Donate to us!
Things are more like they are now than they have ever been before. - Dwight D. Eisenhower
Tuesday, October 16, 2018
 Need Help?
Members Online
Total Online: 120
Guests Online: 117
Members Online: 3

Registered Members: 107157
Newest Member: Misaki
Latest Articles

Securing Linux (ESSENTIALS)

Arrow Image Important to do before surfing the net, or making a connection across your own bubble-wrapped LAN.

Securing Linux (ESSENTIALS)

Important to do before surfing the net, or making a connection across your own bubble-wrapped LAN.

STEP#1: Basic file permissions

Make /root and /var/log Have Stricter Permissions by:

chmod -R og-rx /root
chmod -R o-rx /var/log
ulimit -c 0
/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv

Step#2: Shut down services which are not required

This is very important. Services open ports on your computer - and open ports are potential ways for a hacker to penetrate your system.
The first thing to take a look at is the /etc/inetd.conf file. Most TCP and UDP services are initialized from this file.

-- sample inetd.conf section --

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#shell stream tcp nowait root /usr/libexec/rshd rshd
#login stream tcp nowait root /usr/libexec/rlogind rlogind

-- sample inetd.conf section --

Any services preceded by a \"#\" are taken as commented out and will not be started at boot time.

Inetd is a daemon which listens for TCP or UDP connections, and on connection, passes control to the appropriate service. Becoming familiar with the /etc/inetd.conf file is a good idea, as it is a likely place that an intruder would put a backdoor.

So, after opening the file you will need to comment out (using \'#\') the services that you don\'t need. After commenting out unnecessary services inetd needs to be restarted so the changes just made will take effect.

Step#3 - Remove un-needed system users

Take a look at your /etc/passwd file, you will see that there are a lot of users on your system. Why do you want \'games\' or \'guest\'?

Remove these users with \"userdel -r username\" command.

Step#4 - Prevent lilo from booting in \"Linux 1\"

Open /etc/lilo.conf

Add the following lines:


Just replace \'somepassword\' with a password of your choice (make it a good one).
Basically, this will make lilo ask for a password whenever someone tried to pass additional parameters to it, like \"linux 1\".

Next thing to do is secure the /etc/lilo.conf file a bit better so that people can\'t just log in with their guest accounts and change the password. At the shell, type the following:

chown root.root /etc/lilo.conf
chmod 600 /etc/lilo.conf

That will make sure that root is the owner of the file, and that the permissions are set more tightly.

Step#5 - Use a basic firewall

A firewall is essential if you plan to prevent remote attacks. Redhat Linux comes with a firewall called ipchains which can filter and redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you with basic security and logging.

/sbin/ipchains -F
/sbin/ipchains -A input -i eth0 -p tcp -d 53 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 69 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 87 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 512 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 513 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 514 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 515 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 540 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 6000 -j DENY -l

These rules block connections to certain services which cert says are bad and dangerous.
If you are on a dialup, replace eth0 with ppp0.

Step#6 - Look at your logs

The logs on your system are your way of knowing what is, and has been going on. Logs are located in /var/log.

Step#7 - Check for updates regularly

You will need to visit the homepage of your Linux distro regularly to get all recommended patches and updates. This will ensure that any vulnerabilities in the software are patched quickly. or Also, go to your shell and depending on which package manager you have do either:
\"yum upgrade\" or \"apt-get update; apt-get upgrade\" as root (fyi:command is \"su\").

Always Remember!
1: Netfish is RIGHT.
2: If {you think Netfish is WRONG} then SLAP YOURSELF, and goto the FIRST POINT.


PlagueZon January 29 2007 - 17:46:16
yeah, that's very informative, good job, learnt a lot Wink
s0l1dsnak3123on January 29 2007 - 20:36:16
I found that helpful, although I do not use suse (I recommend pclos - thats what I use)
Mr_Cheeseon January 29 2007 - 21:24:56
very useful actually. this could help me out a bit with work. thanks for that.
darkparad0xon March 13 2007 - 16:59:35
Very useful, although for some distro's such as Kubuntu "su" doesn't work. Instead you need to do "sudo -s".
Zephyr_Pureon October 05 2007 - 03:39:15
Ubuntu / Kubuntu / Xubuntu are the exceptions, not the rule. Regardless, this is a great article for people starting out in Linux... coming from a Windows world, people will find material like this easy to read. Good job, man.
fire_saleon November 04 2007 - 16:11:34
Thanks very much, Just installed my first Linux distro today.
elsuenieroon August 07 2008 - 05:03:15
Good article Netfish, and Tnxs. It was very useful! B)
Infopirateon January 06 2009 - 07:08:43
remember. 1. netfish is right! Grin very niice sir.
idlecometon November 19 2010 - 18:40:18
Awesome! And just as relevant today as it was 4 years ago, at least if you use a proper distro like Slackware, or no distro at all Smile
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.