Protect Your Computer - Linux Security

This material is based on a presentation given by Brian Edmonds of UBC's Computer Science Department, who has graciously allowed us to use it here.

Disable Unused Services

Most Linux distributions come with more daemons enabled than most people need. Edit /etc/inetd.conf and comment out those services you don't need - imapd, talkd, popd, rusersd, shell, login, netstat, systat should all be disabled. You should also disable ftpd and telnetd and replace them with secure services such as sshd and scp if you need to provide remote access services. When you have edited inetd.conf, save the file and use kill -HUP <pid> (where <pid> is inetd's process id) to have inetd reread the configuration.

Next, use 'ps aux' to find daemons such as sendmail, named or nfsd which normally run outside of inetd. Unless you absolutely need to provide SMTP, DNS or NFS services, it is a good idea to disable these daemons. As root, use kill <pid> to kill these daemons and edit your system's rc/init scripts to prevent them from being restarted when your computer next reboots.

Also check whether you are running any unnecessary RPC services - the command rpcinfo -p will give you a list of what RPC services are running. In general, if you don't know what a service does or if you don't need it, disable it. If the only RPC service running is portmapper, disable the portmap daemon.

Finally, run 'netstat -a | fgrep LISTEN' and look for unusual ports. Unless you're very familiar with Unix, you may have trouble figuring out which daemon is using which port. The tool lsof may be handy if this is the case.
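The inetd.conf clean-up above can be checked mechanically. The following is an added example (not part of the original page): a small POSIX sh audit that lists which of the services the page says to disable still have an uncommented entry, and a helper that comments one out in place. The inetd.conf sample is constructed, and the mapping from the daemons the page names to inetd service names (imap, pop-3, talk, shell, login, ...) is an assumption; check the first field of your own inetd.conf.

```shell
#!/bin/sh
# Service-name field (first column of inetd.conf) for the daemons the page
# says to disable. Assumed mapping: imapd->imap, popd->pop-3, talkd->talk.
RISKY="imap pop-3 talk rusersd shell login netstat systat ftp telnet"

# Print each risky service that still has an active (uncommented) entry
# in the given inetd.conf, one per line. A leading '#' means disabled.
audit_inetd() {
    conf="$1"
    for svc in $RISKY; do
        if grep -E "^[[:space:]]*${svc}[[:space:]]" "$conf" >/dev/null 2>&1; then
            echo "$svc"
        fi
    done
}

# Comment out one service in place, keeping a .bak copy of the file.
# After editing the real /etc/inetd.conf, send inetd SIGHUP as the page
# describes (kill -HUP <pid>) so it rereads the configuration.
disable_service() {
    conf="$1"; svc="$2"
    sed -i.bak -E "s/^([[:space:]]*${svc}[[:space:]])/#\\1/" "$conf"
}

# Constructed sample inetd.conf (not a real system file). shell, login and
# imap are already commented out; ftp, telnet, talk and pop-3 are live.
SAMPLE_INETD='# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
talk    dgram   udp  wait    nobody  /usr/sbin/tcpd  in.talkd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
#imap   stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# Stand-alone demo: audit the sample, disable telnet, audit again.
demo_audit() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_INETD" > "$tmp"
    echo "enabled risky services:"; audit_inetd "$tmp"
    disable_service "$tmp" telnet
    echo "after disabling telnet:"; audit_inetd "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
demo_audit
```

Run it against the real file with audit_inetd /etc/inetd.conf; anything it prints should be commented out unless you deliberately offer that service.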

If you do plan on running HTTP/FTP/telnet services, make sure you keep the daemons updated. Learn how your vendor provides software updates! Many packages have security problems which are only discovered after release, and Linux vendors will release new versions to fix these.

Use Secure Authentication

Most authentication protocols in use today (telnet, ftp, POP, rlogin, etc.) transmit usernames and passwords across the network over clear, unencrypted channels. This means that an attacker could obtain your username and password by "sniffing" the network. On ResNet, this concern is somewhat lessened because the ResNet network is (theoretically) immune to sniffing, but there is a risk that if you connect to a compromised computer, your password for that computer could be captured. So, in general, it is a good idea to use secure authentication wherever possible.

The Netinfo and Interchange hosts support SSH, which is used for secure, encrypted logins. Other departments may also use SSH, though you may have to contact the departmental system administrator to find out for sure.

There are currently two versions of the SSH protocol available - SSH1 and SSH2. The original SSH protocol (SSH1) is more widely supported, especially on-campus, though you may need to download both versions.

Once you have downloaded the source, unpack, compile and install it using the following commands:

tar -xzof ssh-x.x.xx.tar.gz (where x.x.xx is the version you are using)

cd ssh-x.x.xx (for example, cd ssh-1.2.26)

sh configure

make

make install (as root)

You may also wish to install SSH version 2 after version 1.

Check the ssh man page (man ssh) for more information on using SSH.

The scp command allows you to copy files like rcp. You should use this instead of FTP, where your username and password can be intercepted.

SSH can also be used to set up a secure POP tunnel for checking mail. Normally, POP (the protocol used when checking mail) transmits username and password information in cleartext - SSH allows you to redirect your POP connection through a secure, encrypted tunnel.

Packet Filtering

Packet filtering allows you to control what packets reach your machine from the network, thus ensuring remote users can use only those services you intend to offer. It can also help prevent attackers from determining what services are running on your machine via portscans, etc.

Note that packet filtering requires a solid understanding of TCP/IP and Unix services.

For Linux 2.0.x, packet filtering is configured using the ipfwadm tool. For Linux 2.2.x, use ipchains. For more information see X/OS IP Firewall Administration.