USA India
Home Articles UserTV Press Releases Dictionary Books Education Careers B-Channels Resources Forums Blogs Classifieds
Sunday 6 Jul, 2008 eNewsletter Register Login
Archives
Articles By Date
Articles By Category
 
 
 Archives >> Details
Securing your world
Securing Linux servers isn't as hard as you think-as long as you think defensively from the get-go.
Posted by : Maggie Biggs

You may well have chosen to migrate to Linux servers to support your business due to the cost savings. Or perhaps your move to Linux was brought about by the seemingly never-ending security holes and related patches associated with the Windows operating system.

The move to Linux is a wise one, given both economics and security concerns. However, adopting Linux doesn't mean you can neglect security. Regardless of the operating system or whether the server is privately or publicly accessible, any server should be installed with security in mind and maintained within the context of a security process over time.

That said, how do you secure your Linux servers? Do you have to be an expert? Hardly. Start by thinking about the role of your Linux server before you install the operating system. Will your Linux server host a Web site, or will it act as a file-and-print server on your network? Maybe you're using a Linux server to host your company's intranet or to serve up other company applications. Defining the server role up front helps you determine the type of installation to do. It also helps you decide which portions of the operating system and associated applications will require security configurations.

Next, think about physical security. It may sound simplistic, but you need to maintain your Linux server in a secure room where only authorized administrators can access it. Aside from the potential for the administrative log-on information falling into unauthorized hands, you need to prevent accidental power loss (as in: oops, I tripped over the power cord) and secure the server power switch to prevent unauthorized server reboots.

With your server in a secure room, you next need to add some password protection. You'll want to implement both a BIOS password and a boot password. To set these passwords, you'll need to enter system setup. When most systems start up, a message tells you which key(s) to press to access system setup. Some servers have a separate BIOS configuration program, whereas the boot password might be set using system setup.

For example, you might need to press F1 on start-up to access the BIOS configuration, while accessing system setup might require a press of the INS key. You want to password-protect your BIOS to prevent unauthorized changes to hardware. Don't forget the password, but don't write it down and post it next to the server, either.

Setting the boot password protects your server because a password prompt will be enabled before any operating system is loaded. Only authorized administrators should reboot the server, and the boot password only serves to insure that an unauthorized power-up is prevented.

One other item to note is the boot order. Many systems frequently default to a boot-up sequence that starts with the floppy drive, then the CD-ROM drive, and finally the hard drive(s). You can further secure your server by changing the boot order to go only to the hard drive, where your Linux operating system is installed. This will prevent someone with a floppy or CD from making unauthorized changes to your server. The boot order is usually found in the system setup, which is accessible during server startup.

When you're ready to install Linux, be certain to split the file system tree across multiple partitions. Many popular Linux distributions make it easy simply to install Linux in a single partition and, though it may seem a hassle, you should create separate partitions for various parts of the operating system (e.g., /boot, /(root), /tmp, /usr, /home).

A number of benefits underscore the importance of doing this. First, attackers often use writable directories like /tmp to gain root (or administrative) access on the system. Isolating publicly accessible directories is always a good idea.

Furthermore, having separate partitions lets you protect your server from users who may accidentally (or purposely) launch executables from their user directories (/home) or /tmp. You can set user accessible partitions with a noexec flag to prevent authorized executable launches.

Another benefit to separate partitions is the ability to start certain partitions as read-only. For example, the directories /sbin, /bin, and /etc rarely change and should be mounted as read-only. You might also want to make /(root) read-only.

Only what you need

When you install Linux on your server, be sure that you only install the software that you need. For example, if your server is going to act as a firewall and a router between your LAN and the Internet, you won't need to install a Web server or a graphical user interface.

Likewise, don't load the X Window System on a server machine. The X Window System uses a network protocol to communicate, thereby offering attackers an access point. Use only the command line on the server.

After you have your operating system installed and customized for the role of your server, you should check with the supplier of your Linux distribution for any security updates. Many distributions include automated tools that can check for updates, but configure these tools to let you inspect the updates prior to installation, so that you can determine if the new software is applicable to your setting. Moreover, you should schedule a time once a week (at least) to check for security updates from your vendor.

