Linux system.These steps include updating the system, disabling unnecessary services, locking down ports, logging, and maintenance. Open source programs allow administrators to automate these processes using Bastille, sudo, logging enhancers such as SWATCH, and antivirus software. Before you implement these programs, you should first understand how to harden a system manually.
Updating the Linux System
An linux system may contain many security vulnerabilities and software bugs when it is first released.Vendors, such as Red Hat, provide updates to the operating system to fix these vulnerabilities and bugs. In fact, many consulting firms recommend that companies do not purchase and implement new operating systems until the first update is available. In most cases, the first update will fix many of the problems encountered with the first release of the Linux system(distrobution).
You should apply the latest updates before the server goes live, and constantly maintain the server after it is deployed to make sure the most current required patches are installed.The more time an operating system is available to the public, the more time malicious hackers have to exploit discovered vulnerabilities. Vendors offer patches to fix these vulnerabilities as quickly as possible; in some cases, the fixes are available at the vendor’s site the same day. Administrators must also regularly test their systems using security analyzer software. Security analyzer software scans systems to uncover security vulnerabilities, and recommends fixes to close the security hole.
Manually Disabling Unnecessary Services and Ports
To harden a server, you must first disable any unnecessary services and ports.This process involves removing any unnecessary services, such as the Linux rlogin service, and locking down unnecessary Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports. Once these services and ports are secure, you must then regularly maintain the system.
Services to Disable
Linux, by nature, is more secure than most operating systems. Regardless, there are still uncertainties to every new Linux kernel that is released, and many security vulnerabilities that have not been discovered. Most Linux services are not vulnerable to these exploits. However, an administrator can reduce the amount of risk by removing unnecessary services. Red Hat Linux includes many services, so it makes sense that an administrator customize the system to suit the company needs. Remember, you are removing risk when you remove unnecessary services.
The xinetd.conf File
The /etc/xinetd.conf file (previously the inetd.conf file) controls many Unix services, including File Transfer Protocol (FTP) and Telnet. It determines what services are available to the system.The xinetd (like inetd) service is a super server listening for incoming network activity for a range of services. It determines the actual nature of the service being requested and launches the appropriate server. The primary reason for the design is to avoid having to start and run a large number of low-volume servers. Additionally, xinetd’s ability to launch services on demand means that only the needed number of servers is run. The etc/xinted.conf file directs requests for xinetd services to the /etc/xinetd.d directory. Each xinetd service has a configuration file in the xinetd.d directory. If a service is commented out in its specified configuration file, the service is unavailable. Because xinetd is so powerful, only the root should be able to configure its services. The /etc/xinetd.d directory makes it simple to disable services that your system is not using. For example, you can disable the FTP and Telnet services by commenting out the FTP and Telnet entries in the respective file and restarting the service. If the service is commented out.
Telnet and FTP
Most administrators find it convenient to log in to their Unix machines over a network for administration purposes.This allows the administrator to work remotely while maintaining network services. However, in a high-security environment, only physical access may be permitted for administering a server. In this case, you should disable the Telnet interactive login utility. Once disabled, no one can access the machine via Telnet.
1. To disable Telnet, you must edit the /etc/xinetd.d/telnet file. Open the Telnet file, using vi or an editor of your choice.
2. Comment out the service telnet line by adding a number sign (#) before service telnet: #service telnet
3. Write and quit the file.
4. Next, you must restart xinetd by entering: /etc/rc.d/init.d/xinetd restart
5. Attempt to log on to the system using Telnet.You should fail.
6. Note that commenting out the service line in the respective xinetd.d directory can disable many services.
7. Disable the FTP service using the same method (e.g., edit the /xinetd.d/wu-ftpd file by commenting out the service ftp line and restarting xinetd).
8. Attempt to access the system via FTP.You should be unable to log in to the server.
The Rlogin Service
The remote login (rlogin) service is enabled by default in the /etc/xinetd.d/ rlogin file. Rlogin has security vulnerabilities because it can bypass the password prompt to access a system remotely.There are two services associated with rlogin: login and RSH (remote shell).To disable these services, open the /xinetd.d/ rlogin file and comment out the service login line.Then, open the /etc/ xinetd.d/rsh file and comment out the service shell line. Restart xinetd to ensure that your system is no longer offering these services.
