Securing Linux servers isn’t as hard as you think, as long as you think defensively from the get-go.
You may well have chosen to migrate to Linux servers to support your business due to the cost savings. Or perhaps your move to Linux was brought about by the seemingly never-ending security holes and related patches associated with the Windows operating system.
The move to Linux is a wise one, given both economics and security concerns. However, adopting Linux doesn’t mean you can neglect security. Regardless of the operating system or whether the server is privately or publicly accessible, any server should be installed with security in mind and maintained within the context of a security process over time.
That said, how do you secure your Linux servers? Do you have to be an expert? Hardly. Start by thinking about the role of your Linux server before you install the operating system. Will your Linux server host a Web site, or will it act as a file-and-print server on your network? Maybe you’re using a Linux server to host your company’s intranet or to serve up other company applications. Defining the server role up front helps you determine the type of installation to do. It also helps you decide which portions of the operating system and associated applications will require security configurations.
Next, think about physical security. It may sound simplistic, but you need to keep your Linux server in a secure room that only authorized administrators can enter. Anyone with physical access can boot the machine from their own media, pull a disk, or drop it into single-user mode from the console, which makes every software control that follows moot. Beyond the risk of administrative log-on information falling into unauthorized hands, you also need to prevent accidental power loss (as in: oops, I tripped over the power cord) and protect the power and reset switches against unauthorized reboots.
With your server in a secure room, you next need to add some password protection. You’ll want to implement both a BIOS password and a boot password. To set these passwords, you’ll need to enter system setup. When most systems start up, a message tells you which key(s) to press to access system setup. Some servers have a separate BIOS configuration program, whereas the boot password might be set using system setup.
For example, you might need to press F1 on start-up to access the BIOS configuration, while accessing system setup might require a press of the INS key. You want to password-protect your BIOS to prevent unauthorized changes to hardware. Don’t forget the password, but don’t write it down and post it next to the server, either.
Setting the boot password protects your server because a password prompt appears before any operating system is loaded. Only authorized administrators should reboot the server, and the boot password ensures that an unauthorized power-up gets no further than that prompt. Bear in mind that both passwords live in the firmware’s settings memory, which anyone who can open the case can usually clear with a jumper or by removing the battery, so they complement the locked room rather than replace it.
One other item to note is the boot order. Many systems default to a boot-up sequence that tries removable media (floppy, CD-ROM, USB) or the network first and the hard drive(s) last. You can further secure your server by changing the boot order so that only the hard drive holding your Linux installation is tried. This prevents someone with bootable media from starting their own operating system and making unauthorized changes to your server. The boot order is usually found in the system setup, which is accessible during server startup.
When you’re ready to install Linux, be certain to split the file system tree across multiple partitions. Many popular Linux distributions make it easy to install Linux in a single partition and, though it may seem a hassle, you should create separate partitions for the major parts of the tree (e.g., /boot, / (root), /tmp, /var, /usr, /home).
A number of benefits underscore the importance of doing this. First, attackers who gain a foothold often stage their tools in world-writable directories like /tmp and run them from there to escalate to root. Isolating those directories on their own file system lets you restrict what can happen in them.
Furthermore, separate partitions let you protect your server from users who accidentally (or purposely) launch executables from their home directories (/home) or from /tmp. Mount user-writable partitions with the noexec option to block unauthorized executable launches, and add nosuid and nodev so that setuid binaries and device nodes are ignored there; the same options belong on /var/tmp and /dev/shm. Note that noexec is a speed bump rather than a wall: an interpreter can still read a script from a noexec file system, and some installers and build tools expect to execute from /tmp, so test package updates after adding it.
Another benefit of separate partitions is the ability to mount some of them read-only. /usr (which on most current distributions holds what used to be in /bin and /sbin) and /boot change only during package updates and can be mounted read-only between them. /etc lives on the root file system and is edited by package updates and by administrators, so a read-only root means remounting read-write (mount -o remount,rw /) for maintenance and remounting read-only afterwards.
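The following script is an added example, not part of the original article: it audits an fstab against the mount-option policy described above. The policy itself (nodev, nosuid and noexec on /tmp, /var/tmp, /home and /dev/shm; ro on /boot) is an assumption for illustration, and the fstab it checks is a constructed sample, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit an fstab for the mount
# options discussed above. The policy below is an assumption for illustration:
#   /tmp, /var/tmp, /home, /dev/shm  -> nodev,nosuid,noexec
#   /boot                            -> ro
# Usage: audit_fstab /etc/fstab   (prints one line per missing option, exit 1 if any)

has_opt() {   # has_opt "<comma-separated options>" "<option>"
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

audit_fstab() {
    # strip comments, keep "mountpoint options" from lines with at least 4 fields
    findings=$(sed 's/#.*//' "$1" | awk 'NF >= 4 { print $2, $4 }' |
        while read -r mnt opts; do
            case "$mnt" in
                /tmp|/var/tmp|/home|/dev/shm)
                    for o in nodev nosuid noexec; do
                        has_opt "$opts" "$o" || echo "$mnt missing $o"
                    done ;;
                /boot)
                    has_opt "$opts" ro || echo "/boot missing ro" ;;
            esac
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

make_sample_fstab() {   # constructed sample fstab, not taken from a real host
    f=$(mktemp)
    cat >"$f" <<'EOF'
UUID=1111-aaaa /      ext4  defaults,errors=remount-ro    0 1
UUID=2222-bbbb /boot  ext4  defaults                      0 2
UUID=3333-cccc /home  ext4  defaults,nodev,nosuid         0 2
tmpfs          /tmp   tmpfs defaults,nodev,nosuid,noexec  0 0
UUID=4444-dddd none   swap  sw                            0 0
EOF
    echo "$f"
}

sample=$(make_sample_fstab)
audit_fstab "$sample" || echo "fstab needs attention"
rm -f "$sample"
```

On the sample it reports that /boot lacks ro and /home lacks noexec. Options added to fstab take effect at the next mount; to apply them to a running system without a reboot, use mount -o remount,nodev,nosuid,noexec /home and then retest anything that writes to that tree.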
Only what you need
When you install Linux on your server, be sure that you only install the software that you need. For example, if your server is going to act as a firewall and a router between your LAN and the Internet, you won’t need to install a Web server or a graphical user interface.
Likewise, don’t load the X Window System on a server machine. An X server speaks a network protocol and, unless it is started with -nolisten tcp, listens on TCP port 6000, offering attackers an access point. Use only the command line on the server; if you occasionally need a graphical tool, run it from an administrator’s workstation over an SSH tunnel (ssh -X) rather than installing a display on the server.
After you have your operating system installed and customized for the role of your server, check with the supplier of your Linux distribution for security updates. Most distributions include tools that check for updates (apt, dnf, zypper); configure them so you can inspect updates before installation and decide whether the new software applies to your setting. Subscribe to your vendor’s security announcement list and check for updates at least weekly, but don’t let a critical fix wait for the weekly slot.
Remember how earlier we added a password to secure the server boot-up process? You can also protect the Linux boot loader itself. With LILO, password= sets a password and the restricted keyword makes it apply only when someone tries to pass parameters to the kernel (such as init=/bin/sh or single). GRUB 2 uses set superusers and password_pbkdf2 in its configuration, so that editing a menu entry or opening the GRUB command line requires authentication. Setting a plain password is straightforward; restricting kernel parameters is what keeps an unauthorized person at the console from booting straight into a root shell.
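The following is an added example, not from the original article, showing the GRUB 2 equivalent of LILO’s password/restricted setup. It assumes a Debian-style layout (/etc/grub.d/40_custom regenerated with update-grub; dnf-based systems use grub2-mkconfig -o /boot/grub2/grub.cfg instead) and that you have already produced a hash interactively with grub-mkpasswd-pbkdf2. The hash string used in the demonstration is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the original article. Appends a GRUB 2 superuser
# stanza to a custom config fragment. Assumed Debian-style layout:
# /etc/grub.d/40_custom and update-grub. Generate the hash interactively with
#   grub-mkpasswd-pbkdf2
# and paste the "grub.pbkdf2.sha512...." string as the third argument.

write_grub_superuser() {   # write_grub_superuser <40_custom path> <user> <pbkdf2 hash>
    cat >>"$1" <<EOF
# "$2" must authenticate to edit entries or use the GRUB command line
set superusers="$2"
password_pbkdf2 $2 $3
EOF
}

grub_has_superuser() {     # grub_has_superuser <file> -> 0 if a superusers line is present
    grep -q '^set superusers=' "$1"
}

# Demonstration on a temporary file; the hash below is a placeholder, not a real one.
# On a real host: write_grub_superuser /etc/grub.d/40_custom admin "$HASH" && update-grub
tmp=$(mktemp)
write_grub_superuser "$tmp" admin 'grub.pbkdf2.sha512.10000.PLACEHOLDER'
grub_has_superuser "$tmp" && cat "$tmp"
rm -f "$tmp"
```

Two caveats. Once superusers is set, GRUB requires the password to boot any entry that is not marked --unrestricted; some distributions add that flag to the generated entries and some do not, so test from the console before relying on it. Also set GRUB_DISABLE_RECOVERY="true" in /etc/default/grub so that no single-user recovery entries are generated at all.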
Services, users, and files
Next, disable any services that you don’t need in order to fulfill the role of your server. Many Linux distributions start a lot of services by default, and every one that listens on the network is an entry point for attackers. List what is actually listening (ss -tlnp) and what is enabled at boot (systemctl list-unit-files --state=enabled), compare that with the role you defined, and disable anything that doesn’t belong (systemctl disable --now <unit>) rather than merely stopping it.
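The following script is an added example, not part of the original article: it compares the TCP ports a host listens on with the ports its role needs, so leftover services stand out. The per-role port lists are assumptions for illustration, and the ss output it parses is a constructed sample, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original article. Compares the TCP ports a host
# listens on with the ports its role actually needs. Role port lists are
# assumptions for illustration; SAMPLE_SS is constructed. On a live host:
#   unexpected_listeners web "$(ss -Hltn)"
# then disable what you find, e.g. systemctl disable --now rpcbind.socket

role_ports() {   # role_ports <role> -> ports the role needs (22 for ssh administration)
    case "$1" in
        web)       echo "22 80 443" ;;
        fileprint) echo "22 139 445 631" ;;
        router)    echo "22" ;;
        *)         echo "22" ;;
    esac
}

listening_ports() {   # stdin: `ss -Hltn` output; field 4 is Local Address:Port
    awk '{ print $4 }' | sed 's/.*://' | sort -un
}

unexpected_listeners() {   # unexpected_listeners <role> "<ss -Hltn output>"
    allowed=" $(role_ports "$1") "
    printf '%s\n' "$2" | listening_ports | while read -r port; do
        case "$allowed" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# constructed sample of `ss -Hltn` on a "web" server that still runs rpcbind,
# a mail listener and an X server listening on the network
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  0.0.0.0:80     0.0.0.0:*
LISTEN 0 511  [::]:443       [::]:*
LISTEN 0 100  127.0.0.1:25   0.0.0.0:*
LISTEN 0 4096 0.0.0.0:111    0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6000   0.0.0.0:*'

unexpected_listeners web "$SAMPLE_SS"
```

On the sample it prints 25, 111 and 6000. The loopback-only mail listener is the least urgent of the three, but a port that only local processes can reach is still a service to patch, so either disable it or document why the role needs it.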
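The following script is an added example, not part of the original article: it reports which hashing scheme each account in a shadow-format file uses, flags the legacy ones, and lists accounts whose hash still sits in the world-readable passwd file. The shadow and passwd lines it reads are constructed samples with placeholder hashes, not data from a real host; on a real system run it as root against /etc/shadow and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original article. Classifies the password-hash
# scheme of each shadow entry and flags legacy schemes. Sample lines are
# constructed. On a real host (as root):
#   audit_shadow /etc/shadow ; passwd_unshadowed /etc/passwd

hash_scheme() {   # hash_scheme "<second field of a shadow line>"
    case "$1" in
        ''|'*'*|'!'*)   echo locked ;;        # no usable password (or locked with usermod -L)
        '$y$'*)         echo yescrypt ;;
        '$7$'*)         echo scrypt ;;
        '$6$'*)         echo sha512crypt ;;
        '$5$'*)         echo sha256crypt ;;
        '$2'[abxy]'$'*) echo bcrypt ;;
        '$1$'*)         echo md5crypt ;;      # fast and obsolete; rehashed at next password change
        '$'*)           echo unknown ;;
        *)              echo descrypt ;;      # traditional DES crypt: 8-char limit, cheap to crack
    esac
}

audit_shadow() {   # prints "<user> <scheme>" for accounts with weak or unknown schemes
    awk -F: 'NF >= 2 { print $1 ":" $2 }' "$1" |
    while IFS=: read -r user hash; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in md5crypt|descrypt|unknown) echo "$user $scheme" ;; esac
    done
}

passwd_unshadowed() {   # accounts whose passwd field is not the "x" shadow placeholder
    awk -F: '$2 != "x" { print $1 }' "$1"
}

make_sample_shadow() {   # constructed sample; the hashes are truncated placeholders
    f=$(mktemp)
    cat >"$f" <<'EOF'
root:$6$Qw3rTy$abcdefghijklmnop:19000:0:99999:7:::
alice:$y$j9T$Zx9Cv8Bn$abcdefghijklmnop:19000:0:99999:7:::
bob:$1$AbCdEf$abcdefghijklmnop:19000:0:99999:7:::
carol:aB3cD4eF5gH6i:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
dave:!$6$Qw3rTy$abcdefghijklmnop:19000:0:99999:7:::
EOF
    echo "$f"
}

sample=$(make_sample_shadow)
audit_shadow "$sample"
rm -f "$sample"
```

On the sample it reports bob (md5crypt) and carol (descrypt). Fixing them means setting ENCRYPT_METHOD in /etc/login.defs and then forcing a password change (chage -d 0 <user>), since the stored hash cannot be upgraded without the plaintext.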
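The following script is an added example, not part of the original article: it checks whether a pam.d/su file actually enforces pam_wheel group membership and prints the stanza that does. The two files it examines are constructed samples; the "weak" one mirrors the common default in which the pam_wheel line ships commented out.

```shell
#!/bin/sh
# Added example, not from the original article. Checks whether a pam.d/su file
# requires pam_wheel group membership and shows the stanza that enforces it.
# Both sample files are constructed. On a real host: su_pam_status /etc/pam.d/su

su_pam_status() {   # su_pam_status <pam.d/su file> -> enforced | not-enforced
    # an active auth line with control "required"/"requisite" on pam_wheel.so;
    # "sufficient pam_wheel.so trust" would instead let group members skip the password
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
    then echo enforced; else echo not-enforced; fi
}

hardened_su_stanza() {   # lines to place in /etc/pam.d/su ahead of the common auth stack
    cat <<'EOF'
auth       sufficient pam_rootok.so
# only members of group "wheel" may run su; use_uid checks the caller's real uid
auth       required   pam_wheel.so use_uid
EOF
}

make_sample() {   # make_sample weak|hardened -> path of a constructed pam.d/su file
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        hardened_su_stanza >"$f"
    else
        printf 'auth       sufficient pam_rootok.so\n# auth       required   pam_wheel.so\n' >"$f"
    fi
    echo '@include common-auth' >>"$f"
    echo "$f"
}

for kind in weak hardened; do
    f=$(make_sample "$kind")
    echo "$kind: $(su_pam_status "$f")"
    rm -f "$f"
done
```

Add administrators to the group with usermod -aG wheel <user>, or pass group=sudo (or another group) to pam_wheel.so on distributions that do not use wheel. Two caveats: pam_wheel’s deny option inverts the meaning of the line, so a grep for the module name alone is not proof of enforcement; and keep pam_rootok.so first, or root itself will be prompted.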
It is beyond the scope of this article to try to cover all aspects of Linux server security. Obviously, there is plenty of documentation available for the Linux platform. However, if you are new to security and Linux administration, you might want to read about Linux security options in more detail.
One such book is “SAMS Teach Yourself Linux Security Basics in 24 Hours.” This book is useful because it provides an overarching approach to treating security as a process rather than an event. Aside from discussing initial installation and configuration of security, it also covers how to audit your system (which you should do regularly), how to monitor your server, and how to decide in advance how you will respond in the event of an attack.
Checking it off
Linux servers need to be configured from the start with security in mind.
Linux Server: Security Checklist
- Clearly define the role of the server (e.g., Web, file and print, application)
- Split the file system tree across multiple partitions
- Make the root partition read-only
- Install only the software you need to fulfill the server’s role
- Download and install all security updates from your Linux supplier
- Password-protect your BIOS
- Change system setup to boot only to the first hard drive
- Be sure the server is located in a physically secure area
- Secure the boot process
- Perform a system and user audit
- Secure the file system
- Use Pluggable Authentication Modules
- Secure X Windows access
- Safeguard TCP/IP
- Secure Web services (e.g., Apache, FTP, SMTP)
- Examine DNS and BIND
- Protect NFS and Samba
- Implement data encryption
- Set up an auditing and monitoring plan
- Establish a recovery plan