This article originally appeared in issue 80 of Linux User & Developer and was written by Swayam Prakasha
Over the last few years, system security has gained a lot of momentum and software professionals are focusing heavily on this aspect. Linux is often treated as a highly secure operating system. However, the reality is that Linux too has its own share of security flaws. And these security flaws allow external hackers to get into your system and modify or even destroy your important data. But there’s no need to panic, since there are various mechanisms by which these flaws can be removed.
The security system is in two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted. Let’s take a look at the major causes for security problems in Linux…
Local security
Local users can create a lot of problems for your system. It is bad policy to provide accounts to people you don’t know or for whom you have no contact information. It is better to follow some rules of thumb when offering access to your Linux machine: give users minimum privileges, monitor when and where they log in, remove inactive accounts and prohibit the creation of group user IDs.
Root security
Since the root account has authority over the entire machine, you should use it only for specific tasks. Even a small mistake made while logging in as a root user can lead to significant problems. Follow the simple rules below and they will help you.
• When running complex commands, first run them in a non-destructive manner. A simple example is to do an ‘ls’ before doing an ‘rm’ so that you are sure about the files you are going to delete.
• Give users an interactive rm for deleting files.
• Become root only to do specific tasks. If you want to experiment with something, go back to a normal user shell.
• The command path, which specifies the directories in which the shell searches for the programs, is very important. Limit the command path and never include ‘.’ (signifying the current directory) in your command path.
• The /etc/securetty file contains a list of terminals that root can log in from. Be careful while adding an entry to this file.
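The command-path rule above can be checked mechanically. The following is an added example (not code from the original article): `check_path` takes a PATH string (defaulting to the caller's own `$PATH`), reports every component that is empty or relative, and returns non-zero when any is found. Everything else, such as the message wording, is the example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a PATH value for the
# entries the "Root security" rules warn about. An empty component (e.g. the
# "::" in "/bin::/usr/bin" or a trailing ":") means the current directory,
# exactly like an explicit ".".
#
# check_path [PATH_STRING]  -> prints one line per unsafe entry,
#                              returns 0 if clean, 1 otherwise.
check_path() {
    p="${1:-$PATH}"
    rc=0
    # Walk the colon-separated list with parameter expansion (POSIX sh, no
    # arrays). Appending ':' makes the trailing component visible.
    rest="$p:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        case "$dir" in
            '')  echo "unsafe: empty component (current directory)"; rc=1 ;;
            .)   echo "unsafe: '.' (current directory)";             rc=1 ;;
            /*)  ;;   # absolute directory: acceptable
            *)   echo "unsafe: relative component '$dir'";          rc=1 ;;
        esac
    done
    return $rc
}

# Example use from an interactive root shell (guarded so that sourcing this
# file does not run it):
#   check_path && echo "PATH is clean"
```

Run `check_path` from a root shell after editing `/root/.profile` or similar startup files; the interactive-rm rule from the same list is the usual `alias rm='rm -i'` in those files.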
File system security
Keep in mind the following points to help protect your systems and data stored on them.
If you are exporting file systems using NFS, configure /etc/exports with the most restrictive access possible. Do not use any wild cards.
/var/log/wtmp and /var/run/utmp contain the log-in attempts for all users. Their integrity needs to be maintained, as they help in determining when and from where a user has entered your system.
World-writable files can serve as a security hole. Also, world-writable directories are dangerous as they allow an intruder to add/delete files. You must locate the world-writable files on your system and make sure that you know why they are writable.
It is also important to locate the unowned files. The presence of unowned files might also be an indication that an intruder has accessed your system. You can locate such files by using the following command:
$ find / \( -nouser -o -nogroup \) -print
You should also locate any .rhosts files. Use this command to find them:
$ find /home -name .rhosts -print
Before you change the permission on any system files, make sure you know what you are doing. NEVER make changes to the permission on a file just because it is the easy way to get things working.
File permissions
Make sure that your system files are not open for casual editing by users and groups who do not have the appropriate permissions. Linux distinguishes access control by three classes: owner, group and other. Access to a file is determined by permission bits, ‘rwx’, where ‘r’ means ‘read’, ‘w’ means ‘write’ and ‘x’ means ‘execute’. We can set or clear these three bits for each class according to the kind of access we want to give. This is the basic level of protection against unauthorised access to a file.
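The checks described under ‘File system security’ and ‘File permissions’ (world-writable files and directories, unowned files, .rhosts files, and reading the owner/group/other triplets) can be combined into one audit pass. The following is an added example, not code from the original article: `audit_tree` scans a directory tree (the argument is an assumption; it defaults to `/`) and tags each finding, and `describe_mode` explains a permission string such as `-rw-rw-rw-` in the three classes the article describes.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit of a
# directory tree for the conditions the article lists. Nothing is changed;
# the output is meant to be reviewed by the administrator.
#
# audit_tree [ROOT]   -> tagged lines, one per finding (ROOT defaults to /)
audit_tree() {
    root="${1:-/}"
    # World-writable regular files.
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null \
        | sed 's/^/WORLD-WRITABLE FILE: /'
    # World-writable directories without the sticky bit: anyone can delete or
    # rename any entry in them.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sed 's/^/WORLD-WRITABLE DIR: /'
    # Sticky world-writable directories (the /tmp pattern) are usually expected,
    # so they are reported separately rather than hidden.
    find "$root" -xdev -type d -perm -0002 -perm -1000 -print 2>/dev/null \
        | sed 's/^/WORLD-WRITABLE STICKY DIR: /'
    # Files whose owner or group no longer exists in /etc/passwd or /etc/group.
    find "$root" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null \
        | sed 's/^/UNOWNED: /'
    # Per-user .rhosts files (trusted-host logins for rsh/rlogin).
    find "$root" -xdev -name .rhosts -print 2>/dev/null \
        | sed 's/^/RHOSTS: /'
}

# describe_mode MODE  -> "owner=rwx group=r-x other=r-x", plus a flag when
# the 'other' class can write. MODE is the 9- or 10-character string shown
# by "ls -l" (the leading type character is dropped if present).
describe_mode() {
    mode="$1"
    [ ${#mode} -eq 10 ] && mode="${mode#?}"
    owner=$(printf '%s' "$mode" | cut -c1-3)
    group=$(printf '%s' "$mode" | cut -c4-6)
    other=$(printf '%s' "$mode" | cut -c7-9)
    printf 'owner=%s group=%s other=%s' "$owner" "$group" "$other"
    case "$other" in
        ?w?) printf ' (WORLD-WRITABLE)' ;;
    esac
    printf '\n'
}

# Typical use (run as root so every directory is readable):
#   audit_tree / | sort > /root/fs-audit.txt
#   describe_mode "$(ls -ld /etc/passwd | cut -c1-10)"
```

`-xdev` keeps each `find` on one file system, so run the audit once per mounted file system rather than letting it descend into network mounts or `/proc`.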
Integrity checking
There is a very good mechanism to detect local attacks on your system. This is referred to as ‘integrity checking’. Tripwire, Aide and Osiris are some of the popular integrity checkers. These integrity checkers will run a number of checksums on all important binaries and configuration files and compare them against a database of former, known values as a reference. Thus any changes in files can be easily flagged. Based on these signals, a system administrator can make appropriate changes so that integrity of important files is maintained.
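To show the mechanism behind Tripwire, Aide and Osiris without their databases, here is an added example (not code from the original article or from any of those tools): a baseline of SHA-256 sums is recorded once, then later runs compare the live files against it. File and directory paths are assumptions. It also covers one thing `sha256sum -c` alone cannot do, namely spotting files that were added after the baseline was taken.

```shell
#!/bin/sh
# Added example, not part of the original article and not how Tripwire,
# Aide or Osiris store their data: a minimal integrity baseline using
# sha256sum. Keep the baseline file somewhere an intruder cannot rewrite it
# (read-only media, or a separate log host).

# baseline_create DB DIR...  -> writes "sum  path" lines for every regular
# file under the given directories into DB.
baseline_create() {
    db="$1"; shift
    find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$db"
}

# baseline_check DB  -> returns 0 when every listed file still matches;
# otherwise prints the changed or missing files and returns 1.
baseline_check() {
    db="$1"
    if sha256sum -c --quiet "$db" >/dev/null 2>&1; then
        return 0
    fi
    # Second pass only to print the offenders ("FAILED" / "FAILED open or read").
    sha256sum -c "$db" 2>/dev/null | grep -v ': OK$'
    return 1
}

# baseline_new_files DB DIR...  -> prints regular files present now that are
# not in DB. sha256sum -c only verifies listed files, so new ones need this.
baseline_new_files() {
    db="$1"; shift
    find "$@" -type f | sort > "$db.now"
    sed 's/^[0-9a-f]*  //' "$db" | sort > "$db.known"
    comm -23 "$db.now" "$db.known"
    rm -f "$db.now" "$db.known"
}

# Typical use (paths are assumptions):
#   baseline_create /root/integrity.db /etc /bin /sbin /usr/bin /usr/sbin
#   ... later, from cron ...
#   baseline_check /root/integrity.db
#   baseline_new_files /root/integrity.db /etc /bin /sbin /usr/bin /usr/sbin
```

After a legitimate package update the check will fire on every replaced binary; re-run `baseline_create` only once you have confirmed the changes were yours, otherwise the baseline silently absorbs an intruder's modifications.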
Password security
Most Linux distributions come with ‘passwd’ programs that do not allow you to set a password that can be easily guessed. Thus, it is necessary to make sure that your passwd program is up to date. Linux uses a one-way encryption algorithm known as DES (Data Encryption Standard) to encrypt your passwords. The encrypted password is stored in /etc/passwd. When you try to log in, the password you type is encrypted again and compared with the entry in the file that stores your password. A match means you have entered the same password and you are given access to the system.
Shadow passwords are a means of keeping your encrypted password information secret from the normal users. Recent versions of both Red Hat and Debian Linux use shadow passwords by default. Shadow passwords are saved in /etc/shadow and they can be read only by privileged users.
Kernel security
As the kernel controls your machine’s networking, it is essential to keep it secure. Let’s look at some popular kernel configuration options that relate to security.
IP forwarding: If you enable IP forwarding, your Linux box becomes a router. You can enable or disable IP forwarding by using these commands:
root# echo 1 > /proc/sys/net/ipv4/ip_forward   # enable
root# echo 0 > /proc/sys/net/ipv4/ip_forward   # disable
IP firewalling: This option is very useful if you want to protect your dial-up workstation from someone entering via your PPP dial-up interface.
IP firewall packet logging: This option displays the information about the packets your firewall receives.
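The same /proc/sys interface the article uses to set IP forwarding can be read back to audit a host. The following is an added example (not code from the original article): `check_net_sysctls` compares a short list of IPv4 kernel settings against the value a non-router host is normally expected to have. The root directory is a parameter (assumed; it defaults to /proc/sys) so the check can also be run against a copied tree. It goes beyond the article's ip_forward example by including a few other standard IPv4 keys (`accept_redirects`, `accept_source_route`, `tcp_syncookies`, `icmp_echo_ignore_broadcasts`).

```shell
#!/bin/sh
# Added example, not part of the original article: read kernel networking
# settings from /proc/sys and flag the ones that differ from the expected
# value. The expected values below are the example's own choices for a host
# that is not acting as a router.
#
# check_net_sysctls [PROC_SYS_ROOT]  -> one line per key: OK / WARN / SKIP,
#                                        returns 0 if no WARN, 1 otherwise.
check_net_sysctls() {
    base="${1:-/proc/sys}"
    rc=0
    for pair in \
        net/ipv4/ip_forward=0 \
        net/ipv4/conf/all/accept_redirects=0 \
        net/ipv4/conf/all/accept_source_route=0 \
        net/ipv4/tcp_syncookies=1 \
        net/ipv4/icmp_echo_ignore_broadcasts=1
    do
        key="${pair%=*}"; want="${pair#*=}"
        f="$base/$key"
        if [ ! -r "$f" ]; then
            # Key absent on this kernel (or the option is not compiled in).
            echo "SKIP  $key (not present)"
            continue
        fi
        have=$(cat "$f")
        if [ "$have" = "$want" ]; then
            echo "OK    $key=$have"
        else
            echo "WARN  $key=$have (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Typical use:
#   check_net_sysctls || echo "one or more settings need attention"
```

Values written with `echo` into /proc/sys are lost at reboot; to make them persistent put the dotted form (for example `net.ipv4.ip_forward = 0`) in /etc/sysctl.conf or a file under /etc/sysctl.d/ and load it with `sysctl -p`.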
Other security implementations
The one to consider here is the implementation of IPSEC for Linux. IPSEC is a mechanism to create cryptographically secure communications at the IP network level. The main idea here is to provide authentication, integrity, access control and confidentiality for your information.
Security guidelines
Among all the concerns surrounding the writing of good code, security necessarily comes at the top. Security problems can come from people actively trying to penetrate your security or from simple issues such as someone providing unexpected inputs to a program or running some wrong commands. Too much access to systems can mean that users – even with legitimate access – can cause trouble, either accidentally or on purpose.
Security best practices
Let us say that you have tested your system and found it to be secure, and so it is ready to go online. It is important to follow these guidelines so that you can minimise the impact if an intruder attacks your system:
• Make sure that your entire system is backed up.
• Choose a good back-up schedule.
• Make sure you test your backups to ensure they’re working as you expect.
• Apply all new system updates quickly so that everything is up to date.
• Track the system accounting data. Make sure that files in /var/log are readable and writable only by a limited number of users.
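The backup items in the list above are only worth anything if the restore is exercised. The following is an added example (not code from the original article): `backup_dir` creates a compressed tar archive of a directory, `verify_backup` restores it to a scratch location and compares it with the source, and `log_perm_check` reports log files that are readable or writable by ‘other’. All paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: a backup that is tested
# by restoring it, plus a permission report for the log directory.

# backup_dir SRC ARCHIVE  -> ARCHIVE (tar.gz) containing SRC, stored with
# paths relative to SRC's parent so it can be restored anywhere.
backup_dir() {
    src="$1"; archive="$2"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
}

# verify_backup SRC ARCHIVE  -> restores into a temporary directory and
# compares recursively; returns 0 only when the contents match byte for byte.
verify_backup() {
    src="$1"; archive="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

# log_perm_check [DIR]  -> regular files under DIR (default /var/log) that
# the 'other' class can read or write; these deserve a look.
log_perm_check() {
    dir="${1:-/var/log}"
    find "$dir" -type f \( -perm -0004 -o -perm -0002 \) -print 2>/dev/null
}

# Typical use from a nightly cron job (paths are assumptions):
#   backup_dir /etc /backup/etc-$(date +%F).tar.gz
#   verify_backup /etc /backup/etc-$(date +%F).tar.gz || echo "backup of /etc FAILED verification"
#   log_perm_check /var/log
```

`diff -r` compares contents only; if ownership and modes matter for your restore, add a comparison of `ls -lR` output or use `tar --diff` against the live tree.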
Why should I use security event logs?
Hopefully you keep your computers patched and updated and your network is secure. However, it is fairly inevitable that you will at some point be hit by malicious activity: a virus, worm, Trojan horse, hack attack or otherwise. When that happens, if you have done the right things before the attack, you will make the job of determining when and how the attack succeeded that much easier.
Some systems have various auditing and logging functions built in. You can also install additional software to monitor and log various actions on the computer (see ‘Security monitoring’ box below). If it’s possible to use a dedicated hard drive and/or hard drive controller, you will have less performance impact because the log files can be written to the disk without having to fight with the applications you’re trying to run for access to the drive. If you can direct the log files to a separate computer – possibly dedicated to storing log files and with completely different security settings – you might be able to block an intruder’s ability to alter or delete the log files as well.
A final note is that you should not wait until it’s too late, and your system has already crashed or is compromised, before viewing the logs. It is best to review the logs periodically so you can know what is normal and establish a baseline. That way, when you do come across erroneous entries, you can recognise them as such and take proactive steps to harden your system rather than doing the forensic investigation after it’s too late.
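Reviewing logs periodically, as the last paragraph recommends, is easier with a small script than by eye. The following is an added example (not code from the original article): it runs two review passes over sshd entries in the syslog-style format of /var/log/auth.log or /var/log/secure. The sample lines are constructed for the demonstration; the threshold of five failures is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original article: two simple review passes
# over sshd log lines. SAMPLE_LOG is constructed data for the demo; in use,
# feed the real file on stdin instead.
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:02:11 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar  3 10:02:13 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar  3 10:02:16 web1 sshd[2212]: Failed password for root from 203.0.113.9 port 40118 ssh2
Mar  3 10:02:19 web1 sshd[2212]: Failed password for root from 203.0.113.9 port 40118 ssh2
Mar  3 10:02:22 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 40121 ssh2
Mar  3 10:05:40 web1 sshd[2230]: Failed password for bob from 10.0.0.7 port 51100 ssh2
Mar  3 10:05:48 web1 sshd[2230]: Accepted password for bob from 10.0.0.7 port 51100 ssh2'

# failed_by_source [THRESHOLD]  -> reads log lines on stdin and prints
# "count source" for every source address with at least THRESHOLD
# (default 5) failed logins, most active first.
failed_by_source() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            # The address always follows the literal word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (s in n) if (n[s] >= min) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# accepted_after_failures  -> sources that failed at least once and were
# later accepted. A handful is normal (typos); review them against your
# baseline of who logs in from where.
accepted_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && f[$(i+1)]) print $(i+1)
        }
    ' | sort -u
}

# Typical use (the demo data, or a real file):
#   printf '%s\n' "$SAMPLE_LOG" | failed_by_source
#   failed_by_source 10 < /var/log/auth.log
#   accepted_after_failures < /var/log/auth.log
```

For the separate log host the article suggests, rsyslog forwards everything with a line such as `*.* @@loghost:514` (TCP) in /etc/rsyslog.conf or a file under /etc/rsyslog.d/; the host name is an assumption. Run these review passes on the log host, where an intruder on the compromised machine cannot edit the copy.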