Locking Down Ports
TCP/IP networks assign a port to each service, such as HTTP, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3).This port is given a number, called a port number, used to link incoming data to the correct service. For example, if a client browser is requesting to view a server’s Web page, the request will be directed to port 80 on the server.The Web service receives the request and sends the Web page to the client. Each service is assigned a port number, and each port number has a TCP and UDP port. For example, port 53 is used for the Domain Name System (DNS) and has a TCP port and a UDP port. TCP port 53 is used for zone transfers between DNS servers; UDP port 53 is used for common DNS queries resolving domain names to IP addresses.
Well-Known and Registered Ports
There are two ranges of ports used for TCP/IP networks: well-known ports and registered ports.The well-known ports are the network services that have been assigned a specific port number (as defined by /etc/services). For example, SMTP is assigned port 25, and HTTP is assigned port 80. Servers listen on the network for requests at the well-known ports. Registered ports are temporary ports, usually used by clients, and will vary each time a service is used. Registered ports are also called ephemeral ports, because they last for only a brief time.The port is then abandoned and can be used by other services. The port number ranges are classified, as shown below, according to Request for Comments (RFC) 1700.To access RFC 1700, go to ftp://ftp.isi.edu/in-notes/rfc1700.txt.
Well-known 1 to 1023
Registered 1024 to 65535
To explain how well-known ports work with registered ports, let’s look at a typical Web site connection from a Web browser to a Web server.The client sends the HTTP request from a registered TCP port, such as port 1025.The request is routed across the network to the well-known TCP port 80 of a Web server. Once a session is established, the server continues to use port 80, and the client uses various registered ports, such as TCP port 1025 and 1026, to transfer the HTTP data. Figure 2.5 is a packet capture that displays the establishment of a TCP session between a client and server, and the transmission of HTTP data between them. In frame 2 of the packet capture, the source address (10.0.0.100) is the client computer requesting the Web page.The destination address (184.108.40.206) is the Web server, which hosts the Internet Corporation of Assigned Names and Numbers (ICANN) Web site. In the Info field, the 1025 > 80 indicates that the source TCP port is 1025.The 80 indicates that the destination TCP port is 80. The first three frames display the TCP handshake, which establishes a TCP connection between the client and server. In the frames that follow, the client requests HTTP data from the server.The request determines the HTTP version.
Determining Ports to Block
When determining which ports to block on your server, you must first determine which services you require. In most cases, block all ports that are not exclusively required by these services.This is tricky, because you can easily block yourself from services you need, especially services that use ephemeral ports, as explained earlier. If your server is an exclusive e-mail server running SMTP and IMAP, you can block all TCP ports except ports 25 and 143, respectively. If your server is an exclusive HTTP server, you can block all ports except TCP port 80. In both cases, you can block all UDP ports since SMTP and IMAP all use TCP services exclusively. However, if you want to use your server as an HTTP client (i.e., for accessing operating system updates) or as an e-mail client to a remote mail server, you will restrict the system. Clients require registered UDP ports for DNS, as well as registered TCP ports for establishing connections with Web servers. If you open only the corresponding UDP ports 25, 80, and 143, DNS requests are blocked because DNS queries use UDP port 53, and DNS answers use a UDP registered port. Even if you open port 53, a different registered port may be assigned each time for the answer. Attempting to allow access to a randomly assigned registered port is almost impossible and a waste of time.The same problem applies with TCP connections that require ephemeral ports. Therefore, you should either open all TCP/UDP registered ports (so you can use your server as a client), or block them (except for the services you require) and access resources, such as operating system updates.
To block TCP/UDP services in Linux, you must disable the service that uses the specific port.The following section discusses disabling ports using xinetd, and disabling ports assigned to stand-alone services.
Many services are disabled by their respective files in the /etc/xinetd.d directory by commenting out the service that uses the port.You learned how to comment out xinetd services earlier in this article. For example, to disable port 79 (used for finger services, which gives out user data that can be used by malicious hackers), you would comment out the service finger entry in /etc/xinetd.d/ finger file. Refer to Table 2.2 to view other ports you may wish to block. It lists common ports blocked by firewalls. However, these ports can also be blocked at the server itself. Follow these steps to disable port 79:
1. To disable port 79, you must edit the /etc/xinetd.d/finger file. Open the finger file and locate the service finger line.
