Securing Linux

This discussion of securing Linux assumes Red Hat 7.3, which is the latest version officially supported by Check Point. It should be similar for other versions of Red Hat.

Make sure you have the latest security fixes applied. The latest ones for Red Hat are available at http://www.redhat.com/apps/support/errata/.

Partitioning Your Hard Drive

A recommended partitioning scheme includes the following:

  • /boot: 256MB (should be first partition)

  • / (root filesystem): everything else

  • /var: 400MB (for logging)

  • swap: larger of 256MB or twice the physical RAM

  • /var/opt: 15GB or a separate drive (FireWall-1 logs and configuration files)

Choosing the Packages to Install

Using the graphics-based or text-based installer, choose which grouping of packages to install. Choose Custom, then choose the package groups Network and Router/Firewall. Also select Choose Packages to Install.

In the graphical installer, there is a flat view that shows all the packages to load outside of their normal grouping. Ensure only the following packages are selected (you will have to disable a few):

bind-utils
ftp
gmp
gnupg
libcap
libpcap
lsof
lynx
m4
make
minicom
mtr
ncftp
nmap
ntp
perl
rdate
rmt
sash
statserial
strace
stunnel
sudo
sysinit
tcp_wrappers
tcpdump
telnet
traceroute
tripwire
unzip
vlock
wget
whois
xinetd
zip
zebra (if you need dynamic routing)

Eliminating Services

If you follow my package recommendations above, there should be almost no unnecessary services. However, sendmail gets installed by default and there is no way to prevent it from installing by default. The command rpm -e sendmail should remove the package.

Logging and Tweaking

Tweaking involves some file administration. You should first secure your /etc/passwd file (this is the database file that holds your user accounts and passwords). Ensure that your system is using /etc/shadow, which securely stores all passwords as hashes in a file that only root can access. This protects your passwords from being easily accessed and cracked (one of the first exploits for which a hacker searches). The use of shadow passwords is the default as of Red Hat 6.0; however, it never hurts to be sure. All you have to do is type pwconv as root. This automatically converts your passwords to the /etc/shadow file.

Next, remove most of the default system accounts in /etc/passwd. Linux provides these accounts for various system activities that you may not need. If you do not need the accounts, remove them. The more accounts you have, the easier it is to access your system. An example is the "news" account. If you are not running NNTP, a newsgroup server, you do not need the account (be sure to update /etc/cron.hourly because this looks for the user "news"). Also, make sure you remove the "FTP" account because this is the account used for anonymous FTP.

Create the file /etc/issue. This file is an ASCII text banner that appears for all Telnet logins.

It is recommended that you use TCP Wrappers. TCP Wrappers, although it does not encrypt, does log and control who can access your system. It is a binary that wraps itself around inetd services, such as Telnet or FTP. With TCP Wrappers, the system launches the wrapper for inetd connections, logs all attempts, and then verifies the attempt against an access control list. If the connection is permitted, TCP Wrappers hands the connection to the proper binary, such as Telnet. If the connection is rejected by the access control list, the connection is dropped.

Fortunately for Linux users, TCP Wrappers is already installed; you only need to edit the /etc/hosts.allow and /etc/hosts.deny files. The syntax is relatively simple. Put the IP addresses or networks in the file /etc/hosts.allow that you want to permit connections from. Put IP addresses or networks in the file /etc/hosts.deny that you do not want to permit access from. By default, Linux allows connections from everyone, so you need to modify these files.

The following sample /etc/hosts.allow file allows a few services from specific hosts.

# Allow a few things
sshd:ALL
ALL:10.0.0.0/255.255.255.0
ALL:10.0.1.0/255.255.255.0
ALL:10.0.10.0/255.255.255.0
ALL:10.0.43.0/255.255.255.0
ALL:10.0.69.0/255.255.255.0
ALL:192.168.43.40/255.255.255.248
ALL:127.0.0.1/255.0.0.0

This /etc/hosts.deny file denies everything not allowed by /etc/hosts.allow.

ALL:ALL:DENY
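To see how tcpd evaluates these two files, the following is an added example (not from the book) that models the hosts.allow-then-hosts.deny lookup over constructed copies of the files above. It handles only the patterns the sample uses (ALL, a plain address, and net/mask), not hostnames or EXCEPT, and the daemon names (in.telnetd, in.ftpd) are assumed process names.

```python
import ipaddress
# Constructed copies of the two files above (sample input, not read from /etc).
HOSTS_ALLOW = """\
# Allow a few things
sshd:ALL
ALL:10.0.0.0/255.255.255.0
ALL:192.168.43.40/255.255.255.248
ALL:127.0.0.1/255.0.0.0
"""
HOSTS_DENY = "ALL:ALL:DENY\n"

def parse_rules(text):
    """Turn 'daemon_list : client_list [: option]' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        daemons, clients = ([p.strip() for p in f.split(",")] for f in fields[:2])
        rules.append((daemons, clients))      # any trailing option (e.g. DENY) is ignored
    return rules

def client_matches(pattern, addr):
    """ALL, an exact address, or a net/mask expression (n.n.n.n/m.m.m.m)."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def rule_matches(rule, daemon, addr):
    """A rule fires only when both its daemon list and its client list match."""
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, addr) for c in clients)

def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Mirror tcpd's order: first match in hosts.allow permits, then first match in hosts.deny refuses."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True   # no match anywhere: the permissive default the text warns about

if __name__ == "__main__":
    for daemon, addr in [("in.telnetd", "10.0.0.7"), ("in.telnetd", "172.16.1.1"),
                         ("sshd", "172.16.1.1"), ("in.ftpd", "192.168.43.50")]:
        print(daemon, addr, "allowed" if hosts_access(daemon, addr) else "denied")
```

Running it with an empty hosts.deny shows why the ALL:ALL line matters: without it, every unmatched connection is permitted.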