All operations described below require that you know the root password and can su to root.
Linux Security Overview
Linux has a reputation for security, and large-scale viruses, worms, and attacks aimed at Linux systems are reported less often than those aimed at other platforms. That reputation is not a guarantee: a Linux installation still needs deliberate configuration to run as securely as possible. First, controlling how users can remotely access your machine is vital to its security. Second, a major security issue for any system is running unneeded services in the background that give attackers a way in. Linux is no different, and disabling any services you are not using is also critical in securing Linux.
Remote Access Protocols- SSH2 and telnet
The ease of use of the Linux remote access protocols is one of the strong points of Linux, but not all the protocols are created equal. The following four remote access protocols and implementations can be found in nearly every Linux distribution:
* Telnet- The oldest and least secure of all the remote access protocols, telnet should only be used if it is the only option. All information and especially passwords are sent in plain text, so anyone could intercept the information sent across the network.
* SSH- The first version of the encrypted remote login protocol (SSH protocol version 1) and the client found on nearly every Linux machine. It encrypts all data sent through it and is far better than telnet, but version 1 has known cryptographic weaknesses and should not be used where SSH2 is available.
* SSH2- A revised version of the protocol that strengthened the encryption and added new features such as sftp which, together with scp, make it easy to transfer files securely over the remote connection.
* OpenSSH- A free implementation of SSH under a BSD-style license (the SSH2 product from ssh.com is free for non-commercial use only) which has the same features as SSH2, including scp and sftp. Older OpenSSH releases spoke both protocol versions; current releases speak only SSH2.
If you wish to allow users to connect remotely to your machine, we recommend that SSH2 (www.ssh.com) or OpenSSH (www.OpenSSH.com) is used to provide a secure connection as well as a secure method of transferring files to remote machines (the old ftp protocol also sends passwords and data in clear text like telnet). An important note is that if you use an older OpenSSH release as your SSH daemon, it may still negotiate protocol version 1: force your ssh client to use the SSH2 protocol with the -2 option and set Protocol 2 in sshd_config so the server never offers version 1 (current OpenSSH releases support only version 2). To see what version of the client you currently have installed, type:
ComputerName:~# ssh -V
The man page (man sshd) documents the options for the version you have.
We also highly recommend that, if you do not plan on using some or all of the above services, you disable the corresponding services as described below and block the corresponding ports in your firewall (Linux Firewall Page).
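As an added example (not part of the original page), the following shell script checks an OpenSSH sshd_config for the Protocol directive, showing the weak setting that still allows SSH-1 beside the corrected one. The two configuration texts are constructed for illustration, and the script assumes the historical OpenSSH default of "2,1" when no Protocol line is present.

```shell
#!/bin/sh
# Added example: audit an OpenSSH sshd_config for SSH protocol version 1.
# Runs on constructed config text below, so it needs no real sshd.

# Constructed weak configuration: lets clients negotiate SSH-1 or SSH-2.
WEAK_CFG='# sshd_config (constructed sample)
Port 22
Protocol 2,1'

# Constructed hardened configuration: protocol 2 only.
HARD_CFG='# sshd_config (constructed sample)
Port 22
Protocol 2'

# Print the effective Protocol value. Comment lines are skipped, the last
# uncommented directive wins, and "2,1" is assumed as the default of older
# OpenSSH releases when no directive is present (assumption, see lead-in).
effective_protocol() {
    printf '%s\n' "$1" | awk '
        BEGIN { proto = "2,1" }
        /^[ \t]*#/ { next }
        tolower($1) == "protocol" { proto = $2 }
        END { print proto }'
}

# Return 0 when only SSH-2 can be negotiated, 1 when SSH-1 is still allowed.
ssh1_disabled() {
    case "$(effective_protocol "$1")" in
        2) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for one configuration.
report() {
    if ssh1_disabled "$2"; then
        echo "$1: Protocol $(effective_protocol "$2") - SSH-1 disabled"
    else
        echo "$1: Protocol $(effective_protocol "$2") - SSH-1 still allowed, set 'Protocol 2'"
    fi
}

report weak "$WEAK_CFG"
report hardened "$HARD_CFG"
```

To check a live server, pass the file contents instead of the samples, for example `ssh1_disabled "$(cat /etc/ssh/sshd_config)"`, and restart sshd after changing the directive.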
Disabling Unneeded Services
Services (daemons) are programs that run in the background and perform many vital operations for both servers and workstations. During a normal install of Linux, many of these services are installed and activated during the boot process by default. Historically, some of these services have had security flaws that allowed hackers, viruses, and worms to use them as doors into unsuspecting machines. Many of these services, however, are not needed by common users and can be turned off, closing security holes and recovering system resources. Listed below are some common Linux services as well as a method for disabling services that are not needed.
A Description of Common Linux Services
There are a good number of services that Linux uses and it is not possible to discuss them all here. A list containing a short description of many Linux services can be found at http://www.hosef.org/wiki/LinuxServiceDescriptions along with the author's opinion on whether or not the various services should be on or off. Below is a list of common services and our recommendation on whether or not they should be turned off or on. Please note that these service names are slightly different for each version of Linux and some of the services listed below may or may not appear in your listing of services.
* cron, anacron- Cron is responsible for running scheduled system jobs and anacron is responsible for running any missed jobs due to system downtime. Some versions of Linux use these two services to perform housekeeping chores, so they should be left on.
* ftpd- The File Transfer Protocol daemon, which runs an FTP server. FTP sends passwords and data in clear text, so unless you need an FTP server (or do not know what that is), turn it off and transfer files with scp or sftp instead.
* httpd- This is the HTTP daemon that allows a web server to run. If you do not run a web server on your machine, turn it off.
* iptables- One of the major Linux firewall tools. This service loads the firewall rules at boot, so it should be left enabled.
* isdn- A service for people using ISDN to access the internet. If you do not use ISDN, disable this service.
* lpd- The Linux printing daemon. If you do not have a printer, turn it off.
* nfs, nfslock, portmap- Three services required for the Network File System (NFS): the NFS server, its lock manager, and the RPC port mapper that NFS depends on. Unless you export or mount NFS shares, disable all three.
* pcmcia- The service for controlling PC Card (PCMCIA) devices. Disable this service unless you are running Linux on a laptop.
* samba, smb, smbd, nmbd- Various service names for Samba, which allows Windows machines to connect to printer or disk shares on your machine. Turn them off unless you need Windows clients to access your Linux shares.
* sshd, sshd2- These two services provide remote access over the SSH and SSH2 protocols respectively (sshd2 is the ssh.com daemon). If you would like to remotely access your machine, leave sshd2 on and turn sshd off; otherwise both can be turned off. Please note that OpenSSH appears as sshd even though it uses the SSH2 protocol, so if you want to use OpenSSH, leave sshd enabled.
* telnet, telnetd- These services allow you to remotely access your machine through telnet. This is very insecure and we recommend disabling telnet.
Using the chkconfig Command to Disable Unneeded Services
One of the easiest ways to disable unneeded services in Linux is the chkconfig utility. It is installed by default in most RPM-based distributions, and an RPM version and a .deb file for Debian users can also be downloaded. Boot-time services are started in one of two ways. Standalone services are started by SysV init scripts (in /etc/init.d or /etc/rc.d/init.d), and which scripts run depends on the run level the system boots into (the default graphical run level is 5). Network services that are only needed on demand are instead handled by a super-server: the older inetd, or its replacement xinetd, which listens on the configured ports and starts the right service when a connection arrives, independent of the current run level; xinetd adds per-service access control and logging that inetd lacks and is the more secure choice. Most distributions use both mechanisms. The chkconfig utility manages both the init-script services and the xinetd services (inetd, where it is still used, is configured directly in /etc/inetd.conf). To view the current configuration of the services, we simply have to type:
ComputerName:~# chkconfig --list
If chkconfig is installed, a printout similar to the one below should appear, with the run-level services first and the xinetd services after the "xinetd based services:" line:
cron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
daytime: on
Once you have decided which services you would like to disable, you must check whether each service is run through xinetd or through a run-level init script and enter the appropriate command. For xinetd services, the command format is simply chkconfig <service> off:
ComputerName:~# chkconfig daytime off
Typing in chkconfig --list a second time will now show us that daytime is off. For run-level services, the run levels you wish to change must also be included, making the general command structure chkconfig --level <levels> <service> off. For example, to stop httpd from starting in run levels 3, 4, and 5:
ComputerName:~# chkconfig --level 345 httpd off
Now, when chkconfig --list is typed in, the following list should appear:
cron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
daytime: off
The chkconfig utility is an easy way to manage which services start at boot time, but it is important to remember that a run-level service you disable keeps running until you either reboot or stop it by hand (its init script accepts a stop argument). An xinetd service stops accepting new connections once xinetd has reloaded its configuration, which chkconfig normally triggers for you. In either case, confirm with netstat or a port scan from another machine that nothing you meant to disable is still listening.
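As an added example (not part of the original page), the following shell script parses the chkconfig --list output format shown above, compares the enabled services against an allowlist, and prints the chkconfig and stop commands that would disable everything else. The sample listing, the allowlist, and the helper functions are constructed for illustration; to use it on a real machine, pass the actual output of chkconfig --list instead of the sample.

```shell
#!/bin/sh
# Added example: turn a chkconfig --list listing into the commands needed to
# disable (and stop) every boot-time service not on an allowlist.
# Works on the constructed sample below, so it runs without chkconfig installed.

# Constructed sample of chkconfig --list output (not captured from a real host).
SAMPLE_LIST='cron            0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd           0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
lpd             0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        daytime:        on
        telnet:         on
        sftp:           off'

# Assumed allowlist for a headless machine reached over SSH.
ALLOW="cron sshd iptables xinetd"

# $1 = service name; succeeds if it is on the allowlist.
in_allow() {
    for a in $ALLOW; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Print the run-level (init script) services enabled in any of run levels 2-5.
# Everything before the "xinetd based services:" line is a run-level entry.
sysv_enabled() {
    printf '%s\n' "$1" | awk '
        /xinetd based services:/ { exit }
        /[2-5]:on/ { print $1 }'
}

# Print the xinetd services whose state is "on" (strip the trailing colon).
xinetd_enabled() {
    printf '%s\n' "$1" | awk '
        /xinetd based services:/ { inx = 1; next }
        inx && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Emit the commands that would disable everything not on the allowlist.
# Run-level services also need an explicit stop, since chkconfig only
# changes what happens at the next boot.
plan_disable() {
    for s in $(sysv_enabled "$1"); do
        in_allow "$s" && continue
        echo "chkconfig --level 2345 $s off"
        echo "/etc/init.d/$s stop"
    done
    for s in $(xinetd_enabled "$1"); do
        in_allow "$s" && continue
        echo "chkconfig $s off"
    done
}

plan_disable "$SAMPLE_LIST"
```

The script only prints the commands so you can review them before running anything as root; pipe its output to sh once you are satisfied. On the sample listing it proposes disabling httpd, lpd, daytime, and telnet while leaving cron and sshd alone.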