Linux Inside: Ramping up Linux Security
by Gene Wilburn
(The Computer Paper, October 1999. Copyright © Wilburn Communications Ltd. All rights reserved)
Computer security is a many-faceted issue that encompasses everything from securing your system from external "crack" attempts to protecting your system from yourself.
With so much connectivity to the Internet these days, security has become a vital issue for everyone. In the companion column, Linux for Newbies we'll soon be looking at fundamental security procedures, such as activating shadow passwords, choosing good passwords, employing unique group ID's for each user account, and disabling unnecessary services. In this month's Linux Inside we'll look at more sophisticated security measures.
Let's begin with the most fundamental measure you can take: backup. Let's say you've got your system patched, updated, configured to your needs, and humming along smoothly. Suppose you have a disaster? Your hard disk crashes irreparably, or your system is compromised by a successful crack attempt. If you have to rebuild your system from scratch will you remember all those special tweaks you made? Not likely.
For this reason, a good base backup ranks as your critical last resort before rebuilding from scratch.
The best time to make this backup is at a time when you know your system to be clean--before it has been left unattended on the Internet. If you have a CD-R you can simply copy your base system onto a CD. Otherwise a tape backup will do. Put this master backup aside and, if possible, offsite. If it's for your home machine, keep this backup at work or at someone else's home as an extra precaution.
Two very important files to back up on a regular basis, if you're using an RPM-based Linux system, are /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm. You can restore these two files to run the command rpm -Va to verify your RPM packages if you think your system might be compromised. These files are too large to fit onto floppies, but an Iomega ZIP drive will hold them nicely.
The next most important thing after backup is updates. You should apply all the recommended updates for your distribution. Get on your distro's announcement and/or security alert mailing list and watch updates like a hawk. Sadly, the majority of successful security breakins happen on systems with out-of-date programs for which there were readily available security fixes.
Inspecting your logs
Whenever your Linux system is attached to the Internet it is vulnerable to attack. If you're permanently connected to the Net via DSL or Cable modem, your liability increases dramatically.
Most crackers attack your system by probing known vulnerabilities, hence the need to keep your system up to date with security fixes. Unless the intruders are successful on their first attempt, however, they often leave footprints. Traces of their work show up in your system logs, in the /var/log directory. With diligence you can inspect various logfiles for suspicious-looking activity.
The problem is that most of us get too busy to stay diligent about manually inspecting files or grep'ing for suspicious patterns. To automate the inspection process, obtain the latest release of Psionic Logcheck, a program that is specially designed to scan log files for unusual activity and send email alerts to root. Logcheck can be set to run daily or hourly. (See www.psionic.com/abacus/)
By invitation only
One of the readily available security measures you can utilize is tcp_wrappers, a program that gets installed with all Linux distros. This program controls service access via two files--/etc/hosts.deny and /etc/hosts.allow--and it logs all activity. You can edit these files to set a base level of access rights to things such as who is authorized to try to telnet into your system. To read up on these, type man hosts.allow and man hosts.deny.
Excellent companion products to Psionic Logcheck are Psionic PortSentry and HostSentry (www.psionic.com/abacus/). PortSentry, which was known simply as sentry in its previous incarnation, will actually try to block intruder activity in real time. HostSentry looks for suspicious looking patterns in the form of logins and other user account activity and emails reports to root.
I have personally been astonished, after installing these programs, at the number of times my systems have been probed. There is more unauthorized activity going on on the Net than you might think. Programs like these help alert you to crack attempts.
Another recommended security program is tripwire (www.visualcomputing.com). It keeps a checksum of all the files on your system and can alert you about any files that have been tampered with. Slipping in a Trojan Horse, a modified version of an existing program, is one of the cracker's favourite ploys. The tripwire database is frequently kept on a write-protected floppy disk so a cracker can't erase it or alter it. Unfortunately the latest Tripwire does not work with some of the latest Linux distros due to changes in system libraries. Watch their website for updates.
Locking the doors
Once an intruder gains access to your root account, it's game over. Hence the need to protect all passwords--if an intruder can get even one password, he or she can stick around and try to plant things in your system, often without your knowledge.
If your system has several users, you may want to enforce good passwords. You can download Crack, the same program used by crackers to break passwords, and use it to test the passwords on your system to ensure they're not easily broken. Check rufus.w3.org or the ftp contrib directory for your Linux distro for a copy.
