Fedora 19 Security Guide A Guide to Securing Fedora Linux Johnray Fuller John Ha David O'Brien Scott Radvan Eric Christensen Adam Ligas Murray McAllister Scott Radvan Daniel Walsh Security Guide Dominick Grift Eric Paris James Morris Fedora 19 Security Guide A Guide to Securing Fedora Linux Edition 19.1 Author Johnray Fuller [email protected] Author John Ha [email protected] Author David O'Brien [email protected] Author Scott Radvan [email protected] Author Eric Christensen [email protected] Author Adam Ligas [email protected] Author Murray McAllister [email protected] Author Scott Radvan [email protected] Author Daniel Walsh [email protected] Author Dominick Grift [email protected] Author Eric Paris [email protected] Author James Morris [email protected] Copyright © 2007-2013 Fedora Project Contributors. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/ Legal:Trademark_guidelines. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries. All other trademarks are the property of their respective owners. The Fedora Security Guide is designed to assist users of Fedora in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, the Fedora Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative Security Guide knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods. Preface xi 1. Document Conventions ................................................................................................... xi 1.1. Typographic Conventions ..................................................................................... xi 1.2. Pull-quote Conventions ........................................................................................ xii 1.3. Notes and Warnings ........................................................................................... xiii 2. We Need Feedback! ..................................................................................................... xiii 1. Security Overview 1 1.1. Introduction to Security ................................................................................................. 1 1.1.1. What is Computer Security? ............................................................................... 1 1.1.2. SELinux ............................................................................................................ 3 1.1.3. Security Controls ............................................................................................... 3 1.1.4. Conclusion ........................................................................................................ 4 1.2. Attackers and Vulnerabilities ......................................................................................... 4 1.2.1. A Quick History of Hackers ................................................................................ 4 1.2.2. Threats to Network Security ............................................................................... 5 1.2.3. Threats to Server Security ................................................................................. 6 1.2.4. Threats to Workstation and Home PC Security .................................................... 8 1.3. Vulnerability Assessment .............................................................................................. 8 1.3.1. Thinking Like the Enemy ................................................................................... 8 1.3.2. Defining Assessment and Testing ....................................................................... 9 1.3.3. Evaluating the Tools ........................................................................................ 11 1.4. Common Exploits and Attacks ..................................................................................... 13 1.5. Security Updates ........................................................................................................ 15 1.5.1. Updating Packages .......................................................................................... 15 1.5.2. Verifying Signed Packages ............................................................................... 16 1.5.3. Installing Signed Packages .............................................................................. 17 1.5.4. Applying the Changes ...................................................................................... 17 2. Basic Hardening Guide 21 2.1. General Principles ...................................................................................................... 21 2.2. Physical Security ........................................................................................................ 21 2.3. Why this is important .................................................................................................. 21 2.4. Networking ................................................................................................................. 21 2.4.1. iptables ........................................................................................................... 22 2.4.2. IPv6 ................................................................................................................ 22 2.5. Keeping software up to date ....................................................................................... 22 2.6. Services ..................................................................................................................... 22 2.7. NTP ........................................................................................................................... 22 3. Securing Your Network 23 3.1. Workstation Security ................................................................................................... 23 3.1.1. Evaluating Workstation Security ........................................................................ 23 3.1.2. BIOS and Boot Loader Security ........................................................................ 23 3.1.3. Password Security ........................................................................................... 24 3.1.4. Administrative Controls .................................................................................... 30 3.1.5. Available Network Services .............................................................................. 36 3.1.6. Personal Firewalls ........................................................................................... 39 3.1.7. Security Enhanced Communication Tools .......................................................... 40 3.2. Server Security .......................................................................................................... 40 3.2.1. Securing Services With TCP Wrappers and xinetd ............................................. 41 3.2.2. Securing Portmap ............................................................................................ 44 3.2.3. Securing NIS ................................................................................................... 44 3.2.4. Securing NFS .................................................................................................. 47 3.2.5. Securing the Apache HTTP Server ................................................................... 48 v Security Guide 3.2.6. Securing FTP .................................................................................................. 49 3.2.7. Securing Sendmail ........................................................................................... 51 3.2.8. Verifying Which Ports Are Listening .................................................................. 52 3.3. Single Sign-on (SSO) ................................................................................................. 54 3.3.1. Introduction ..................................................................................................... 54 3.3.2. Getting Started with your new Smart Card .......................................................