Basic Security Fixes

From SlackWiki
Revision as of 17:43, 5 October 2010 by Rworkman (talk | contribs) (s/too/to/)

Small tips to increase the security of your Slackware box:

  • Use strong passwords! The most common way Linux systems get hacked is through weak user passwords and SSH.
  • Use a firewall! Freshmeat.net has lots of automatic tools to help with configuration, and we have some example scripts posted here.
  • Tell X not to listen for TCP connections:
    • KDM: Add "ServerArgsLocal=-nolisten tcp" under section [X-:*-Core] to /opt/kde/share/config/kdm/kdmrc
    • XDM: Add "-nolisten tcp" to the line calling X in /etc/X11/xdm/Xservers.
    • Console: Use 'startx -- -nolisten tcp' rather than 'startx', possibly with the aid of an alias.
      • You can also edit startx and, at line 168 (where it calls xinit), append '-nolisten tcp' at the end, but this is a dirty hack.
  • Close any services you do not require, especially since most run as root. Think about what you will use them for. For instance, would you really want to run sshd 24/7 when you will perhaps access it remotely only once in a blue moon? You will most likely know about that access in advance, at which point you can start the required daemon before connecting remotely.
    • To disable startup services in /etc/rc.d, unset the executable bit of the rc script. You can still start and stop services by executing the rc script later using 'sh'.
    • You can also edit /etc/rc.d/rc.M directly and comment out the lines that call the other rc scripts.
  • Disable the "time" service, by commenting out lines 22 and 23 in /etc/inetd.conf - you will need to restart inetd after making the changes. (If you need to run inetd at all!)
  • Look for any services/daemons that you don't know about by running "netstat -luntp".
  • Run 'ps -e u' several times and become familiar with your usual processes to establish a "baseline". Then keep monitoring regularly to spot when something doesn't seem right.
  • If you suspect intrusion or have suspicious files, scan your system for rootkits with 'chkrootkit'. You can also scan for win32 "malware" with 'clamav', for instance if you're using your system as a mail/ftp server.
  • Add the following line to hosts.deny to disallow access by any host to your system... 'ALL: ALL' - note that this only affects services built with libwrap (tcpwrappers), but it's one layer of security. A further layer would be to add the following to /etc/hosts.allow... 'ALL: ALL: DENY'
  • Fine-tune logrotate by editing /etc/logrotate.conf and adding more log rotations in /etc/logrotate.d/
  • If you want to restrict who is able to use the su command to switch to certain users, you can use /etc/suauth. The basic format for /etc/suauth is "to-id:from-id:ACTION"
Example:
   root:foobar:DENY 
would stop the user foobar from using su to become root.
Another example:
   root:ALL EXCEPT GROUP wheel:DENY
would only allow users in the wheel group to su to root.
You can also allow users to su with no password required (why you would do this is beyond me), and can require that a user enter their OWN password before switching users. For more information, please consult the man page for /etc/suauth.
(Thanks to cubicool for informing me of the existence of /etc/suauth)
A similar, though perhaps not as fine-grained, way to control who can use su is to change ownership and permissions of /bin/su. First, add the user(s) that you want to be able to use su to the wheel group in /etc/passwd. Next, change the ownership of /bin/su to group wheel, and change its permissions to 4750.
   chown root:wheel /bin/su
   chmod 4750 /bin/su
This makes /bin/su executable *only* by members of the wheel group.
  • Another way to restrict the users who can become root is to edit the file /etc/login.defs and change the value of SU_WHEEL_ONLY to yes.
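
To verify that several of the settings above are actually in place, here is an audit sketch added as an example (it is not part of the original wiki page). The function names and the ROOT prefix argument are assumptions of this example; the file paths and expected values are the ones given in the tips above.

```shell
#!/bin/sh
# Added example: audit a few of the settings described on this page.
# Each check takes a ROOT prefix (an assumption of this example): "" audits
# the live system, any other value audits a copy or a constructed test tree.

# hosts.deny must carry the catch-all rule 'ALL: ALL'.
check_hosts_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' \
        "$1/etc/hosts.deny" 2>/dev/null
}

# inetd.conf must have no active (uncommented) "time" entries.
check_inetd_time() {
    ! grep -Eq '^[[:space:]]*time[[:space:]]' "$1/etc/inetd.conf" 2>/dev/null
}

# Every server line in xdm's Xservers must pass '-nolisten tcp' to X.
check_xdm_nolisten() {
    f="$1/etc/X11/xdm/Xservers"
    [ -f "$f" ] || return 0    # no xdm configuration: nothing to check
    ! grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -qv -- '-nolisten tcp'
}

# /bin/su must be mode 4750 and belong to the expected group (default wheel).
check_su() {
    f="$1/bin/su"; group=${2:-wheel}
    set -- $(ls -ld "$f" 2>/dev/null)    # $1 = mode string, $4 = group
    [ "$(printf %s "$1" | cut -c1-10)" = "-rwsr-x---" ] && [ "$4" = "$group" ]
}

# login.defs sets SU_WHEEL_ONLY to yes.
check_su_wheel_only() {
    grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes[[:space:]]*$' \
        "$1/etc/login.defs" 2>/dev/null
}

# The page offers these as alternatives, so either one satisfies the check.
check_su_restricted() { check_su "$1" "$2" || check_su_wheel_only "$1"; }

# Run all checks, print one line per result, return the number of failures.
audit() {
    root=$1; grp=${2:-wheel}; fails=0
    for c in check_hosts_deny check_inetd_time check_xdm_nolisten check_su_restricted; do
        if "$c" "$root" "$grp"; then echo "ok   $c"
        else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}
```

On a live system, call `audit ""`; the return status is the number of failed checks. The /etc/suauth rules and the firewall are not covered and still need a manual review.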