2001-12-21-08:30:45 Kevin Robitaille:
> Any one out there know good reference for securing a 
> Linux 7.2 Server OS.

The general pattern I use (with some success) is to disable vendor
daemons, add ones I need, then finish off with packet filtering.
This applies nicely on all platforms I've used. I expand this out a
bit for modern Red Hat distributions.

A. Do not run any daemons shipped by the vendor that listen on the
   net.

(1) Find out what daemons are listening on network ports:

        lsof -Pni

(2) For each of those daemons, make it stop, then either remove it
    entirely from the system, or at least make sure it doesn't start
    again; e.g.

        rpm -e linuxconf sendmail
        chkconfig --del netfs

B. Add good daemons for services you must have that must listen on
   the net. E.g. get the latest OpenSSH[1] (and make sure you track
   updates pretty closely, since it's had some security alerts
   against it in the last year). If you need to have an MTA, use
   either qmail[2] or Postfix[3]. If you need to do anything related
   to DNS, either a caching nameserver (AKA recursive resolver) or
   an authoritative nameserver, use djbdns[4]. If you must serve
   data via http, consider a really small and simple server like
   one of Jef Poskanzer's daemons[5].

C. Suspenders and a belt: add packet filtering

   Configure up ipchains. Make sure the rules in
   /etc/sysconfig/ipchains match your needs, then enable packet
   filtering with

        chkconfig --add ipchains

   I like a configuration where everything is blocked unless I
   actually must allow it, and packets that are blocked are also
   logged --- this makes it easy to diagnose when I need to tweak
   the rules to allow something I'd overlooked.

   This last step is more than just protection against inadvertent
   config changes that re-enable daemons, it also makes it possible
   to use components that include network listeners even though
   they're only needed locally. Most RDBMSes seem to include network
   listeners. So far I've always been able to figure out how to bind
   the listener to localhost only, but you still want to add packet
   filtering --- including anti-spoofing rules so people can't send
   to your localhost from the network.

-Bennett

[1] <URL:http://www.openssh.com/>
[2] <URL:http://www.qmail.org/>
[3] <URL:http://www.postfix.org/>
[4] <URL:http://www.djbdns.org/>
[5] <URL:http://www.acme.com/software/thttpd/>
    <URL:http://www.acme.com/software/mini_httpd/>
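Added example, not part of Bennett's post: the audit-then-filter pattern from steps A and C as a small shell script. The `lsof -Pni` output it reads is constructed inline (no real host), and the `ipchains` ruleset it emits is printed, not applied; the rule syntax follows the ipchains man page as I remember it, so treat the exact flags as an assumption to check against your own `man ipchains` before loading them.

```shell
#!/bin/sh
# Constructed sample of `lsof -Pni` output (not captured from a real host).
SAMPLE_LSOF='COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       412     root    3u  IPv4   1120      0t0  TCP *:22 (LISTEN)
sendmail   530     root    4u  IPv4   1302      0t0  TCP *:25 (LISTEN)
portmap    301      rpc    3u  IPv4    998      0t0  TCP *:111 (LISTEN)
portmap    301      rpc    4u  IPv4    999      0t0  UDP *:111
postgres   620 postgres    3u  IPv4   1400      0t0  TCP 127.0.0.1:5432 (LISTEN)'

# Step A(1): print one "command proto address:port" line per network
# listener in lsof -Pni output read on stdin. TCP sockets count only in
# LISTEN state; UDP sockets have no state, so every bound one counts.
# Fields are taken from the end of the line so column widths don't matter.
listeners() {
    awk 'NR > 1 {
        if ($NF == "(LISTEN)")     print $1, $(NF-2), $(NF-1)
        else if ($(NF-1) == "UDP") print $1, $(NF-1), $NF
    }'
}

# Keep only listeners reachable from the network: anything not bound to
# a loopback address. The port suffix is stripped before comparing.
exposed() {
    awk '{ addr = $3; sub(/:[^:]*$/, "", addr)
           if (addr != "127.0.0.1" && addr != "[::1]") print }'
}

# Step C: emit (to stdout, do not apply) a default-deny ipchains input
# chain that permits loopback, drops and logs packets claiming a loopback
# source on any other interface (anti-spoofing), lets replies to our own
# outbound TCP connections back in (non-SYN packets; ipchains is
# stateless), accepts only the TCP ports given as arguments, and logs
# everything else it denies so overlooked services show up in the log.
ipchains_rules() {
    echo 'ipchains -F input'
    echo 'ipchains -P input DENY'
    echo 'ipchains -A input -i lo -j ACCEPT'
    echo 'ipchains -A input -i ! lo -s 127.0.0.0/8 -j DENY -l'
    echo 'ipchains -A input -p tcp ! -y -j ACCEPT'
    for port in "$@"; do
        echo "ipchains -A input -p tcp -d 0.0.0.0/0 $port -j ACCEPT"
    done
    echo 'ipchains -A input -j DENY -l'
}

# Usage: audit the sample, then print a ruleset allowing only ssh and smtp.
# On a real host replace the sample with `lsof -Pni | listeners | exposed`.
printf '%s\n' "$SAMPLE_LSOF" | listeners | exposed
ipchains_rules 22 25
```

In the sample, postgres is bound to localhost and drops out of the `exposed` list, but portmap (TCP and UDP) and sendmail remain; those are the candidates for `rpm -e` / `chkconfig --del` in step A(2), and the generated chain only opens 22 and 25 for whatever you decide to keep.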
