Tips on basic Linux server security

If you just put your Apache web server online, and are thinking into making the first step in your system security, this brief article will help you do that. By having your own server, you must understand the responsibility behind it. While the web server itself (Apache in this example) is not a big security problem (at least not the software package itself), there are a few things you should take care on your system.

Passwords

I presume you know that having a password like ‘Mom’ or ‘girlfriend’ is not a good start for securing your system. I usually prefer passwords with both numerican and alphatbetical characters, plus some extra symbols. This is a good password: ILik3-PeN_gu1nS. Passwords should be complicated as there are a lot of ways someone can get your encrypted password. When we are talking about Linux systems with a webserver, the first thing that comes to my mind are all those numerous buggy CGI scripts that make you get /etc/passwd file from the attacked system. When that is done, a copy of Crack or John The Ripper can be used for cracking the password. Always remember: a good password is harder to crack. If you use some basic word for a password, a good wordlist will make the cracker software spit your en-encrypted password on the screen in no-time.

File transfer and remote logins

Think what software packages should run on your system, and remove the ones that you don’t need. If you are thinking about transfering files from and to your system shut the FTPd down. There is far more secure way that does the same – SCP. By quickly checking the man pages for SCP, we get: “scp copies files between hosts on a network. It uses ssh for data transfer, and uses the same authentication and provides the same security as ssh. Unlike rcp, scp will ask for passwords or passphrases if they are needed for authentication.”

SCP clients don’t have that much good looking GUI frontends, but you can do it all from the shell by using the syntax:

scp Localfile Username@RemoteServer:RemoteFolder

I hope you don’t use the Telnet Deamon which usually sits on the port 23. If you do, remove it as SSH is a far better way of remotely doing a login into your system. The big difference between telnet and SSH, is that SSH provides significantly enhanced security for your login situations.It provides an encrypted communications path between two untrusted hosts over a potentially insecure network and thus prevents user’s passwords and other sensitive data from being transmitted across the network in clear-text form.

Access forbidden

There is no point of not using the hosts.deny and hosts.allow files for blacklisting some people, and giving others the right to connect to the system. The hosts.allow file (located at /etc/hosts.allow) describes the names of the hosts which are allowed to use the local INET services, as decided by the ‘/usr/sbin/tcpd’ server (for instajnce telnet, finger, ftp, exec, rsh, ssh, tftp, talk…). The hosts.deny file is doing just the opposite thing and is self explanatory. In most of the books I read about security on Linux systems, authors have this proposition regarding usage of mentioned hosts.* files.

First add all:all into your host.deny list, which doesn’t allow anyone to connect to your INET services, and then edit hosts.allow with all the hostnames which should be able to connect. This is the bottom line what should be done on the Linux system that is connected to the Internet, but let’s say Murphy’s Law strikes – When you add all:all to host.deny list and save the configuration, your Internet connection just crashes and you are not able to connect to the system which is physically thousands of miles from your home. Because of this I prefer first editing hosts.allow and then the hosts.deny list.

Checking the integrity

While you can use Tripwire or any other similiar solution for checking the integrity of files that reside on your system, there is another way of doing this. To tell you the truth, it is not as powerful, but it is usable. Let’s consider this seven liner:

—————-cut-here——————-

#!/bin/bash

for rpmlist in `rpm -qa | sort`

do

echo ” __ $rpmlist __”

rpm -V $rpmlist

done > /tmp/123.out

cat /tmp/123.out | mail -s “RPM Check `date +%T %A %d.%m.%Y`” admin@yoursystem.net

—————-cut-here——————-

This shell script basically makes a list of RPM files on your system, sorts them in an easily viewable format and verifies them to see what has changed. After that it mails the whole list to the administrative mailbox. Everything can of course be re-configured to suite your needs the best.

This is the snapshop of one of the e-mails sent as the result of this shell script:

Also it would be suitable to add this script in CRON, so you can receive a daily snapshot of the RPM’s on your system. In this exaple is starts every day at 10 am.

[admin@pilatus]# crontab -l

# DO NOT EDIT THIS FILE – edit the master and reinstall.

# (/tmp/crontab.1759 installed on Tue Apr 16 16:06:48 2002)

00 10 * * * /usr/local/etc/rpmcheck.sh

Checking the logs

Usually you should periodically check the logs on your system. All the vital things about the current status of your system can be seen from the logs. While manually checking all the files takes some time, and time is precious, there are a few tools that help you automate the process of checking your system logs.

I like to use LogSentry, a freeware product by Psionic Technologies.

As can be seen from the product description: “LogSentry automatically monitors your system logs and mails security violations to you on a periodic basis. It is based on a program that ships with the TIS Gauntlet firewall but has been improved upon in many ways to make it work nicely for normal system auditing.”

Setting up your copy of logcheck.sh is very easy, these are some of the main sections that must be edited:

SYSADMIN=admin@dotcom.net

As the purpose of LogSentry is to send you e-mail alerts of things happening on your system, you should point out your mailbox.

LOGTAIL=/usr/local/bin/logtail

Full path to logtail program is usually in /usr/local/bin. Logtail is custom executable that remembers the last position of a text file. This program is used by logcheck to parse out information from the last time the log was opened, this prevents reviewing old material twice.

TMPDIR=/usr/local/etc/tmp-something

This should be non public writable /tmp directory which prevents race condition and potential symlink problems.

LogCheck should also be added to CRON, so it can check the logs in desired time formats. I prefer every 30 minutes.

A few examples of LogCheck reports:

Security Violations

=-=-=-=-=-=-=-=-=-=

May 13 23:58:32 pilus sshd[2633]: Bad protocol version identification ” from 81.65.212.13

Security Violations

=-=-=-=-=-=-=-=-=-=

May 10 01:51:20 pilus su(pam_unix)[2530]: authentication failure; logname=spartacus uid=502 euid=0 tty= ruser= rhost= user=root

I hope these tips helped you answer some of your basic questions, and gave few pointers on how some things should be done. These are some useful references for the things covered in this article.

  • Stanford EDU: TCP Wrappers Information and Configuration
  • The Secure Shell TM Frequently Asked Questions
  • Snatching /etc/passwd with PHP MyExplorer
  • Snatching /etc/passwd with Multi Router Traffic Grapher
  • LogSentry 1.1.1 download

Don't miss