Box Examined: Linux RedHat 6.2
-----------------------------------------------
Welcome to another of my tutorials. Now this is a subject
which has been covered many times before, and although I
haven't read many other Linux security tutorials I'm going
to try and write it with a twist, so that you understand it
and are not left puzzled. The system I have chosen to write
about is the RedHat operating system, as that is what most
newbies and kiddies are using these days, just so they can
say they run Linux. I am going to rush through this tutorial
and then flick back and add more detail, so if some parts
seem to have bad English or don't seem to follow on from one
another, that's why.
Preparation
------------
The best place to begin with the security and integrity of
your system is the installation. You should begin with a
fresh installation of the system and carry out all security
checks and modifications while offline. If you wish to get
updates then bung the box on an isolated network away from
script kiddies, so you can download the files elsewhere and
transfer them through that network. An unsecured box put
online could be breached at any moment. The box could be
picked up by service scanners and other shit which kiddies
use these days.
Installation
-------------
Alright, we are moving on now to the installation. What sort
of installation shall we use? Workstation, Server or
Custom? Custom. This way we can be flexible in what we want
to install and not have lots of bloated rubbish like
"gabber", audio servers and other things which we don't need
installed. Obviously the less stuff we have on the system,
the fewer potential security risks we have. If you change
your mind and need any of the software which you chose not
to install then you can always install it again at a later
date, by downloading the up to date version from the
vendor's website.
Custom - Partitioning.
----------------------
Now we have selected custom we will need to partition the
system. I won't dwell on this subject as it's all fairly
straightforward. We will make a few partitions to make the
system more secure.
To do this we create a separate /var partition rather than
keeping /var on the root partition as the default would.
This prevents a system failure caused by filling the root
partition with log files. Filling the root partition is a
method of DoS: once it is full the system cannot operate,
because it can no longer create files or anything else,
potentially crashing the system.
I find that around 300mb to 450mb will be sufficient for the
/var partition, where all the email, system logging and
other log related crap goes. This depends on what the system
is used for, whether there is going to be extensive logging
or not, and also whether there is going to be a lot of mail
coming in. Below is what the partition scheme will look like.
/ - Everything else.
/var - Around 350mb to 400mb, or more depending on how much
mail you expect etc.
swap - I usually leave this at around 40mb; it should
probably be made slightly larger, depending on the amount of
RAM you have.
Now follow through and reboot when prompted.
System is installed.
--------------------
Now we need to patch the system for security
vulnerabilities within the software first of all. Because
it's RedHat we will be using rpm based files on the system.
Remember the box should still be on the isolated network
and not on a direct connection to the internet. I advise
you to download the files and patches to the main box
connected to the net and then rip them through the network
connection to the system we are currently patching up. An
example of patching the system is shown below using rpm
(run as root).
# rpm -Uvh <rpmfile>.rpm
Now if you have been vicious and confident and put the box
online, or you are upgrading software on a system which is
connected to the net, then you can use the following
command, which fetches the package straight from the mirror:
# rpm -Uvh ftp://<ftp path to the patch goes here>.rpm
Then again, if you're feeling slightly lazy (which should be
a complete "no no" with security, as that's where over 90%
of security compromises come from, whether it be lazy
programmers or administrators) you can use a utility called
"up2date". This is a much faster alternative as you don't
have to go poking around your system looking for files and
everything which needs updates, because this will search
them all out, check the mirror for new updates and then
update them all at once. Now reboot the system and we will
concentrate on shutting down services.
Shutting down services
-----------------------
How do we know what services are uncommented and thus
running? Well, a simple way to do this is with the grep
command shown below, which prints every line of inetd.conf
that is not commented out.
$ grep -v "^#" /etc/inetd.conf
To edit the file we can use one of our favourite text
editors like vi. Open the file and comment out the services
which you do not want to be running, by adding a # to the
beginning of the line for each service we don't want. I
chose to shut down ftp, finger and telnet, and opted to use
ssh to login to my box remotely. Now we have edited what
services should be running we need to restart inetd; we do
this by sending it a HUP signal, which makes it re-read
inetd.conf.
$ kill -HUP <pid of inetd>
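As an added example (mine, not part of the original text), the same job done with a couple of shell functions on a constructed copy of inetd.conf: list the enabled services and comment out the ones you name, anchored so the match cannot spill onto a longer service name. inetd still needs the HUP afterwards, as above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Lists enabled inetd services
# and comments out the unwanted ones in an inetd.conf-style file. It works on
# whatever file you pass it, so it can be tried on a copy without root.

# Constructed sample of a RedHat 6.2 style /etc/inetd.conf.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# inetd.conf: services that will be available (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#talk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.talkd
EOF
}

# Same idea as grep -v "^#" above, but prints only the service name (first
# field) of each uncommented, non-blank line.
enabled_inetd_services() {
    grep -v '^#' "$1" | awk 'NF > 0 { print $1 }'
}

# Put a '#' in front of every line whose first field is one of the named
# services. Usage: disable_inetd_services FILE ftp telnet ...
disable_inetd_services() {
    file=$1; shift
    for svc in "$@"; do
        # ^ plus a trailing blank means "ftp" cannot also match "ftps"
        sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    done
}
```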
Startup Scripts
----------------
Now we need to get rid of all the unneeded startup scripts
which we have on the system, to make it more secure. Where
you find these scripts depends on whether you are
automatically booting into a user interface; we only need to
keep the startup scripts active which are totally needed
for system operation. Otherwise off they go. Below I am
going to list quite a few default startup scripts which are
usually enabled on a fresh install.
Script List
-----------
S72amd - AutoMount daemon.
S75gated - used to run other routing protocols, such as OSPF.
S80sendmail - the sendmail pop3 daemon.
S85httpd - Usually the apache web server.
S87ypbind - Use only if you're an NIS client.
S90xfs - X font server.
S95innd - A basic news server.
S99linuxconf - Remote administration of the system via a
browser.
S50snmpd - SNMP daemon.
S55named - DNS server.
S55routed - RIP, don't run this unless you REALLY need it.
S60lpd - Printer services, not much need.
S60mars-nwe - Netware file and print server.
S60nfs - Use for NFS server.
S05apmd - You only need this for laptops.
S10xntpd - Network time protocol.
S11portmap - Required if you have any rpc services.
S15sound - Sound card related, no use on a server.
S15netfs - This is the nfs client.
S20rstatd - r services are a risk, they provide info about
the system.
S20rusersd - not much need.
S20rwhod - not much need.
S20rwalld - again, not much need.
S20bootparamd - Used for diskless clients.
S25squid - A little proxy server.
S34yppasswdd - Required if you are a NIS server.
S35ypserv - Required if you are a NIS server.
S35dhcpd - Starts the dhcp server daemon.
S40atd - Used for the at service, similar to cron.
S45pcmcia - You only need this script for laptops.
So how do we turn these off?
------------------------------
OK, so you have now decided which you really need and which
you don't need. To turn these off we simply cd into the rc
directory which holds all these files and turn the large S
into a small s; this will prevent the script from starting
at boot time, because the rc script only runs the links
beginning with a capital S.
Alternatively you can check before you do this to see which
scripts are actually set to run at boot time by listing the
rc directory for your default runlevel (rc3.d for a text
login, rc5.d if you boot straight into X):
# ls /etc/rc.d/rc3.d/S*
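An added example, not from the original text: the rename trick above done with shell functions, run on a constructed rc3.d look-alike so it can be tested without touching /etc/rc.d.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Shows which SysV links will
# run at boot and disables one by renaming its capital S to a small s, which
# is what /etc/rc.d/rc keys on (it only runs S* links).

# Constructed stand-in for /etc/rc.d/rc3.d with a few links from the list.
make_sample_rcdir() {
    mkdir -p "$1"
    for link in S10network S20rwhod S72amd S80sendmail S85httpd K45pcmcia; do
        : > "$1/$link"
    done
}

# Links that will be started: names beginning with a capital S, sorted by the
# two-digit order number so the output matches the boot sequence.
enabled_startup_scripts() {
    ls "$1" | grep '^S' | sort
}

# Disable a link by renaming S.. to s.. Refuses anything that is not an S link
# (K links are already stop scripts). Usage: disable_startup_script DIR S72amd
disable_startup_script() {
    dir=$1; name=$2
    case $name in
        S*) mv "$dir/$name" "$dir/s${name#S}" ;;
        *)  echo "not an S link: $name" >&2; return 1 ;;
    esac
}

# Undo a disable: s72amd -> S72amd. Usage: enable_startup_script DIR s72amd
enable_startup_script() {
    dir=$1; name=$2
    case $name in
        s*) mv "$dir/$name" "$dir/S${name#s}" ;;
        *)  echo "not a disabled link: $name" >&2; return 1 ;;
    esac
}
```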
Logging, should I or not?
-------------------------
Well, personally I run low spec systems for my servers,
ranging from SPARC 2's to SPARC 5's, so system performance
and memory usage is very important for me, so I tend to turn
off every service which I see as a waste of system
resources.
Obviously if you are a company highly concerned about
monitoring what users do to the system, and about finding
the culprit if any breaches happen, then I would highly
recommend running logging daemons. But if you are a home
user, or a home user who has his own basic server in his
room, then there is not much need to run these. Let's
admit it, logs take up space, and how many of us actually
spend time reading them every day? It's just one less
service and one less security risk.
User Accounts
--------------
First things first, we should cat the passwd file and see
what accounts are lurking within it. We do this by typing
the following:
# cat /etc/passwd
The output should be similar to the one below:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntfx:x:500:500:ntfx:/home/ntfx:/bin/bash
Now, to remove all default and unneeded accounts we simply
type:
# userdel -r <username>
This will remove the username and the home dir of the user.
Once we have got rid of all the unneeded usernames we can
begin to sort out who we want to have access to su'ing up to
root. To secure this we must put those users into group
"wheel". After this we can then chgrp and chmod su to
secure the system even more.
# /bin/chgrp wheel /bin/su
# /bin/chmod 4750 /bin/su
Now su will only be permitted to those who are in group
wheel (mode 4750: setuid root, executable by owner and
group only, no access for others). You should also do this
for all the files you wish to restrict to authorised users.
This prevents abuse of available programs.
Now we will lock down the rhosts files: .rhosts, .netrc and
/etc/hosts.equiv. The r commands use these files to grant
access to systems. To lock them down, touch the files, then
change the permissions to zero. This way no one can create
or alter the files. For example:
# /bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
# /bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
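An added example (mine, not the author's) that audits the account lockdown described above: it parses a passwd-format file for accounts that can still log in or that share UID 0, and reports a file's permission mode so you can confirm the 4750 on su and the 0 on the rhosts files. The passwd lines are constructed, and `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Audits the account and
# permission lockdown steps on constructed input, so it needs no root access.

# Constructed passwd-format sample: a trimmed copy of the listing above plus
# a deliberately planted second UID 0 account ("toor") to show the check.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
news:x:9:13:news:/var/spool/news:
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntfx:x:500:500:ntfx:/home/ntfx:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
}

# Accounts that can get an interactive shell. An empty shell field means
# /bin/sh, while nologin, sync, halt and shutdown are not real shells. These
# are the candidates for userdel -r (or for /sbin/nologin as their shell).
login_capable_accounts() {
    awk -F: '$7 !~ /nologin$|sync$|halt$|shutdown$/ { print $1 }' "$1"
}

# Any account other than root with UID 0 is a second root login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Octal permission mode of a file, e.g. 4750 for su after the chmod above,
# 0 for a locked rhosts file (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Lock a rhosts-style file exactly as the text does: create it, then mode 0.
lock_rhosts_file() {
    touch "$1" && chmod 0 "$1"
}
```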
Now let's get on with the services again
---------------------------------------
So you want to run the following....
HTTPD
FTPD
SSHD
TELNETD
Well, at the moment you're probably running default apache,
wu-ftpd, an old opensshd and an old telnetd version.
Why put up with being shipped with old, out of date and
exploitable goods? Shipping you with wu-ftpd and old
opensshd and other items is like they are saying they want
you to be compromised, just so you go back and get more of
their goods. Yeah, I know it's free, but that's beside the
point; it's more hassle. So let's get rid of this shit.
The bad stuff:
wu-ftpd - exploitable with every release within weeks. Slow
and buggy. Avoid this shit.
openssh - generally ok, but switch to the commercial one;
it's still free for private use.
TelnetD - sniffed and all the usual, not usually
exploitable unless you run FreeBSD. Keep this up to
date though. I have never heard of a Lintel (Linux on
Intel) telnetd exploit.
The Alternatives:
PureFTPD - hasn't had any exploits released in its entire
project. Obviously one to consider; it's what we use.
thttpd - Very secure and flexible httpd, hardly any
exploits found within this httpd. More secure than apache
anyway.
SSHD - More secure than openssh, yet rpm distros tend to
get hit by exploitable ssh daemons.
TelnetD - This is usually fine, keep it up to date, and
avoid rpm installs of the telnetd if given the choice.
Why add telnetd to both? It has its advantages and
disadvantages, so you decide.
Extra Security?
---------------
You may want to choose from a variety of things. Other
things I tend to implement are certain modules and tripwire,
or whatever else you may want to include. I'll give a list
of certain modules you may want to include below and their
purpose.
StJude LKM module - this can detect and prevent remote and
local root exploits. I haven't used this one, but by the
description it seems worth its while to add that bit of
extra security.
DTK - The Deception Toolkit, a set of perl scripts to harden
security on a system based on attacks.
WINDOG-DTK - This was something I found; although it wasn't
the official windog it was a replacement. I have continued
this project to make more daemons and other deception stuff.
Conclusion:
I will update this text soon with more in-depth security
measures. These are just the basics for now, so you can feel
slightly more secure than you would if you were practically
a sitting duck with an insecure install.
Credits
Author: NTFX 19/02/02
Contact: NTX@SpyModem.Com
Website: www.legion2000.tk -=- www.spymodem.com
Legion2000 Security Research 1996 - 2002
Greets: opt1k, IL, EazyMoney, SpyModem, fubar, kod