Welcome to the { mindfrost82.com } forums.
#1  03-07-2006, 07:45 PM
Posted by mindfrost82 (Administrator, Illinois)
Securing the home Linux system

SECURING THE HOME LINUX SYSTEM: VERSION 1.2
Linux has made quite an explosion in the computer field and is becoming more popular each day. Linux offers the full power of a UNIX operating system, and many find it more stable and faster than Microsoft's operating systems. The best deal of all is that it is free to download, and costs little to nothing when bought. For programmers and hackers, Linux comes with its own source code, the blueprints to how it was written [TRANSLATION: Computer geeks love Linux because they can take it apart and rebuild it]. Mastering Linux takes time, and learning to secure it properly requires an intimate knowledge of the operating system, something new Linux users will not have. That is why this article exists: in the hope that new Linux users will be able to secure their home system without too much hassle, for the cost of nothing but a little time.

WHAT DOES THIS ARTICLE DISCUSS?
Basic Linux security will be discussed in this article, that is:

* securing passwords.
* preventing the curious from logging into your system.
* securing daemons.
* encrypting sensitive files.
* trojan horses and viruses.
* file permissions.
* port scanning.
* security programs.
* further reading.

This article will assume a few things:

* You use a Linux system for personal and home use. Not as a server.
* You know basic Linux commands and you know how to read path names.
* You are actually using Linux and not some other UNIX variant, e.g. FreeBSD.
* You know how to use a text editor, e.g. vi, emacs, pico, etc.
* You know that the man command will do you good.

HOW MUCH SECURITY DO YOU NEED?
The question is how much security you need on your system. You can have a tightly secured system, but that would prevent you from doing certain things. You have to know what you are protecting. Do you keep credit card numbers or certificates on your computer? Do you care if someone actually breaks into your system? Ask yourself these questions before implementing the security measures discussed below [TRANSLATION: Secure only what you need, else you may find that you yourself are restricted from running programs you like].

SECURING PASSWORDS
Passwords are your first line of defense, and they are normally the first thing a cracker attacks [TRANSLATION: Clueless computer vandals like to try guessing passwords in the hope of breaking in]. The root password is the most important one and should be very strong. How do you make it strong? Here are a few pointers:

* It should use up the maximum password length allowed.
* It should contain numbers, letters, and special characters.
* It should contain upper case and lower case characters.
* It should be memorized and not written down.
* It should not make sense to anyone but you.
* It should not be found in a dictionary.
* It should be a non-existent word.

Okay, now that you have generated a secure password for yourself, what do you do? You download a password cracker and try to crack your own password [TRANSLATION: Linux does not store your password itself but a one-way hash of it, which cannot be turned back into the password. Password cracking is the process of guessing candidate passwords, hashing each one and comparing the result with the stored hash; a weak password is found this way in seconds]. If your password gets cracked, generate a much stronger one. Password crackers are widely available. You can download a few at http://www.rootshell.org. If you want to generate a random password, you can use /dev/urandom. Here is one way to do it:

root# head -c 6 /dev/urandom | uuencode - | sed -n 2p | cut -c 2-9

That prints eight random characters for you to use as a password (uuencode is part of the sharutils package). You are not done yet. The next step is to shadow your password file [TRANSLATION: Shadowing moves the password hashes out of the world-readable /etc/passwd into /etc/shadow, which only root can read]. Your Linux system may already have shadowed your passwords by default. To check, do:

root# grep '^root:' /etc/passwd

If the second field is just an x, like

root:x:0:0:root:/root:/bin/bash

then your passwords are already shadowed. If the second field contains the hash itself, they are not. To shadow them, run pwconv as root.

DISABLING DAEMONS
At its first installation, your Linux system will have many daemons running by default, and many of them are unnecessary. A daemon is a program that listens and waits for a specific event to happen [TRANSLATION: A daemon is a program that runs in the background waiting to be called upon]. When the event happens, the daemon acts accordingly. For instance, your finger daemon waits until it receives a connection; when it does, it either presents the remote computer with the information asked for or refuses the connection. Most of your network daemons are listed in /etc/inetd.conf [TRANSLATION: inetd is the Internet Super Server. It controls all the available daemons in your system. When a client requests a connection to a daemon, inetd passes the connection to the respective daemon it is in charge of]. Each line gives the service name, socket type, protocol, wait or nowait, the user the daemon runs as, the program to run and its arguments. The finger daemon's line will look something like this:

finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd

In this case, the finger daemon is up and running. When someone tries to finger root on your system, this is what it would show:

xconsole$ finger root@localhost
Login: root Name: root
Directory: /root Shell: /bin/bash
On since Sun Mar 7 00:43 (EST) on ttyp0 from :0.0
Mail last read Sun Feb 28 20:58 1999 (EST)
No Plan

This is normally viewed as a security risk: there is no reason anyone would need to view root's status. Disabling the finger daemon is therefore a good idea. This is done simply by commenting its line out with a hash (#) symbol:

#finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd

Save the file, and then run

root# killall -HUP inetd

so that inetd re-reads its configuration. When you try to finger root now, this is what you get:

xconsole$ finger root@localhost
[localhost]
finger: connect: Connection refused

The finger daemon has been successfully shut off. Shutting off the daemon does not mean that you cannot use finger: you can still finger other computers, but they cannot finger yours. You will want to shut off the other daemons you do not need as well. Some good candidates are:

* echo
* discard
* daytime
* chargen
* ftp
* telnet
* gopher
* shell
* login
* exec
* talk
* tftp
* finger
* netstat
* systat

[TRANSLATION: Having unnecessary daemons running is always a bad idea]. What if you want to leave the finger daemon running, but at the same time see who is fingering you? That is where tcp_wrapper comes in. tcp_wrapper (the tcpd program) logs every connection to whichever daemon you put it in front of, and can refuse connections from particular hosts according to the rules in /etc/hosts.allow and /etc/hosts.deny. You can obtain tcp_wrapper from ftp://ftp.win.tue.nl/pub/security/. After you install it, change the finger line in /etc/inetd.conf to:

finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd

Notice that the finger daemon is now started by tcpd. Every connection to finger is logged through syslog. Check /etc/syslog.conf to see where each kind of message goes, and man syslog.conf to see how to modify /etc/syslog.conf. I suggest you have tcp_wrapper watching over all your daemons regardless of whether they are active or not. Most of the latest Linux distributions already come with tcp_wrapper installed, so you do not have to worry too much about setting it up.

CONTROLLING LOGIN
You can control the ttys that root may log in on by editing the /etc/securetty file [TRANSLATION: You can control the terminal consoles that root can log into, thus reducing the risk of a cracker breaking in]. If you want to stop all other users from logging in and use root all the time (a bad idea, by the way), run the following command:

root# touch /etc/nologin

This file will prevent all users except root from logging in. The contents of the file /etc/nologin will be presented when a non-root user attempts to login. So if you do:

root# echo "Down for upgrade." > /etc/nologin

Users who log in will get this message:

Linux 2.2.5

Down for upgrade.

The connection will then be closed. Be wary of this. It tightens security quite a bit, but as root, Linux will follow your every command and not stop you from running dangerous ones. You may actually damage your system [TRANSLATION: If you accidentally run rm -rf / as root, you will spend the next hour re-installing Linux].

CONNECTING TO OTHER COMPUTERS
Normally you would use telnet to connect to another computer. The problem with this is that your session can be eavesdropped on, which you do not want [TRANSLATION: Crackers can spy on your telnet session and see what you are typing, passwords included]. To solve this problem, install SSH, the Secure Shell. SSH encrypts your sessions so that eavesdropping becomes useless. You can download SSH from http://www.ssh.fi/. You should also uninstall the r-utilities (rsh, rlogin, etc.). They are not secure and rely on files like .rhosts, which are notorious entry points for cracker break-ins. Once ssh is installed, be sure to disable telnetd in /etc/inetd.conf [TRANSLATION: shut off the telnet daemon].

TROJAN HORSES AND VIRUSES

Trojans are programs that appear to do one thing but secretly have a hidden, usually malicious, purpose. The name comes from the myth of the Trojan Horse: the Trojans accepted the gift from the Greeks, and it became the cause of their defeat. Trojans have unpredictable results, ranging from creating a backdoor into your system to destroying it entirely. A cracker who breaks into your system will most likely leave a trojan behind. An example would be replacing ls with a tainted ls:

#!/bin/sh
# tainted ls program
rm -rf /

Do not run this program unless you want to re-install Linux. It simply deletes everything the moment you run ls. As you can see, trojans are hard to spot. A tainted ps program may show you only what the cracker wants you to see, leaving their processes completely hidden. Your best bet to avoid running a trojan is never to accept files from an untrusted source [TRANSLATION: Trust no one]. Linux lets you build programs from source code before installing them, and that is what you should do rather than run binaries of unknown origin. If you can, read the source code to make sure it is safe [TRANSLATION: Check the blueprints for the program and look for suspicious code. This can be difficult if you do not know how to program, or if the blueprint is very long]. The best way to detect trojans is to install Tripwire. Tripwire keeps a database of checksums and attributes for your system files and, when it finds an altered file, notifies you so that you can check it out [TRANSLATION: Tripwire records what your system looked like when you first installed Tripwire and monitors it from then on. If a new program is installed, or an existing program is changed, Tripwire will alert you]. Tripwire is available at http://www.tripwiresecurity.com. Note that Tripwire can only report what changed since its database was built, so build that database on a freshly installed system and keep a copy of it on read-only media.

Viruses are programs that attach themselves to other executables and spread from one to the next [TRANSLATION: When you run a program infected with a virus, it will infect other programs]. They can be very destructive, or simply print annoying messages to your screen. Linux is much less exposed to viruses because of its file permissions: a virus runs with the privileges of the user who ran the infected program and can only infect files that user can write to, so as long as you do your everyday work as a normal user and not as root, the system's own programs stay out of its reach [TRANSLATION: Users are restricted to handling files belonging to them and not to other users]. Of course it never hurts to have a defense against viruses. AntiVir can be downloaded from http://www.hbedv.com/.

PORT SCANNING
Port scanning is the method of checking which ports are currently open on a given system [TRANSLATION: Think of a port as a door where information goes in and out. Port scanning is the method of checking which doors are open for breaking into]. A daemon listening on an open port may be vulnerable to exploits, especially if it is not kept up to date. So the next thing to do is to check which ports you have open. Generally, if you have disabled your finger daemon, you have closed the finger port (79). Of course there are other ports, and that is what you want to check for. Download the port scanner Nmap for this. Nmap is available at http://www.insecure.org/nmap/index.html. One feature it contains is the ability to "fingerprint" the operating system it scans, so it will tell you what operating system is being scanned. The fewer ports Nmap detects on your system, the less there is for a cracker to attack. Scan only machines you own or have permission to test.

FILE PERMISSIONS
File permissions are very important. If others use your Linux system, give them their own user accounts and restrict their access to certain files. Make sure that important files are readable and writable only by root. Do not change the permissions of /etc/passwd! It must stay world readable for certain programs (anything that turns a user ID into a name) to work; the password hashes belong in /etc/shadow, which is not world readable. If you do not know how to change permissions, do a man chmod for help. Learn how to use umask. umask sets the permission bits that are removed from every newly created file, so it ensures that new files have the permissions you desire. For example, with a umask of 077, newly created files get permissions of

-rw------- (0600)

and newly created directories drwx------ (0700). Add umask 077 to your startup script, such as ~/.bash_profile, so you can be sure that newly created files are for your eyes only.

SUID (Set-User-ID) and SGID (Set-Group-ID) programs are dangerous because, when executed, they run with the privileges of the file's owner (SUID) or group (SGID) rather than those of the user who ran them [TRANSLATION: This means that if a program owned by root is marked SUID, a normal user who runs that program temporarily becomes root for as long as the program runs]. Here is an example. As root, do:

root# cp /bin/bash /bin/root_shell
root# chmod 4755 /bin/root_shell

Now log in as a normal user and run /bin/root_shell. You will notice that your prompt has changed to '#'. (Recent versions of bash drop the setuid privilege unless started with -p; on such a system run /bin/root_shell -p to see the effect.) Then do the following:

root# whoami
root

You have now become root. Delete /bin/root_shell when you are done with the experiment: leaving it in place gives every local user a root shell, which is exactly the kind of backdoor a cracker would install. SGID programs are the same as SUID programs, except that they grant the file's group instead of its owner. To find all SUID and SGID programs, run the following command:

root# find / -type f \( -perm -04000 -o -perm -02000 \)

Make sure that you run this as root; otherwise you will miss SUID and SGID programs in directories you do not have permission to read. Be aware that some programs need to be SUID root in order to work! passwd, for example, which lets users change their own password, must be SUID root because it writes to /etc/passwd and /etc/shadow, which only root can write. To give a program SUID permissions, do chmod 4755. The leading 4 sets the SUID bit; the remaining three digits are the normal user-group-world permissions. For SGID the command is chmod 2755: the 2 sets SGID, and as with SUID, the remaining digits are user-group-world. Only do this when you understand exactly why the program needs it, and keep the output of the find command above somewhere safe so you can compare it later: a SUID root file you did not install is a classic sign of a break-in.

ENCRYPTION
Encryption is the use of algorithms that transform a readable file into an unreadable one which only the holder of the key can turn back [TRANSLATION: Encryption jumbles up a readable file so no one without the key can read it]. In the event that your system does get compromised, you will want to have the last laugh when the cracker finds out that your files are encrypted. The best encryption program currently available is Pretty Good Privacy (PGP). There are others as well, but I recommend getting PGP. It is secure and easy to use, and you may get it at http://www.pgpi.com. Encryption only helps if the passphrase is not stored on the same machine and you do not leave decrypted copies of the files lying around.

BACKUP
Always keep backups of all important files, whether on floppies or on tapes. If your system gets compromised, you want to have a clean copy of your entire system. Use tar to archive and compress your files. If you want to back up your entire system to floppy disks, do the following:

root# tar cvMf /dev/fd0 /

When one floppy fills up, you will be prompted to insert another. If you are backing up to a tape drive running from a floppy controller, the command is:

root# tar cvf /dev/rft /

These are just a few ways to back up your system. If you have a separate partition, you can back up there as well. Read the manual for tar for further information. Keep at least one backup off the machine and check that it actually restores; a backup taken after a break-in may already contain the cracker's trojans.

INTRUDER DETECTION
It would be nice to receive a warning every time someone tried to connect to a port on your computer, or tried to su to another account. Fortunately, your Linux system can be set up to do this! It is done by configuring /etc/syslog.conf, which tells syslogd where to send each kind of message: to a file, to the console, or elsewhere. I will not go into depth on the syntax needed to write a syslog.conf file. I think the manual page for it accomplishes that rather nicely. Basically, each line is:

facility.priority    destination

where the facility is the kind of message (auth, mail, kern, ...), the priority is its severity (info, warning, ..., or * for all) and the destination is a file or device.

To log every attempt to su and every failed login, that is, a cracker trying to guess passwords, add the following to your /etc/syslog.conf file (the two fields are separated by tabs):

auth.* /dev/console

authpriv.* /dev/console

This assumes that you are the only one using your Linux system. Every authentication event will immediately be printed to /dev/console: under X, that is xconsole (if you have it running); at the command line, it is your screen. Do this only if you are not planning on having other users on your computer; otherwise they will see the authentication messages on their consoles as well. Take the time to study your /etc/syslog.conf file. It shows you where everything is being logged. Once you have made the modifications, run the following command so that syslogd re-reads the file:

root# killall -HUP syslogd

With that done, try to su to another account. You should immediately see a message on your console telling you that an authentication event is taking place. If you are not expecting anyone to log into your system, the only time this message should appear is when you run su. Any other time probably means that someone is attempting to break into your system. It is also worth sending auth.* and authpriv.* to a file (such as /var/log/auth.log) in addition to the console, so the evidence is still there after it has scrolled off the screen.

CONCLUSION?
This article is by no means complete. Covering Linux security in full would fill a big book. This is barely half of that book. You will notice that I left out physical security and a lot of network security. New security holes are always being uncovered, and new defenses are always being developed. You will want to keep up to date with what is happening, because the script-kiddies and crackers do. To defeat them, you have to know how they think and work. I have compiled a small list of sites that will be of good help:

* http://www.cert.org
* http://www.rootshell.com
* http://www.insecure.org
* http://www.hideaway.net
* http://www.hackers.com
* http://www.linux-howto.com/LDP/HOWTO...ity-HOWTO.html
* http://www.linux-howto.com/LDP/HOWTO...ord-HOWTO.html
* http://www.securityfocus.com

There is so much more to learn and to cover. The information provided in this article will keep most script-kiddies out, but only for so long. A determined cracker will find a way to break in. There is no way to completely secure any system. You can only make it more difficult to break into.
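The SECURING PASSWORDS section above recommends strong, mixed-character passwords and checking that the hashes are shadowed. The following is an added example, not code from the original article: a small sh script that generates a password from /dev/urandom while enforcing the four character classes the article lists, and an audit that reads a passwd-format file and reports accounts whose hash still sits in the world-readable file or which have no password at all. The sample passwd lines are constructed for the demonstration; on a real system run passwd_audit against /etc/passwd and fix findings with pwconv.

```shell
#!/bin/sh
# Added example (not from the original article). Requires only POSIX sh,
# tr, head and awk; /dev/urandom is assumed to exist.

# password_classes STRING: number of character classes present
# (lower, upper, digit, other), 0..4.
password_classes() {
    n=0
    case "$1" in *[[:lower:]]*) n=$((n+1));; esac
    case "$1" in *[[:upper:]]*) n=$((n+1));; esac
    case "$1" in *[[:digit:]]*) n=$((n+1));; esac
    case "$1" in *[![:alnum:]]*) n=$((n+1));; esac
    echo "$n"
}

# gen_password LEN: LEN random characters drawn from letters, digits and
# punctuation, re-drawn until all four classes are present (so LEN >= 4).
gen_password() {
    len="${1:-16}"
    [ "$len" -ge 4 ] || { echo "gen_password: length must be >= 4" >&2; return 1; }
    while :; do
        p=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=.,-' < /dev/urandom | head -c "$len")
        [ "$(password_classes "$p")" -eq 4 ] && break
    done
    printf '%s\n' "$p"
}

# sample_passwd FILE: constructed passwd lines (the alice hash is a dummy).
sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$1$abcdefgh$0123456789abcdefghijkl:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
EOF
}

# passwd_audit FILE: one line per account that is not properly shadowed.
# "x" means the hash lives in /etc/shadow; "*" or a leading "!" is a locked
# account; an empty field is an account anyone can log into without a password.
passwd_audit() {
    awk -F: '
        NF < 7                                   { next }
        $2 == "x" || $2 == "*" || $2 ~ /^!/      { next }
        $2 == ""  { print $1 ": NO PASSWORD"; next }
                  { print $1 ": HASH IN WORLD-READABLE /etc/passwd" }
    ' "$1"
}
```

Run passwd_audit /etc/passwd as any user (the file is world readable by design); an empty report means every hash is in /etc/shadow. Feed the output of gen_password 16 to passwd when setting the root password.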
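The DISABLING DAEMONS section walks through commenting out services in /etc/inetd.conf and putting the rest behind tcpd. As an added example that is not part of the original article, here is a sh script that does that audit mechanically: it lists the services inetd would start, flags the ones that are not wrapped by tcpd (and so get no hosts.allow/hosts.deny control or logging), and comments out a given list of services. It works on whatever file path you pass, so it can be tried on the constructed sample configuration before it is pointed at /etc/inetd.conf. The tcpd path /usr/sbin/tcpd is taken from the article; the sample service lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit and trim an inetd.conf.
# inetd.conf fields: service socket-type protocol wait|nowait user server-path args...

# sample_inetd_conf FILE: constructed sample configuration.
sample_inetd_conf() {
    cat > "$1" <<'EOF'
# <service> <socket> <proto> <flags> <user>  <server_path>         <args>
echo     stream  tcp  nowait  root    internal
daytime  stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#talk    dgram   udp  wait    nobody  /usr/sbin/tcpd        in.talkd
EOF
}

# inetd_enabled CONF: names of the services inetd will actually start
# (uncommented lines with at least the six mandatory fields).
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# inetd_unwrapped CONF: enabled services whose server field is not tcpd.
# "internal" services (echo, daytime, chargen, ...) cannot be wrapped at all;
# the only fix for those is to comment them out.
inetd_unwrapped() {
    awk '!/^[ \t]*#/ && NF >= 6 && $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# inetd_disable CONF SERVICE...: comment out the named services in place.
# Afterwards run:  killall -HUP inetd   so that inetd re-reads the file.
inetd_disable() {
    conf="$1"; shift
    tmp="$conf.tmp.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in off) { print "#" $0; next }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
```

A typical session on a real box is inetd_unwrapped /etc/inetd.conf to see what is exposed, then inetd_disable /etc/inetd.conf echo daytime chargen finger for the services the article lists as good candidates, then killall -HUP inetd and a re-run of inetd_enabled to confirm.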
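Two sections above call for the same kind of check: TROJAN HORSES AND VIRUSES describes Tripwire comparing the system against a stored database, and FILE PERMISSIONS says to find every SUID/SGID program and watch for new ones. The script below is an added example, not from the original article and not Tripwire itself: a minimal baseline of mode, owner and SHA-256 for every file under a directory, a checker that reports what was added, removed or changed, and a setuid/setgid audit. It assumes GNU findutils and coreutils (stat -c, sha256sum) as found on Linux, and does not handle file names containing newlines.

```shell
#!/bin/sh
# Added example (not from the original article and not Tripwire itself):
# a file-integrity baseline in the spirit of Tripwire, plus a setuid/setgid
# audit. Assumes GNU find/stat/sha256sum. Keep the baseline file off the
# machine or on read-only media: a cracker who can edit it can hide changes.

# baseline_create DIR FILE: one tab-separated line per regular file under DIR:
# mode:uid:gid, SHA-256, path; sorted by path.
baseline_create() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(stat -c '%a:%u:%g' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done > "$2"
}

# baseline_check DIR FILE: rebuild the record for DIR and print every path
# that was added, removed, or whose mode, owner or contents changed.
# No output means nothing differs.
baseline_check() {
    cur=$(mktemp)
    baseline_create "$1" "$cur"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
                            { now[$3]  = $1 " " $2 }
        END {
            for (f in base) if (!(f in now))            print "REMOVED " f
            for (f in now)  if (!(f in base))           print "ADDED   " f
                            else if (now[f] != base[f]) print "CHANGED " f
        }' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# suid_audit DIR: setuid/setgid regular files under DIR as "mode uid path".
# Run as root on a real system so that no directory is skipped, and keep the
# output next to the baseline: a setuid root file you did not install is the
# classic trace of a break-in.
suid_audit() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %u %n' {} + | LC_ALL=C sort
}
```

On a fresh install, baseline_create / /root/baseline.txt (or at least of /bin, /sbin, /usr and /etc) and suid_audit / > /root/suid.txt; afterwards, baseline_check / /root/baseline.txt from a cron job or after any suspicion. A changed ls or ps in the report is the tainted-binary case the article warns about.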
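The INTRUDER DETECTION section sends auth and authpriv messages to the console and tells you to treat any unexpected su message as an attack. Once those messages also go to a file, they can be counted rather than watched. The following is an added example, not from the original article: a sh script that summarises failed su, failed console login and failed ssh password attempts per source and raises an alert when a source crosses a threshold. The sample log lines are constructed, patterned on the messages su(1), login(1) and sshd(8) write to the auth facility; on a real system point the functions at whatever file your syslog.conf sends auth.* and authpriv.* to (commonly /var/log/auth.log or /var/log/secure).

```shell
#!/bin/sh
# Added example (not from the original article): count authentication
# failures in a syslog-style file. Requires POSIX sh and awk.

# sample_auth_log FILE: constructed lines in the format syslogd writes.
sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  7 00:43:12 box su: FAILED SU (to root) alice on /dev/pts/1
Mar  7 00:43:40 box su: + /dev/pts/1 alice:root
Mar  7 00:44:02 box login[1234]: FAILED LOGIN 1 FROM 10.0.0.5 FOR bob, Authentication failure
Mar  7 00:44:09 box login[1234]: FAILED LOGIN 2 FROM 10.0.0.5 FOR bob, Authentication failure
Mar  7 00:44:15 box login[1234]: FAILED LOGIN 3 FROM 10.0.0.5 FOR root, Authentication failure
Mar  7 00:45:01 box sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 4242 ssh2
Mar  7 00:45:05 box sshd[2201]: Failed password for root from 203.0.113.9 port 4243 ssh2
EOF
}

# auth_summary LOG: one line per (kind, source): "<kind> <source> <count>".
# Successful su lines ("su: + ...") are deliberately not counted here.
auth_summary() {
    awk '
        /FAILED SU/ {                      # su: FAILED SU (to root) alice on ...
            t = $0; sub(/.*\(to /, "", t); sub(/\).*/, "", t)
            for (i = 1; i <= NF; i++) if ($i ~ /\)$/) { c = $(i+1); break }
            su[c "->" t]++
        }
        /FAILED LOGIN/ {                   # login: FAILED LOGIN n FROM host FOR user
            for (i = 1; i <= NF; i++) if ($i == "FROM") login[$(i+1)]++
        }
        /sshd.*Failed password/ {          # sshd: Failed password for ... from host
            for (i = 1; i <= NF; i++) if ($i == "from") ssh[$(i+1)]++
        }
        END {
            for (k in su)    print "su-fail", k, su[k]
            for (k in login) print "login-fail", k, login[k]
            for (k in ssh)   print "ssh-fail", k, ssh[k]
        }' "$1" | LC_ALL=C sort
}

# auth_alert LOG N: the sources with at least N failures.
auth_alert() {
    auth_summary "$1" | awk -v n="$2" '$3 >= n { print "ALERT: " $1 " " $2 " (" $3 " failures)" }'
}
```

Run auth_alert /var/log/auth.log 5 from cron and mail yourself the output; on a single-user home machine any line at all deserves a look, since you know every legitimate su you ran.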