Linux Security Guide
I was wondering if you guys might be willing to help me create a sticky thread that we could use to talk about Linux security from beginner level up to more advanced topics. I was thinking that this way we could help any newbies to Linux (or BSD for that matter) get a feel for security, and I'd have a place to refer back to (because I forget things). I'd appreciate any contributions you guys are willing to make.
Ok, seriously now....
Step 0. Use strong passwords.
Step 1. Do not use any wireless technologies. No wifi, no bluetooth, no wireless keyboards or mice.
Step 2. Physical security: keep everything locked, use an alarm system and cameras.
Step 3. Always use encryption. Use whole disk encryption and only encrypted protocols.
Step 4. Disable all system services/daemons except ssh.
Step 5. Do not use the well known ports in /etc/services.
Step 6. Read up on iptables at http://netfilter.org/ and apply the strictest firewall rules you can live with.
Step 7. Disable root logins.
Step 8. Install tripwire, aide, etc.
Step 9. Make sure any services running on your computer are only accessible from your LAN.
Step 10. Always check the checksums and sigs and run virus scans before you install anything.
Step 11. Run rootkit checking software daily.
Step 12. Run yum / apt-get daily.
Step 13. To be continued.
Sweet, thanks for the response! Perhaps we could elaborate on these one by one? For example, how might one find a list of all the outward facing daemons on their machine? I think after finding all the outward facing daemons, it might be a good idea to either shut them down as Linux_0 so wisely stated, or if they are needed, perhaps change the ports they use so that scanners will have a harder time finding them?
Also, I think we should also talk about doing a bit of "forensic analysis" (i.e. how to figure out if your machine got compromised and what to do about it). When I have a bit more free time (like this weekend) I will read up on it and post my findings here.
My guide to Linux Security:
Step 1) only install software from the official software distribution application (i.e. in Ubuntu 9.10 that's the Software Store)
Step 2) Enable updates and make sure they are installed at regular intervals
Step 3) Don't connect your PC directly to the internet, but make use of a NAT router in between. Note that this works independently from any firewall you may or may not have.
Step 4) there is no step 4
Basically, if you leave the Windows world, where you're used to downloading executable code from the internet and executing it without thought or restrictions, you're so much better off from a security standpoint. Since virtually all Windows PCs are infected with spyware, a move to Linux would be very beneficial to security. Even a clean Windows installation contains a light form of spyware (Microsoft does business with Alexia, which integrates their sniffing app with Windows).
So my original intent for this thread was to create a more or less ongoing guide to ensuring that a Linux desktop is secure, and I wanted to contribute more, but then school got in the way for the last couple of months. Now that I have graduated, I plan on reading up on the various aspects to Linux desktop security and then I will consolidate things a bit and post my findings here. This guide is as much for me as any newbie who comes across the forum, so by all means, if you guys see something that I missed or that is blatantly wrong, feel free to let me know and correct the mistake!
A long-time Windows user, I only started using Ubuntu two weeks ago, and I found this guide on the Ubuntu forums which came in handy for controlling inbound and outbound services:
Firewall Ubuntu Desktops
November 23rd, 2009 by bodhi.zazen
Many Ubuntu users are interested in learning how to enable a firewall. The majority of people seem to be interested in filtering inbound and outbound connections on a Desktop installation.
Without getting into the inevitable debate on the merits of using a firewall, I would like to pass on some basic information. Please understand that discussions about firewalls and understanding the technical details of a firewall can become complicated very fast. The goal of this blog therefore is to enable users to feel comfortable with the basic firewall manipulations on an Ubuntu Desktop installation.
You should also know, by default Ubuntu, unlike some operating systems, has no significant listening servers. You may list your listening servers with any of the following commands:
sudo bash -c "netstat -an | grep LISTEN | grep -v ^unix"
sudo lsof -i -n -P
Alternately you may perform a portscan from a second computer, ie nmap
I strongly advise the use of UFW (Uncomplicated FireWall) as it is installed by default, the syntax is easy to understand, and the defaults are more than adequate for the vast majority of users. If you prefer a graphical front end, install GUFW.
Enable your firewall
This is very easy:
sudo ufw enable
Deny incoming connections
This setting will deny all new incoming connections. Established connections (connections you request) are allowed.
sudo ufw default deny
Since we are not running a server, nothing further is required for incoming connections.
Deny outgoing connections
This is a bit harder as you need to know the services you wish to allow and write rules for outbound traffic you wish to allow. Common services you may wish to allow (and their ports) include:
DNS (Domain Name Service) = protocol udp port 53.
Web browsing = http protocol tcp port 80.
Secure web browsing = https protocol tcp port 443.
Mail = protocol tcp port 25.
FTP = protocol tcp port 20 and 21.
SSH = protocol tcp port 22.
VNC = protocol tcp port 5900.
Samba uses multiple ports , protocol udp ports 137 and 138 as well as tcp ports 139, and 445.
IRC protocol tcp , Ubuntu Servers defaults to 8001.
A listing of ports can be found here.
UFW will block outbound traffic based on the destination port on the server. To allow the outbound traffic listed above use:
sudo ufw allow out 53,137,138/udp
sudo ufw allow out 20,21,22,25,80,139,443,5900,8001/tcp
Then block all other outbound traffic with:
sudo ufw deny out to any
Keep in mind, order of the rules is critical. So if you need to allow additional traffic, you will need to insert a rule.
List your rules by number with:
sudo ufw status numbered
If you used the above syntax you will see :
To Action From
-- ------ ----
[ 1] 53,137,138/udp ALLOW OUT Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT Anywhere (out)
[ 3] Anywhere DENY OUT Anywhere (out)
Say we wish to allow out telnet on port 23. We will need to add this before the third rule (which denies all outbound traffic). We do this using insert.
sudo ufw insert 3 allow out 23
I used this guide as a stepping stone before moving on and giving iptables a go. Hope this helps.
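The one thing in that guide that bites people is rule order: an "allow out" appended after the final "deny out to any" never matches, so the insert number has to be right. The helper below is an added example, not code from the post above or from bodhi.zazen's blog. It reads the text of `sudo ufw status numbered` (the layout assumed is the "[ N] To Action From" layout shown in the post; the status text embedded here is a constructed sample of that layout) and computes where a new outbound allow rule has to be inserted instead of you reading it off by hand.

```shell
#!/bin/sh
# Added example; not from the original post or from bodhi.zazen's blog.
# ufw evaluates rules in order, so an "allow out" appended after the final
# "deny out to any" never matches. These helpers work out the insert position
# from the text of `sudo ufw status numbered`. Assumed layout: the one shown in
# the post, i.e. "[ N] <to> <action> <from>" per rule.

# Constructed sample of `sudo ufw status numbered` after the three rules in the post.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 53,137,138/udp             ALLOW OUT   Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT   Anywhere (out)
[ 3] Anywhere                   DENY OUT    Anywhere (out)'

# Print the number of the first catch-all outbound deny rule
# ("Anywhere  DENY OUT  Anywhere"), or nothing if there is none.
catchall_deny_index() {
    # $1: text of `ufw status numbered`
    printf '%s\n' "$1" \
        | sed -n 's/^\[ *\([0-9][0-9]*\)] *Anywhere .*DENY OUT.*/\1/p' \
        | head -n 1
}

# Print the ufw command that allows outbound traffic to a port spec (e.g. 23/tcp)
# in front of the catch-all deny. Without a catch-all deny a plain append is
# equivalent, so that is what gets printed instead.
outbound_allow_cmd() {
    # $1: text of `ufw status numbered`, $2: port spec such as 23/tcp
    idx=$(catchall_deny_index "$1")
    if [ -n "$idx" ]; then
        printf 'sudo ufw insert %s allow out %s\n' "$idx" "$2"
    else
        printf 'sudo ufw allow out %s\n' "$2"
    fi
}

# Demo on the constructed sample. On a live system run:
#   outbound_allow_cmd "$(sudo ufw status numbered)" 23/tcp
outbound_allow_cmd "$SAMPLE_STATUS" 23/tcp
```

The port spec is passed through untouched, so `23/tcp`, `23/udp` or a bare `23` (both protocols) all work the same way as in the guide; on a box with IPv6 enabled the (v6) copy of the catch-all deny sits further down the list, and inserting in front of the first (IPv4) catch-all is the right spot for the new rule.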
Ok. Things have been pretty busy for me as I am just settling in at my new job and what not, but I have finally gotten a moment to reinstall my Linux (that I had accidentally hosed) and I am trying to secure it bit by bit. I will start out by sharing some of the things that I've learned about locking down SSHD. Arguably this whole thread is motivated by an experience I had one day where I read my /var/log/auth.log and found out that I was being probed and bruteforced hundreds of times per day, and since this is a very important service for me as well as one of the few entry points into my box, I figured I'd better be 100% sure that things are as safe as I can make them. So, here is what I have learned so far:
After you install an openssh server, you will want to open up /etc/ssh/sshd_config and add the following lines:
This is as much for my own reference as well as for any newbies to the Linux world, so I am going to explain what each line is supposed to do (and feel free to correct me if I am wrong, guys).
"PermitRootLogin no" disallows people from trying to connect directly to the root account from the outside world. They first have to connect to the machine with a normal user and then use "su -" to get to root. This prevents the root password from being bruteforced from the outside since sshd is going to deny all attempts to sign in directly as root. I am not sure how it works on other distributions, but in gentoo, anyone who wants root access would have to sign in as a user that is a part of the "wheel" group first. So if an account that is not a part of the wheel group gets compromised, it may not be the end of the world. However, it is important to note that setting this option only slows the bad guys down instead of stopping them, but it is better/safer than not setting it at all.
"AllowUsers <user_list>" will only accept logins from people on the list you specify. This is yet another option that slows the bad guys down since they'd have to compromise a user account that is on that list first. Once again, it won't save you necessarily, but it's better than not doing it.
"Port <some_port_other_than_22>" By default, SSH servers listen for traffic on port 22, and since this is a standard port, the bad guys have their scanners look for SSH servers there and when they find one they start doing what they do best. By setting your SSH port to some high number (up to 65535), you are slowing them down further since they have to scan all the ports to find your server first. Again this won't save you but it helps in that it makes your machine less of a low-hanging fruit (i.e. easy pickings). If you change your port number every once in a while, that should help keep the scanners guessing. Please note that you will have to change your firewall to allow traffic for whatever port you change your SSH server to, and that whenever you want to log into your computer you will have to use "ssh <your_domain_or_IP> -p <new_port_number>" or else you won't be able to connect.
"Protocol 2" As I understand it, OpenSSH has two versions of the protocol, and version 1 was subject to man-in-the-middle attacks, so it is better to only use protocol 2 since it isn't subject to that problem.
These last two lines are about setting up appropriate logging so that you can see all the incoming connections and log in attempts from the outside. They are a diagnostic tool to help you figure out if there is suspicious activity going on.
So, the options I have listed here are a start. I have read about more sophisticated things like disabling password authentication in favor of RSA key authentication (which I have read is much more secure), and tools like fail2ban which IP bans computers that have more than N failed login attempts in M minutes, where N and M are parameters you specify. I haven't had time to look into these things in detail, but when I do, I will post about them.
Thanks for your contributions, guys, and please feel free to correct any glaring mistakes. I am trying to learn from all of this as well as lend a helping hand to the newbies!
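Two things in the post above turn into checks you can actually run: the sshd_config keywords it walks through (PermitRootLogin, AllowUsers, Port, Protocol, plus PasswordAuthentication for the key-auth step it mentions), and the "more than N failed logins from one IP in M minutes" rule that fail2ban applies to auth.log. The script below is an added example, not the poster's own code and not fail2ban. Both inputs it uses are constructed samples (a made-up sshd_config fragment and made-up auth.log lines using RFC 5737 test addresses); `sshd_option`, `sshd_findings` and `brute_force_sources` are names chosen for this example.

```shell
#!/bin/sh
# Added example; not the original poster's code and not fail2ban itself.
# Part 1 audits an sshd_config for the settings discussed in the post.
# Part 2 applies the fail2ban-style rule "N failures from one IP within M
# minutes" to auth.log text. All inputs below are constructed samples.

# Constructed sshd_config fragment (not a real host).
SAMPLE_SSHD_CONFIG='# constructed sample
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication yes'

# Constructed /var/log/auth.log lines in Ubuntu syslog format (RFC 5737 test addresses).
SAMPLE_AUTH_LOG='Nov 23 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Nov 23 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51140 ssh2
Nov 23 10:01:09 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51150 ssh2
Nov 23 10:03:30 host sshd[1210]: Failed password for bob from 198.51.100.4 port 40022 ssh2
Nov 23 10:03:40 host sshd[1212]: Accepted publickey for bob from 198.51.100.4 port 40030 ssh2
Nov 23 10:40:00 host sshd[1300]: Failed password for root from 192.0.2.9 port 52000 ssh2
Nov 23 10:55:00 host sshd[1301]: Failed password for root from 192.0.2.9 port 52001 ssh2
Nov 23 11:10:00 host sshd[1302]: Failed password for root from 192.0.2.9 port 52002 ssh2'

# Value of an sshd_config keyword: first occurrence wins (as in sshd), keyword
# match is case-insensitive, comments and blank lines are skipped. Prints nothing
# if the keyword is unset. Simplification: the rare "Keyword=value" form is not handled.
sshd_option() {
    # $1: config text, $2: keyword
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# One "Keyword=value" line per setting that is not in the hardened state the post
# describes; prints nothing when everything is set.
sshd_findings() {
    # $1: config text
    v=$(sshd_option "$1" PermitRootLogin);        [ "$v" = "no" ] || echo "PermitRootLogin=${v:-unset}"
    v=$(sshd_option "$1" AllowUsers);             [ -n "$v" ]     || echo "AllowUsers=unset"
    v=$(sshd_option "$1" Port);                   [ -n "$v" ] && [ "$v" != "22" ] || echo "Port=${v:-22}"
    v=$(sshd_option "$1" Protocol);               [ "$v" = "2" ]  || echo "Protocol=${v:-unset}"
    v=$(sshd_option "$1" PasswordAuthentication); [ "$v" = "no" ] || echo "PasswordAuthentication=${v:-unset}"
    return 0
}

# Print (sorted, one per line) each source IP with at least N "Failed password"
# lines inside some M-minute window: fail2ban's maxretry/findtime idea.
brute_force_sources() {
    # $1: auth.log text, $2: N (failures), $3: M (window in minutes)
    printf '%s\n' "$1" | awk -v n="$2" -v m="$3" '
        $5 ~ /^sshd\[/ && /Failed password for / {
            # Field 3 is HH:MM:SS; dates are ignored in this simplified parser,
            # so a window is never allowed to span midnight.
            split($3, hms, ":")
            secs = hms[1] * 3600 + hms[2] * 60 + hms[3]
            # The source IP is the field after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            t[ip, cnt[ip]++] = secs
        }
        END {
            # The log is chronological, so check each run of n consecutive failures.
            for (ip in cnt)
                for (i = 0; i + n - 1 < cnt[ip]; i++)
                    if (t[ip, i + n - 1] - t[ip, i] <= m * 60) { print ip; break }
        }' | sort
}

# Demo on the constructed samples. Against a real box:
#   sshd_findings "$(sudo cat /etc/ssh/sshd_config)"
#   brute_force_sources "$(sudo cat /var/log/auth.log)" 5 10
sshd_findings "$SAMPLE_SSHD_CONFIG"
brute_force_sources "$SAMPLE_AUTH_LOG" 3 10
```

On the sample config the only finding is `PasswordAuthentication=yes`, and with N=3, M=10 only 203.0.113.7 is reported (the three failures from 192.0.2.9 are 15 minutes apart, so a 10-minute window never catches them; widen M to 60 and it is reported too), which is exactly the knob fail2ban's findtime gives you. Two caveats on the config check: only set `PasswordAuthentication no` after you have confirmed key login works from a second session, and on OpenSSH 7.4 and later SSH-1 is gone and the `Protocol` keyword is deprecated, so sshd only logs a deprecation notice for it.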