2. Comment out the finger service line, and then write and quit the file.
3. Next, you must restart xinetd by entering: /etc/rc.d/init.d/xinetd restart
4. If you have a finger program installed on your system, or access to a finger gateway, attempt a finger request to your system.You should fail. Note that you can use xinetd to disable many other ports.
To disable ports whose corresponding services are not included in the /etc/xinetd.d directory, you must kill the service’s process and make sure that service does not automatically restart upon reboot.These services are called standalone services. For example, port 111 is assigned a stand-alone portmapper service not required for most e-mail servers.The portmapper service, which is technically part of the Sun Remote Procedure Call (RPC) service, runs on server machines and assigns port numbers to RPC packets, such as NIS and NFS packets. Because these RPC services are not used by most e-mail services, port 111 is not necessary. To disable port 111, you must disable the portmapper service as follows:
1. To disable the portmapper service, identify the process identifier (PID) for portmap by entering: ps aux | grep portmap
2. The second column lists the PID number.The last column lists the process using that PID.T
3. To stop the portmapper service, identify the PID number and enter: kill 9 [PID NUMBER]
Some ports, such as port 80, are not activated unless the service is installed. For example, if you have not installed Apache server, then port 80 is not used. There is no need to block the port because it is already disabled.
Hardening using Bastille
Bastille is an open source program that facilitates the hardening of a Linux system. It performs many of the tasks discussed in this article, including downloading operating system updates and disabling services and ports that are not required for the system’s job functions.The program also offers a wider range of additional services, from installing a firewall (ipchains) to implementing secure shell (SSH). Bastille is powerful and can save administrators time from configuring each individual file and program throughout the operating system. Instead, the administrator answers a series of Yes and No questions through an interactive textbased interface.The program automatically implements the administrator’s preferences based on the answers to the questions. Bastille is written specifically to Red Hat Linux and Mandrake Linux, but can be easily modified to run on most Unix flavors.The specific Red Hat/Mandrake content has been generalized, and now the hard-code filenames are represented as variables.These variables are set automatically at runtime.You can download bastille at http://www.bastille-linux.org/
Logging Your Configurations in Bastille
As with many security programs, Bastille is relatively simple to implement, but it’s easy to lose track of the changes you implemented. This can be a problem if you are unable to perform a typical operation on the system, or are denied access to a command or service. Many times, it is because you locked down part of the system by mistake, or misjudged the impact of a particular Bastille choice.
It is always a good idea to create a hard-copy log of the options you select in Bastille, or any security configurations you implement on your system. When you configure Bastille on your systems, use the Bastille log included in Appendix A of this book. It includes each configuration question and an area for your manual input. Make copies of the Appendix A, fill out the table during configuration, and keep the hard copies in a safe place.
If your system goes down, you can access the hard copies and recreate your Bastille configurations. Of course, if your system became unusable due to Bastille, it will help you determine what went wrong. This is especially helpful if you are unable to access the /root/Bastille/ config file, which saves the administrator’s preferences based on the answers to the Bastille questions.
Controlling and Auditing Root Access with Sudo
Superuser Do (sudo) is an open source security tool that allows an administrator to give specific users or groups the ability to run certain commands as root or as another user.The program can also log commands and arguments entered by specified system users.The developers of sudo state that the basic philosophy (www.courtesan.com/sudo/readme.html) of the program is to give as few privileges as possible but still allow people to get their work done. Sudo was first released to the public in the summer of 1986, and Todd Miller of Courtesan Consulting currently maintains the program and distributes it freely under a BSD-style license.The Sudo Main Page is located at http://www.courtesan.com/sudo .
Because sudo logs all commands run as root (or specified otherwise), many administrators use it instead of using the root shell.This allows them to log their own commands for troubleshooting and additional security. The ticketing system is ideal because if the root user walks away from the system while still logged in (a very bad idea), another user cannot access the system simply because he or she has physical access to the keyboard. After the ticket expires, users must log on to the system again. A shorter time is recommended, such as the default five minutes.The ticketing system also allows users to remove their ticket file.
The Sudo Command
The sudo command allows a user to execute a command as a superuser or another user. All configurations for sudo are written to the /etc/sudoers file.The sudoers file specifies whether that command is allowed by that particular user. In order to use sudo, the user must have already supplied a username and password. If a user attempts to run the command via sudo and that user is not in the sudoers file, an e-mail is automatically sent to the administrator, indicating that an unauthorized user is accessing the system.
