Linux Administrator’s Security Guide LASG - 0.1.7 By Kurt Seifried ([email protected]) copyright 1999, All rights reserved. Available at: https://www.seifried.org/lasg/ or http://www.seifried.org/lasg/. This document is free for most non commercial uses, the license follows the table of contents, please read it if you have any concerns. If you have any questions email [email protected]. A mailing list is available, send an email to [email protected], with "subscribe lasg-announce" in the body (no quotes) and you will be automatically added. 1 Table of contents License Preface Forward by the author Contributing What this guide is and isn't How to determine what to secure and how to secure it Safe installation of Linux Choosing your install media It ain't over 'til... General concepts, server versus workstations, etc Physical / Boot security Physical access The computer BIOS LILO The Linux kernel Upgrading and compiling the kernel Kernel versions Administrative tools Access Telnet SSH LSH REXEC NSH Slush SSL Telnet Fsh secsh Local YaST sudo Super runas Remote Webmin Linuxconf COAS 2 PAM System Files /etc/passwd /etc/shadow /etc/groups /etc/gshadow /etc/login.defs /etc/shells /etc/securetty Log files and other forms of monitoring General log security sysklogd / klogd secure-syslog next generation syslog Nsyslogd Log monitoring Psionic Logcheck colorlogs WOTS swatch Kernel logging auditd Shell logging bash Password security Cracking passwords John the ripper Crack Saltine cracker VCU Software Management RPM dpkg tarballs / tgz Checking file integrity RPM dpkg PGP MD5 Automatic updates RPM AutoRPM rhlupdate RpmWatch dpkg apt 3 tarballs / tgz Tracking changes installwatch instmon Converting formats alien slurp File / Filesystem security Secure file deletion wipe ([email protected]) wipe ([email protected]) Access control lists (ACL’s) Linux trustees (ACL) project User security and limitation PAM Bash Quota ttysnoop TCP-IP and network security IPSec IPv6 TCP-IP attack programs HUNT Project Monitoring users UserIPAcct PPP security IP Security (IPSec) IPSec network setup Manual connection keying Automatic connection keying Commercial IPSec products Routing routed gated zebra Basic network service security What is running and who is it talking to? PS Output Netstat Output lsof Basic network services config files inetd.conf 4 TCP_WRAPPERS Network services Telnetd SSHD Fresh Free FiSSH Tera Term putty mindterm LSH Secure CRT RSH, REXEC, RCP Webmin FTP WU-FTPD ProFTPD NcFTPD HTTP / HTTPS Apache / Apache-SSL Red Hat Secure Server Roxen AOL Server SQUID squidGuard DeleGate SMTP Sendmail Qmail Postfix Zmailer DMail POPD WU IMAPD (stock popd) Cyrus IDS POP Qpopper IMAPD WU IMAPD (stock imapd) Cyrus WWW based email readers Non Commercial IMP AtDot acmemail IMHO Commercial DmailWeb WebImap Coconut WebMail Pro DNS 5 Bind Dents NNTP INN Diablo DNews Cyclone Typhoon DHCPD NFSD tftp tftp utftpd bootp cu-snmp Finger Cfingerd PFinger Identd ntpd CVS rsync lpd LPRng pdq CUPS SAMBA SWAT File sharing methods SAMBA NFS Coda Drall AFS Network based authentication NIS / NIS+ SRP Kerberos Encrypting services / data Encrypting network services SSL HTTP - SSL Telnet - SSL FTP - SSL Virtual private network solutions IPSec PPTP 6 CIPE ECLiPt Stunnel Encrypting data PGP GnuPG pgp4pine HardEncrypt Encrypting your harddrive CFS TCFS PPDD Encrypted Home Directory Sources of random data Firewalling IPFWADM IPCHAINS NETFILTER Rule Creation ipfwadm2ipchains mason firewall.sh Mklinuxfw kfirewall fwconfig Firewall Manager Kernel security patches Secure Linux – kernel patch International Kernel Patch Scanning / intrusion testing tools Host scanners Cops SBScan Network scanners Strobe nmap MNS Bronc Buster vs. Michael Jackson Leet scanner Soup scanner Network Superscanner Portscanner Queso Intrusion scanners Nessus Saint Cheops 7 Ftpcheck / Relaycheck SARA BASS Firewall scanners Firewalk Exploits Scanning and intrusion detection tools Logging tools Psionic PortSentry Host-based attack detection Firewalling TCP_WRAPPERS Klaxon Psionic HostSentry Pikt Network-based attack detection NFR Host monitoring tools check.pl bgcheck Sxid ViperDB Pikt DTK Packet sniffers tcpdump sniffit Ethereal Snort SPY Other sniffers Viruses, Trojan Horses, and Worms Disinfection of viruses / worms / trojans Virus scanners for Linux Sophos Anti-Virus AntiVir Scanning Email