Thursday, July 15, 2004

Locking Down a Linux box part V (conclusion)

This will be the final piece on this subject for the time being, concluding my look at the initial things to check when securing a Linux box.

This post follows up on the find command which searched for setuid & setgid permissions. Vulnerabilities in setuid/setgid binaries can often lead to root compromise, so these bits should only be used when necessary. Once again, after running the find / -perm +6000 -type f -ls command we will be given a list of the different files which are run with root privileges. The US-CERT site covers this topic as well as looking at the ncheck command.

The root privileges should be removed from unnecessary binaries with the chmod command using the -s flag.

Which binaries to remove this from depends on whether your system has untrusted local users and which applications non-root users need to run with system privileges. In a future post I'll try and look at the different files which are given root privileges by default and whether they actually need the privileges or not.


Wednesday, July 14, 2004

Locking Down a Linux box part IV

Today I'm going to go back to the netstat command that I talked about a couple of days ago. Essentially it will show you all the sockets that are in the LISTEN state and the programs that are listening on each port. The big issue here is what services this particular Linux box should be listening for. If this box is being used as a Web server, should there be a printer hooked up & should the box be running an lpd daemon in the background -- NO!! This is why it is important to only have essential services and daemons running on a Linux box.

There is a good article at the Techrepublic web site titled "Improve your Linux security: Stop unnecessary services", which talks about the same issues. A sample of the /etc/inetd.conf file can be found at the userlocal.com web site.

Some other good sites with a good overview of the security implications are the Redhat site, the YoLinux.com site, and the resnet.ubc.ca site.

Monday, July 12, 2004

Locking Down a Linux box part III

In this third entry in my Locking Down series I want to look at the commands which tell the Linux box to run programs under a different user id or group id. The SETUID and SETGID commands are very powerful in that they allow a program to be run under a different user id or group id. Why is this important? A program which doesn't need to be running on a server can be given ROOT privileges for no reason and can create a security hole that can be exploited. As any good admin knows, the only services which should be running are those that need to be running on that particular box.

The fastest way to find these files is to use the FIND command with a few particular options. The command is find / -perm +6000 -type f -ls. What this command will do is search from the root partition for any file with permissions of 6000 or higher which is a regular file and is executable. Obviously any executable file which runs with ROOT privileges should have the interest of the Administrator.
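The audit described here and in part V above (find the setuid/setgid files, then strip the bits with chmod -s), as an added shell example that is not from the original post. It builds a constructed temp directory of sample files rather than scanning /, and uses the portable -perm -4000 / -perm -2000 form, which matches the same files as the older -perm +6000.

```shell
#!/bin/sh
# Added example: audit and strip setuid/setgid bits. All sample files are
# constructed in a temp directory; nothing under / is touched.

# List every regular file under $1 carrying the setuid and/or setgid bit,
# with its mode and owner (same idea as the post's "find ... -ls").
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Count such files under (or at) $1; this is what an admin re-checks after cleanup.
count_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Remove both special bits from one binary (the post's "chmod -s") and
# print how many special-bit files remain at that path (expected: 0).
strip_special_bits() {
    chmod u-s,g-s "$1" && count_suid_sgid "$1"
}

# Build a constructed tree: one setuid script, one setgid script, one plain one.
make_demo_tree() {
    d=$(mktemp -d)
    for f in needs_root group_tool plain; do
        printf '#!/bin/sh\necho demo\n' > "$d/$f"
    done
    chmod 4755 "$d/needs_root"   # setuid bit (assumption: hypothetical name)
    chmod 2755 "$d/group_tool"   # setgid bit (assumption: hypothetical name)
    chmod 0755 "$d/plain"        # no special bits
    echo "$d"
}

# Demo run: audit, strip the unnecessary setuid bit, audit again.
DEMO=$(make_demo_tree)
echo "Before cleanup ($(count_suid_sgid "$DEMO") files):"
list_suid_sgid "$DEMO"
strip_special_bits "$DEMO/needs_root" >/dev/null
echo "After cleanup ($(count_suid_sgid "$DEMO") files):"
list_suid_sgid "$DEMO"
rm -rf "$DEMO"
```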

Sunday, July 11, 2004

Locking Down a Linux box part II

Continuing with my look at different tools to monitor a Linux box, the next command I want to look at is the netstat command. Before I look at the netstat command I want to look at the file which determines which services get started at boot time. This file is /etc/inetd.conf; it manages all the incoming connections into the Linux box. When a connection is made, inetd starts a copy of the appropriate daemon for that port. These are the services which are running in the background and which can potentially be security risks on a system. Running the command cat /etc/inetd.conf and looking for uncommented lines will show you which services are running.
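The two checks from this post and part IV above (which inetd.conf entries are enabled, and which programs netstat shows listening on every interface), as an added shell example that is not from the original post. The inetd.conf text and the netstat -l -p -n output it parses are constructed samples embedded in the script, so it runs offline.

```shell
#!/bin/sh
# Added example: parse an inetd.conf for enabled services and a netstat
# listing for network-exposed listeners, then flag ports not on an allowlist.

# Constructed sample inetd.conf: commented lines are disabled services.
SAMPLE_INETD='# sample inetd.conf (constructed)
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
printer stream  tcp  nowait  lp      /usr/sbin/tcpd  lpd'

# Print the service name of every enabled (uncommented, non-blank) entry.
enabled_inetd_services() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Constructed sample of "netstat -l -p -n" (PIDs and programs are made up).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  1042/httpd
tcp        0      0 0.0.0.0:515      0.0.0.0:*        LISTEN  812/lpd
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  901/sendmail
udp        0      0 0.0.0.0:111      0.0.0.0:*                640/portmap'

# Print "port program" for each TCP LISTEN socket bound to 0.0.0.0, i.e. the
# ones reachable from the network (loopback-only sockets are skipped).
exposed_tcp_listeners() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
        split($4, a, ":"); split($7, p, "/"); print a[2], p[2] }'
}

# Given a space-separated allowlist of expected ports, print exposed
# listeners that are NOT expected; for a web server only 80 would be.
unexpected_listeners() {
    exposed_tcp_listeners "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, ok, " "); for (i = 1; i <= n; i++) a[ok[i]] = 1 }
        !($1 in a) { print }'
}

# Demo run against the constructed samples.
echo "Enabled inetd services:"; enabled_inetd_services "$SAMPLE_INETD"
echo "Exposed listeners not expected on a web server:"
unexpected_listeners "$SAMPLE_NETSTAT" "80"
```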

netstat command
Prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Essentially it will show you all the sockets that are in the LISTEN state and the programs that are listening on each port. Netstat prints information about the Linux networking subsystem.

OPTIONS

(none)
By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed.

--route , -r
Display the kernel routing tables.

--interface=iface , -i
Display a table of all network interfaces, or the specified iface.

--verbose , -v
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.

--numeric , -n
Show numerical addresses instead of trying to determine symbolic host, port or user names.

-p, --program
Show the PID and name of the program to which each socket belongs.

-l, --listening
Show only listening sockets. (These are omitted by default.)

-a, --all
Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not marked