UVA Linux Security

Suggested Check List - updated 30-Aug-2005

Item Descriptions

1. Restrict Sendmail - in /etc/hosts.allow add this line:

   
          sendmail: 127.0.0.1
   
       

   This means that the local computer is the only IP that can send email. Sendmail is dangerous because people who send "spam" look for unix machines that accept mail from anyone and send it anywhere....Don't help spammers!!
   
2. Turn off all unneeded inetd services.
   • RedHat Fedora Core 2-4 - run /usr/sbin/ntsysv (manages the xinetd daemon) as root and turn off all unneeded services:
     Particularly, do not run telnet, rlogin, finger, ntalk, rexec, rhnsd, rsh, rtalk, rstatd, rwhod, talk, tftp, ypbind, or wu-ftpd.
     Run as root "/etc/rc.d/init.d/xinetd restart" to activate the changes.
   
   
3. Edit RedHat Security Files - all these items have man pages
   • /etc/hosts.allow - limit access to trusted locations
   • /etc/hosts.deny - deny TCP access to everyone
   
   
4. Never allow anonymous users to send files to your FTP site.
   
5. Read your security logs:
   /var/log/messages contains all root access allowed and all denied access

   
   

6. If you manage a group of machines, make a root account on each machine with the same user id and a very strong password. (A strong password contains Capital Letters, punctuation, numbers and no English syllables!!)
   • Create a regular user account, say rroot
   • In /etc/passwd, change the owner and group number to 0, so it has root priviledge.
     xdrrroot:x:0:0:rich as root:/root:/bin/bash
   
   
   
7. Do regular backups and regular updates (patches). With Red Hat FC2-4, there is a program called yum that can automatically fetch and install Red Hat patches. Put it in a cron file and run it daily.

   Test this service carefully before using it on a production machine.

   ITC offers an update service which is a mirror of Red Hat's site. To use it login as root and do the following:

   • Make the NFS mount:

     mkdir /export
     mount -t nfs linuxload.itc.virginia.edu:/export/Fedora3 /export
     or
     mount -t nfs linuxload.itc.virginia.edu:/export/Fedora4 /export
     
     cd /export/

   • There is an automatic, error-free way to update from this site. Details are here

According to SANS, Linux Administrators should be able to:

• Plan the installation of a new Linux workstation or server.
• Implement secure password and system access policies.
• Configure secure logging using SYSLOG.
• Understand the operation of network services, and secure or disable services as needed.
• Securely configure server services such as DNS, sendmail, FTP, HTTP, and remote access (SSH).
• Understand and recommend additional tools for securing a Linux system, such as TCPWrappers, IPChains, and various intrusion detection and vulnerability scanner tools.
• Understand the purpose of audits and their role in information security.
• List critical Unix and Linux log files and explain the purpose of each.

  Below is a list of some of the more common UNIX log file names, their function, and what to look for in those files. Depending on how your system is configured, you may or may not have the following log files.

  • messages
    The messages log will contain a wide variety of information. Look for anomalies in this file. Anything out of the ordinary should be inspected. Also, look for events that occurred around the known time of the intrusion.
  • xferlog
    If the compromised system has a functioning ftp server, xferlog will contain log files for all of the ftp transfers. This may help you discover what intruder tools have been uploaded to your system, as well as what information has been downloaded from your system.
  • utmp
    This file contains binary information for every user currently logged in. This file is only useful to determine who is currently logged in. One way to access this data is the who command.
  • wtmp
    Every time a user successfully logs in, logs out, or your machine reboots, the wtmp file is modified. This is a binary file; thus, you need to use a tool to obtain useful information from this file. One such tool is last. The output from last will contain a table which associates user names with login times and the host name where the connection originated. Checking this file for suspicious connections (e.g., from unauthorized hosts) may be useful in determining other hosts that may have been involved and finding what accounts on your system may have been compromised.
  • secure
    Some versions of UNIX (RedHat Linux for example) log tcp wrapper messages to the secure log file. Every time a connection is established with one of the services running out of inetd that uses tcp wrappers, a log message is appended to this log file. When looking through this log file, look for anomalies such as services that were accessed that are not commonly used, or for connections from unfamiliar hosts.
  
  copied from CERT

• Properly configure logging to monitor login/logout activity and detect unauthorized login attempts.
• Configure and use syslog for local or remote system monitoring.
• Install and use TCPWrappers to control and monitor access to network services.
• Define an "suid" file and explain its security implications.
• Use common Unix and Linux tools to locate hidden files or disk space and to audit network connections and active processes.