Securing a Linux machine on the network

Linux is convenient and powerful, but its widespread use by folks who don't really have much idea about computer security, and its availability to malicious people who want to find ways to break computers, mean it is a popular target for network-based attacks.

The best thing, of course, is to get educated about computer security in general. Failing that, here are three easy steps to take, in order of importance, that will make your Linux box an order of magnitude more secure while you figure out which services you really need and how they work.

N.B.: no warranty expressed or implied. Use at your own risk (see "the Ultimate Firewall").

  1. Enable TCP wrappers

    TCP wrappers are a layer of code that lets you control and log access to network services. The goal here is to shut off access from outside Princeton University. This doesn't guarantee your safety, but it drastically limits the number of jerks with access to your machine.

    As root, go to /etc and edit the files hosts.allow and hosts.deny.

    Add the following line to hosts.deny:

    ALL:ALL
    

    Add the following line to hosts.allow:

    ALL:LOCAL
    

    LOCAL matches any client whose hostname has no dot in it, i.e. a machine in your own domain, so together with the ALL:ALL line in hosts.deny this will deny access to all machines outside of Princeton. (If you would rather restrict access to your local subnet, use the net/mask form shown below.) Other possibilities for the hosts.allow list:

    ALL:.princeton.edu                   (allow access from Princeton machines)
    ALL:128.112.136.0/255.255.252.0      (allow access from CS 136 subnet)
    ALL:cituser@arizona.princeton.edu    (allow access for particular users)
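    To see how these rules are actually evaluated, here is an added example (not code from the original page) that models the matching order described in hosts_access(5): hosts.allow is searched first and a match grants access, then hosts.deny, and a connection that matches neither file is let in. The HOSTS_ALLOW and HOSTS_DENY strings are constructed from the rules above; the model leaves out the EXCEPT operator, KNOWN/PARANOID, shell commands and the reverse-DNS verification that the real library does, but it keeps two details worth knowing: a client with no usable reverse DNS is named "unknown" and does not match LOCAL, and a user@host rule still requires the host part to match.

```python
# Added example (not from the original page): a small model of how tcp_wrappers
# evaluates /etc/hosts.allow and /etc/hosts.deny, following hosts_access(5):
# hosts.allow first (match = grant), then hosts.deny (match = deny), else grant.
import ipaddress

# Constructed sample files using the rules from the text above.
HOSTS_ALLOW = """
ALL: LOCAL
ALL: .princeton.edu
ALL: 128.112.136.0/255.255.252.0
ALL: cituser@arizona.princeton.edu
"""
HOSTS_DENY = """
ALL: ALL
"""

# tcp_wrappers uses the literal name "unknown" for a client whose address
# has no (verifiable) reverse DNS entry.
UNKNOWN = "unknown"


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed access rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, host, addr, user):
    """Does one client pattern match a connection from host/addr (identd user)?"""
    if "@" in pattern:                      # user@host: identd name, then host part
        user_pat, host_pat = pattern.split("@", 1)
        if user_pat not in ("ALL", user):
            return False
        return client_matches(host_pat, host, addr, user)
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                  # resolvable name containing no dot
        return host != UNKNOWN and "." not in host
    if pattern.startswith("."):             # domain suffix, e.g. .princeton.edu
        return host != UNKNOWN and host.endswith(pattern)
    if "/" in pattern:                      # net/mask form, e.g. 128.112.136.0/255.255.252.0
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):               # address prefix, e.g. 128.112.
        return addr.startswith(pattern)
    return pattern == host or pattern == addr


def access_allowed(daemon, host, addr, user=UNKNOWN,
                   allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Apply hosts.allow, then hosts.deny; True means the connection is accepted."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, host, addr, user) for c in clients):
                return verdict
    return True  # nothing matched in either file: tcp_wrappers grants access


if __name__ == "__main__":
    # Constructed connections: (daemon, reverse-DNS name, address, identd user)
    for daemon, host, addr, user in [
        ("in.telnetd", "arizona", "128.112.1.5", UNKNOWN),              # matches LOCAL
        ("in.telnetd", "arizona.princeton.edu", "128.112.1.5", UNKNOWN),  # matches .princeton.edu
        ("in.ftpd", UNKNOWN, "128.112.138.7", UNKNOWN),                  # no reverse DNS, but in the CS subnet
        ("in.ftpd", UNKNOWN, "192.0.2.9", UNKNOWN),                      # no reverse DNS, off campus
        ("in.telnetd", "evil.example.com", "198.51.100.4", "cituser"),   # right user name, wrong host
    ]:
        verdict = "allow" if access_allowed(daemon, host, addr, user) else "deny"
        print(f"{daemon:11} {host:22} {addr:15} {user:8} -> {verdict}")
```

    Run it as a script to see the verdicts for the constructed connections; the cituser@arizona.princeton.edu rule is shadowed by the .princeton.edu line in this file, which is the kind of thing the model makes visible. Note also that TCP wrappers only see connections to services started through tcpd (or daemons linked against libwrap); anything else is unaffected by these two files.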
    
  2. Shut off services in inetd.conf

    The idea here is to shut off services you may not need. New security holes are discovered all the time, but if you're not running a service it doesn't matter if it has a security-related bug in it.

    Edit /etc/inetd.conf and comment out all unnecessary services by putting a # at the beginning of the line. As a start, I suggest leaving only telnet, identd, and time uncommented; you can add services such as ftp later, if you decide you want them. [Note: as I was writing this, a new ftp security hole was announced. If you don't need it, keep it turned off!] You can still use telnet and ftp from your Linux box to connect to other machines.

    After you've updated /etc/inetd.conf you have to tickle the inetd daemon (send it a HUP signal) so it re-reads the file:

    kill -HUP `pidof inetd`

    (pidof prints the process id of the running inetd. Grepping "inetd" out of ps output is riskier, because it also matches any other process with "inetd" in its command line, such as an editor still open on inetd.conf, and then HUPs the wrong process.)
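    Before and after editing, it helps to have an exact list of what inetd will start. The following is an added example, not a script from the original page: it parses a copy of inetd.conf in the standard layout (service, socket type, protocol, wait/nowait, user, server program, arguments), lists the entries that are live, points out the ones whose server is run directly rather than through tcpd (those are not covered by the hosts.allow/hosts.deny rules from step 1), and writes out a version with everything but a keep list commented out. SAMPLE_INETD_CONF and KEEP are constructed for the example; identd appears under its service name "auth".

```python
# Added example (not from the original page): audit a copy of /etc/inetd.conf.
# Layout of a service line:
#   service socket_type proto wait/nowait user server_program [args...]

# Services the text suggests leaving on. identd is listed as "auth" (port 113).
KEEP = {"telnet", "auth", "time"}

# Constructed sample, not a real distribution file.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
"""


def enabled_services(conf_text):
    """(service, proto, server_program) for every line inetd would act on."""
    found = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank or commented out
        fields = stripped.split()
        if len(fields) < 6:
            continue                      # too short to be a service entry
        found.append((fields[0], fields[2], fields[5]))
    return found


def unwrapped_services(conf_text):
    """Live entries whose server is started directly instead of via tcpd.

    'internal' services are implemented inside inetd itself, so they are
    left out of this list rather than reported as unwrapped."""
    return [(svc, proto, server)
            for svc, proto, server in enabled_services(conf_text)
            if server != "internal" and not server.endswith("tcpd")]


def harden(conf_text, keep=KEEP):
    """Return conf_text with every live entry not in `keep` commented out."""
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] not in keep:
            line = "#" + line             # same convention the text describes
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("live services:", [s for s, _, _ in enabled_services(SAMPLE_INETD_CONF)])
    print("not behind tcpd:", unwrapped_services(SAMPLE_INETD_CONF))
    print(harden(SAMPLE_INETD_CONF))
```

    In the constructed sample the identd entry is the one that bypasses tcpd, which is the sort of thing worth knowing before relying on step 1. Running the script against your real file only reads it; write the hardened text to a new file, compare, and move it into place by hand before sending inetd the HUP.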
    
  3. Install security patches

    Install security patches for your distribution. Red Hat 5.2 has (as of this writing) a relatively small number of security patches, which are listed on the Red Hat site:

    Most of these security fixes (there are about 13 in total as of Feb. 1999) are relatively minor, and most are exploitable only by local users; this is a fairly sharp contrast with RH 5.1. (For this reason I strongly recommend installing RH 5.2 instead of 5.1, and reasonably up-to-date distributions in general.) Nevertheless, you should look them over and decide which you need to install. My inexpert opinion is as follows:

    This should be enough for basic peace of mind, but you may also want to:

  4. Shut off other services (?)

    I'm not sure if these are on by default, but consider shutting off: the NFS server, NIS, and sendmail (although the urgency of all of this falls off once you've enabled TCP wrappers and installed security patches).

  5. Look at other Linux security links

    I haven't actually been able to find very much in the way of concrete examples for Linux, like the security checklists that are available for Solaris etc. Here are a few reasonably good links.