How to make Linux more secure?

This is not a post to discuss whether or not Linux is more secure than Microsoft Windows. Instead, I am curious to know what people have done in order to make their Linux workstations more immune to compromise and/or attack.

If you believe that the various Linux organizations are just more proactive in generating and distributing patches than is Microsoft and all you do is apply patches as soon as they are released, just say so.

I will go first:

Devices
SMC Router w/SPI
No direct access to Windows partition (In Linux extended partition, created FAT32 volume to move files back and forth)

OS Hardening
No servers (file, database, web, mail, etc.) (MySQL/PostgreSQL started and stopped manually when needed)
TCP services, /etc/host.allow and /etc/host.deny, allow for local access only
No root logon
Logon requires both login name and password
Use sudo via /etc/sudoers and visudo command
Apply kernel patches approx. twice per week
/etc/fstab set so that /tmp and /home aare noexec and nosuid (I toggle /tmp when necessary, e.g., for Netbeans install)

Applications
Safe hex.
Firestarter firewall GUI for iptables
AIDE (Advanced Intrusion Detection Environment) runs daily and cron send me mail
Periodically review system logs, services and running processes
Thunderbird Bayesian filtering for spam
Apply application updates approx. twice per week (Manually reinstall as necessary, e.g., Opera)
Trojan-scan (A poor man's trojan detector in the form of a script)
NMAP
Weekly (approx.) rootkit scans with rkhunter and chkrootkit
F-Prot Anti-Virus for Linux (Infrequent system virus scans along with scan of all manual downloads from web and email attachments)
Update AV signatures manually every week or two
Update rkhunter database manually every week or two
Terabyte Unlimited's Image for Windows create partition images with frequency of 1 to 4 weeks
Firefox and Opera clear history, cookies and cache on application exit.

Regards,

bktII

 

Two utilities -

Bastille - http://www.bastille-linux.org/

and if you like logs and checks - Tripwire - http://sourceforge.net/projects/tripwire

 

In addition to what said above, this http://www.puschitz.com/SecuringLinux.shtml gives a lot of good advice. And this book http://www.amazon.com/gp/product/0596003234/104-8006145-6577524?v=glance&n=283155 , although old, is still essential. And use systrace for untrusted applications (like a browser).

 

dog and TNT,

Thank you both for your replies. However, I'm afraid I did a poor job of posing my question.

What is was after was a Linux version of the current MS Windows OS thread at Wilders entitled "What is your security setup these days?" located here:

https://www.wilderssecurity.com/showthread.php?t=111264

Regards,

bkt

P.S. to dog I currently use AIDE in lieu of Tripwire. Are you recommending Tripwire over AIDE? Also, after installing Linspire 3-4 months back (I use Ubuntu and Fedora Core now), I tried Bastille and ended up locked out of both my root and non-root accounts! Clearly I am a klutz. I read an online review of Bastille beforehand where, after running Bastille, some guy was getting 25 emails per second coming into his mailbox! Clearly I am not the only klutz! There are at least two of us.

P.S to TNT I will spend some time this weekend reviewing the links you provided.

 

The only things that i use at the moment are a router and spamassassin with evolution mail and no connection to the windows-partition
I (try) to practice safe hex, but i've always done that, it's a powerfull weapon.

Lamehand

 

I've never tried AIDE ... Bastille disables somethings you may not think of/consider, but the discriptions have to be carefully read, or you'll disable more than you want (Like mounting CDs/DVDs) ... I've never seen an option for any kind of emails with Bastille (Are you sure you're referring to the right program? I think you mean Tripwire) - Screenshot of Bastille Below).

Currently I'm not using Tripwire, I'm using the Security Audits available in Mandriva - Which sends the odd email. I also use Kiosk for disabling settings for users, run WXChecksums once a blue moon in addition to the audits, and one or two that I can't think of ATM off the top of my head. But that's it really ... The Software Firewall I use is Guard Dog, and Clam is installed as an AV, but never used. Thats about it.

Steve

 

dog,

Yes, I'm sure it was Bastille; however, my recollection is that the mail flood experienced by this user was a "consequence" of one of the Bastille options he selected rather than an explicit mail-related option in Bastille of which you correctly state there are none.

I did a quick search to try and locate this user's review and came up empty. It may have been removed or I may not be using the same keywords I used to locate the review several months ago. If I find it I will post.

Thanks for the information on Kiosk and WXChecksums, I'll take a look at these.

Regards,

bktII

 

Here's a screen of Kiosk ... the WXChecksums is the same as any other checksum utility ... it does have a nice frontend.

