SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Tip #19: Linux tips

Published: 2007-10-19
Last Updated: 2007-10-20 04:41:42 UTC
by William Stearns (Version: 9)

Picture yourself sitting down with a first time Linux user.  This is someone with a lot to learn over the next few years.  *smile*

What straightforward suggestions would you give them about how to secure their Linux system?  Obviously, there's overlap between the different operating systems ("Use a strong password" applies just as well to Linux boxes as to the others), but we're particularly interested in Linux-specific tips.

I'll update the diary with your tips; please submit them at http://isc.sans.org/contact.html

1. Set up regular updates for your particular Linux distribution (links for other distributions welcome):

- Debian: http://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
- Fedora: http://docs.fedoraproject.org/yum/en/sn-updating-your-system.html
- SuSE: http://itg.chem.indiana.edu/inc/wiki/os/linex/148.html


2. Lock your system when you step away from it.  To lock the GNOME graphical desktop, run the following command, part of the "gnome-screensaver" package:

gnome-screensaver-command --lock

From a text console, run this, part of the vlock package:

vlock -a

For KDE, right click on the desktop and select "Lock Session".  In Ubuntu, press Ctrl-Alt-l (the letter "Ell", configurable in System/Preferences/Keyboard shortcuts).  All require the password of the logged-in user to continue work.

 

3. Do your day-to-day work with a non-root account.  When you need to do root-level tasks, become root with "sudo" or "su" just long enough to do the task (alternatively, log in as root on a text console for that task).

http://www.stearns.org/doc/sudo.current.html

4. Kevin Fenzi and David Wreski wrote the Linux Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO/ .  It gives good coverage of security issues and good background on many of the hints we cover here.  The document hasn't been updated since 2004; even though some of the solutions may be a little outdated, the issues have largely not changed.

 

5. Run Bastille Unix to clean up some vulnerable configuration choices in your Linux distribution.  It's a great learning tool: it explains _why_ it wants to make a configuration change, and lets you decide which ones to make.  http://www.bastille-unix.org/  From the web site:

"The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works.
Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX. Full Mac OS X is ready for download today."

Some of these start to get slightly more advanced, but I'll include them so you know where to look for more information.

6. Set up a firewall, an IDS, and a file-integrity checker (Tripwire or AIDE) right after install.  Store the integrity database off-system, and update it after patching the system.
Shorewall: http://www.shorewall.net
Firestarter: http://www.fs-security.com
Snort IDS: http://www.snort.org
Tripwire: http://sourceforge.net/projects/tripwire/
AIDE: http://www.cs.tut.fi/~rammer/aide.html
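As an added illustration of tip 6 (this is not the diary's code, nor Tripwire's or AIDE's), a minimal file-integrity check in the same spirit: build a baseline of SHA-256 hashes, keep it where the monitored host cannot write to it, compare later, and rebuild it right after patching.  It assumes sha256sum (GNU coreutils) and paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the diary, Tripwire or AIDE): a minimal file-integrity
# check in the spirit of tip 6. Assumes sha256sum (GNU coreutils) and paths
# without whitespace; the baseline file should live off-system.

# Write "hash  path" lines for every regular file under $1 into baseline $2.
make_baseline() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare the files under $1 with baseline $2. Prints ADDED / CHANGED / MISSING
# lines (sorted) and returns 1 if anything differs, 0 if the tree is unchanged.
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
        { now[$2] = $1 }                              # second file: current hashes
        END {
            for (p in now) {
                if (!(p in base)) print "ADDED " p
                else if (now[p] != base[p]) print "CHANGED " p
            }
            for (p in base) if (!(p in now)) print "MISSING " p
        }' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh integrity.sh baseline DIR DB   (then copy DB off-system)
#        sh integrity.sh check DIR DB      (after patching, rebuild the baseline)
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```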

7. Turn on SELinux if it is included in your distribution, to limit applications to just the system calls they're supposed to make.
http://www.nsa.gov/selinux/

8. Use ClamAV and SpamAssassin to filter viruses and spam from incoming mail.
http://www.clamav.net
http://spamassassin.apache.org/

9. Use fail2ban to block ssh and Apache dictionary attacks.
http://www.fail2ban.org/
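To show what fail2ban automates for tip 9, here is an added example (not from the diary or from fail2ban) that counts failed SSH password attempts per source address over constructed auth.log lines and lists the sources at or above a threshold; fail2ban would go on to add a firewall rule for them.  It ignores fail2ban's time window for brevity.

```shell
#!/bin/sh
# Added example (not from the diary or fail2ban): the detection behind tip 9,
# run over constructed sshd log lines. Addresses are documentation ranges.
SAMPLE_AUTH_LOG='Oct 19 03:12:01 host sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 19 03:12:03 host sshd[2212]: Failed password for root from 203.0.113.5 port 40131 ssh2
Oct 19 03:12:05 host sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Oct 19 03:12:07 host sshd[2216]: Failed password for root from 203.0.113.5 port 40151 ssh2
Oct 19 03:12:09 host sshd[2218]: Failed password for invalid user oracle from 203.0.113.5 port 40160 ssh2
Oct 19 03:15:40 host sshd[2301]: Failed password for bill from 192.0.2.44 port 51022 ssh2
Oct 19 03:15:52 host sshd[2301]: Accepted publickey for bill from 192.0.2.44 port 51022 ssh2
Oct 19 03:16:10 host sshd[2350]: Invalid user guest from 198.51.100.9'

# Read sshd log lines on stdin; print "count ip" for every source with at
# least $1 failed password attempts, highest count first.
ssh_bruteforce_sources() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }' | sort -rn
}

# Stand-alone demo on the constructed lines; on a live system use
#   ssh_bruteforce_sources 5 < /var/log/auth.log   (path varies by distribution)
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources 5
```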

10. Run a rootkit detector (chkrootkit, others) before connecting to a network, and regularly.
http://www.chkrootkit.org
        
11. Turn off - or completely remove - unneeded services.  Identify them with "netstat -pant" and disable them with chkconfig.  Check that the services are actually closed by running nmap (included in most Linux distributions) on a second system, scanning the first.
http://www.linuxjournal.com/article/4445
To check for open ports, run:
nmap -n -sV -p 1-65535 ip.of.system.to.check
nmap -n -sU -sV -p 1-65535 ip.of.system.to.check
The second command will take a _long_ time to run - good to leave running over a weekend.
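As an added example for tip 11 (not code from the diary), a small filter over "netstat -pant" output that reports every listening TCP socket whose port is not on an allowlist, together with its bind address and program, so anything unexpected can be disabled or removed.  The netstat output below is constructed in the layout of Linux net-tools; the UDP side (-u) prints no State column and is not covered here.

```shell
#!/bin/sh
# Added example (not from the diary): review listeners for tip 11.
# Constructed sample in the layout "netstat -pant" prints on Linux (net-tools).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1044/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      601/rpcbind
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      934/cupsd
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 2201/sshd'

# Print "port bind-address program" for each LISTEN socket in netstat -pant
# output read on stdin whose port is not in the space-separated allowlist $1.
unexpected_listeners() {
    awk -v allow=" $1 " '
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]                  # last ":"-field is the port (IPv6-safe)
            addr = substr($4, 1, length($4) - length(port) - 1) # everything before it is the bind address
            prog = $7; sub(/^[0-9]+\//, "", prog)               # drop the "PID/" prefix
            if (index(allow, " " port " ") == 0) print port, addr, prog
        }'
}

# Stand-alone demo on the constructed sample; on a live system run as root
# (so netstat can show program names):  netstat -pant | unexpected_listeners "22 25"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 25"
```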
  
12. Set up regular backups.  Using a RAID array will drastically reduce your exposure if a hard drive dies, but will do nothing for intentionally deleted files.
 
13. Remove, or restrict access to, compilers and other development tools on the system.  This won't stop a determined human attacker, but can stop an automated tool or worm.
 
14. Always use encrypted connections between machines (ssh, https, scp, rsync over ssh, sftp, imaps, pop3s, stunnel, cryptcat).  Move to ssh keys when you can.  Disable direct root login with "PermitRootLogin no" in /etc/ssh/sshd_config.  Disable ssh1 ("Protocol 2" in that same file).  Running ssh on a port other than 22 will stop SSH dictionary scanners.
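One way to verify the two sshd_config settings from tip 14, as an added example that is neither the diary's nor OpenSSH's code: sshd honours the first occurrence of a keyword, keywords are case-insensitive, and anything after a "Match" line applies only conditionally, so the check reads the first uncommented match above any Match block.  The weak and hardened configs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the diary or OpenSSH): audit sshd_config for tip 14.

# Effective value of keyword $1 in sshd_config $2 (empty if never set).
# sshd uses the first occurrence; settings after a Match block are conditional.
sshd_setting() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Print PASS/FAIL/UNSET for each setting in file $1; return 1 unless all PASS.
audit_sshd_config() {
    rc=0
    for pair in "PermitRootLogin:no" "Protocol:2"; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_setting "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        elif [ -z "$got" ]; then
            echo "UNSET $key (sshd default applies; set it to $want explicitly)"; rc=1
        else
            echo "FAIL $key $got (want $want)"; rc=1
        fi
    done
    return $rc
}

WEAK_CONF='# constructed sample: distribution defaults left in place
Port 22
Protocol 2,1
PermitRootLogin yes'

HARDENED_CONF='# constructed sample: tip 14 applied
Port 22
Protocol 2
PermitRootLogin no'

# Stand-alone demo; on a live system: audit_sshd_config /etc/ssh/sshd_config
w=$(mktemp); printf '%s\n' "$WEAK_CONF" > "$w"
h=$(mktemp); printf '%s\n' "$HARDENED_CONF" > "$h"
audit_sshd_config "$w" || echo "-> weak config needs changes"
audit_sshd_config "$h" && echo "-> hardened config passes"
rm -f "$w" "$h"
```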
 
15. Install new software from your OS vendor, or from additional repositories available for your distribution if they have the features you need.  If you need a custom feature that you can only get by compiling it yourself, do so, but remove the vendor package, and keep track of these packages as you will need to update them manually.  Only download software from trusted sources, and check the signatures on packages from your vendor.
 
16. Physical security: lock the system to something that can't be removed from the room.  Lock the case.  Password-protect the BIOS and boot loader so people can't boot into single-user mode.
 
17. Encrypt any partitions that have sensitive data.  Between them, dm-crypt, LUKS, and fuse-encfs cover everything from individual files to entire partitions.
http://www.saout.de/misc/dm-crypt/
http://luks.endorphin.org/
http://arg0.net/wiki/encfs/
 
18. LinuxQuestions.org has a good collection of past questions and answers and is a great place to ask new questions.  http://www.linuxquestions.org/questions/linux-security-4/ , in particular, deals with security questions.

Many thanks to Robert, Greg, Gilbert, Bas, Ned, Tiago, Brian, William, Matt, Brian, Steve, Chris, Don and Ron for their contributions.

-- William Stearns, http://www.stearns.org


Realplayer vulnerability with active exploit

Published: 2007-10-19
Last Updated: 2007-10-19 23:01:09 UTC
by William Stearns (Version: 2)
0 comment(s)

We're getting multiple reports of a fresh vulnerability in RealPlayer.  We understand there is some active exploitation of it.  Details:
http://www.securityfocus.com/bid/26130
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043319
http://www.symantec.com/avcenter/threatcon/
http://www.avertlabs.com/research/blog/index.php/2007/10/19/realplayer-zero-day-exploit-hits-the-web/

Many thanks to Matt, Jay, Lars, Nate, John, and Jim for bringing this up.


Firefox 2.0.0.8 released

Published: 2007-10-19
Last Updated: 2007-10-19 19:52:03 UTC
by William Stearns (Version: 2)
0 comment(s)

Firefox 2.0.0.8 has been released with support for Mac OS X 10.5 (Leopard) and fixes for a number of bugs.  There are more details at http://en-us.www.mozilla.com/en-US/firefox/2.0.0.8/releasenotes/ and http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8 .  Thanks to Paul, Jerry, Roseman, and Gilbert for sending this in.


(Currently unpatched) iPhone vulnerability with exploit

Published: 2007-10-19
Last Updated: 2007-10-19 19:43:50 UTC
by William Stearns (Version: 3)
0 comment(s)

Secunia has put out an advisory about a vulnerability in the iPhone and iPod touch.  Viewing a malformed TIFF image can cause attacker-supplied code to be run.  As of 10/19/2007, it does not appear that Apple has released a patch for this; the only workaround of which we're aware is not viewing TIFF images from unknown sources.  We understand there is active exploit code in the wild for this vulnerability.

There are more details at http://secunia.com/advisories/27213/ .  The Metasploit project has more specifics on the exploit and a link to exploit code at http://blog.metasploit.com/2007/10/cracking-iphone-part-21.html .  The CVE entry can be found at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5450 .
