Hardening Linux
davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to
secure your server as well as how to solve them manually and via automated tools like Bastille."
yes but does it run my favorite rootkit?
I know people seem to find it all trendy to bash Novell these days, but AppArmor is a pretty damn good tool for containing the behaviour of applications. Use a handy little utility to monitor your application (apache, bind, postfix, anything else..) being used in a controlled environment, then apply that ruleset at kernel level and if access isn't defined in the AppArmor profile, it ain't happening.
For those not wanting to read the article, that "basic how to" is:
1) Disable unwanted services (done via the CLI in this day of GUIs)
2) Keep the OS patched
3) Install and run Bastille to do everything else for you.
Linux hardens You
In this regard I'm very impressed with the work the Ubuntu developers have done: a netstat -tupa post-install reveals a very small attack-surface where ports are concerned. That said, it would certainly be interesting to see a per-distro comparison at some point.
Anyone know of such a project - even if just comparing a few top-tier distributions?
This is mainly for those who roll their own using LFS, but Hardened Linux From Scratch should give some tips, and practical advice, which critical areas need patching, plus proper practices.
Did you see where it mentioned nmap? No? Because it didn't. Wouldn't you expect it to tell you to run nmap from a different machine so you can see what your outside profile looks like?
/etc/init.d/service_name stop? Just use the package manager to remove it.
It reads more like someone who's just discovered Bastille and now considers himself "informed" on "security issues".
Step #1. Limit the avenues of attack. This is where you'd use nmap.
Step #2. Remove anything you don't absolutely need. Come on, most people out there will be running some distribution now. At least he could have covered dpkg, rpm, etc.
What's this with the "Enter kill -9 xxx where xxx is the PID."? How about just
And editing xinetd.conf / inetd.conf? Again, just use the package manager to remove it.
And he doesn't even go into how each distribution handles package updates? What the fuck? Nothing about "apt-get update"? No "apt-get upgrade"?
No, this article is about someone's discovery of Bastille and how it helps an old, stock installation of Red Hat.
The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.
Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.
The article isn't very useful or accurate.
UNIX? They're not even circumcised! Savages!
That is correct. By default, they are all closed.
But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.
As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.
That's without a firewall.
Before making a claim like that, the writer should come up with at least three examples, from current versions of major distros.
Reminds me of a local woman who said "We must have a town-wide neighborhood watch, because there's a child sexual predator on every block." In the several years since she raised that hysteria, there's been exactly one serious case in town: one of her best friends had his extensive child porn collection found by the police. He hired the state's most expensive lawyers and got off with probation. She's still his best friend.
Back to the topic. The article mentions telnet. Is there a single current distro that comes with telnetd enabled? Let's help the sloppy author. Has anyone here installed any current distro and found "open ports and unpatched vulnerabilities"?
"with their freedom lost all virtue lose" - Milton
Seriously. As someone else mentioned, this article has been outdated for about a decade. Good installers will pull in all the latest stable versions (assuming a net connection), but any popular Linux distro is trivial to update immediately after. And I can't recall the last time I've seen a default workstation/desktop install with any open ports. Maybe SSH.
LOAD "SIG",8,1
This article makes no mention of grsecurity. Surely closing off unused services and patching vulnerabilities can certainly prevent a penetration, but what happens if a penetration is successful? grsecurity is the answer.
Don't read TFA then. The advice it gives is barely relevant to any distro released in the past decade.
"I've got more toys than Teruhisa Kitahara."
There is more to being an IT Geek than pushing Linux to the world.
There are other kinds of FOSS products than Linux btw - so why is Linux the only one to get 30% of the index page?
Although I like and use Linux, I think the point is valid.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Can you tell us the story about how you came to write this article?
Here's how I'm picturing it:
(editor) Mr. Williams, we need a techie article on Linux.
(mr. williams) Okay... I haven't touched linux since I played around with my RedHat 7.2 box 3 years ago.
(editor) Do you still have it?
(mr. williams) Yes, what would you like me to write about it?
(editor) Write something up on securing its "holes and vulnerabilities", and we'll sensationalize it a bit by making it look like Linux is insecure out of the box.
(mr. williams) I don't know how to do that.
(editor) Find something on google. Try it on your RedHat machine.
(mr. williams) I'm going to look really stupid.
(editor) You're a journalist.
Just disrupt the deflector shield with a tachyon burst.
Seems to me the article is just pimping Bastille Linux. Years and years ago, most distros did indeed ship with some pretty crack-worthy options enabled by default. It took a small amount of prodding by the community, but most distros, these days, lean towards a default disable policy:
/etc/hosts.deny ALL:PARANOID
- [KU]buntu
All services off by default. netfilter rules are default allow however, but there is
nothing to connect to.
- Fedora/RHEL/CentOS
Choose during install what services you want enabled/open/firewalled.
SELinux enabled by default.
- Knoppix 5.1.1
Only Port 68 for dhcp client listener.
- Mandriva 2007 Bootable CD
Port 6000 is all that's open (X server. Ok this is dumb, why?)
Other distros follow similar suit. You can find out what's running on your Linux box with:
- netstat -tuna (all tcp/udp sockets, don't resolve names, all listening/non-listening sockets)
- locate iptables; sudo iptables -nvL (show iptables chains for netfilter)
Chances are, if you've not mucked around with the default services things are pretty tight.
TFA is a bit inaccurate for Linux systems these days.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Yep. That's why I prefer hitting it from a different machine. Multiple machines if possible. One on the same LAN segment and one from somewhere on the Internet.
That way you'll see what a would-be-attacker will see.
Sure, I might be running SMTP on port 25, but bound to 127.0.0.1 instead of eth0. An attacker would have to FIRST gain access to my machine through some other means to be able to attack my SMTP service.
Sure, that first hurdle might be set very, Very, VERY, VERY high, but if someone can get over it
And that's what "security" is all about to me. It's the PROCESS of evaluating threats and reducing their effectiveness.
The obvious problem with this article is they mention using "Bastille" and forget to mention grsec. I don't really care about Bastille, but I do care about using grsec. Just because you turn off some services doesn't mean someone is not going to pop an xterm off your apache web server from some random cgi vulnerability... At least when someone compromises your web server in this way (which is probably how most Linux web servers get compromised these days anyway), the attacker won't be able to do anything besides navigate the directory tree maybe. The attacker won't be able to view processes that are outside their own uid. The attacker won't be able to execute binaries outside of the standard bin directories (so custom scripts/binaries won't execute), and stack overflows do not allow execution of arbitrary code.. It's not a very fun environment to work in, most attackers will just look around and exit when confined to this type of environment...
and "netstat -putin" secretly terminates all applications and pretends there's no open ports?
The best way to predict the future is to invent it
Maybe it does. Maybe it does not. But that is immaterial. This is about what an attacker would see. Not what your machine can see from itself.
It is possible to set up a system that allows access to those services from eth0 & localhost, but not from any other addresses.
You are not concerned about what you can see from your machine. You are concerned about what an attacker can see. They are NOT the same.
NO it will NOT.
Your statement is only accurate for the condition in which NO ports are open. That is a single scenario and does NOT account for the various possibilities. Therefore the ONLY way to know what an attacker would see is to scan the way the attacker would.
No. Again, the system can be set up so that the ports are visible from localhost and eth0. The only way to know EXACTLY what the attacker can see (other than in the specific scenario of all ports being closed) is to scan the way the attacker would.
No, the list given by nmap would not be accurate. Because the list given by nmap would show ports open (and therefore vulnerable) when there would be no way for an attacker to see those ports.
Again, the only time your statement would be accurate is the single case of all ports being closed.
I've given multiple, specific examples where such would not be the case. I've shown where your statement is correct ONLY FOR A SINGLE SCENARIO where all the ports are closed.
Again, I've provided specific examples that illustrate where the information gained by scanning from an attacker's position would be different than scanning from the machine itself.
You can claim that such is impossible all you want.
But the facts contradict you.
You are taking a single case and claiming that it is the same for ALL the possible configurations. It is not. The only way to know what an attacker will see is to perform the scan as an attacker would.
I would install a Debian server using the minimum install cds and then apt-getting just the services I need from the mirrors (which should have current patches). I mean, if it is going to be a server it should have a somewhat fast internet connection, right?
Why do "security experts" like these folks always suggest using nmap to determine what services you are running? Have these folks never heard of netstat?
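The netstat-versus-nmap argument above (a service bound to 127.0.0.1 versus one bound to eth0 or all interfaces) comes down to reading the Local Address column. The following is an added example, not code from any poster, that sorts a `netstat -tuln`-style listing into loopback-only listeners and listeners bound to a routable address; the listing itself is constructed sample data, not a real host.

```sh
#!/bin/sh
# Added example: classify listening sockets from `netstat -tuln` output.
# 127.0.0.1 / ::1 listeners are reachable only from the machine itself;
# 0.0.0.0 / :: listeners are bound on every interface; a specific address
# (e.g. 192.0.2.10) is bound on that interface only. Whether a non-loopback
# listener is actually reachable still depends on netfilter rules, which is
# why the thread's advice to scan from another host remains the final check.

# Constructed sample in the format of `netstat -tuln` (not a real machine).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# classify_ports MODE LISTING: prints "proto port" per socket.
# MODE "exposed" keeps non-loopback bindings, "loopback" keeps 127.0.0.1/::1.
classify_ports() {
  mode=$1
  printf '%s\n' "$2" | awk -v mode="$mode" '
    $1 !~ /^(tcp|udp)/ { next }              # skip header lines
    {
      addr = $4
      n = split(addr, parts, ":")           # port is the last ":" field
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      loopback = (host == "127.0.0.1" || host == "::1")
      if (mode == "loopback" && !loopback) next
      if (mode == "exposed" && loopback) next
      print substr($1, 1, 3), port          # tcp6/udp6 reported as tcp/udp
    }'
}

exposed_ports()       { classify_ports exposed "$1"; }
loopback_only_ports() { classify_ports loopback "$1"; }

# Run against the sample listing (or pipe in real output: netstat -tuln).
exposed_ports "$SAMPLE_NETSTAT"
```

On a live box, `exposed_ports "$(netstat -tuln)"` gives the candidate list that an outside scanner could see; anything on it that a remote nmap does not report is being filtered by the firewall rather than being closed.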