Linux Security - Is it Ready For The Average User?
by Bob Toxen - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 1 August 2005.
Pick good passwords. A password should be at least 10 characters long and should not consist solely of one or two words in any dictionary. It should not consist solely of lower-case letters or solely of digits. Do not get around the one- or two-word prohibition via the trivial changing of the letter 'o' to the digit '0' or the letter 'l' to the digit '1', etc. Hackers know that trick too.

Do not use obvious numbers such as 3.1416 or 42, words like secret, root, or wheel, a word repeated, names from science fiction, or names or other data from your current personal life, such as your girlfriend's or pet's names, automobile tag, or phone number. Use two or three unrelated words or names interspersed with two or three non-alphanumerics or something equally hard to guess or brute-force crack.
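As an added example (not from the article), the POSIX sh checker below applies the rules just stated: minimum length of 10, not only lower-case letters, not only digits, and not one or two dictionary words even after the trivial o-to-0 and l-to-1 style substitutions have been undone. The seven-word list is a constructed stand-in, and the names WORDLIST, normalize, one_or_two_words and password_weakness are this example's own.

```shell
#!/bin/sh
# Added example, not the article's code: a checker for the password rules the
# article states.  The word list is a constructed stand-in for the demo; on a
# real system point WORDLIST at /usr/share/dict/words or a larger word list.

WORDLIST=$(mktemp)
printf '%s\n' secret root wheel password linux penguin dragon > "$WORDLIST"

# Exit 0 if $1 (already normalized to lower-case letters) is in the list.
is_dict_word() {
    grep -qixF -- "$1" "$WORDLIST"
}

# Undo the disguises the article mentions: lower-case everything, map the
# usual look-alike digits and symbols back to letters, drop everything else.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '0134@$' 'oleaas' | tr -cd 'a-z'
}

# Exit 0 if the letters of $1 form one dictionary word, or two dictionary
# words back to back (which also catches a word repeated); 1 otherwise.
one_or_two_words() {
    w=$(normalize "$1")
    if [ -z "$w" ]; then
        return 1
    fi
    if is_dict_word "$w"; then
        return 0
    fi
    n=${#w}
    i=1
    while [ "$i" -lt "$n" ]; do
        left=$(printf '%s' "$w" | cut -c1-"$i")
        right=$(printf '%s' "$w" | cut -c"$((i + 1))"-)
        if is_dict_word "$left" && is_dict_word "$right"; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Print the first rule the candidate $1 breaks and exit 0, or print "ok"
# and exit 1 if it passes every rule.
password_weakness() {
    pw=$1
    if [ "${#pw}" -lt 10 ]; then
        echo "too short (${#pw} < 10)"; return 0
    fi
    case "$pw" in
        *[!a-z]*) ;;
        *) echo "only lower-case letters"; return 0 ;;
    esac
    case "$pw" in
        *[!0-9]*) ;;
        *) echo "only digits"; return 0 ;;
    esac
    if one_or_two_words "$pw"; then
        echo "one or two dictionary words in disguise"; return 0
    fi
    echo "ok"; return 1
}

# Stand-alone demo over constructed candidates (none are real passwords).
for candidate in 'P3ngu1n' 'dragondragon' '3141592653' 'S3cr3t-Dr@gon' 'Tr!ck-Lantern+9Q'; do
    printf '%-20s %s\n' "$candidate" "$(password_weakness "$candidate")"
done
```

The normalization step is what makes the dictionary test meaningful: `S3cr3t-Dr@gon` is rejected because it collapses to `secret` followed by `dragon`, exactly the trick the article says attackers already know. Substitute a full word list for the temp file before relying on the result.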

Don't Blame Sendmail

The third key to good Linux security is not using programs in an insecure way and not using insecure programs. After a less than stellar security history, Sendmail now rarely has a new security vulnerability discovered in it. In defense of Sendmail, it predates the modern Internet and widespread hacking by about 20 years.

Sendmail now checks for obvious configuration errors when it starts up and refuses to operate until the poor configuration is fixed, unless you set the "dontblamesendmail" flag. This is a very clever solution: it allows someone who really wants to, and presumably knows what he is doing or has a death wish, to disable Sendmail's minimum security checks, yet one could hardly set this flag accidentally.

Most of the major subsystems that come with Linux, such as Sendmail, the Apache web server, and the Samba file server come with abundant documentation and default configuration files that usually need just a tiny bit of tweaking to help you configure the subsystem correctly.

Some programs cannot be made secure and must not be used, no way, no how. Heading this list are NFS and its cohorts, portmap and the Sun Remote Procedure Call (RPC) library, which are still turned on by default on some Linux distros. Unless NFS and portmap are thoroughly protected with firewalling, they should not be used. Period. Number two on the list is PHP. I realize that many web sites have lots of time invested in PHP but I'm sorry, it continues to have security bugs discovered frequently and these affect even those using it "properly". Find another solution or risk being hacked. I have dealt with such a likely hacked site as recently as last week.

These days, most systems other than mail servers do not receive email via SMTP (TCP/IP port 25). Thus, please do not allow Sendmail to listen on port 25. This is done by not including the "-bd" flag when invoking Sendmail. For Red Hat and Mandrake, edit the /etc/sysconfig/sendmail file and change:

DAEMON=yes

to

DAEMON=no

and restart sendmail with the command:

/etc/rc.d/rc3.d/*sendmail* restart
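As an added example (not from the article or the Sendmail project), the POSIX sh helper below audits the step just described from both ends: it reads the DAEMON= setting out of a Red Hat or Mandrake style /etc/sysconfig/sendmail, and it reads a listener table (the output of `ss -ltn` or `netstat -ltn`) to see whether anything is actually bound to TCP port 25. Checking both matters because a daemon that was started with DAEMON=yes keeps listening until it is restarted, and a listener bound only to 127.0.0.1 is not reachable from the network at all. The function names and the sample data are this example's own.

```shell
#!/bin/sh
# Added example, not the article's code: audit whether Sendmail is, or will
# be, listening on TCP port 25 on a Red Hat / Mandrake style system.

# Exit 0 if the sysconfig file in $1 enables the daemon (DAEMON=yes), 1
# otherwise.  Comment lines are ignored, quotes and whitespace around the
# value are stripped, and the last DAEMON= assignment wins, as it would in
# the shell that sources the file.
sendmail_daemon_enabled() {
    awk -v q="'" -v dq='"' '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*DAEMON=/ {
            v = $0
            sub(/^[[:space:]]*DAEMON=/, "", v)
            gsub(q, "", v); gsub(dq, "", v); gsub(/[[:space:]]/, "", v)
            val = tolower(v)
        }
        END { if (val == "yes") exit 0; exit 1 }
    ' "$1"
}

# Print one line per TCP socket bound to port 25 in the listener table on
# stdin (output of `ss -ltn` or `netstat -ltn`; the fourth column is the
# local address).  Each line is "net ADDR" for a bind reachable from the
# network or "loop ADDR" for a loopback-only bind.  Exit 0 if any were
# found, 1 otherwise.
port25_listeners() {
    awk '$4 ~ /:25$/ {
             addr = $4; sub(/:25$/, "", addr)
             kind = (addr ~ /^(127\.|\[::1\]$|::1$)/) ? "loop" : "net"
             print kind, addr; found = 1
         }
         END { if (found) exit 0; exit 1 }'
}

# One-line verdict for a sysconfig file ($1) and a saved listener table ($2).
sendmail_port25_status() {
    listeners=$(port25_listeners < "$2") || listeners=""
    net_addr=$(printf '%s\n' "$listeners" | awk '$1 == "net" { print $2; exit }')
    if [ -n "$net_addr" ]; then
        echo "EXPOSED: port 25 listening on $net_addr"
    elif [ -n "$listeners" ]; then
        echo "LOCAL-ONLY: port 25 bound to loopback only"
    elif sendmail_daemon_enabled "$1"; then
        echo "WILL-EXPOSE: DAEMON=yes; sendmail will listen on port 25 after restart"
    else
        echo "OK: DAEMON=no and nothing listening on port 25"
    fi
}

# Stand-alone demo on constructed sample data (not captured from a real host).
sample_cfg=$(mktemp)
sample_ls=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# constructed /etc/sysconfig/sendmail
DAEMON=yes
QUEUE=1h
EOF
cat > "$sample_ls" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       10      0.0.0.0:25          0.0.0.0:*
EOF
echo "sample host: $(sendmail_port25_status "$sample_cfg" "$sample_ls")"
rm -f "$sample_cfg" "$sample_ls"
```

On a live system, save the listener table first (`ss -ltn > /tmp/listeners.txt`) and run `sendmail_port25_status /etc/sysconfig/sendmail /tmp/listeners.txt`; a WILL-EXPOSE verdict after you have already edited the file means the restart step has not been done yet.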
