Securing Red Hat Linux

After you have defined a security policy, you can proceed to secure the system according to the policy. The exact steps depend on what you want to do with the system (whether it is a server or a workstation) and on how many users must access the system.

To secure the Red Hat Linux system, you have to handle two broad categories of security issues:

  • Host security issues that relate to securing the operating system and the files and directories on the system.

  • Network security issues that refer to the threat of attacks over the network connection.

Understanding the Host Security Issues

Here are some high-level guidelines to address host security (the 'Securing the Host' section covers some of these topics in detail):

  • When installing Red Hat Linux, select only those package groups you need for your system. Do not install unnecessary software. For example, if your system is used as a workstation, you do not need to install most of the servers (Web server, news server, and so on).

  • Create initial user accounts and make sure all passwords are strong ones that password-cracking programs can't 'guess.' Red Hat Linux includes tools to enforce strong passwords.

  • Set file ownerships and permissions to protect important files and directories. In particular, understand which programs are set-UID and set-GID and remove such permissions from files where they are not needed. Use the new access control lists (ACLs) to manage who gets to use which files and directories.

  • Use the GNU Privacy Guard (GnuPG) to encrypt or decrypt files with sensitive information and to authenticate files that you download from Red Hat. GnuPG comes with Red Hat Linux, and you can use the gpg command to perform tasks such as encrypting or decrypting a file and digitally signing a file.

  • Regularly apply patches and upgrades that correct known security problems. When downloading and installing upgrades, check the MD5 checksums and digital signatures to ensure the integrity of the downloaded files.

  • Use file-integrity checking tools, such as Tripwire, to monitor any changes to crucial system files and directories.

  • Periodically check various log files for signs of any break-ins or attempted break-ins. These log files are in the /var/log directory of your system.

  • Install security updates from Red Hat as soon as they become available. These security updates fix known vulnerabilities in Red Hat Linux.

Understanding Network Security Issues

The issue of security comes up as soon as you connect your organization's internal network to the Internet. This is true even if you connect a single computer to the Internet, but security concerns are more pressing when an entire internal network is opened to the world.

If you are an experienced system administrator, you already know that it's not the cost of managing an Internet presence that worries corporate management; their main concern is security. To get your management's backing for the website, you need to lay out a plan to keep the corporate network secure from intruders.

You may think that you can avoid jeopardizing the internal network by connecting only the external servers, such as Web and FTP servers, to the Internet. However, this simplistic approach is not wise. It is like deciding not to drive because you may have an accident. Not having a network connection between your Web server and your internal network also has the following drawbacks:

  • You cannot use network file transfers, such as FTP, to copy documents and data from your internal network to the Web server.

  • Users on the internal network cannot access the corporate Web server.

  • Users on the internal network do not have access to Web servers on the Internet. Such a restriction makes a valuable resource (the Web) inaccessible to the users in your organization.

A practical solution to this problem is to set up an Internet firewall and to put the Web server on a highly secured host outside the firewall.

In addition to using a firewall, here are some of the other steps you should take to address network security (the 'Securing the Network' section explains these further):

  • Enable only those Internet services you need on a system. In particular, do not enable services that are not properly configured.

  • Use secure shell (ssh) for remote logins. Do not use the 'r' commands, such as rlogin and rsh.

  • Secure any Internet services such as FTP or Telnet that you want to run on your system. You can use the TCP wrapper access control files, /etc/hosts.allow and /etc/hosts.deny, to secure some of these services.

  • Promptly fix any known vulnerabilities of Internet services that you choose to run. Typically, you'd do this by downloading and installing the latest server RPM file from Red Hat.
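The TCP wrapper point above, as an added shell example (not tcpd's own code, and not from the book): it reproduces the allow-file-first, deny-file-second, otherwise-allow decision rule so that a default-deny policy can be dry-run before it is installed. The sample hosts.allow and hosts.deny contents are constructed, the directory and function names are assumptions, and only the ALL keyword, exact addresses and trailing-dot network prefixes are handled.

```shell
#!/bin/sh
# Added example (not tcpd's own code): tcpd allows a connection when
# (daemon, client) matches a line in hosts.allow, otherwise denies it when
# a line in hosts.deny matches, otherwise allows it. Supports ALL, exact
# addresses and trailing-dot prefixes only (no EXCEPT, netmasks, wildcards).
WRAP_DIR=${WRAP_DIR:-$(mktemp -d)}   # scratch stand-in for /etc

# Constructed sample policy: deny by default, then open only what is needed.
write_sample_policy() {
    printf 'ALL: ALL\n' > "$WRAP_DIR/hosts.deny"
    cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# ssh from the internal subnet, FTP from one administrative host only
sshd: 192.168.1.
vsftpd: 192.168.1.10
EOF
}

# Does the rule line "daemons: clients" ($3) match daemon $1 and client $2?
rule_matches() {
    dlist=${3%%:*}; clist=${3#*:}
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$1" ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            case $c in
                ALL) return 0 ;;
                *.)  case $2 in "$c"*) return 0 ;; esac ;;
                *)   [ "$c" = "$2" ] && return 0 ;;
            esac
        done
    done
    return 1
}

# First-match scan of one access control file; 0 if some rule matches.
file_matches() {
    [ -f "$3" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        rule_matches "$1" "$2" "$line" && return 0
    done < "$3"
    return 1
}

# Print "allow" or "deny" for daemon $1 connecting from client $2.
wrapper_decision() {
    if file_matches "$1" "$2" "$WRAP_DIR/hosts.allow"; then echo allow
    elif file_matches "$1" "$2" "$WRAP_DIR/hosts.deny"; then echo deny
    else echo allow; fi
}
```

Note the last branch: with no hosts.deny entry, everything that is not explicitly listed is allowed, which is why the sample policy starts from ALL: ALL in hosts.deny.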

Learning Computer Security Terminology

Computer books, magazine articles, and experts on computer security use a number of terms with unique meanings. You need to know these terms to understand discussions about computer security (and to communicate effectively with security vendors). Table 22-1 describes some of the commonly used computer security terms.

Table 22-1: Commonly Used Computer Security Terminology

Application gateway: A proxy service that acts as a gateway for application-level protocols, such as FTP, Telnet, and HTTP.

Authentication: The process of confirming that a user is indeed who he or she claims to be. The typical authentication method is a challenge-response method, wherein the user enters a user name and secret password to confirm his or her identity.

Backdoor: A security weakness a cracker places on a host in order to bypass security features.

Bastion host: A highly secured computer that serves as an organization's main point of presence on the Internet. A bastion host typically resides on the perimeter network, but a dual-homed host (with one network interface connected to the Internet and the other to the internal network) is also a bastion host.

Buffer overflow: A security flaw in a program that enables a cracker to send an excessive amount of data to that program and to overwrite parts of the running program with code in the data being sent. The result is that the cracker can execute arbitrary code on the system and possibly gain access to the system as a privileged user.

Certificate: An electronic document that identifies an entity (such as an individual, an organization, or a computer) and associates a public key with that identity. A certificate contains the certificate holder's name, a serial number, expiration dates, a copy of the certificate holder's public key, and the digital signature of the Certificate Authority so that a recipient can verify that the certificate is real.

Certificate Authority (CA): An organization that validates identities and issues certificates.

Cracker: A person who breaks into (or attempts to break into) a host, often with malicious intent.

Confidentiality: Of data, a state of being accessible by no one but you (usually achieved by encryption).

Decryption: The process of transforming encrypted information into its original, intelligible form.

Denial of service (DoS): An attack that uses so many of the resources on your computer and network that legitimate users cannot access and use the system.

Digital signature: A one-way MD5 or SHA-1 hash of a message encrypted with the private key of the message originator, used to verify the integrity of a message and ensure nonrepudiation.

DMZ: Another name for the perimeter network. (DMZ stands for demilitarized zone, the buffer zone separating North and South Korea.)

Dual-homed host: A computer with two network interfaces (think of each network as a home).

Encryption: The process of transforming information so that it is unintelligible to anyone but the intended recipient. The transformation is accomplished by a mathematical operation between a key and the information.

Firewall: A controlled-access gateway between an organization's internal network and the Internet. A dual-homed host can be configured as a firewall.

Hash: A mathematical function that converts a message into a fixed-size numeric value known as a message digest or hash. The MD5 algorithm produces a 128-bit message digest, whereas the Secure Hash Algorithm-1 (SHA-1) generates a 160-bit message digest. The hash of a message is encrypted with the private key of the sender to produce the digital signature.

Host: A computer on any network (so called because it offers many services).

Integrity: Of received data, a state of being the same data that were sent (unaltered in transit).

IPSec (IP Security Protocol): A security protocol for the network layer that is designed to provide cryptographic security services for IP packets. IPSec provides encryption-based authentication, integrity, access control, and confidentiality (visit www.ietf.org/html.charters/ipsec-charter.html for the list of RFCs related to IPSec).

IP spoofing: An attack in which a cracker figures out the IP address of a trusted host and then sends packets that appear to come from the trusted host. The attacker can only send packets, but cannot see any responses. However, the attacker can predict the sequence of packets and essentially send commands that will set up a back door for future break-ins.

Nonrepudiation: A security feature that prevents the sender of data from being able to deny ever having sent the data.

Packet: A collection of bytes that serve as the basic unit of communication on a network. On TCP/IP networks, the packet may be referred to as an IP packet or a TCP/IP packet.

Packet filtering: Selective blocking of packets based on the type of packet (as specified by the source and destination IP address or port).

Perimeter network: A network between the Internet and the protected internal network. The bastion host resides on the perimeter network (also known as the DMZ).

Port scanning: A method for discovering which ports are open (in other words, which Internet services are enabled) on a system. Performed by sending connection requests to the ports one by one. This is usually a precursor to further attacks.

Proxy server: A server on the bastion host that enables internal clients to access external servers (and enables external clients to access servers inside the protected network). There are proxy servers for various Internet services, such as FTP and HTTP.

Public-key cryptography: An encryption method that uses a pair of keys, a private key and a public key, to encrypt and decrypt the information. Anything encrypted with the public key can be decrypted with the corresponding private key, and vice versa.

Public Key Infrastructure (PKI): A set of standards and services that enables the use of public-key cryptography and certificates in a networked environment. PKI facilitates tasks such as issuing, renewing, and revoking certificates, and generating and distributing public-private key pairs.

Screening router: An Internet router that filters packets.

Setuid program: A program that runs with the permissions of the owner regardless of who runs the program. For example, if a setuid program is owned by root, that program has root privileges regardless of who has started the program. Crackers often exploit vulnerabilities in setuid programs to gain privileged access to a system.

Symmetric-key encryption: An encryption method wherein the same key is used to encrypt and decrypt the information.

Threat: An event or activity, deliberate or unintentional, with the potential for causing harm to a system or network.

Trojan horse: A program that masquerades as a benign program but, in fact, is a back door used for attacking a system. Attackers often install a collection of Trojan horse programs that enable the attacker to freely access the system with root privileges, yet hide that fact from the system administrator. Such collections of Trojan horse programs are called rootkits.

Virus: A self-replicating program that spreads from one computer to another by attaching itself to other programs.

Vulnerability: A flaw or weakness that may cause harm to a system or network.

Worm: A self-replicating program that copies itself from one computer to another over a network.