Remember how earlier we added a password to secure the server boot-up process? You can also password-protect or use the restrict keyword to protect the Linux boot loader (e.g., LILO, GRUB). The former is pretty straightforward, and the latter is useful if you wish only authorized server administrators to pass parameters to the operating system kernel on start up.

Services, users, and files

Next, disable any services that you don't need in order to fulfill the role of your server. Many Linux distributions start a lot of services by default, and many of these services provide entry points for attackers.

Before configuring any user accounts on your server, be sure that shadow passwords and MD5 encryption are installed on the server. Most Linux distributions support these items by default, but check to be sure they are installed. Without this support, user IDs and passwords are not encrypted and can be read by anyone who can get access to the files that house them.

The next thing to inspect is the file system. More specifically, you want to set the ownership and access rights for files. To add rights, you'll want to use the chmod command. To set default permissions, you'll want to use the umask command. Check the documentation for both of these commands (e.g., man chmod) before making changes to file permissions. Enable write and execute permissions sparingly. You also might want to use access control lists to further secure file access.

Although most Linux distributions ship with Pluggable Authentication Modules (PAM)--libraries that support authentication services--in a fairly secure manner, you might wish to inspect and modify the authentication configuration. At a minimum, inspect the configuration of PAM to see if you do want to make changes. For example, you might wish to limit access to the su command (used to assume the ID of another user, often the administrator account). You could change the authentication configuration for su to only allow members of a specific user group to execute the command, and you might enforce and log user IDs and passwords for the command.

Next steps

It is beyond the scope of this article to try to cover all aspects of Linux server security. Obviously, there is plenty of documentation available for the Linux platform. However, if you are new to security and Linux administration, you might want to read about Linux security options in more detail.

On such book is "SAMS Teach Yourself Linux Security Basics in 24 Hours." This book is useful because it provides an overarching approach to treating security as a process rather than an event. Aside from discussing initial installation and configuration of security, it also covers how to audit your system--which you should do regularly--and how to monitor your server and determine how you will respond in the event of an attack.

Checking it off

Linux servers need to be configured from the start with security in mind.

Linux Server: Security Checklist

Clearly define the role of the server (e.g., Web, file and print, application) Split the file system tree across multiple partitions Make the root partition read-only Install only the software you need to fulfill the server's role Download and install all security updates from your Linux supplier Password-protect your BIOS Change system setup to boot only to the first hard drive Be sure server is located in a physically secure area Secure the boot process Perform a system and user audit Secure the file system Use Pluggable Authentication Modules Secure X Windows access Safeguard TCP/IP Secure Web services (e.g., Apache, FTP, SMTP) Examine DNS and Bind Protect NFS and Samba Implement data encryption Set up an auditing and monitoring plan Establish a recovery plan
 
 
Archives by Date
 
 
 
 
 
Copyright © 2008 ComputerUser Inc.
About us | Terms of use | Privacy Policy | Legal | Trademark/Copyright | Awards | Advertise | Writer guidelines | Sitemap | Contact | FAQ's | Feedback  | Link to us

