[2496] in SIPB_Linux_Development
Linux security one-sheet
daemon@ATHENA.MIT.EDU (Kevin Fu)
Thu Feb 4 21:41:05 1999
To: linux-dev@MIT.EDU
Reply-To: security-internal@MIT.EDU
Date: Thu, 04 Feb 1999 21:40:51 EST
From: Kevin Fu <fubob@MIT.EDU>
Do you have any comments on this security one-sheet for Linux? We
plan to use it as a stock answer from net-security.
--------
Kevin E. Fu (fubob@mit.edu)
PGP key: finger fubob@monk.mit.edu
Security One-Sheet for Linux-Athena
On a Running System
-------------------
Most Linux distributions come with a number of vulnerable services
enabled by default. The first thing you want to do after installing a
Linux system is to turn them off.
Many of the vulnerable services are run by your inetd. To turn them
off, edit /etc/inetd.conf to comment out any lines that start with the
following:

    shell
    login
    pop-2
    pop-3
    imap
    systat
    netstat
    time
    linuxconf

To comment out a line, all you need to do is put a # at the beginning of
it. For example, to turn off imap, you should change the line

    imap stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd

to

    #imap stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd

Don't worry if the lines in your inetd.conf don't look exactly like this
one; it's the 'imap' at the beginning of the line that's important.
Many Linux installations also include an NFS server by default. To
disable it, you need to move the server binaries so they won't be found.
Again as root, do the following:

    cd /usr/sbin
    mkdir disabled
    mv portmap rpc.nfsd rpc.mountd disabled

Linux-Athena also installs mount and umount as setuid root programs.
While there are no known problems with them, it's probably not a bad
idea to clear the setuid bit. As root, do

    chmod 755 /bin/mount /bin/umount

At this point, the best way to make all these changes take effect is to
restart your Linux system.
Maintaining Your System
-----------------------
As a general rule, you should look through your system log files
occasionally for any suspicious activity. You should also take a look
at them if you suspect your system may have been broken into. You can
find the log files in the /var/log directory.

    /var/log/messages -- general system messages
    /var/log/secure   -- connections to the machine
    /var/log/xferlog  -- ftp file transfers to and from the machine
    /var/log/wtmp     -- log of user logins (read by 'last')

Also, bugs and security problems are discovered in Linux all the time.
You should keep your system running the newest available versions of all
software. To keep track of this, you should add yourself to the
linux-announce mailing list on Athena. Do the following at the Athena
prompt:

    blanche linux-announce -a $USER

This is a low-traffic mailing list which is reserved for important
announcements only.
If you're running a Linux-Athena system, you should also regularly run
the 'update' script out of the linux locker. This script will go
through your system and upgrade any software which is out of date. To
run it, become root and do

    attach linux
    /mit/linux/update.pl

You should also regularly check the web pages at

    http://www.redhat.com/errata

for information on any packages that you need to update.
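
An added example, not part of the original one-sheet or of Linux-Athena:
a read-only shell check for the inetd.conf step above that lists which of
the named services still have an uncommented entry. The function names
and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: read-only audit of an inetd.conf-style file.
# Service names are the ones listed in the one-sheet.
RISKY_SERVICES="shell login pop-2 pop-3 imap systat netstat time linuxconf"

# enabled_risky_services FILE
# Prints each listed service that still has an uncommented entry in FILE.
# The service name is the first whitespace-separated field of a line.
enabled_risky_services() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v list="$RISKY_SERVICES" '
        BEGIN { n = split(list, names, " ")
                for (i = 1; i <= n; i++) risky[names[i]] = 1 }
        /^[ \t]*#/ { next }    # commented out, so disabled
        NF == 0    { next }    # blank line
        ($1 in risky) && !seen[$1]++ { print $1 }   # report each name once
    ' "$1"
}

# audit_inetd FILE: returns 0 if clean, 1 if any listed service is enabled.
audit_inetd() {
    found=$(enabled_risky_services "$1") || return 2
    if [ -n "$found" ]; then
        echo "still enabled in $1:"
        echo "$found" | sed 's/^/  /'
        return 1
    fi
    echo "none of the listed services are enabled in $1"
}

# write_sample FILE: constructed sample input, not taken from a real host.
# imap is already commented out; pop-3 and time (tcp and udp) are active.
write_sample() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
#imap   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/imapd
time    stream  tcp  nowait  root  internal
time    dgram   udp  wait    root  internal
EOF
}

# Audit the file named on the command line, e.g. /etc/inetd.conf.
if [ "$#" -gt 0 ]; then
    audit_inetd "$1"
fi
```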