12.6 Summary

A network connection lets your computer communicate with the outside world, but it can also permit attackers in the outside world to reach into your computer and do damage. Therefore:

  • Decide whether the convenience of each Internet service is outweighed by its danger.

  • Know all of the services that your computer makes available on the network and remove or disable those that you think are too dangerous.

  • Pay specific attention to trap doors and Trojan horses that could compromise your internal network. For example, decide whether or not your users should be allowed to have .rhosts files. If you decide that they should not have such files, delete the files, rename the files, or modify your system software to disable the feature.

  • Educate your users to be suspicious of strangers on the network.

Bringing Up an Internet Server Machine Step by Step

Although every site is unique, you may find the following step-by-step list helpful in bringing up new servers as securely as possible. A much more detailed checklist is available from CERT at http://www.cert.org/tech_tips/unix_security_checklist2.0.html.

  1. Don't physically connect to the network before you perform all of the following steps. Because some network access may be needed to download patches, for example, you may need to connect as briefly as possible in single-user mode (so there are no daemons running), fetch what you need, disconnect physically, and then follow steps 2-12.

  2. Erase your computer's hard disk and load a fresh copy of your operating system.

  3. Locate and load all security-related patches. To find the patches, check with both your vendor and with CERT's web server, http://www.cert.org.

  4. Modify your computer's /etc/syslog.conf file so that logs are stored both locally and on your organization's logging host.

  5. Configure as few user accounts as necessary. Ideally, users should avoid logging into your Internet server.

  6. If your server is a mail server, then you may wish to have your users read their mail with POP. You will need to create user accounts, but give each user a /bin/nologin (or a shell script that simply prints a "no logins allowed" message) as their shell to prevent login.

  7. Check all /etc/rc* and other system initialization files, and remove daemons you don't want to run. (Use netstat to see which services are running.)

  8. Look through /etc/inetd.conf and disable all unneeded services. Protect the remaining services with TCP Wrappers or a similar program.

  9. Add your own server programs to the system. Make sure that each one is based on the most up-to-date code.

  10. Use nmap to identify every open port. Make sure you know why every port is open.

  11. Use ps to identify every running process. Make sure you know why every process is running.

  12. Get and install Tripwire (either the freeware version or the commercial version) so you can tell if any files have been modified as the result of a compromise. Take a backup of your installed and patched system at this point so you can save yourself this process later if you are compromised and have to reinstall it. (See Chapter 20 for details.)

  13. Get and run some current vulnerability-scanning programs to look for other problems.

  14. Monitor your system. Make sure that log files aren't growing out of control. Use the last command to see if people have logged in. Be curious.
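The checklist above is a sequence of manual commands. As an added example that is not from the book, the following POSIX shell script turns steps 4, 7, 8 and 14 (and the .rhosts sweep from the summary bullets) into repeatable checks. All of the sample inputs are constructed, and the file paths used by the `--live` branch are assumptions about a classic Unix layout.

```shell
#!/bin/sh
# Added example, not from the book: offline helpers for checklist steps 4, 7, 8
# and 14, plus the .rhosts sweep. Every input below is a constructed sample;
# feed real files on stdin, or run with "--live <allowed ports>" on a host.

# Constructed sample /etc/inetd.conf in the classic seven-field format:
#   service socket-type protocol wait/nowait user server-program args
SAMPLE_INETD='# service  type    proto  wait    user    server               args
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd       in.ftpd
#telnet    stream  tcp    nowait  root    /usr/sbin/tcpd       in.telnetd
finger     stream  tcp    nowait  nobody  /usr/sbin/in.fingerd in.fingerd
#shell     stream  tcp    nowait  root    /usr/sbin/tcpd       in.rshd'

# Constructed sample /etc/syslog.conf: one selector forwards to a loghost.
SAMPLE_SYSLOG='*.info;mail.none    /var/log/messages
auth.*              /var/log/auth.log
auth.*              @loghost.example.com'

# Constructed sample "netstat -an" output; only LISTEN rows matter.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED'

# Drop comments and blank lines from a config file read on stdin.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# Step 8: service names still enabled in an inetd.conf read on stdin.
enabled_inetd_services() {
    strip_comments | awk '{ print $1 }'
}

# Step 8: enabled services whose server program is not tcpd, i.e. not
# protected by TCP Wrappers.
unwrapped_inetd_services() {
    strip_comments | awk '$6 !~ /tcpd$/ { print $1 }'
}

# Step 4: remote log hosts named in a syslog.conf read on stdin
# (actions that begin with "@").
syslog_remote_hosts() {
    strip_comments | awk '$NF ~ /^@/ { sub(/^@/, "", $NF); print $NF }'
}

# Steps 7 and 14: listening ports in "netstat -an" output on stdin that are
# not in the space-separated allow-list passed as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $4; sub(/.*[:.]/, "", port)   # keep only the port number
            if (!(port in ok)) print port
        }'
}

# Summary bullet on trap doors: every .rhosts file under the home root in $1.
find_rhosts() {
    find "$1" -name .rhosts -type f 2>/dev/null
}

# Live audit of the real host (assumed classic paths; adjust for your system).
if [ "${1:-}" = "--live" ]; then
    echo "== remote loghosts";          syslog_remote_hosts < /etc/syslog.conf
    echo "== enabled inetd services";   enabled_inetd_services < /etc/inetd.conf
    echo "== unwrapped inetd services"; unwrapped_inetd_services < /etc/inetd.conf
    echo "== ports not on allow-list";  netstat -an | unexpected_listeners "${2:-}"
    echo "== .rhosts files";            find_rhosts /home
fi
```

Each function reads its configuration from stdin so the same logic runs against the embedded samples (where `finger` shows up as enabled and unwrapped, and port 79 as an unexpected listener) and against the live files. Any port the allow-list does not name is exactly what step 10 tells you to explain before the machine goes on the network.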

Remember: network servers are the portals through which the outside world accesses the information stored on your computer. By their design, many servers must run with root privileges. A bug or an intentional back door built into a server can therefore compromise the security of an entire computer, opening the system to any user of the network who is aware of the flaw. Even a relatively innocuous program can be the downfall of an entire computer. Flaws may remain in programs distributed by vendors for many years, only to be uncovered some time in the future.

Furthermore, many Unix network servers rely on IP numbers or hostnames to authenticate incoming network connections. This approach is fundamentally flawed, as neither the IP protocol nor DNS was designed to be resistant to attack. There have been many reports of computers that have fallen victim to successful IP spoofing attacks or DNS compromise.

Given these factors, you may wish to adopt one or more of the following strategies to protect your servers and data:

  • Disable all services that you are not sure you need, and put wrappers around the rest to log connections and restrict connectivity.

  • Use encryption to protect your data; if the data is stolen, it will do your attacker no good. Furthermore, making alterations in your data that you will not notice will be difficult, if not impossible.

  • Use DNSSEC to provide for DNS security.

  • Avoid using passwords and host-based authentication. Instead, rely on tokens, one-time passwords, and cryptographically secure communications.

  • Use a firewall to isolate your internal network from the outside world. Also use host-based firewalls on machines to isolate them from one another as well as to provide a second layer of protection.

  • Put servers on separate, highly secure machines to isolate failures and reduce exposure.

  • Create a second internal network for the most confidential information.

  • Disconnect your internal network from the outside world. Set up separate network workstations to allow people to access the Web, email, and other Internet services.
