QAD 1 MJW Quick and Dirty Guide to: Network Securing Redhat 7.2 Linux

>>>Version 1.0 - 3/2002

>>>Disclaimer:
This guide is meant to be a quick introduction with some working examples only. I am not responsible for any damage you do to your system.

>>>Requirements:
Working Redhat 7.2 install with iptables. Root access.

>>>Books you should own:
Linux Firewalls by Robert L. Ziegler

>>>Intro:
Redhat 7.2 uses ipchains as its default firewall application, but iptables provides a better solution. Iptables has many advantages, including stateful packet inspection, syn-flood protection, filtering on MAC addresses, and many others. For a full read on iptables, visit http://www.netfilter.org. Note that the ipchains and iptables kernel modules cannot be loaded at the same time, so turn the ipchains service off (with ntsysv, below) before turning iptables on.

>>>Passwords:
Often passwords form the weakest link in the chain of security protecting a server. Your root password should be at least 8 characters in length and composed of letters, numbers and symbols (like !), mixing upper and lower case. You should never use common words, the names of pets or family members, or your social security number (it's easier to get than you think). Examples of good passwords: bl@ckb3rry1 (blackberry1), r3db3@rdp1r@t3 (redbeardpirate). Examples of bad passwords: password, green, Arnold. Be aware that password crackers such as John the Ripper try these letter-for-symbol substitutions automatically on every dictionary word, so a mangled word buys less than it looks like; length matters most, and a passphrase of several unrelated words beats a short mangled one.

>>>Unnecessary Services:
Your server should not run any more services (ftp, telnet, pop) than necessary. The best tool for controlling what services start is ntsysv. Hit ctrl-alt-F1 to get to tty1. Login as root and enter "ntsysv" to see what is set to run ("chkconfig --list" prints the same information for every runlevel without the menu). Here is a list of the minimum services that should be running on a Linux box with XWindows (runlevel 5): anacron, apmd, atd, autofs, crond, gpm, keytable, kudzu, linuxconf, iptables, network, random, sshd, syslog, xfs, xinetd. There are other services that you may need to enable, such as httpd (web server), imapd (imap server), ipop2 or ipop3 (pop mail server), named (dns server), pcmcia (very important for laptops), sendmail (mail server), smb (samba/windows server). Anything else that is on and that you cannot name a reason for should be turned off.
>>>xinetd:
Xinetd provides an improvement on the classic inetd "super server." In olden days (and still on BSD/Solaris), inetd listened for connections on certain ports and invoked the appropriate service (daemon). For example, when inetd received traffic on port 110, it would invoke the pop3 daemon to handle the communication. In most Linux flavors, inetd has been replaced by xinetd for greater control and security. Xinetd's configuration files are found in the /etc/xinetd.d directory. Each configuration file is named after the service it handles. The telnet file contains:

    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
            disable         = yes
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
    }

You can see that the "disable = yes" tells xinetd to ignore any telnet connection attempts (the "# default: on" comment only records what the package would have enabled; the disable line is what counts, and a file with no disable line at all is enabled). If you change any of the xinetd configuration files, you will have to restart xinetd by typing:

    /etc/rc.d/init.d/xinetd restart

Under a default install of Redhat 7.2, all of these files contain "disable = yes", which disables all xinetd services.

>>>telnet and ftp, the evil wonder twins.
In the friendlier days of the Internet, security was not a great problem. Passwords were sent across the 'Net as clear text. Anyone with a connection on your local network and the right program (a packet sniffer) could capture your root password with some patience and luck. Both telnet and ftp still use clear text. Telnet should be avoided at all costs, as most Linux flavors come with ssh (OpenSSH) installed. There are times that network administrators have to use telnet (such as for routers and switches), but Linux admins should ALWAYS use ssh. If you need to transfer files, you should use scp or sftp (both have man pages). Windows boxes can use putty (ssh) or winscp (scp) for secure connections to Linux boxes, and you can download both of these programs from Slug.
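As an added example (it is not part of the original guide), the script below audits both places a Redhat 7.2 box starts services from, covering the Unnecessary Services and xinetd sections together: it reads "chkconfig --list" output and reports anything that is "on" in a given runlevel but not on the guide's minimum list, and it walks an xinetd service directory and reports every file that does not explicitly say disable = yes (a missing disable line counts as enabled, a commented-out one does not). The allowlist is the guide's; the chkconfig text and the three xinetd files are constructed here so it runs offline, and the xinetd directory is a parameter (/etc/xinetd.d on a real box).

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Audits two places a Redhat 7.2 box starts services from:
#   1. SysV init scripts, as listed by "chkconfig --list" (text read from stdin)
#   2. xinetd service files in a directory such as /etc/xinetd.d
# Assumed: the guide's minimum service list is the allowlist; paths are parameters.

# Minimum services for a runlevel-5 box, straight from the guide.
ALLOWED_SERVICES="anacron apmd atd autofs crond gpm keytable kudzu linuxconf iptables network random sshd syslog xfs xinetd"

# Print SysV services that are "on" in runlevel $1 but not allowlisted.
# Real use:  chkconfig --list | audit_sysv_services 5
audit_sysv_services() {
    awk -v rl="$1" -v allowed="$ALLOWED_SERVICES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^xinetd based services:/ { exit }      # rest of the listing is xinetd, handled separately
        NF >= 7 {                               # "name 0:off 1:off ... 6:off"
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == rl && kv[2] == "on" && !($1 in ok)) print $1
            }
        }'
}

# Print every service file under directory $1 that is NOT explicitly disabled.
# xinetd treats a missing "disable" attribute as enabled, so those are reported;
# a commented-out line ("# disable = yes") does not count as disabled.
audit_xinetd_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
}

# ---- constructed sample data (not output from a real host) ----
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        finger: on
        telnet: off'

# Build a throw-away xinetd.d with three service files and print its path.
make_sample_xinetd_dir() {
    d=$(mktemp -d)
    printf 'service telnet\n{\n\tdisable\t= yes\n\tserver\t= /usr/sbin/in.telnetd\n}\n' > "$d/telnet"
    printf 'service ftp\n{\n\tdisable\t= no\n\tserver\t= /usr/sbin/in.ftpd\n}\n' > "$d/wu-ftpd"
    printf 'service finger\n{\n\t# disable = yes\n\tserver\t= /usr/sbin/in.fingerd\n}\n' > "$d/finger"
    echo "$d"
}

echo "SysV services on in runlevel 5 but not on the minimum list:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_sysv_services 5
sample_dir=$(make_sample_xinetd_dir)
echo "xinetd services not disabled:"
audit_xinetd_services "$sample_dir"
rm -rf "$sample_dir"
```

On the sample data the first check reports sendmail and portmap, and the second reports finger (no disable line) and wu-ftpd (disable = no); telnet is silent. Run the real thing with chkconfig piped in and /etc/xinetd.d as the directory, then decide for each name whether it earns its place.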
The only reason to use ftp is for anonymous downloads from your Linux box. You will have to tell xinetd to allow ftp connections by modifying the wu-ftpd file and setting disable = no. Redhat 7.2 defaults to allowing only anonymous transfers in the /etc/ftpaccess file with:

    # Don't allow system accounts to log in over ftp
    deny-uid %-99 %65534-
    deny-gid %-99 %65534-
    allow-uid ftp
    allow-gid ftp

which tells the ftp service (daemon) to allow only the "ftp" user (aka anonymous). Leave it that way: a real user logging in over ftp sends a password in the clear exactly as telnet does.

>>>The firewall: iptables.
The longer your Linux box is on the 'Net, the greater the chances someone will try to break in. Ample bandwidth, such as that provided by broadband ADSL or cable modems, will also increase the number of break-in attempts. No matter what your OS, you should have a firewall. Iptables is the current choice due to flexibility and speed: with connection tracking, packets belonging to an established connection are accepted by a single rule near the top of the chain instead of being walked through the whole rule set. Redhat stores its configuration in the /etc/sysconfig/iptables file in a unique (argh) format, the output of iptables-save. Other distributions of Linux use shell scripts, but not Redhat. There are two ways you can get your rules into this file. First, you can enter all the commands by hand, one at a time, at a command prompt, then issue "service iptables save" and Redhat will write the running rules to /etc/sysconfig/iptables. Or you could just copy this:

----begin cut after this line-----------
# Generated by iptables-save v1.2.5 on Sat Mar 16 23:47:36 2002
# Redhat 7.2 /etc/sysconfig/iptables file. MWARD
# With thanks to everyone on the 'Net writing iptables HOWTOs
*filter
:INPUT DROP [23:3793]
:OUTPUT ACCEPT [34:2241]
:syn-flood - [0:0]
# Accept ANYTHING from the lo (loopback)
[0:0] -A INPUT -i lo -j ACCEPT
# Syn-flood protection
[0:0] -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
[0:0] -A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
# Fragment packet protection - Log and drop
[0:0] -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS "
[0:0] -A INPUT -i eth0 -f -j DROP
#Allow back in anything we initiate.
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
#Allow basic form of ICMP ping
[0:0] -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
#Allow SSH tcp-22,1023 udp-1023
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 1023 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 1023 -j ACCEPT
#Example for web and ftp, create/uncomment as needed
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
#[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
#Log whatever reaches the end of the chain (the DROP policy gets it next), at most 30 entries/minute
[0:0] -A INPUT -m limit --limit 30/min -j LOG --log-prefix "Dropped:"
#Allow anything outbound on lo
[0:0] -A OUTPUT -o lo -j ACCEPT
#Syn-flood protection cont
[0:0] -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
[0:0] -A syn-flood -j DROP
COMMIT
# Completed on Sat Mar 16 23:47:36 2002
------End cut, do not include this line-----------------

I have attempted to comment this example to illustrate what is being done. A few things to check before you use it. Every rule is written for eth0; if your Internet link is a PPP interface (ppp0 for PPPoE DSL, for example), replace eth0 with that name throughout, because the rule "-i ! eth0 -m state --state NEW -j ACCEPT" accepts any new connection arriving on an interface other than eth0, which is fine for a trusted second NIC but wide open if the untrusted side is not eth0. The syn-flood chain limits new SYNs to 1 per second with a burst of 4 for the whole interface, not per source, which is fine for a home box but will drop legitimate connections on a busy web server. The two port-1023 rules under the SSH comment are not needed for OpenSSH, which listens on tcp/22 only; remove them unless you know of a service that uses them. No policy is set for the FORWARD chain, so it keeps the kernel default of ACCEPT; that is harmless on a single-interface box that does not route, but add ":FORWARD DROP [0:0]" next to the other policies if the machine ever gets two interfaces. The LOG rule near the end of INPUT does not block anything by itself: it logs what no ACCEPT rule matched, capped at 30 entries a minute so a scan cannot flood /var/log/messages, and the chain's DROP policy then discards the packet.

You need to add any services and the ports they require to this example. Customize it as needed. You will then have to issue /etc/rc.d/init.d/iptables restart to restart iptables (duh); "iptables -L -n -v" shows the rules actually loaded, with a packet counter on each. You should then test out all the services to make sure they still work, and then run a port scanner (nmap, etc.) to see if your firewall is doing its job. Try issuing the command tail -f /var/log/messages, which will print any new syslog entries to your screen. Run the port scanner (not from the same Linux box) and watch the log entries fly. You are now firewalled.
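As an added example (not from the guide), the script below turns the LOG entries the rules above write into something readable: a per-source, per-port count for a given log prefix ("Dropped:" or "IPTABLES FRAGMENTS "), and a list of sources that have touched many distinct ports, which is what an nmap run looks like in /var/log/messages. The log lines embedded in it are constructed in the netfilter LOG format, not taken from a real system; on a real box run "summarize_drops Dropped: < /var/log/messages".

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Reads syslog lines and summarises the netfilter LOG entries written by the ruleset above.
# Assumed: the kernel log format "kernel: <prefix>IN=... SRC=... PROTO=... DPT=..." and
# the two prefixes from the guide's rules, "Dropped:" and "IPTABLES FRAGMENTS ".

# Count packets per (SRC, PROTO, DPT) in lines carrying log prefix $1, busiest first.
# Real use:  summarize_drops "Dropped:" < /var/log/messages
summarize_drops() {
    grep -F "kernel: $1" | awk '
        {
            src = "?"; proto = "?"; dpt = "-"          # ICMP lines carry no DPT
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2,4
}

# Print "SRC N" for every source that hit at least $2 distinct destination ports
# in lines with prefix $1. One host probing many ports is the port-scan signature.
port_scanners() {
    grep -F "kernel: $1" | awk -v t="$2" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src]++
            }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }' | LC_ALL=C sort
}

# ---- constructed sample of /var/log/messages (not from a real host) ----
MAC="MAC=00:50:ba:11:22:33:00:10:a4:aa:bb:cc:08:00"
TAIL="WINDOW=5840 RES=0x00 SYN URGP=0"
SAMPLE_LOG="Mar 17 00:01:02 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=40001 DPT=21 $TAIL
Mar 17 00:01:02 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4002 DF PROTO=TCP SPT=40002 DPT=23 $TAIL
Mar 17 00:01:02 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4003 DF PROTO=TCP SPT=40003 DPT=25 $TAIL
Mar 17 00:01:03 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4004 DF PROTO=TCP SPT=40004 DPT=110 $TAIL
Mar 17 00:01:03 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4005 DF PROTO=TCP SPT=40005 DPT=143 $TAIL
Mar 17 00:02:10 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=192.0.2.77 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9001 DF PROTO=TCP SPT=1234 DPT=23 $TAIL
Mar 17 00:02:11 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=192.0.2.77 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9002 DF PROTO=TCP SPT=1235 DPT=23 $TAIL
Mar 17 00:02:12 slug kernel: Dropped:IN=eth0 OUT= $MAC SRC=192.0.2.77 DST=10.0.0.2 LEN=78 TOS=0x00 PREC=0x00 TTL=49 ID=9003 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 17 00:03:00 slug kernel: IPTABLES FRAGMENTS IN=eth0 OUT= $MAC SRC=198.51.100.5 DST=10.0.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=777 PROTO=ICMP
Mar 17 00:03:01 slug sshd[1234]: Accepted publickey for mward from 10.0.0.9 port 50000 ssh2"

echo "Dropped packets by source, protocol and port:"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "Dropped:"
echo "Fragments:"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "IPTABLES FRAGMENTS "
echo "Sources that touched 5 or more ports:"
printf '%s\n' "$SAMPLE_LOG" | port_scanners "Dropped:" 5
```

On the sample, 192.0.2.77 tops the count with two SYNs to port 23, but it is 10.0.0.9 that the scan check flags, having hit five different ports in two seconds. Sorting with LC_ALL=C keeps the output order stable regardless of the login locale, which matters if you ever diff two days' reports.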
If you have any trouble, you may need to restart your Linux box, as some modules may be loaded that are not needed and are causing problems; the ipchains module in particular cannot be loaded at the same time as iptables, and "lsmod" will show you whether it is.

>>>Monitoring your system: logcheck.
Aside from iptables, logcheck has to be one of the greatest assets for security. It will parse your logs and email you organized results. You can download an rpm from Slug: http://slug.ceca.utc.edu/cgi-bin/ftp_search.pl?word=logcheck&word1=rpm Note that it will install a cron entry in /etc/cron.hourly, which is (IMHO) too often for logcheck to run. I'd move /etc/cron.hourly/logcheck to /etc/cron.daily/logcheck. The main logcheck program is a shell script that you can modify to your needs. I strongly suggest modifying /usr/sbin/logcheck so that SYSADMIN=root actually points to an email address (yours), such as SYSADMIN=yournamehere@moccasun.utc.edu.

>>>Your best friend, the backup.
As a Linux admin, you should perform regular full backups of your system, at least monthly. I strongly suggest you also back up the /etc directory weekly. Rewritable CDs provide 660M of reusable space, which is more than any Redhat /etc needs. Buying a good IDE/SCSI CDROM burner is worth the time it will save in having backups of your /etc. Read a backup back at least once (list the archive, restore a file to a scratch directory); an archive you have never read back is not yet a backup. It would also be a good idea to write down your root password and store it in a safe place, as you may forget it over time.

>>>Proactive safety.
Not many Linux viruses or worms exist, but you should never blindly trust any RPM or tarball (tar.gz) file. Arbitrarily installing software on your Linux box is VERY BAD and could allow the installation of a rootkit (prebuilt binary programs that give an attacker root access to your box over the network). Get your RPMs/tarballs from reputable sources and check the MD5s just to be safe. MD5s are 128-bit checksums; most software developers publish them, and you can check them using md5sum. If the sum calculated by md5sum matches the one the developer published, the file has not been altered since it was hashed. Two caveats. A match proves integrity, not authorship: if the checksum came from the same web page as the download, an attacker who replaced one could have replaced both, so get the sum from a second source (the announcement mail, another mirror) where you can, and prefer a GPG signature when the vendor provides one; for Redhat packages, "rpm --checksig file.rpm" checks the vendor's signature against the Red Hat public key. And MD5 itself has since been shown not to be collision-resistant, so treat it as a corruption check rather than a security guarantee.
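An added example, not from the guide, that covers both of the preceding sections at once: a backup function that archives a directory (meant for /etc) into a dated tar.gz, proves the archive can be listed back, and writes an md5sum manifest beside it, plus a verify_md5 function that does the comparison the md5sum paragraph describes and returns success only on a match. It assumes GNU tar and the coreutils md5sum; the directory tree at the bottom is constructed for the demo, not a real /etc.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Assumed: GNU tar and coreutils md5sum (both present on Redhat 7.2).

# Archive directory $1 into $2 as NAME-YYYYMMDD.tar.gz (NAME = basename of $1),
# write NAME-YYYYMMDD.md5 beside it, and list the archive back before reporting
# success. Optional $3 overrides the date stamp. Prints the archive path.
backup_dir() {
    src="$1"; dest="$2"; stamp="${3:-$(date +%Y%m%d)}"
    name="$(basename "$src")-$stamp"
    archive="$dest/$name.tar.gz"
    mkdir -p "$dest" || return 1
    # -C keeps the paths relative, so the archive restores into any directory,
    # not only straight over / (handy when rebuilding on a second machine).
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # A backup you cannot read back is not a backup: list it before trusting it.
    tar -tzf "$archive" >/dev/null || return 1
    # Manifest in the form "md5sum -c" expects, written from inside $dest so the
    # file name in it is relative.
    ( cd "$dest" && md5sum "$name.tar.gz" > "$name.md5" ) || return 1
    echo "$archive"
}

# Compare the md5 of file $1 against the published sum $2 (32 hex digits).
# Exit status 0 on match, 1 otherwise. This only proves the file equals what the
# publisher hashed; it says nothing about who the publisher was, so the expected
# sum should come from somewhere you trust more than the download itself.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# ---- constructed demo tree (not a real /etc) so the functions can be exercised ----
demo=$(mktemp -d)
mkdir -p "$demo/etc/xinetd.d"
printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$demo/etc/xinetd.d/telnet"
archive=$(backup_dir "$demo/etc" "$demo/backups")
echo "wrote $archive"
( cd "$demo/backups" && md5sum -c "$(basename "$archive" .tar.gz).md5" )
rm -rf "$demo"
```

Put the two calls in a script under /etc/cron.weekly with /etc as the source and the burner's staging directory as the destination; keeping the .md5 file with the archive on the CD lets you run "md5sum -c" on the disc months later and know the copy is still intact. The same verify_md5 call, with the sum from the developer's announcement, is the check the guide asks for before installing a downloaded RPM or tarball.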
For more on md5sum, do a "man md5sum".

>>>Conclusions.
Strong passwords, a firewall, no unnecessary services, no clear text services, and regular backups are the best ways to safeguard your Linux box. Don't install suspicious RPMs or tarballs. Keep it simple, keep it safe.