A quick way to secure a Linux system

The first step in securing your system is to determine what the function of that system is going to be. For example, if the system is going to be dedicated to being an ftp server,then there is little reason to having samba or sendmail installed because the more services that are running, the more vulnerable the system is going to be. This cannot be stressed enough. You do not want services running that you won’t be using.

So we begin with a fresh install of the system with the Linux distribution of your choice, and in that installation process we’ll choose the security settings for “High” or whatever the equivalent is if the option is available. This should enable package filtering, regulating what is and isn’t allowed to connect to your system.

Now whether the Linux system that you are working to secure is a home based ultimate desktop workstation or a firewall that is intended to protect an internal LAN from the outside world, one of the the most important concerns is making sure the system is brought up to date and kept up to date with the current errata, preferably an a freshly installed system so that it can be guaranteed that the system wasn’t previously compromised. The errata is basically a list of items containing significant information discovered after the release of the current version of the operation system. This information includes security advisories as well as as other software that could effect the smooth operations or security of the system in question.The errata can be downloaded from the website that maintains the distribution.

After you have determined what the systems purpose is going to be and the system has been installed with errata updates are in place, attention can be turned to tightening the system up.

Connectivity is the first thing I check for. After setting up the network settings, try pinging the system.

ping 192.168.1.10

You should see results like this:

64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.155 ms

After I have confirmed that the system is online, the very first thing I do is run nmap. This is one of the most common scanners and there is a fair chance that if someone is running a port scan on the system, they are using nmap.

With my security setting having been set for “High” in the installation process, below is my first scan with nmap using the

#nmap 192.168.1.10

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-03-19 08:41 PST

All 1611 scanned ports on system.foobar.com (192.168.1.10) are: filtered

That’s pretty good. It shows that the security settings that you chose are working. But let’s double check. We’ll run nmap again with an argument that passes through package filters, just like someone who may be looking at getting into your system.

#nmap -sF 192.168.1.10

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-03-19 09:07 PST
Interesting ports on system.foobar.com (192.168.1.10):
(The 1608 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
6000/tcp open X11

nmap run completed -- 1 IP address (1 host up) scanned in 3.147 seconds

It reports that there are three ports open on your system.

Now we come to the utility to harden the system so that we don’t have to go through and change all of the config files by hand. For this we will use Bastille Linux.

You can read more about what Bastille is on their website before you download it. By following the install instructions, you will be offered a series of questions in regard to the security of your system. Each question will have a brief description regarding the question if you are unclear with some of the context. There are several different security modules that you will need to address such as file permissions, account security, firewalls, etc.

A couple of questions to pay particular to are listed under security modules SecureInetd and ConfigureMiscPam. The first is “Would you like to set a default-deny on TCP Wrappers and xinitd?” and the second is “Would you like to put limits on system resource usage?”

Now that we have Bastille Linux on the system, we’ll run nmap again.

#nmap -sF 192.168.1.10

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-03-19 09:50 PST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 nmap run completed -- 1 IP address (0 hosts up) scanned in 12.048 seconds

Now we’ll try with the -P0 option like it says.

#nmap -P0 192.168.1.10

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-03-19 10:00 PST
All 1611 scanned ports on system.foobar.com (192.168.1.10) are: filtered

So now the system is reporting no ports that are open and if you try to ping your system you should be getting no response.

Don't miss