Basic Linux Security for SEDCON Users

In the past few years, Linux vendors have worked hard to make Linux usable by appealing to a larger user base. As a result, the number of Linux boxes sitting on desktops has increased dramatically in the university as a whole and in the School of Engineering in particular. Most users need to manage the security on their systems themselves unless they have a system administrator taking care of it for them.

Maintaining a secure Linux box is an ongoing process rather than something that you do only once and forget about, so it is important to have an understanding of Linux security. In order to help VUSE users avoid the inconveniences of computer break-ins we offer this document as a starting point for learning how to manage security on Linux boxes.


Online resources

A simple yet comprehensive guide to security on Linux systems can be found at http://www.linuxdoc.org/LDP/lasg/

A more technical guide with comprehensive examples can be found at http://www.linuxdoc.org/LDP/gawlso/Securing-Optimizing-Linux-RH-Edition-1_3.pdf

Both of these sources come from the Linux Documentation Project (LDP). This organization has lots of good, well indexed documentation on all things Linux. The LDP can be found at http://www.linuxdoc.org


Minimal recipe for a more secure system

Even without reading the above documentation, the security of a Linux box can be greatly increased by performing a few simple actions. Following the recipe below will go a long way toward increasing the security of your Linux box, but it is not as comprehensive as either of the two guides mentioned above.

  1. Turning off unnecessary services

    The file /etc/inetd.conf contains several lines defining services that can be run on your Linux box. Every line that begins with '#' is a comment. It is important that the only lines that are not comments are lines that describe services that you want running on your machine. The reason for this is that outside attacks often target specific services, and by turning unnecessary services off you eliminate the risk of being attacked through those services.

    Disabling a service only stops those types of connections from being made to your machine. For example, if you disable ftp, you will not be able to ftp to your machine from another host, but you will still be able to ftp from your machine to an ftp server.

    In general, for non-server machines, the only service that needs to be enabled in inetd.conf is telnet. We recommend against enabling ftp since there are several known attacks against the default ftp daemon (WU-FTP). If you require ftp access to your Linux box, download and install the most recent version of either ProFTP from http://www.protftp.net or one of the many other free ftp servers available.

  2. TCP wrapping enabled services

    Two files control which IP addresses can use the services enabled on your machine: /etc/hosts.allow and /etc/hosts.deny. If these files do not exist or are empty, all IP addresses are allowed access to your enabled services.

    We recommend denying access to all IP addresses in the hosts.deny file and then, in hosts.allow, explicitly allowing only those addresses that you want to be able to use services on your system.

    To deny all IPs, the only uncommented line in /etc/hosts.deny should read:
    ALL: ALL

    To enable specific IPs, the only uncommented line in /etc/hosts.allow should read:
    ALL: <list of IPs here>

    An example /etc/hosts.allow that allows 129.59.100.1 and 129.59.100.2 access would read:
    ALL: 129.59.100.1, 129.59.100.2

    Entire ranges of IPs can be specified by leaving off the trailing triplets. For example, '129.59.' specifies all IPs in the Vanderbilt domain, and '129.59.100.' specifies all IPs whose first three triplets are 129, 59, and 100.

  3. Disallowing remote root login

    It is a good idea not to allow the root account to log in from anywhere other than the console of the machine. Securing root login in this way does not prevent you from doing remote maintenance as root, since you can always log in with a user account and then su to root, but it does make certain attacks on your system more difficult.

    By default, the file /etc/securetty is not empty. By making the file zero length (deleting the contents of the file), you make it impossible for the root account to log in except from the console.
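The following shell functions are an added example, not part of the original document: they turn the three recipe steps above into checks you can run against your own copies of /etc/inetd.conf, /etc/hosts.deny, /etc/hosts.allow and /etc/securetty (each function takes the file path as an argument). Only the exact-IP and trailing-dot prefix forms of hosts.allow patterns described above are modelled; the real tcp_wrappers syntax is richer than this.

```shell
#!/bin/sh
# Added example (not from the original document): audit helpers for the three
# recipe steps. Each takes the path of the file to inspect, so it works on
# /etc/inetd.conf, /etc/hosts.deny, /etc/hosts.allow, /etc/securetty or copies.

# Print the active (non-comment, non-blank) lines of a config file.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Step 1: names of the services inetd will start (first field of each active line).
enabled_inetd_services() {
    active_lines "$1" | awk '{ print $1 }'
}

# Step 1 check: succeeds only when telnet is the sole enabled service.
only_telnet_enabled() {
    [ "$(enabled_inetd_services "$1" | sort -u | tr '\n' ' ')" = "telnet " ]
}

# Step 2 check: succeeds when hosts.deny carries the catch-all "ALL: ALL" rule.
denies_all_by_default() {
    active_lines "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# Step 2 helper: does one client address match one pattern from the ALL: line?
# "129.59.100.1" must match exactly; "129.59." matches anything that starts with
# it. The trailing dot matters: "129.59.10." does not match 129.59.100.1.
ip_matches_pattern() {
    ip=$1; pat=$2
    case "$pat" in
        *.) case "$ip" in "$pat"*) return 0 ;; esac ;;
        *)  [ "$ip" = "$pat" ] && return 0 ;;
    esac
    return 1
}

# Step 2: is this client address permitted by the ALL: line in hosts.allow?
hosts_allow_permits() {
    file=$1; ip=$2
    for pat in $(active_lines "$file" | sed -n 's/^[[:space:]]*ALL[[:space:]]*:[[:space:]]*//p' | tr ',' ' '); do
        ip_matches_pattern "$ip" "$pat" && return 0
    done
    return 1
}

# Step 3 check: securetty exists and has been emptied (a missing file is not the same).
securetty_is_empty() {
    [ -f "$1" ] && [ ! -s "$1" ]
}
```

Source the file and call, for example, `hosts_allow_permits /etc/hosts.allow 129.59.100.1` to see whether a given address would be let through by the patterns you configured.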


Last change on March 30, 1999 by Dan Ost