Linux Security Basics - Service Configuration and Update and Patch Management
Keep Linux patched and up to date
Security updates are essential to ensuring that a Linux system is not vulnerable to attack. Apply updates regularly by configuring Linux to install updates automatically when they are released, or at least to notify you that updates are available so that you can decide when to apply them. Update settings and procedures differ between distributions and between releases of the same distribution. On older GNOME-based Ubuntu releases, select System, then Administration, then Software Sources, open the Internet Updates tab and, in the Automatic Updates section, tick the 'Check for Updates' box to enable automatic updates. On current Ubuntu releases the same setting lives in Software & Updates under the Updates tab, and the unattended-upgrades package performs the installs.
The Fedora Linux distribution provides a similar mechanism; by default it downloads updates automatically but does not install them until the user triggers the installation. To enable automatic download, depending on the Fedora version, click System, then Preferences, then Startup Applications, where the update applet can be enabled or disabled at login. To enable the update process itself click System, then Preferences, then Personal, then Sessions and tick the 'PackageKit Update Applet' checkbox, or System, Preferences, System, Software Updates and enable the automatic update feature. On current Fedora releases the desktop setting is in GNOME Software (Update Preferences), and on a headless system the dnf-automatic package does the same job.
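The command line equivalent of the menu paths above, as an added example that is not part of the original article: it picks the update mechanism from /etc/os-release and supports both behaviours the article describes, installing automatically or only downloading and leaving the decision to the user. It assumes it is run as root and that the stock unattended-upgrades configuration on Debian and Ubuntu already permits the security pocket (it does by default); DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the original article: turn on automatic security
# updates from the command line, choosing the mechanism by distribution.
# Assumptions: run as root; /etc/os-release is present (any systemd-era
# distribution); on Debian/Ubuntu the stock 50unattended-upgrades already
# permits the "-security" pocket, so only the periodic settings are written.

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Classify an os-release file by ID, falling back to the ID_LIKE family.
distro_family() {
    id=$(. "$1" && printf '%s %s' "${ID:-}" "${ID_LIKE:-}")
    case " $id " in
        *" ubuntu "*|*" debian "*) echo debian ;;
        *" fedora "*|*" rhel "*|*" centos "*|*" rocky "*|*" almalinux "*) echo redhat ;;
        *) echo unknown ;;
    esac
}

# enable_auto_updates MODE [OSRELEASE]
# MODE is "install" (apply updates unattended) or "download" (fetch only and
# let the user decide, the behaviour the article describes for Fedora).
enable_auto_updates() {
    mode="${1:-install}"; osrel="${2:-/etc/os-release}"
    case "$(distro_family "$osrel")" in
        debian)
            run apt-get install -y unattended-upgrades
            # APT::Periodic keys are read by the apt-daily timers (or cron job).
            if [ "$mode" = "install" ]; then
                conf='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
            else
                conf='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "0";'
            fi
            if [ "${DRY_RUN:-0}" = "1" ]; then
                echo "write /etc/apt/apt.conf.d/20auto-upgrades:"; echo "$conf"
            else
                printf '%s\n' "$conf" > /etc/apt/apt.conf.d/20auto-upgrades
            fi
            ;;
        redhat)
            run dnf install -y dnf-automatic
            # dnf-automatic ships one systemd timer per behaviour: the -install
            # timer applies updates, the -download timer only fetches them.
            run systemctl enable --now "dnf-automatic-${mode}.timer"
            ;;
        *)
            echo "unsupported distribution in $osrel" >&2; return 1 ;;
    esac
}
```

Run `DRY_RUN=1 enable_auto_updates install` first to see exactly what will be written or enabled on the host, then run it again without DRY_RUN.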
Disable Unnecessary Services
Services are programs that run in the background. Typically they listen on the network for connection requests on an assigned 'port', a number that tells the operating system which service should receive the traffic arriving for it. To determine which services are running on a Linux PC and listening for network connections, open a command line terminal and type:
and press Enter. The output lists the listening sockets by service name together with the port number each one is bound to.
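A practical version of that check, as an added example that is not part of the original article: rather than reading the whole listing, it filters the output of `ss -tulpn` (from iproute2; `netstat -tulpn` is the older equivalent but prints different columns, which this parser does not handle) down to the sockets that are reachable from the network, i.e. not bound to loopback, with the owning process. The sample output embedded below is constructed for the demonstration, not captured from a real host; run the live audit as root, otherwise the process column is empty for other users' sockets.

```sh
#!/bin/sh
# Added example, not from the original article: list the sockets that are
# reachable from the network (bound to something other than loopback), with
# the owning process, so unexpected listeners stand out.
# Assumptions: ss from iproute2 and its -tulpn column layout; run as root so
# the Process column is populated.

# Read `ss -tulpn` output on stdin; print "proto port address process" for
# every listener not bound to 127.x.x.x, [::1] or the lo interface.
exposed_listeners() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        addr = $5; n = split(addr, a, ":"); port = a[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        loop = (host ~ /^127\./ || host ~ /^\[::1\]$/ || host ~ /%lo$/)
        proc = "-"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (!loop) print $1, port, host, proc
    }'
}

# Live audit on the current host.
audit_listeners() { ss -tulpn | exposed_listeners; }

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=920,fd=13))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1001,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      5      [::1]:631           [::]:*            users:(("cupsd",pid=700,fd=7))'

# Demo on the sample: only sshd (v4 and v6) and nginx are exposed; the
# resolver stub, the local-only mail daemon and CUPS are not reported.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Anything the filter prints that you did not deliberately install is a candidate for the "disable" procedure below; a daemon bound only to 127.0.0.1, such as a mail agent kept for local cron output, is not reachable from the network and can usually stay.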
Services that should be disabled, and are most likely not in use on a PC, include NFS; the 'r' services (rsh, rlogin, rexec, rcp); the telnet and ftp servers; BIND (DNS); and the mail transfer agents (sendmail, exim, postfix, qmail). The 'r' services, telnet and ftp send credentials in clear text and should be disabled whether or not they appear to be in use; a mail agent bound only to localhost for delivering cron output is harmless and may be kept.
If the listing shows services that should not be running, disable them so that they do not start at boot. First stop the service by typing:
service service-name stop
replacing 'service-name' with the name of the service you wish to stop. Once the service has stopped, identify the exact name of its startup script by typing:
ls -l /etc/rc.d/rc3.d/S*
and press Enter, then type:
ls -l /etc/rc.d/rc5.d/S*
and press Enter. The two listings show the services that start at run levels 3 and 5 (run level 5 being multi-user mode with a graphical login). Each S-prefixed entry is a symbolic link to a script in /etc/init.d (or /etc/rc.d/init.d), and that script's name without the S and number prefix (nfs rather than S60nfs, for example) is the name chkconfig expects. Use chkconfig to stop the script from starting at boot by typing:
chkconfig --level 2345 script-name off
replacing 'script-name' with the name of the script to be disabled. Note that these commands require superuser permissions and assume that the shell's search path includes the directories holding the utilities (/sbin and /usr/sbin are often missing from an ordinary user's path). On distributions such as Ubuntu, prefix each command with 'sudo' and enter your own password, not root's, when prompted. It may also be necessary to provide the full path to the utility binary in order to issue the command, for example:
rather than simply typing the command in order for the command to run.
Note that the xinetd service is special: it listens on the configured ports itself and, when a connection request arrives on one of them, starts the service associated with that port to handle the request. To disable a service controlled by xinetd, open the file with the same name as the service in /etc/xinetd.d, change the 'disable = no' attribute to 'disable = yes', save the change, and then reboot the Linux PC or on the command line type:
service xinetd restart
in order for the changes to take effect.
On systemd-based distributions (current Fedora, Red Hat, Debian and Ubuntu releases) the run-level scripts, chkconfig and xinetd have largely been replaced: systemctl disable --now service-name stops a service and removes it from boot, and systemctl list-unit-files --state=enabled shows everything that starts at boot. Also, depending on the distribution, it may be easier to use the graphical version of these same utilities: look under the System or Administration menu for the Services utility, open it, deselect the services that should not run at startup and save the setting.
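The whole procedure in one script, as an added example that is not part of the original article: it stops a service and removes it from boot using whichever init tool the host has (systemctl, chkconfig or update-rc.d), and handles the xinetd case by editing the service file and restarting xinetd. It assumes it is run as root and that the service and xinetd file names are the ones your distribution uses; DRY_RUN=1 prints the commands instead of running them so the plan can be reviewed first.

```sh
#!/bin/sh
# Added example, not from the original article: stop a service now and keep it
# from starting at boot, picking the init tool the host actually has.
# Assumptions: run as root; service names are the ones your distribution uses
# (check with `ls /etc/init.d /etc/xinetd.d` or `systemctl list-unit-files`).

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# disable_service NAME: stop NAME and disable it at boot on systemd hosts,
# chkconfig (Red Hat/Fedora SysV) hosts or update-rc.d (Debian/Ubuntu SysV)
# hosts. Returns 1 if no supported init tool is found.
disable_service() {
    svc="$1"
    if command -v systemctl >/dev/null 2>&1; then
        run systemctl disable --now "$svc"
    elif command -v chkconfig >/dev/null 2>&1; then
        run service "$svc" stop
        run chkconfig --level 2345 "$svc" off
    elif command -v update-rc.d >/dev/null 2>&1; then
        run service "$svc" stop
        run update-rc.d "$svc" disable
    else
        echo "no supported init tool found for $svc" >&2
        return 1
    fi
}

# xinetd_disable NAME [DIR]: flip 'disable = no' to 'disable = yes' in the
# xinetd service file (DIR defaults to /etc/xinetd.d), then restart xinetd so
# the change takes effect. Returns 1 if there is no file for NAME.
xinetd_disable() {
    f="${2:-/etc/xinetd.d}/$1"
    [ -f "$f" ] || { echo "no xinetd file for $1" >&2; return 1; }
    sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' "$f"
    run service xinetd restart
}

# Typical use on an old-style PC: the clear-text remote access services.
# for s in telnet rsh rlogin rexec; do xinetd_disable "$s"; done
# for s in nfs vsftpd named sendmail; do disable_service "$s"; done
```

Because the commands are printed under DRY_RUN=1, the script doubles as documentation of exactly what was changed on a host, which is worth keeping with the change record.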
Enforce a Strong Password Policy
Strong passwords that are changed regularly, meet a minimum length, and satisfy complexity rules all help keep the computer safe from attackers. The rules this article recommends are a minimum length of 10 characters, a password change every 90 days (with the new password different from the previous one), and complexity, meaning at least one lower case letter, one upper case letter, and a digit or special character such as a question mark. (Current NIST guidance in SP 800-63B no longer recommends forced periodic rotation unless a compromise is suspected, putting more weight on length and on rejecting known-bad passwords; if you keep the 90-day rule, pair it with the length and complexity rules so users cannot cycle through trivial variations.) Setting the password policy, like most Linux settings, varies between distributions. On most of them the policy is enforced by PAM: the configuration file is /etc/pam.d/common-password on Ubuntu and Debian and /etc/pam.d/system-auth on Fedora and Red Hat. Add the following line above the existing pam_unix.so password line (the quality check must run before the module that actually stores the password) to require a 10-character minimum, allow 3 retries when the new password is rejected, require at least 4 characters to differ from the old password, and require at least one upper case letter, one lower case letter and one digit. Current Fedora, Red Hat and Ubuntu releases ship pam_pwquality.so in place of pam_cracklib.so; it accepts the same options, so substitute the module name if pam_cracklib is not installed. Keep a root shell open in another terminal while editing PAM files, because a mistake there can lock every account out:
password requisite pam_cracklib.so retry=3 minlen=10 difok=4 dcredit=-1 ucredit=-1 lcredit=-1
Also, to require a password change every 90 days, open the login.defs file in /etc and set the following value (this applies only to accounts created afterwards; existing accounts need the same limit applied with chage -M 90 user-name):
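The login.defs change together with the step it is easy to miss, as an added example that is not part of the original article: login.defs only affects accounts created after the edit, so the same ageing limits are applied to existing accounts with chage. It assumes it is run as root, that regular accounts are UID 1000 and above with a real login shell (adjust for your UID_MIN), and uses the login.defs keys PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE; DRY_RUN=1 prints the chage commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the original article: set the password-ageing keys in
# /etc/login.defs and apply the same limits to existing accounts. login.defs
# only affects accounts created afterwards; existing users keep their old
# ageing values until chage(1) updates them.
# Assumptions: run as root; "regular" accounts are UID >= 1000 with a login
# shell (adjust the UID test if your distribution starts lower).

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# set_login_def FILE KEY VALUE: replace the active KEY line or append one.
# Commented-out "#KEY" lines are left alone so the distribution's notes stay.
set_login_def() {
    f="$1"; k="$2"; v="$3"
    if grep -q "^[[:space:]]*$k[[:space:]]" "$f"; then
        sed -i "s/^[[:space:]]*$k[[:space:]].*/$k $v/" "$f"
    else
        printf '%s %s\n' "$k" "$v" >> "$f"
    fi
}

# get_login_def FILE KEY: print the active value (empty if unset).
get_login_def() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# apply_password_ageing [LOGIN_DEFS] [PASSWD]: the article's 90-day maximum,
# plus a 1-day minimum (stops users changing twice to get their old password
# back) and a 14-day warning, written to login.defs and then applied with
# chage to every existing regular account listed in PASSWD.
apply_password_ageing() {
    defs="${1:-/etc/login.defs}"; passwd="${2:-/etc/passwd}"
    set_login_def "$defs" PASS_MAX_DAYS 90
    set_login_def "$defs" PASS_MIN_DAYS 1
    set_login_def "$defs" PASS_WARN_AGE 14
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd" |
    while read -r user; do
        run chage -M 90 -m 1 -W 14 "$user"
    done
}

# Review with: DRY_RUN=1 apply_password_ageing
# Verify one account afterwards with: chage -l user-name
```

Service and system accounts are deliberately skipped: putting an expiry on them does nothing useful and can break the daemons that run under them.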
Restrict Root Access
Root is the superuser account with permission to change anything on a Linux PC; an attacker who gains root access has full control of the system. To safeguard root access, configure the system so that root privileges are obtained only through the sudo utility, which logs who ran what and needs no shared root password. Most distributions now set this up during installation (the first user is placed in the sudo or wheel group); if yours does not, add your user to that group or grant it rights with visudo, then lock the root password with passwd -l root and refuse direct root logins over SSH (PermitRootLogin no, covered in the next section).
Secure SSH Configuration
SSH, or 'Secure Shell', is a useful service that runs on nearly every Linux distribution and provides an encrypted channel through which a command line terminal and other applications can be reached. Like any network service it has had security issues over the years and must be kept patched and properly configured so that it is not vulnerable to attack. If you do not use SSH, disable the service altogether. If you do, apply the following settings in the SSH daemon's configuration file, usually /etc/ssh/sshd_config:
Protocol 2 (allows only version 2 of the SSH protocol; OpenSSH servers from version 7.4 no longer support version 1 at all)
PrintMotd yes (the contents of /etc/motd are shown after a user logs in; a pre-login legal notice is set with the Banner directive instead)
AllowUsers (list the users permitted to log in, separated by spaces; everyone else is refused even with a valid password or key)
PermitRootLogin no (root must log in as an ordinary user and use sudo, in keeping with the previous section)
MaxStartups 10 (limits the number of concurrent unauthenticated connections to blunt denial of service attacks; the form 10:30:60 starts refusing a growing share of new connections above 10 and all of them above 60)
Run sshd -t to check the file for syntax errors, then reload the service (systemctl reload sshd, or ssh on Debian and Ubuntu; service ssh restart on older systems), and keep your current session open until you have confirmed that a new login still works.
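A check for those settings, as an added example that is not part of the original article: it reads an sshd_config the way sshd does (the first uncommented occurrence of a directive wins) and reports each weak or missing directive, including PermitRootLogin from the root access section, so the hardened file can be compared against a weak one before it is reloaded. It assumes the path you give it is the live configuration and treats the MaxStartups ceiling of 10 as the article's figure rather than an OpenSSH default; the two sample files in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# directives listed above, plus PermitRootLogin, which enforces the "root only
# through sudo" rule from the previous section. sshd honours the FIRST
# uncommented occurrence of each directive, so that is the value checked.
# Assumptions: the path passed in is the live config; the MaxStartups ceiling
# of 10 is the article's figure, not an OpenSSH default.

# sshd_get FILE DIRECTIVE: print the effective value (first word only; empty
# if unset). Names are case-insensitive; comment lines begin with '#'.
sshd_get() {
    awk -v k="$2" 'NF >= 2 && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd_config FILE: print one FAIL line per weak or missing setting and
# return 1 if anything failed, so it can gate a deployment script.
check_sshd_config() {
    cfg="$1"; fails=0

    v=$(sshd_get "$cfg" Protocol)
    case "$v" in
        ""|2) ;;   # unset is fine on OpenSSH 7.4+, which no longer speaks SSH-1
        *) echo "FAIL Protocol=$v (want 2)"; fails=$((fails + 1)) ;;
    esac

    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset} (want no)"; fails=$((fails + 1)); }

    v=$(sshd_get "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers unset (want an explicit user list)"; fails=$((fails + 1)); }

    v=$(sshd_get "$cfg" MaxStartups)
    start=${v%%:*}   # "10:30:60" -> 10, plain "10" -> 10
    case "$start" in
        ""|*[!0-9]*) echo "FAIL MaxStartups=${v:-unset} (want a number <= 10)"; fails=$((fails + 1)) ;;
        *) [ "$start" -le 10 ] || { echo "FAIL MaxStartups=$v (want <= 10)"; fails=$((fails + 1)); } ;;
    esac

    [ "$fails" -eq 0 ] && echo "OK $cfg"
}

# Typical use before reloading sshd:
#   sshd -t && check_sshd_config /etc/ssh/sshd_config && systemctl reload sshd
```

The checker deliberately ignores Match blocks; a PermitRootLogin inside a Match block applies only to the matching clients, so the global value is still the one that matters for the rule above.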
Enable the Firewall
Most Linux distributions ship with a packet filter (iptables, or nftables on newer releases) and a front end for it, and many enable it by default. Make sure the firewall is enabled and only allow exceptions for programs and network traffic when absolutely necessary. Distributions provide several ways to access the firewall configuration. Common ones include the graphical utility typically found under System, Administration, Firewall on Red Hat and Fedora (system-config-firewall, with lokkit as its command line counterpart; current releases use firewalld and firewall-config instead), and ufw with its Gufw front end on Ubuntu and Debian. There is also the iptables command line utility; its manual page documents the rule syntax.
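A minimal default-deny ruleset for the iptables command line, as an added example that is not part of the original article: inbound traffic is dropped unless it belongs to an existing connection or is SSH from the administrators' subnet, and the rules are emitted as a list of commands so they can be reviewed (and tested) before they touch the host. It assumes root, an iptables with the conntrack match (on nftables-only systems the iptables-nft shim provides the same command) and an ADMIN_NET of your choosing; 192.0.2.0/24 below is a placeholder from the documentation address range, and the save paths are the distribution conventions named in the comments.

```sh
#!/bin/sh
# Added example, not from the original article: a default-deny iptables
# ruleset for a host that only needs SSH reachable, generated as commands so
# it can be reviewed before it runs.
# Assumptions: run as root; iptables with the conntrack and limit matches;
# ADMIN_NET is the subnet your admins connect from (192.0.2.0/24 is only a
# documentation-range placeholder).

# firewall_rules [ADMIN_NET]: print the rules in an order that cannot lock out
# an existing SSH session: accept rules first, the DROP policy last.
firewall_rules() {
    admin_net="${1:-192.0.2.0/24}"
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix "fw-drop: "
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
EOF
}

# apply_firewall [ADMIN_NET]: run the rules, then save them so they survive a
# reboot. The save path is distribution-specific: Red Hat/Fedora restore
# /etc/sysconfig/iptables, Debian/Ubuntu with iptables-persistent restore
# /etc/iptables/rules.v4 (assumed here from the presence of /etc/sysconfig).
apply_firewall() {
    firewall_rules "$1" | sh -e || return 1
    if [ -d /etc/sysconfig ]; then save=/etc/sysconfig/iptables; else save=/etc/iptables/rules.v4; fi
    iptables-save > "$save"
}

# Review what would be applied for a private admin network:
firewall_rules 10.0.0.0/8
```

The new-connection rate limit on port 22 complements the MaxStartups setting from the SSH section: MaxStartups caps half-open logins inside sshd, while the limit match stops the SYN flood from reaching sshd at all. The LOG rule is rate-limited too, so a scan cannot fill the disk with kernel messages.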
SELinux
Included and enabled on most Red Hat related distributions, SELinux (Security Enhanced Linux) was designed by the NSA to enforce system-wide mandatory access control policies. While SELinux makes Linux more secure, it can have unwanted side effects, such as blocking programs that are used regularly, and its administration can be complex. Fedora and Red Hat ship a targeted policy that confines the network-facing daemons discussed in this article, so on a stock installation the side effects are mostly limited to unusual configurations, and every denial is logged to /var/log/audit/audit.log, where ausearch -m avc and audit2allow can explain what was blocked and why.
If SELinux is interfering with something you need, switch it to permissive mode (setenforce 0 for the running system, SELINUX=permissive in /etc/selinux/config to persist it) rather than disabling it: in permissive mode nothing is blocked but every denial is still logged, so you can learn how the policy behaves and return to enforcing mode once you understand it and have decided whether the additional protection is needed on your Linux PC.
Bastille Linux
Bastille Linux is a system hardening program. It assesses the purpose of the system by asking the user a series of questions to determine what measures should be taken to secure it properly, then generates a policy, applies it to harden the system and reports the changes made. Bastille is designed to run on Red Hat Enterprise, Fedora, SUSE, Debian, Gentoo and Mandrake/Mandriva distributions. For someone who needs to harden a system and is not yet familiar with Linux, Bastille simplifies the process considerably, but be aware that the project has not had a release in many years, so check that it still supports your distribution version before relying on it. The Bastille Linux web site has downloads and additional information.
Other Security Measures
File shares, whether SMB, NFS or another protocol, should never be open to the world. SMB shares should require a password; NFS has no password at all, so restrict exports to named client hosts in /etc/exports (or use NFSv4 with Kerberos) and never export with no_root_squash. Login to the desktop should also require a password. Linux antivirus such as ClamAV is a good idea for additional protection, particularly on file and mail servers that hand files to Windows clients, but just as on Microsoft Windows computers it uses additional resources that may slow system performance.
Applying the basic security measures above, together with regular maintenance including security patches and updates, will help ensure that your Linux systems are more secure from intruders and malware.