[Linux for Newbies]

Linux for Newbies: Part 6 -- Basic Security

by Gene Wilburn

(The Computer Paper, January 2000. Copyright © Wilburn Communications Ltd. All rights reserved)

Last month's installment covered setting up the X Window System. This month we'll focus on basic security. (For any newcomers, this series is based on Red Hat Linux 6.)

If you intend to connect your Linux system to the Internet via telephone, ADSL, cable modem, ISDN or T1, you should give serious consideration to the security of your system. Linux provides a number of built-in security measures but you need to learn how to make them work. Being proactive about security is smart. Before you get into the bells and whistles of Linux, you should learn good system administration practices.

Good security starts with good passwords. By themselves, good passwords are not enough to keep crackers from gaining control of your system, but they're a critical first line of defense. After looking at passwords we'll take a look at services. If Linux has one fault, it is the tendency for distributions to install a number of services you may not need to be running. These can lead to security weaknesses. We'll learn how to turn off unnecessary services.

Root, Users, and Passwords

The root, or superuser, account is your Linux master account. This account is not only the most important one on your system, it's also the account from which you can do the most shoot-yourself-in-the-foot damage. Here are three strategies for making this account less vulnerable.

First, log in as root only to perform administrative tasks. Do not use the account as your general login. Create a standard user account for yourself, with a different password, and use that for all your normal work, even if you're the only user on your workstation. The reason is simple: as the master account, root can do anything, including anything bad, such as accidentally deleting critical system files.

Second, never include the current directory "." in root's path. Some users add this for convenience but it's a known security risk. (Red Hat treats this correctly. You won't have this security weakness unless you create it yourself.)

Third, if your Linux box is on the Internet or on a LAN, change the root password frequently. And make it a Good Password[tm].

Okay, what's a good password? One that can't be easily cracked. It should be at least six characters long and a mix of alphanumeric and special characters. It should not be based on a word or a name. Pet names and names of family members are easily guessed and crackers use dictionaries to try to crack password files.

A bad password would be something like frostie (a fictitious cat). Even changing it to fr0st1e, inserting a zero and a one, is not much help. Password cracking algorithms take this simple ploy into account.

Good passwords should be difficult to crack but easy to remember so you're not tempted to write them down. Phrases can supply you with good mnemonics for a good password. For instance, "Frostie eats tuna" can be turned into something like fr0}{et, a relatively easy to remember seven-character password that is considerably more difficult to crack.

Intruders love to get at your /etc/passwd file because it often contains encrypted passwords for your system which they can run through a password cracking program to look for accounts they can exploit. To make things more difficult for them, use shadow passwords. On Red Hat systems you can enable shadow passwords by typing /sbin/pwconv while logged in as root. This moves the encrypted passwords into a separate file that only programs with root access can read.

If your system has more than one user with an account, you may want impose some kind of group-oriented security so that files created by one user cannot be read by another user. Some distributions, such as Red Hat and Debian, use a separate default group for each user, which automatically makes group access more secure. Other distros, such as Caldera and SuSE, lump everyone into a default users group, which is not as secure.

Another thing you can do to protect all users (including root) from themselves is to put "safety bumpers" on some important Linux commands. One of the assumptions Linux (and Unix) makes is that when you type something at the command line, you mean it. It doesn't prompt you with "do you really want to do this?" type responses.

Consequently it's quite possible make a horrible mistake such as rm * .txt when you meant to type rm *.txt. Linux will happily and instantly delete everything in the directory because of the inadvertent space in the command. Remember that Linux does not have an undelete command. What's gone is gone.

To help prevent this common mishap, add the following lines to either your /etc/bashrc or your /etc/profile file to make it the default for all users.

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

This invokes the delete, copy and move/rename commands in interactive mode, with "y/n" prompts for every overwrite or deletion. This trick has saved my bacon on several occasions. Some Unix purists dislike these safety features, but I prefer to protect myself against the inevitable lapses of concentration that occur during a long programming session. You can override the interactivity by using the "-f" (force) flag when you're absolutely sure of what you're doing.

Apply All Recommended Updates

For convenience most of us install Linux from CD-ROMs. The distribution on CD, however, is seldom as up-to-date as the version on the distribution website. This has security implications.

