SECURITY-POINTERS
From: Bill Parker
First of all, securing a Linux box that is available to the
outside world isn't hard, but it requires some basic work (and some
head scratching):
- If you control access to your edge router, you should deploy
an inbound access control list (applied to all inbound data
links) to deny traffic going to ports 135/tcp, 137-139/tcp, and
445/tcp (Windows-based RPC and file services, which are usually
the biggest headaches). If your router is made by Cisco, a good book from O'Reilly is Hardening
Cisco Routers (ISBN: 0-596-00166-5, Feb 2002).
- Other measures could be the use of NAT (network address
translation) and PAT (port address translation) to translate
public IP addresses on your network (visible to the Internet) to
private ones (which are inside your network).
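As an added illustration of the two router items above (not taken from the article or from the O'Reilly book), here is what the inbound deny list and the NAT/PAT translation look like in Cisco IOS configuration syntax. Interface names, the ACL numbers and the addresses are constructed placeholders (the address blocks are the documentation ranges), so substitute your own.

```cisco
! Constructed example: Serial0/0 faces the ISP, FastEthernet0/0 is the LAN.
! Extended ACL 110: drop the Windows RPC/file-service ports, pass everything else.
access-list 110 deny   tcp any any eq 135
access-list 110 deny   tcp any any range 137 139
access-list 110 deny   tcp any any eq 445
access-list 110 permit ip any any
!
interface Serial0/0
 description Inbound link from ISP (repeat the access-group on every inbound link)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 110 in
 ip nat outside
!
interface FastEthernet0/0
 description Inside LAN with private addresses
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! PAT ("overload" in Cisco terms): all inside hosts share the outside address.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
```

Apply `ip access-group 110 in` on each interface that faces an untrusted link, not only the first one. Note that the NetBIOS name and datagram services also use 137/udp and 138/udp, so many sites extend the deny list to those as well.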
- Subscribe to CERT or SecurityFocus/BUGTRAQ and read all
security bulletins. Important Web sites include:
- Obtain the latest RPMs for your distribution and install
them (if your distro is RPM-based; Debian uses apt-get). If you
like using tarballs instead, use them (and make sure you read
the warnings about security issues or fixes).
- Make sure you are running a Linux kernel of at least 2.0.38
or higher (older kernel), or 2.2.23 or higher, or a 2.4.2x series
kernel; stay away from development kernels on production
boxes.
- Turn off all services in /etc/inetd.conf (ftp, telnet,
finger, etc.), and then stop and start inetd (its init script is in /etc/rc.d/init.d). In addition, turn
off any unneeded services in /etc/rc.d/init.d or /etc/init.d for runlevels 2, 3, 4
and 5 (sendmail, nfs, portmapper, etc.).
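The following script is an added example (not from the article) of the inetd step: it comments out the classic services in an inetd.conf file and shows what is still enabled, plus a helper that lists what starts at a given runlevel. The SERVICES list and the sample file built by make_sample_conf are constructed; on a real box you would point the functions at /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the article: disable the classic inetd services
# in an inetd.conf file and show what is still enabled. SERVICES and the
# sample file in make_sample_conf are constructed; on a real box point the
# functions at /etc/inetd.conf, then make inetd re-read it with
# "kill -HUP <inetd pid>" or its init script (under /etc/rc.d/init.d).
set -e

SERVICES="ftp telnet finger shell login exec"

# Comment out every active line whose first field is one of $SERVICES.
# Usage: disable_inetd_services /path/to/inetd.conf
disable_inetd_services() {
    conf="$1"
    for svc in $SERVICES; do
        # "^svc<whitespace>" matches only the service-name field
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    done
}

# Print the service names that are still enabled (non-comment, non-blank).
list_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# List what starts at runlevel $1 (S* links in rcN.d) on a real box.
list_runlevel_starts() {
    for d in /etc/rc.d/rc"$1".d /etc/rc"$1".d; do
        [ -d "$d" ] || continue
        ls "$d" | grep '^S' | sed 's/^S[0-9]*//' || true
    done
}

# Constructed sample inetd.conf so the script can run offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#daytime stream tcp  nowait  root    internal
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
EOF
}

demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    disable_inetd_services "$tmp"
    list_enabled "$tmp"        # only "ssh" remains
    rm -f "$tmp"
}
demo
```

After editing the real file, compare `list_enabled /etc/inetd.conf` with what you actually intend to offer; anything you cannot name a reason for should be commented out too.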
- If you run BIND make sure you are running 8.4.x or
9.2.x.
- If you must use shell accounts, get and install sshd
(OpenSSH 2.4 or better on Linux, or a commercial product if you
need an SSH server under Windows XP/NT/2000 or 2003). If you use
Windows-based systems, obtain SecureCRT 4.x, TeraTerm +
ssh, or PuTTY (the last two are free; SecureCRT costs about 100
bucks). SecureCRT and the others allow forwarding of X11
packets, so it is a very good bargain, even though it
costs.
- Most SSH clients for Windows (and ssh clients for Linux)
will allow the use of port forwarding to secure communication
between ports over an untrusted medium (like the Internet). I use
port forwarding to encrypt VNC sessions over the Internet (but
you could secure SMTP, POP3, or a host of other applications by
use of port forwarding as well).
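An added example (not the author's own setup) of the VNC-over-SSH arrangement described above, using the OpenSSH command-line client. The host name, user and display numbers are placeholders; the ssh flags (-f, -N, -L) are standard OpenSSH.

```shell
#!/bin/sh
# Added example, not from the article: tunnel a VNC session through OpenSSH
# port forwarding. Host name, user and display numbers are placeholders
# (constructed); the ssh(1) flags used are standard OpenSSH.
set -e

# VNC display :N listens on TCP port 5900+N.
vnc_port() { echo $((5900 + $1)); }

# Build the -L argument: local port -> (via the SSH server) -> remote VNC
# port. Binding the local end to 127.0.0.1 keeps other hosts on your LAN
# from riding the tunnel.
forward_spec() {
    # $1 local display, $2 remote display
    echo "127.0.0.1:$(vnc_port "$1"):localhost:$(vnc_port "$2")"
}

# Open the tunnel in the background (-f), run no remote command (-N), then
# point the viewer at the local end. Only the SSH stream crosses the Internet.
vnc_over_ssh() {
    # $1 ssh server (user@host), $2 local display, $3 remote display
    ssh -f -N -L "$(forward_spec "$2" "$3")" "$1"
    vncviewer "localhost:$2"
}

# Example call with a placeholder host: remote display :0 appears locally as :1
# vnc_over_ssh admin@vnc-host.example.invalid 1 0
```

The same shape secures the mail protocols the author mentions: forward local port 1110 to the server's 110 (POP3) or 1025 to its 25 (SMTP), and point the mail client at localhost on the forwarded port.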
- If your box serves SMTP/POP3 users, see if you can install a
POP3 server which handles mailboxes without the need to create
entries in /etc/passwd. (I
use qmail + vpopmail which allows for virtual domain hosting,
and handles users who need to have pop3 accounts.) There are
other mail servers such as Exim and Postfix that may also fill
your needs (Exim and Postfix come with most Linux distros these
days).
- Make sure you are using shadow passwords (most, if not all,
current Linux distros use this method).
- Download and install Nmap (or Nessus), which will let you look for open
ports on your Linux box, and tell you what services are open,
filtered, or closed to end users.
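As an added example (not from the article), here is a small wrapper around an nmap self-scan that reports any open TCP port not on a list you expect. The nmap flags are real (a SYN scan needs root); the sample_scan function is a constructed line in nmap's grepable (-oG) output format so the parser can be exercised without a live scan.

```shell
#!/bin/sh
# Added example, not from the article: scan your own box with nmap and flag
# any open TCP port that is not on your expected list. The nmap flags are
# real; sample_scan below is a constructed line in nmap's grepable (-oG)
# output format so the parser can be exercised without a live scan.
set -e

# Full TCP port sweep of one host, grepable output on stdout (needs root).
scan_host() { nmap -sS -p 1-65535 -oG - "$1"; }

# Print one open TCP port per line from grepable output on stdin.
# Each "Host:" line carries a tab-separated "Ports:" field whose entries look
# like port/state/protocol/owner/service/rpcinfo/version.
open_ports() {
    awk 'BEGIN { FS = "\t" }
         /^Host:/ {
             for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                 n = split(substr($i, 8), e, ",")
                 for (j = 1; j <= n; j++) {
                     sub(/^ +/, "", e[j])
                     split(e[j], f, "/")
                     if (f[2] == "open" && f[3] == "tcp") print f[1]
                 }
             }
         }'
}

# Print open ports that are not in the space-separated allow-list $1.
# Usage: scan_host myhost | unexpected_ports "22 25 80"
unexpected_ports() {
    expected=" $1 "
    open_ports | while read -r p; do
        case "$expected" in
            *" $p "*) ;;            # expected, say nothing
            *) echo "$p" ;;         # not on the list: investigate
        esac
    done
}

# Constructed sample: sshd and smtp are expected, portmapper (111) is not.
sample_scan() {
    printf '# Nmap scan (constructed sample)\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 111/open/tcp//rpcbind///, 113/closed/tcp//auth///, 6000/filtered/tcp//X11///\tIgnored State: closed (65530)\n'
}

sample_scan | unexpected_ports "22 25"     # prints 111
```

Run the scan from a second machine as well as from the box itself: a service bound only to localhost shows up in the local scan but not the remote one, and that difference is exactly what you want to see.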
- Use Tripwire after installing your Linux distribution to
make checksums of all installed packages so you can verify
file/package integrity in the event of a system compromise (do
NOT store the results of the checksum generation on the system's
hard drive, but rather store it elsewhere: CD-ROM, floppy,
etc.).
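To show what the checksum baseline buys you, here is an added example (not from the article, and not Tripwire itself) that builds a minimal integrity baseline from sha1sum output and later verifies a tree against it. The demo at the bottom uses a constructed temporary tree; on a real box you would baseline /bin, /sbin, /usr/bin, /etc and so on, and keep the baseline file off the machine as the article advises.

```shell
#!/bin/sh
# Added example, not from the article: a minimal file-integrity baseline in
# the spirit of Tripwire, built from sha1sum output. Directory and baseline
# paths are parameters; demo() uses a constructed temporary tree. Keep the
# baseline file off the box (CD-ROM, floppy, another host), otherwise an
# intruder who replaces a binary can simply regenerate it.
set -e

# Record "hash  ./path" for every regular file below $1 into $2,
# sorted by path so two baselines can also be compared with plain diff.
make_baseline() {
    (cd "$1" && find . -type f -exec sha1sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Compare tree $1 against baseline $2. Prints one CHANGED/MISSING/NEW line
# per difference; returns 0 if the tree matches, 1 otherwise.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    status=0
    while read -r hash name; do
        cur=$(awk -v n="$name" '$2 == n { print $1 }' "$current")
        if [ -z "$cur" ]; then
            echo "MISSING $name"; status=1
        elif [ "$cur" != "$hash" ]; then
            echo "CHANGED $name"; status=1
        fi
    done < "$2"
    while read -r hash name; do
        awk -v n="$name" '$2 == n { f = 1 } END { exit !f }' "$2" \
            || { echo "NEW $name"; status=1; }
    done < "$current"
    rm -f "$current"
    return $status
}

# Constructed demonstration: baseline a small tree, then alter it.
demo() {
    tree=$(mktemp -d); base=$(mktemp)
    mkdir -p "$tree/bin"
    printf 'original\n' > "$tree/bin/ls"
    printf 'daemon\n'   > "$tree/bin/sshd"
    make_baseline "$tree" "$base"
    verify_baseline "$tree" "$base" && echo "intact"
    printf 'replaced\n' > "$tree/bin/ls"       # stand-in for a swapped binary
    printf 'x\n' > "$tree/bin/extra"
    verify_baseline "$tree" "$base" || echo "tree modified"
    rm -rf "$tree" "$base"
}
demo
```

Re-run verify_baseline from known-good media (a rescue CD) rather than from the possibly compromised system, since a modified sha1sum or awk binary would defeat the check; that is also why the baseline itself must live off the disk.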
- Read your system logs every day for activity and port scans
(it is a good idea to set up a centralized logging server in
your office, and have it record all activity generated from
Linux boxes and other devices). (See also
SxS on PortSentry and Logcheck.) Cisco Systems bought out
Psionic, the makers of these two packages, but source code can
still be found on sourceforge.com.
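An added example (not from the article, and not Logcheck's own code) of the daily log sweep: it counts refused or flagged connection attempts per source host and reports the busiest ones, which is how a port scan shows up in the logs. The log lines in sample_log are constructed in the style of tcp_wrappers and PortSentry messages, with documentation IP addresses; the threshold is arbitrary. The syslog.conf hint in the header assumes sysklogd.

```shell
#!/bin/sh
# Added example, not from the article: a daily log sweep that counts
# connection attempts per source host and reports the busiest ones, which
# is what a port scan looks like in the logs. sample_log is a constructed
# sample in the style of tcp_wrappers (tcpd) and PortSentry messages; the
# threshold is arbitrary. To feed a central log host instead of local files,
# add a line such as "*.*  @loghost" to /etc/syslog.conf and run syslogd
# with -r on the receiving box (sysklogd syntax, assumed here).
set -e

# Print the source host of each refused/flagged connection, one per line.
#   tcpd:       "... refused connect from 203.0.113.7"
#   PortSentry: "... attackalert: Connect from host: name/203.0.113.7 to TCP port: 111"
source_hosts() {
    awk '
        /refused connect from/ { print $NF; next }
        /attackalert: Connect from host:/ {
            for (i = 1; i <= NF; i++) if ($i == "host:") {
                split($(i + 1), h, "/"); print h[2]; next
            }
        }'
}

# "count host" for every host with at least $1 attempts, busiest first.
# Usage: cat /var/log/messages | scan_report 5
scan_report() {
    source_hosts | sort | uniq -c | awk -v t="$1" '$1 >= t { print $1, $2 }' | sort -rn
}

# Constructed log lines (documentation IP addresses), not real traffic.
sample_log() {
    cat <<'EOF'
Mar  3 02:11:05 web1 in.telnetd[4412]: refused connect from 203.0.113.7
Mar  3 02:11:06 web1 in.ftpd[4413]: refused connect from 203.0.113.7
Mar  3 02:11:06 web1 portsentry[312]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 111
Mar  3 02:11:07 web1 portsentry[312]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 143
Mar  3 09:40:12 web1 in.ftpd[5120]: refused connect from 198.51.100.20
Mar  3 11:02:44 web1 sshd[5301]: Accepted publickey for alice from 192.0.2.5 port 40122 ssh2
EOF
}

sample_log | scan_report 3      # prints: 4 203.0.113.7
```

Run it from cron against yesterday's log and mail yourself the output; on a central log host the same sweep covers every box at once, and a scan that touched several machines stands out immediately because the counts add up across them.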