The problem with passwords is that they can easily be 'sniffed'--that is, with the right kind of easily obtainable software an intruder can simply eavesdrop on the packets coming from your system, waiting to catch your plain-text passwords as they fly by. Cable modem neighbourhoods are one of the places crackers like to hang out.
So, the irony is that you can batten down your system with all the best security tools and procedures, and some cracker can simply lift your passwords right off the wire. Hence the desirability of encrypted sessions.
If you're going to be regularly telnet'ing to another system, or telnet'ing into your home system from the outside, arrange to have ssh, or Secure Shell (www.ssh.fi), installed. Ssh creates an encrypted session that, in most circumstances, protects passwords and other data from being sniffed off the wires. It's a far safer way to communicate across the Net.
Replacing the postman
One of the most widely used programs on the Internet is sendmail, a reliable old war horse of a mail transfer agent (MTA) that ships with most versions of Unix and Linux. Unfortunately, it has also been the source of many security breaches over the years. It gets compromised, then fixed, compromised, then fixed, in what seems to be a never-ending cycle, though recent releases have had fewer problems. If you are using sendmail keep up to date with the latest release.
Many security advisors advise ditching sendmail altogether. Debian GNU/Linux, for instance, ships with exim (www.exim.org), a newer MTA that, presumably, is less liable to exploitation. It is also easier to configure than sendmail.
Another widely used swap-in for sendmail is qmail (www.qmail.org), highly regarded for its speed, ease of configuration, and beefed-up security features. Have a look at this if you're setting up a departmental mail server.
Security is a large topic and this only skims the surface. An excellent starting point is the Linux Security-HOWTO, which should be installed on your system. If not, you can read it at www.linux-howto.org.
There a number of good security sites on the Net. Set your browser to www.google.com and enter "Linux Security" to list a number of helpful pages.
One book I recommend highly for your Linux library is Garfinkel and Spafford, Practical Unix & Internet Security, 2nd ed., O'Reilly (ISBN 1-56592-148-8 Cdn$56.95). This well written volume covers a broad range of security topics, with valuable tips on making your system more secure.
Linux Kernel 2.4 Update
Just as we're settling into the Linux 2.2 kernel with all its advances over 2.0, the Linux 2.4 kernel is about to be released. The Linux development team has decided to release kernel series more frequently in order to get new developments into the hands of end users.
According to the "Wonderful World of Linux 2.4" by Joe Pranevich (linuxtoday.com), here are some of the new things that may be available as early as fall 1999:
- Process Threads. Linux 2.2 is limited to 1024 process threads. Linux 2.4 will implement a scalable limit (as many as 16 thousand processes at once.) This improvement will be important for enterprise servers that frequently have up to 1Gb or more of RAM.
- Improved SMP Support. Linux 2.4 will introduce several subsystem changes to significantly improve support and performance for multiple processors. Eight-way scalability should be quite good.
- USB Support. Partial USB support will be included in Linux 2.4. There will be support for USB keyboards and mice initially and support for other devices will forthcoming.
- Improved IDE Support. Changes in the 2.4 kernel will implement support for up to 8 IDE controllers in a single PC.
- Filesystem Support. There will finally be read/write access to HPFS OS/2 volumes and 2.4 continues support for FAT, FAT32, NTFS, and HFS (Macintosh) filesystems. There will be some preliminary support for Irix EFS as well as improvements in support for SMB (Microsoft Network) volumes.
- Parallel Port Subsystem. Linux 2.4 will add some additional parallel port support. It will support "generic" parallel port devices, and console output can be redirected to parallel port, allowing system administrators to log console messages directly to a parallel-port printer.
- Networking Layer. Linux 2.4 includes a completely rewritten networking layer that will scale better than any previous release of Linux. Included, for the first time, will be support for DECNet protocols.
- Multimedia. In addition to many new and updated drivers for sound cards, TV and radio tuners and video output devices, Linux 2.4 will add support for the DoubleTalk speech synthesizer card, the first hardware of this type supported by Linux.
The jump from Linux 2.0 to Linux 2.2 was greater than the more incremental jump to Linux 2.4 but, as always, Linux users everywhere will benefit from the new developments.
With such rapid development on Internet time, it may be more useful to check a stopwatch, rather than a calendar, for the latest Linux developments.
Gene Wilburn (firstname.lastname@example.org) is a Toronto-based IT manager, musician and writer who operates a small farm of Linux servers.