Here are the topics we cover computer certification computer careers computer training computer games consulting data recovery data security digital entertainment emerging technology gadget reviews handheld computers hardware reviews home automation home networks home office how-to advice internet linux local companies local news local profiles macintosh mp3 players network security online music online security open-source small-business technology soho software reviews technology books technology dictionary vpn web site reviews wi-fi windows wireless technology tech articles tech news press releases tech dictionary education resources career solutions create your personal blog upload your videos become a writer usergroups special interest group SIG 3com cipts adobe adobe certified expert apc ncpi apple achds acpt acsa actc avaya bea 8.1 certified administrator 8.1 certified architect 8.1 certified developer 9 certified administrator bicsi rcdd checkpoint ccmse ccsa ccsa ngx ccse ccse ng plus with ai ccse ngx cisco access routing and lan switching ccda ccdp ccie ccip ccna ccnp ccnp old ccsp ccvp crmam ip communications optical proctored exams for validating knowledge sales specialist storage networking vpn and security wireless lan citrix cca 3.0 cca 4.0 cca 4.5 cca xp ccea 3.0 ccea 4.0 ccea xp ccia ciw ciw associate ciw certified instructor master ciw admin master ciw designer master ciw enterprise developer security analyst comptia a+ network+ security+ server+ computer associates ca cusa cuse cwna cwna cwsp dell eccouncil cea cep certified ethical hacker chfi e-commerce architect emc emc specialist implemenation technology foundations enterasys ese eta exam express exin exin itil extreme networks ena ens filemaker f7cd f8cd fortinet fortigate foundry cne fujitsu fujitsu guidance software ence hdi css hda hdm hdsa hitachi hitachi certified professional hp ais apc app aps ase certified systems developer csa cse master ase huawei hcne hyperion hcp ibm advanced deployment professional advanced technical expert application developer business process analyst certified administrator certified advanced system administrator certified advanced technical expert certified associate developer certified enterprise developer certified solution designer certified specialist certified systems expert database administrator db2 deployment professional enterprise developer eserver certified specialist ibm on demand business solution advisor solution designer solutions developer solutions expert storage administrator system administator iisfa cifi intel isaca cisa isc cissp sscp iseb itil ism cpm juniper jncia jncis legato lcaa lcea lotus clp lpi lpic level 1 lpic level 2 lpic level 3 macromedia mcafee mcdata csnd microsoft crm mbs mcad .net mcdba mcdst mcitp mcp mcpd mcsa longhorn mcsa 2003 mcsa 2008 mcsd .net mcse mcse 2000 security mcse 2000 to mcse 2003 upgrade mcse 2003 mcse 2003 messaging mcse 2003 security mcse 2008 mcts microsoft business solutions microsoft partner competency mile2 cnsa network appliance nac-na nac-nie naca nace nacp network general sniffer certified professional nokia nokia security administrator nortel ncde ncds ncse ncss ncts novell5 cna 5 cne 6 cna 6 cne 6.5 cne cne upgrade omg ocup oracle 10g dba 10g oca 11i 8i dba 9i dba 9i internet application developer oca ocp8 to ocp8i dba upgrade exam pmi project management professional polycom pcve redhat rhce rhct sair sas institute sas scp saas scp snia snia certified architect snia certified professional snia certified systems engineer snia storage networking certification program administrator professional associate symantec scse scsp scta scts teradata tca v2r5 tcad v2r5 tcda v2r5 tcis v2r5 tcm v2r5 tcp v2r5 tia ccnt ctp tibco tcp trusecure ticsa veritas infraguard chamber of commerce vcp vmware certified professional webex linkedin facebook myspace Professional page layout, image editing, vector illustration, and print production Website design, development, prototyping, and blogging Creation of rich interactive content Industry-standard visual effects and motion graphics Video capture, editing, and production; DVD titling; and digital audio, Adobe Photoshop CS3 extended, Adobe illustrator CS3,Adobe indesign CS3,Adobe Acrobat 8 Professional, Adobe Flash CS3 Professional, Adobe Dreamweaver CS3,Adobe Contribute CS3,Adobe Fireworks CS3,Adobe After Effects CS3 Professional, Adobe Premiere Pro CS3,Adobe Soundbooth CS3,Adobe Encore CS3,Adobe OnLocation,Adobe Bridge CS3,Adobe Version Cue CS3,Adobe Device Central CS3,Adobe Stock Photos, Intel Pentium 4 (1.4GHz processor for DV; 3.4GHz processor for HDV), Intel Centrino, Intel Xeon, (dual 2.8GHz processors for HD), or Intel Core, Duo (or compatible) processor; SSE2-enabled processor required for AMD systems Microsoft Windows XP with Service Pack 2 or Microsoft Windows Vista Home Premium, Business, Ultimate, or Enterprise (certified for 32-bit editions) 1GB of RAM for DV; 2GB of RAM for HDV and HD; more RAM recommended when running multiple components 10GB of available hard-disk space (additional free space required during installation) Dedicated 7,200 RPM hard drive for DV and HDV editing; striped disk array storage (RAID 0) for HD; SCSI disk subsystem preferred Microsoft DirectX compatible sound card (multichannel ASIO-compatible sound card recommended),1,280x1,024 monitor resolution with 32-bit color adapter Blu-ray burner required for Blu-ray Disc creation OHCI compatible IEEE 1394 port for DV and HDV capture, export to tape, and transmit to DV device QuickTime 7.1.2 software required to use QuickTime features Broadband Internet connection required for Adobe Stock Photos* and other services