 

hi, what do you do to "toggle /tmp" to noexec? i'd do the same if there's a one click solution.

i've done loads of stuff to harden Ubuntu, but i can't rememebr it all. these are things i can remember.

disabled/uninstalled un-needed stuff like bluetooth

put ALL: ALL in deny.hosts although i have nothing in allow.hosts

added these lines to /etc/security/limits.conf to spot Fork Bombs
@users soft nproc 100
@users hard nproc 150

run rkhunter on a daily cron, i think that's it's default

i have a script to encrypt files
http://rob.pectol.com/myscripts/encryption.sh.txt

i'm thinking of installing Libsafe, although it's not maintained atm and there are some problems with libc5, but i don't have that lib.

this is where i found alot of the stuff i've done
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html#contents
alot of the stuff i like from above is mentioned here under Password hygiene and login security
http://www.debianhelp.co.uk/security.htm

i've got some nice network tools too.
traceproto
ethereal
etherape
there's some nice CLI tools i got but i can't remember them right now.

 

dog,

I found the article referenced above. My memory is more or less intact; you can decide whether it is more or less! On second reading, it appears to be more related to user error than Bastille. Here is an excerpt and the link:

http://yellowbugcomputers.com/techdocs/lessonslearned.html

Iceni,

Thanks for the reply. I was playing with words a bit wrt "toggle". Here is an excerpt of my /etc/fstab file for the /tmp partition:

# /etc/fstab: static file system information.
/dev/sda8 /tmp ext3 defaults,nosuid,noexec 0 2
#/dev/sda8 /tmp ext3 defaults 0 2

My normal operating state for /tmp is currently uncommented (i.e., nosuid, noexec). If I need to do an install that must use /tmp, I comment the first one and uncomment the next one and reboot. Then I install the software (netbeans comes to mind, maybe Sun's jdk too?). Once installed, I reverse the changes in the /etc/fstab file and reboot again.

I read in one of the many tutorials on securing Linux that /tmp left unsecured has been a significant security hole. This is probably more true for Linux servers than a workstation. I believe that another option would be to make /tmp ececutable only for root.

Regards,

bktII

 

A couple of other tips ... to shred files within a folder (ie temp folder - as it shred ever file within the folder you have ownership of) ... open console in that directory ... and use

find -type f -execdir shred -u -v -z '{}' \;

then

rm -rf *

EDIT: For single file shredding use shred command with whatever options (-u = remove -v= verbose -z find write zeros) and then the path/file (dthe default number of passes is 25 unless specified otherwise. example: shred -u -v -z /home/user/documents/example.pdf

*******

Now if you're using a journaled FS ... simple shredding isn't enough ... you need to overwrite all free space - which has to be done from root because of the reserve held for it. Use either

cat /dev/urandom > DELETEME ; sync ; sleep 1 ; rm -f DELETEME

or

cat /dev/zero > DELETEME ; sync ; sleep 1 ; shred -un1 DELETEME

The second is slightly faster.

 

Now i'am confused, i've read this thread on the ubuntu forums about implementing a firewall and antivirus and the people 'in the know' say ; nonsense, you don't need it just keep your packages up to date because that is the way to keep the core protected against mishaps like bufferoverflows and such.
They say outbound protection from a firewall is useless because in a standard install there are no ' strange' services running and antivrus is not needed because there are no viruses in the wild for linux, on top of that, if you get a virus it would take four or five contious steps to install it.

So what to do?, who is right about this?

regards
Lamehand

 

No I'd agree generally, neither are all that important ... the AV I could do completely without. The firewall isn't important either, ip tables are more than enough. I use the firwall more as a restriction ... only allowing connections out of certain ports.

 

Oke, i understand it, this would be getting more important if i where running a service of some kind with outbound connections, and then you want to keep tabs on those connections ofcourse.

Lamehand.

 

Lamehand and dog,

This is my take and please understand that I am no security expert, but have read a bit about linux security, probably much like yourself. I am also a bit paranoid, perhaps a carryover from MS Windows.

The vast majority of signatures in Linux AV products are for MS Windows. Only a very small, or even tiny, fraction are for Linux.

I run an on-demand AV in Linux for three reasons:

(1) to be a good "net" citizen as I may send out emails with attachments to others and I would not want to send an infected file and contribute to the spread of malware. Also, even if the recipient's ISP scans attachments with an AV, no AV is perfect.
(2) to protect myself. Sometimes if I am surfing in Linux I run across I file that I will want to use in Windows and I download it. Ditto for email attachments. I scan the file immediately after downloading and before placing in my FAT32 shared partition. I also scan the same file again, with a different AV, when I return to Windows. This provides a bit better coverage than a single AV in Windows; again no AV is perfect.
(3) to protect myself against the very small chance of encountering a Linux virus. Again, there aren't many of these.

Your mileage may vary on this. It is purely a risk management decision.

Regarding inbound protection, as you already have a router, I assume with SPI, a software firewall would be redundant. However, one of my two PCs that I use to multi-boot is a notebook. If I travel, I leave my router behind and use a dial-up modem to access the internet. In this case, I already have an iptables-based firewall up and running. There is not much of a memory or CPU hit. Of course, at home it is truly redundant. I also have it operational on my desktop PC (see below).