The open-source community is quick to find, announce and fix security holes that are found in programs. All distributions have an announcement mailing list you can subscribe to, or a website page listing security updates. All distributions also maintain web or ftp sites where updates are stored. If you're using Red Hat Linux, be sure to subscribe to the excellent Red Hat Announce list (low volume) by sending an email to redhat-announce-list-request@redhat.com with the single word "subscribe" (without the quotes) in the subject line.

If you're not using Red Hat, learn where these announcement lists are for your particular distribution and become a frequent flyer. Download and apply all security fixes as they're announced. Update any part of your system that your vendor recommends. The majority of the cracked sites on the Internet are those that have been lax about security updates. Don't be naive, or lazy, about security.

And don't let anyone try to convince you that, because it's open source, Linux is less secure than NT. Microsoft operating systems have had some horrible security holes and the availability of fixes has been slow. All systems that are exposed to the Internet are vulnerable, without exception. Open source programmers tend to more vigilant about watching for exploits and much faster to get fixes into your hands. Take advantage of that.

Turn Off Unneeded Services

Linux distributions typically activate a number of services during installation that you don't actually need. The Unix tradition is that you, as system administrator, know what you're doing and will adjust your system accordingly. Unfortunately, as a new user, you may not even know yet what's going on under the hood.

For instance, one source of recent system cracks is an older version of imap4 that was installed by default on most Linux systems. The only reason you'd even be running imap is if your Linux box is a mail server serving external users and you want them (or you) to be able to get POP mail off your Linux box. You might want to do this in a home network, but if not, why run the service at all? The fewer services you run, the fewer vulnerabilities you introduce.

There are other, similar services that are often activated by default. Many of these services are initialized in the file /etc/inetd.conf. You can disable services by editing this file (as root) and placing a pound sign ("#") at the start of the line that describes the service. Here are some good things to disable if you're not using them. If you're not sure, just comment them out. (You can always uncomment them if you change your mind.)

# Shell, login, exec, comsat and talk are BSD protocols.
#shell  stream   ...    /usr/sbin/tcpd  in.rshd
#login  stream   ...    /usr/sbin/tcpd  in.rlogind
#exec   stream   ...    /usr/sbin/tcpd  in.rexecd
#comsat dgram    ...    /usr/sbin/tcpd  in.comsat
#talk   dgram    ...    /usr/sbin/tcpd  in.talkd
#ntalk  dgram    ...    /usr/sbin/tcpd  in.ntalkd
#dtalk  stream   ...    /usr/sbin/tcpd  in.dtalkd
# Pop and imap mail services et al
#pop-2  stream   ...    /usr/sbin/tcpd ipop2d
#pop-3  stream   ...    /usr/sbin/tcpd ipop3d
#imap   stream   ...    /usr/sbin/tcpd imapd
#finger stream   ...    /usr/sbin/tcpd  in.fingerd
#cfinger stream  ...    /usr/sbin/tcpd  in.cfingerd

If you haven't yet mastered vi, you can edit this file (on a Red Hat system) by typing mcedit /etc/inetd.conf or pico -w /etc/inetd.conf. These are two simple text editors, the first from Midnight Commander (mc) and the other from Pine, a text-based email program. You must be logged in as root to edit the file.

Once the file is edited, you can activate the changes by restarting the Internet services daemon, inetd. On a Red Hat system you can do this, as root, by typing

/etc/rc.d/init.d/inetd restart

or by typing the more traditional Unix command

killall -HUP inetd

Remember, you don't have to reboot a Linux system in order to make a change. Any operating system that would make you have to reboot in order to activate a minor change would have to be considered brain damaged.

Further Study

What we've just covered barely scratches the surface of system security, but if you follow these steps and keep your system current with security updates, you'll have covered the basics. The basics take you a long way towards keeping your system protected and secure.

To learn more about security, read the Linux Security-HOWTO that should be located in /usr/doc/HOWTO (on Red Hat systems), or read it online at www.linuxdoc.org. You may also want to check out the October 1999 Linux Inside column "Ramping up Linux Security" for a look at more advanced security measures you can take. This is available on the Computer Paper website.

Next time we'll look at Linux editors.

Gene Wilburn (gene@wilburn.ca) is a Toronto-based IT manager, musician and writer who operates a small farm of Linux servers.