Securing Linux
by Aleksandar Stancin - for Help Net Security
There are various proactive password checking utilities that can simplify your job and force users to pick a good password. The shadow password system hardly needs mentioning; it's a must. A good practice is to run a dictionary attack against your own passwords from time to time, just to check for easily retrievable ones. Make sure all users create a separate password for each system they access. All passwords are vulnerable to dictionary and brute-force attacks; it's up to you to make the attacker's job more difficult.

Services and daemons running at boot time

In brief: disable anything you don't need or don't plan on using, and don't install anything you don't need.

One thing is certain: if you think you need a certain service, like telnet or FTP, think about it. Is it really needed? Is it safe to use, and is there a more reliable replacement for it? For instance, SSH replaces telnet perfectly, and FTP is pretty much obsolete, with all those web forms these days, and, yes, even SCP from the SSH package.

Need an MTA? Why not consider Qmail or some other instead of sendmail? A lot of issues arise when planning which services you will provide and, more importantly, how.

Think about how you're going to organize your machines in production, as it's pretty much useless to set up a perfect firewall, and lose a lot of time perfecting it, just to put an FTP server behind it. Deploy servers rationally, exposing the least possible number of services outside your LAN, no matter how simple or harmless a service might seem. If you really need services that have known past security issues, a wise idea would be to put them in a DMZ and separate them from all other machines in any way possible.

Using LILO

If you plan to use LILO as your boot loader, you can tighten things up by adding two extra lines to your /etc/lilo.conf: 'restricted' and 'password="somepassofyourchoice"'. After making any alterations to /etc/lilo.conf, make sure to re-run lilo by typing '/sbin/lilo' so that they take effect on the next boot. Adding the 'restricted' line makes it necessary for the user to provide a password when trying to pass additional boot parameters to lilo. The password option restricts the booting of Linux to local users who have the password, but the password isn't encrypted, so make /etc/lilo.conf owned by root and set it to mode 600. That's 'chmod 600 /etc/lilo.conf'. As always, you can 'man lilo' to find out more about additional options. The ultimate choice is to make lilo boot from a floppy, so nobody without that floppy can boot the system. Nothing like a dose of physical security measures! :) But still, be sure to have a backup lying somewhere safe, because floppies aren't that reliable...
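The checks from the paragraph above can be scripted. This is an added example, not part of the original article: the function name audit_lilo_conf is an assumption, and the sample file it audits is constructed. It reports whether a password line is present, whether 'restricted' is set, and whether the file is closed to group and others and owned by root.

```sh
#!/bin/sh
# Added example; audit_lilo_conf is a hypothetical helper, not part of LILO.
audit_lilo_conf() {
    conf=${1:-/etc/lilo.conf}
    fails=0
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }

    # Skip comment lines; lilo.conf option names are case-insensitive.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)
    if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*password[[:space:]]*='; then
        if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*restricted[[:space:]]*$'; then
            echo "INFO password asked only when boot parameters are passed"
        else
            echo "INFO password asked on every boot (no 'restricted' line)"
        fi
    else
        echo "FAIL no password= line, boot prompt is unprotected"
        fails=$((fails + 1))
    fi

    # The password is stored in clear text, so only root may read the file.
    # GNU stat is tried first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    uid=$(stat -c '%u' "$conf" 2>/dev/null || stat -f '%u' "$conf")
    case $mode in
        ?00) echo "INFO mode $mode" ;;
        *)   echo "FAIL mode $mode, run: chmod 600 $conf"; fails=$((fails + 1)) ;;
    esac
    if [ "$uid" -ne 0 ]; then
        echo "FAIL owner uid $uid, run: chown root $conf"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]   # exit status 0 only when nothing failed
}

# Constructed sample file (not a real system file): audited with weak
# permissions first, then again after chmod 600.
sample=$(mktemp)
printf '%s\n' 'boot=/dev/hda' 'restricted' 'password="somepassofyourchoice"' \
    'image=/boot/vmlinuz' '  label=linux' > "$sample"
chmod 644 "$sample"; audit_lilo_conf "$sample" || true
chmod 600 "$sample"; audit_lilo_conf "$sample" || true
rm -f "$sample"
```

Called with no argument, the function audits /etc/lilo.conf; a non-zero exit status means at least one FAIL line was printed.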

Of course, there are other ways of booting Linux, so make sure that you read more documentation on the subject, so that you can make good choices to enhance the security of your system.


Think about running a scanner on your system to check it for vulnerabilities, wrong file permissions, SUID or other wrongly set UIDs, open services, ports, etc. Network scanners test your host as a possible attacker would, and in most cases will, looking for any open services and ports and searching for any known vulnerability. Most scanners are easy to use and configure, so I'd recommend using the ones listed below:
Of course, there are so many others that I'd need to write another article just to name them all, but the above mentioned are the most commonly used and have all the functions and options you may need. Use them cautiously, and remember, trying to scan other hosts may be in violation of some law, or could cause an unintentional denial of service.


Thu, Feb 4th