Once a user logs in to sudo, a ticket is issued that is valid by default for five minutes. A user can update the ticket by issuing the -v flag, which will validate the ticket for another five minutes.The command is entered as follows: sudo -v
If an unauthorized user runs the -v flag, an e-mail will not be sent to the administrator.The -v flag informs the unauthorized user that he or she is not a valid user. If the user enters command via sudo anyway, an e-mail will then be sent to the administrator. Sudo logs login attempts, successful and unsuccessful, to the syslog(3) file by default. However, this can be changed during sudo configuration.
Often used flags on Sudo are:
-V Version Prints version number and exits.
-l List Lists the commands that are allowed and denied by current user.
-h Help Prints usage message and exits.
-v Validate Updates the user’s ticket for a configured amount of time (default is five minutes).
-k Kill Expires the user’s ticket. Completing this option requires the user to re-enter the user password to update the ticket.
-K Sure kill Removes the user’s ticket entirely. User must log in with username and password after running this option.
-u User Runs the specific command as the username specified. The user specified can be any user except root.
Managing Your Log Files
Another aspect of system security is managing your log files. By default, Linux offer modest logging so that administrators can see who and what has accessed their system. More logging is available (both more detail and logging on more services), but Linux keeps it brief so that you don’t fill your hard disk with log information.This section briefly discusses helpful commands and programs that provide access to system logs. Linux offers commands that allow administrators to access useful log files. Two commands of interest are last and lastlog.The message file also offers useful data for determining possible security breaches on your system. The last command displays data such as who is logged on to the system, who recently logged on, and when the system has rebooted.
The lastlog command displays the users and services that have accounts on your machine. It lists the last time each account logged in to the system, or if the account has ever logged in. Each service in Linux is given an account.This is very helpful because if a service logged in without your knowledge, a hacker may be responsible.This would indicate that the hacker controls your system and is currently exploiting it. It could also mean that another administrator started the service without telling you.
The messages file is a log file that displays a list of recent activity on the system. For example, it lists if a password was changed and who changed it. It identifies when a user session opens and closes. It also lists the time and data each event took place. It can be viewed by entering the following command: tail /var/log/messages
If you prefer a GUI to view your log files, a program called SWATCH allows an instant and real-time display for various log files. It can view any log files you specify and is discussed in the next section. The Linux logs should be checked frequently to determine if any security violations have occurred on your system. Logs do not offer solutions, so you must analyze the data and decide how to counteract the attack.
Using Logging Enhancers
Logging enhancers are tools that simplify logging by allowing logging information to be filtered and often displaying logs in simplified formats. Many open source logging programs exist to make system administration much easier. Viewing text-based files with hundreds or thousands of entries can be burdensome, especially if you are only looking for one specific error entry. Logging enhancers can make logging a much more user-friendly experience, and greatly expand and customize the information you need to log. The next sections explain a little bit of the three popular logging services used by administrators: SWATCH, scanlogd, and the next generation of syslogd (syslogd-ng).
Simple WATCHer or Simple WATCHdog (SWATCH) is an open source package that allows administrators to efficiently monitor system activity. It can monitor events on a system, or a large number of systems, by monitoring system logs for specified events. SWATCH’S main function is to monitor messages actively as they are written to a log files through the Unix syslog utility. SWATCH requires Perl 5 to function. SWATCH is efficient because it allows administrators to modify the SWATCH configuration file (/etc/swatchrc) to filter logging entries and respond to certain events. For example, SWATCH can monitor the system for bad login attempts, and e-mail the administrator whenever this failed authentication event occurs. It can monitor and alter when system halts and reboots occur, when a user upgrades to root using the su command, when the file system is full, and when someone is sniffing the system. It can monitor anything desired from the
Scanlogd is an open source program that detects and logs TCP-port scanning on a system. For example, it can detect nmap scans. Nmap is a program used by hackers to create a map of your network. It is often the first step a hacker takes once he or she has access to your network to determine which system to hack. Nmap lists the systems and the services on the network. Scanlogd can alert an administrator when the network is being mapped, but it cannot stop the intrusion.
Scanlogd was originally designed to illustrate attacks, not to fix them. Therefore, even though it is safe to run on your system, it does not prevent hacking attacks. You must read the system log to discover what happened to your system, and then determine the appropriate solution.