Regarding outbound protection, my concern (and it may be pure paranoia) is MIRRORS and other download sites I visit via a web browser. Linux updates and installs hit mirrors located all over the planet. The Linux package mangers I use employ checksums which monitor whether a file has been modified or not. Thus, I believe that there is some substantial built-in protection. I also use MD5 checksums when I download a file from a web site, provided an MD5 value is available. But they are not always available.

For outbound protection I do two things:

(1) visually monitor TCP/UDP connections on my GUI front-end to iptables (Firestarter) with built-in WhoIs capability. An alternative is to periocially use the Linux command netstat.

(2) monitor TCP/UDP connections with a script called trojan-scan that sends me local mail if executables unlisted in a config file (this is simplified) initiate TCP/UDP connections. This script is more of a very simple firewall log than anything else.

Also, see TNT's post above (I have repeated here):

Again, your mileage may vary on this. It is purely a risk management decision.

Hopefully, some of the more knowledgable forum posters will respond to my take on this as well.

Regards,

bktII

 

No mention yet of the biggest Linux security tool, but more for experts/tweakers - GRSecurity.

For outbound application filtering, TuxGuardian seems to be the only option in Linux. Such filtering still has a role in cases where you wish to control or limit an application's Internet access (e.g. restricting a browser to access via an anonymising proxy only to prevent any exploits that could otherwise cause it to make a direct connection with a website or blocking email clients from web access to prevent them from downloading embedded web bugs).

With regard to file shredding, those who consider themselves at risk of forensic examination (which is what shredding addresses) should find encrypting their entire filesystem (and swap partition) a more secure option which would likely involve fewer overheads. A script that constantly writes data to disk can have its downsides.

 

Hello,
I'm by no means a great Linuxian, but I find that firewall and av are more than enough security. I use built-in firewall product with Suse 10 and BitDefender / AVG anti-virii, more out of habit than anything else.
Mrk

 

For me SELinux is the way to secure Linux machines. You can create your own rules for it, and compares with "behaviour blocking" on Windows.

You need some knowledge of Linux to integrade it in your favorite distribution. Red Hat (Fedora) include SELinux in their official releases. I've managed to equip Ubuntu with SELinux some months ago.

http://www.nsa.gov/selinux/

 

Never tried TuxGuardian ... it seems interesting, for now GD does what I need it to ... I'll give it a try eventually. Thanks

P2K ... even encrypted files need to be shredded. (I could be forced to give up the key ) Yes what I mentioned isn't a daily task, but a monthly one for me.

I have FC5 installed to play with it. We'll see how it goes.

 

I can just picture the interrogation session:

"Here boy! Nice big bone for you if you drop that key! No, don't bury it, just drop it there - gooooood doggie!" *pat pat*

 

A question regarding TuxGuardian:

From the TuxGuardian link, package requirements for tuxguardian are as follows:

For the most recent Ubuntu Linux kernel, 2.6.12-10, I have all required packages except for the kernel-source. The kernel-source file I do have is kernel-source-2.6.11-7, for an older version of the kernel. Is there a lag between the kernel and the kernel-source?

Which is more secure, staying with the current kernel w/o TuxGuardian or going back to the 2.6.11-7 kernel and implementing TuxGuardian?

I am inclined to stick with the most recent kernel w/o TuxGuardian as that includes recent patches as well. SecurityFocus.com has lots of issues wrt the linux kernel that generally get patched pretty quick.

bktII

 

i've looked at GRSecurity but it looks like it needs to be build using a 'vanilla' kernel and could conflict with the Ubuntu patches, i'm too scared to try it out incase i have problems. have you ever tried it with a debian based distro?

there are other kernel patches too like paxctl which is used in GRSecurity and has an Ubuntu version, i might try that.
http://packages.ubuntu.com/breezy/admin/paxctl

 

No, you will need to update your kernel source to match your kernel. If TuxGuardian needs to compile against the source, this has to match the code you are running or things will likely break.

Not done anything with grsecurity aside from perusing its documentation and cowering at its possible complexity... That's why I've suggested it here, to let others do the hard work of installing and testing it!

 

iceni,

I've had libsafe installed for awhile now on Ubuntu; forgot to mention it.

Here's some output:

$ ldd /bin/ls
/lib/libsafe.so.2 (0xb7fde000)
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0xb7fc7000)
libacl.so.1 => /lib/libacl.so.1 (0xb7fc0000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e92000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7e8e000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7e7b000)
/lib/ld-linux.so.2 (0xb7fe7000)
libattr.so.1 => /lib/libattr.so.1 (0xb7e77000)

bktII

 

hmm, it seems we had the same idea

it's quite hard getting help for Linux security, most users are just happy with the defaults. when i do searches at Ubuntuforums for a security program i've found half the time there are no search results. although the mailing list seems to have more knowledgeable people.
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

thanks, i might try it then if you haven't found any problems using it. i'll do some reading. it would be good to know when it's being used to test it out. does it look like it's used alot, or with just afew things like ls?