6.7 Network Security

6.7 Network Security

Because Linux is a very popular Unix flavor on the PC platform, it attracts more unpleasant characters who try to break into computer systems. Section 5.13 talked about firewalls, but this isn't really the whole story on security.

Network security attracts extremists. Those who are interested in breaking into systems do so because they really like to, and those who come up with elaborate schemes to protect themselves do so because they really like to swat away people trying to break into their systems.

Most people would rather just not have to deal with it, but that attitude and a broadband connection will get your system compromised in no time. Fortunately, you don't need to know very much to keep your system safe. Here are a few basic rules of thumb:

  • Run as few services as possible Intruders can't break into services that don't exist on your system. If you know what a service is, and you're not using it at the moment, don't turn it on just in case you might want it sometime.

  • Block as much as possible with a firewall Unix systems have a number of internal services that you may not know about, such as TCP port 6000 for the X Window System server. No other system in the world needs to know about these services, and no other system in the world should know about them, either. Furthermore, it is very difficult to track and regulate the services on your system, because many different kinds of programs listen on ports. You can prevent intruders from discovering internal services with effective firewall rules. Refer to Section 5.13.1 for an example firewall.

  • Keep on top of the services that you offer to the entire Internet If you run an SSH server or Postfix or other services, make sure that you have the ability to stay up to date with the software and get appropriate alerts. See Section 6.7.4 for some online resources.

  • Don't give an account to anyone who doesn't need an account It's much easier to gain superuser access from a local account than it is to break in remotely. In fact, given the huge base of software (and the resulting bugs and design flaws) available on most systems, it's almost laughably easy to gain superuser access to a system after you get to a shell prompt. Don't assume that your friends know how to protect their passwords (or to choose good passwords in the first place).

  • Avoid installing dubious binary packages They can contain Trojan horses.

That's the practical end of protecting yourself. You should know a few basics on why it is important to do so. There are three basic kinds of network attacks:

  • Full compromise This means getting superuser access (full control) of a machine. An intruder can accomplish this by trying a service attack, such as a buffer overflow exploit, or by taking over a poorly protected user account, and then trying to exploit a poorly written setuid program.

  • Denial-of-service (DoS) attacks These prevent a machine from carrying out its network services, or they force a computer to malfunction in some other way without any special access. These attacks are harder to prevent, but they are easier to respond to.

  • Virus or worm Linux users are mostly immune to email worms and viruses, simply because their email clients aren't so stupid as to actually run programs that they get in message attachments, and Linux isn't as attractive a target as Windows. However, you can create a Linux virus; it's been done before, and as Linux gains popularity, it will happen with increasing frequency. Avoid binary software distributions, especially from places that you've never heard of. Some network services have been susceptible to worms before, and history is doomed to repeat itself.

6.7.1 Where Linux Distributions Stand

Not long ago, installing certain Linux distributions on easily accessible networks (such as university networks) practically ensured security compromises. These distributions activated every single service by default and had no default firewalling. It wasn't just Linux, either — Solaris was remarkably good at leaving the door open, not to mention the hundreds of Windows exploits, and so on.

Linux distributions are better now; they do not activate every possible service, and they tend to come with preconfigured firewalls. There is no doubt that the firewalls do most of the work. Programmers delight in adding new network services, especially for GUI applications and support, but security often takes a backseat. Better authentication (such as the Kerberos system) would help tremendously, but this happens to be one of the weakest and most disorganized areas of most applications.

A firewall isn't necessarily the ideal solution, but it does offer a uniform way to block all network traffic. The only thing that ever came close to this in the past was the TCP wrapper system, but that only worked for inetd servers and applications that specifically included wrapper support.

In a perfect world, programmers would write invulnerable code, but while you wait for a perfect world, you need to know what to look out for.

6.7.2 Typical Vulnerabilities

There are two important kinds of vulnerabilities that you need to worry about: direct attacks and clear-text password sniffing. Direct attacks just try to take over your machine without being terribly subtle. The most common type of direct attack is a buffer overflow exploit, where a careless programmer doesn't check the bounds of a buffer array. The attacker fabricates a stack frame inside a huge chunk of data, dumps it to the remote server, then hopes that the program overwrites its program data and eventually executes the new stack frame. It's a somewhat complicated attack, but easy to replicate.

On the other hand, clear-text passwords can allow intruders to log in to your machine. From there, they will inevitably try to gain superuser access locally (which is much easier than making a remote attack), try to use the machine as an intermediary for attacking other hosts, or both.


If you have a service that you need to encrypt, but the service offers no native support, you can try Stunnel (http://www.stunnel.org/), an encryption wrapper package much like TCP wrappers. Like tcpd, Stunnel is especially good at wrapping inetd services.

Some servers are chronic targets of attacks because of poor implementation and design. You should deactivate the following services if you ever come across them:

  • sendmail I would usually not rail against a specific program, but Sendmail has an exceptionally long history of exploitation. There are two very good alternative mail servers, Postfix (http://www.postfix.org/) and qmail (http://www.qmail.org/).

  • ftpd For whatever reason, all FTP servers seem plagued with vulnerabilities. In addition, most FTP servers use clear-text passwords. If you have to move files from one machine to another, consider an SSH-based solution or an rsync server.

  • telnetd, rlogind, rexecd All of these pass remote session data (including passwords) in clear-text form. Avoid them unless you happen to have a Kerberos-enabled version.

  • fingerd Intruders can get user lists and other information with the finger service.

6.7.3 Port Scanning

Listing your open ports and firewall configuration with netstat and iptables is a good start for staying on top of unwanted traffic, but you may want to go a step further with Nmap (Network Mapper), a program that scans all of the ports on a machine or network of machines, looking for potential vulnerabilities. Nmap gives you a view from the outside and eliminates guessing which ports are open. Most intruders use Nmap, and you can get it at http://www.insecure.org/.


If someone else controls the network that you want to Nmap (or run Nmap from), ask that person if it's all right that you do so. Network administrators watch for port scans and delight in stomping on any machine that runs a scan.

Just run nmap host to run a generic scan on a host. Here's an example scan:

Starting nmap 3.30 (http://www.insecure.org/nmap/) at 2003-08-04 16:25 PDT
Interesting ports on host (
(The 1636 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
37/tcp     open        time
111/tcp    open        sunrpc
113/tcp    open        auth
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.594 seconds

The host in this example probably doesn't have any kind of firewall running, because it has quite a few open ports.

Nmap can do much more — have a look at its manual page and the considerable online resources.

6.7.4 Security Resources

Here are three good security sites:

  • http://www.sans.org/ Offers training, services, a free weekly newsletter of the top current vulnerabilities, sample security policies, and more.

  • http://www.cert.org/ A place to look for the most severe problems.

  • http://www.insecure.org/ This is the place to go for Nmap and pointers to all sorts of network exploit testing tools. It's much more open and specific about exploits than many other sites.