Scanlogd writes one line per scan using the syslog(3) mechanism. It also logs when a source address sends many packets to several different ports in a short amount of time.You can learn about scanlogd and download the program at www.openwall.com/scanlogd. Because scanlogd is only meant to detect scans, it is totally safe to run on your system. It must have access to raw IP packets to function, and can capture packets coming in and out of the system interface, or across the network to which the system is attached. In addition, scanlogd v2 supports the raw socket interface on libnids, libpcap, and Linux.
Syslogd-ng is a logging daemon that is the replacement for the traditional syslogd. The ng is an acronym for next generation.The original syslogd was the general Unix logging daemon that handled requests for syslog services, but was diffi- cult to configure. Syslogd-ng is easier to configure and offers additional logging features, such as more configurations. For example, syslogd-ng allows administrators to filter messages based on priority, as well as the content of the messages. You can also forward logs on TCP, sort logs to different destinations, and create a direct log stream to various hosts. It will eventually support log files that are protected with hash encryption.
Syslogd made it difficult to choose only the important messages. The reason this occurs is that messages are sent to different destinations depending on the assigned facility/priority pair.These destinations are very broad, and include general facilities such as mail, news, auth, and so forth, and priorities ranging from alert to debug. Many programs use the facilities, so many unneeded messages are written to their logs. In many cases, the message and the facility are not even related. Syslogd-ng filters messages based on message content in addition to the facility/priority pair. Using this method, only the messages that are needed are logged. Syslogd-ng has been tested on Linux, BSDi, and Solaris. At the time of this writing, the latest stable version was 1.4.17.You can learn more about syslog-ng and download it from the Balabit site at http://www.balabit.com/downloads/syslog-ng/downloads The site also contains information on installing and configuring the service.
This article covered the very basics of hardening a server to avoid security vulnerabilities using Linux.The main sections covered disabling unnecessary services, locking down ports, Bastille, sudo, and logging enhancers. It is extremely important to install the latest updates to the operating system, which fix many security vulnerabilities and bugs before you install any programs. Many services provided with operating systems are not required and can be removed.The key to remember is that the fewer services running, the less potential vulnerability.TCP/UDP ports were covered in this article, and how each port is used by specific services. If you block ports on your server, you block the services that use those ports. Locking down ports is an excellent way to reduce exploitations of your system.
Maintaining your server involves downloading service packs and updates, and requires regularly installing bug fixes, security patches, and software updates.These items are available through the operating system vendors, as well as the specific vendors that created the software that you implement.
Bastille is an open source program that facilitates the hardening of a Linux system. It performs many of the tasks listed previously, including downloading operating system updates and disabling services and ports that are not required for the system’s job functions. Bastille is powerful and can save administrators time from configuring each individual file and program throughout the operating system. Instead, administrators answer a series of Yes and No questions through an interactive text-based interface.The program automatically implements the administrators’ preferences based on the answers to the questions.
Superuser Do (sudo) is an open source security tool that allows an administrator to give specific users or groups the ability to run certain commands as root or as another user.The program can also log commands and arguments entered by specified system users.The developers of sudo state that the basic philosophy (www.courtesan.com/sudo/readme.html) of the program is to give as few privileges as possible, but still allow people to get their work done.
Logging enhancers are tools that simplify logging by allowing logging information to be filtered and often displaying logs in simplified formats. Many open source logging programs exist to make system administration easier.You were introduced in this article to SWATCH, scanlogd, and syslog-ng.
SWATCH is an open source package that allows administrators to efficiently monitor system activity. It can monitor events on a system, or a large number of systems, by monitoring system logs for specified events. SWATCH’s main function is to monitor messages actively as they are written to log files through the Unix syslog utility.
Scanlogd is an open source program that detects and logs TCP-port scanning on a system. Scanlogd can alert an administrator when the network is being mapped, but it cannot stop the intrusion.
Syslogd-ng is a logging daemon that is the replacement for the traditional syslogd.The ng is an acronym for next generation.The original syslogd was the general Unix logging daemon that handled request for syslog services, but was difficult to configure. Syslogd-ng is easier to configure and offers additional logging features, such as more configurations. For example, syslogd-ng allows administrators to filter messages based on priority, as well as the content of the messages.