AMaViS Sendmail Postfix Password storage Gpasman Strip Conducting baselines / system integrity 8 Tripwire AIDE L5 Gog&Magog nannie Confcollect Backups Conducting audits Backups Tar and Gzip Noncommercial Backup programs for Linux Amanda afbackup Commercial Backup Programs for Linux BRU Quickstart CTAR CTAR:NET Backup Professional PC ParaChute Arkeia Legato Networker Pro's and Con's of Backup Media Dealing with attacks Denial of service attacks Examples of attacks Secure Linux distributions Bastille Linux kha0S Secure Linux Distribution / Vendor specific information Red Hat Red Hat Linux 6.0 SuSE SuSE Linux 6.1 Caldera Caldera OpenLinux 2.2 TurboLinux TurboLinux 3.6 Debian Debian 2.1 Slackware Slackware Linux 4.0 9 Vendor contact information WWW server specifics FTP access Samba access WWW based access FrontPage access Mailing lists SmartList Majordomo Minordomo Sympa Listar Database security MySQL PostgreSQL mSQL Informix Sybase Oracle DB2 Internet connection checklist Secure programming Secure UNIX Programming FAQ Secure Internet Programming Contributors Appendix A: Books and magazines Appendix B: URL listing for programs Appendix C: Other Linux security documentation Appendix D: Online security documentation Appendix E: General security sites Appendix F: General Linux sites Version History 10 License Terms and Conditions for Copying, Distributing, and Modifying Items other than copying, distributing, and modifying the Content with which this license was distributed (such as using, etc.) are outside the scope of this license. The 'guide' is defined as the documentation and knowledge contained in this file. 1. You may copy and distribute exact replicas of the guide as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the guide a copy of this License along with the guide. You may at your option charge a fee for the media and/or handling involved in creating a unique copy of the guide for use offline, you may at your option offer instructional support for the guide in exchange for a fee, or you may at your option offer warranty in exchange for a fee. You may not charge a fee for the guide itself. You may not charge a fee for the sole service of providing access to and/or use of the guide via a network (e.g. the Internet), whether it be via the world wide web, FTP, or any other method. 2. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to copy, distribute or modify the guide. These actions are prohibited by law if you do not accept this License. Therefore, by distributing or translating the guide, or by deriving works herefrom, you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or translating the guide. NO WARRANTY 3. BECAUSE THE GUIDE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE GUIDE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE GUIDE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK OF USE OF THE GUIDE IS WITH YOU. SHOULD THE GUIDE PROVE FAULTY, INACCURATE, OR OTHERWISE UNACCEPTABLE YOU ASSUME THE COST OF ALL NECESSARY REPAIR OR CORRECTION. 4. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MIRROR AND/OR REDISTRIBUTE THE GUIDE AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE GUIDE, EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 11 Preface Since this is an electronic document, changes will be made on a regular basis, and feedback is greatly appreciated. The author is available at: Kurt Seifried [email protected] (780) 453-3174 My Verisign class 2 digital ID public key: -----BEGIN CERTIFICATE----- MIIDtzCCAyCgAwIBAgIQO8AwExKJ74akljwwoX4BrDANBgkqhkiG9w0BAQQFADCB uDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y eS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxNDAyBgNVBAMTK1Zl cmlTaWduIENsYXNzIDIgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwHhcNOTgx MDIxMDAwMDAwWhcNOTkxMDIxMjM1OTU5WjCB6TEXMBUGA1UEChMOVmVyaVNpZ24s IEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsT PXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBieSBSZWYu LExJQUIuTFREKGMpOTgxJzAlBgNVBAsTHkRpZ2l0YWwgSUQgQ2xhc3MgMiAtIE1p Y3Jvc29mdDEWMBQGA1UEAxQNS3VydCBTZWlmcmllZDEkMCIGCSqGSIb3DQEJARYV c2VpZnJpZWRAc2VpZnJpZWQub3JnMFswDQYJKoZIhvcNAQEBBQADSgAwRwJAZsvO hR/FIDH8V2MfrIU6edLc98xk0LYA7KZ2xx81hPPHYNvbJe0ii2fwNoye0DThJal7 bfqRI2OjRcGRQt5wlwIDAQABo4HTMIHQMAkGA1UdEwQCMAAwga8GA1UdIASBpzCA MIAGC2CGSAGG+EUBBwEBMIAwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlz