
Secure Your Linux Server

ipchains

ipchains is the packet-filtering firewall of the Linux 2.2 kernel; the 2.4 kernel replaced it with iptables but kept an ipchains compatibility module, so the commands below still run there. There are many tricks you can perform with ipchains, and a web search will turn them up. The tool is fairly easy to use once you get the hang of it, though the next few paragraphs can sound a bit overtechnical. Above all, be careful: with a firewall it is easy to lock yourself out of your own box, particularly when you are working over SSH.



ipchains manages three built-in chains: input, output and forward. A typical ipchains command names a chain and one of a handful of commands; the three you will use most are:

  • -F flushes (empties) a chain
  • -P sets the default policy for a chain, the verdict for packets that no rule matches
  • -A appends a new rule to the end of the chain

To set up a chain, you might use:

# ipchains -F input
# ipchains -A input -j REJECT

This is a blanket command that halts all incoming traffic. The first command flushes the input chain, and the second appends a rule that matches every packet and rejects it (the target of a rule is always given with -j). Note the difference between the two refusing targets: REJECT sends an ICMP error back to the sender, DENY drops the packet silently. Setting the chain's default policy with ipchains -P input DENY has the same effect as this catch-all rule and is the usual way to start a ruleset.

You could do this only on a box with no network at all, and almost every desktop or server Linux box in the world connects to a LAN or the internet. It is not even safe on the box itself: the input chain also sees loopback packets, so local clients talking to local daemons fail too. A blanket rule like this is not realistic.

There are plenty of other options to set up a more intelligent filtering system. Suppose that your Linux box is a development server accessible only on the local LAN. The IP of its network device is 192.168.25.4, with a netmask of 255.255.255.0.

On Linux you can read the machine's IP address and netmask from ifconfig; on Windows, use ipconfig at the command prompt. The rest of the LAN shares that subnet, 192.168.25.0/24, which is itself part of the 192.168.0.0/16 private block.

You might write a rule that looks like:

# ipchains -A input -i eth0 -s 192.168.25.0/255.255.255.0 \
    -d 192.168.25.4 -j ACCEPT

What the heck does that mean?

ipchains -A input appends a rule to the input chain.

-i eth0 restricts the rule to packets arriving on Ethernet network device 0 (eth0). Lowercase -i is the interface; uppercase -I is a different command (insert a rule) and a common typo.

-s 192.168.25.0/255.255.255.0 identifies the source, or sending, address. The number after the slash is the netmask, here 255.255.255.0, so the rule matches any sender on the 192.168.25.0/24 LAN rather than a single host; ipchains also accepts the prefix-length form 192.168.25.0/24.

-d 192.168.25.4 restricts the rule to packets addressed to the server itself.

-j ACCEPT designates that ipchains should let matching traffic through. You can also use REJECT or DENY to keep traffic out. On its own this rule allows nothing new, because a chain's default policy is ACCEPT; it only does useful work once the policy is DENY, and then you also need a rule that accepts the loopback interface (-i lo), or local services stop working.

The rest of ipchains, including how to let replies to the server's own outbound connections back in, is covered by the IPCHAINS-HOWTO. Bear in mind that ipchains was replaced by iptables in the 2.4 kernel; the same ideas carry over (the INPUT chain of the iptables filter table and its DROP target correspond to the ipchains input chain and DENY).
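The complete ruleset the section above builds towards, as an added example that is not the article's own script: default policy DENY, loopback accepted, then the LAN rule for the development server at 192.168.25.4/24 on eth0 (addresses from the article). The iptables version is included because 2.4 and later kernels no longer use ipchains. The DRY_RUN switch and the lanfw.sh file name are this example's own conventions; with DRY_RUN=1 the commands are printed rather than executed, so the ruleset can be reviewed before it is loaded over an SSH session it might cut off.

```shell
#!/bin/sh
# Added example, not the article's own script: a LAN-only input policy for the
# development server described above (192.168.25.4/24 on eth0). With DRY_RUN=1
# the commands are printed instead of executed.

LAN_NET=${LAN_NET:-192.168.25.0/255.255.255.0}
SERVER_IP=${SERVER_IP:-192.168.25.4}
IFACE=${IFACE:-eth0}

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipchains ruleset (2.2 kernels, or the ipchains compatibility module on 2.4).
# Order matters: set the default policy to DENY before trusting anything, and
# accept loopback first, or local clients of local daemons (the resolver, X,
# a local MTA) stop working the moment the rules load.
ipchains_lan_rules() {
    run ipchains -F input
    run ipchains -P input DENY
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$IFACE" -s "$LAN_NET" -d "$SERVER_IP" -j ACCEPT
    # Anything else falls through to the DENY policy and is dropped silently;
    # use REJECT instead if senders should receive an ICMP error.
}

# The same policy with iptables, which replaced ipchains in the 2.4 kernel:
# the filter table's INPUT chain is the counterpart of the ipchains input
# chain, and DROP is the iptables name for DENY.
iptables_lan_rules() {
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -s "$LAN_NET" -d "$SERVER_IP" -j ACCEPT
}

# Usage:  sh lanfw.sh ipchains      or      DRY_RUN=1 sh lanfw.sh iptables
case "${1:-}" in
    ipchains) ipchains_lan_rules ;;
    iptables) iptables_lan_rules ;;
esac
```

Run it first with DRY_RUN=1 and read the four lines it prints; if you must load it over SSH, keep a second shell open and, on a 2.4 kernel, consider scheduling an ipchains -F input followed by ipchains -P input ACCEPT a few minutes later with at(1) as a safety net you cancel once you have confirmed you can still log in.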

Other Tricks

Some other tricks that further secure your server involve the hosts.allow and hosts.deny files.

/etc/hosts.allow and /etc/hosts.deny are the access-control lists of tcp wrappers (libwrap), which wrap a network service in a host-based rule: a daemon started through tcpd or linked against libwrap consults both files before accepting a connection. Each line is daemon_list : client_list. hosts.allow is read first and the first matching line grants access; then hosts.deny is read and the first matching line refuses it; a connection that matches neither file is allowed. Comments start with #, not //. Your hosts.allow file might look similar to:

# Allow everything from localhost
ALL : 127.0.0.1
# Allow SSH access from anyone except 192.168.1.101
sshd : ALL EXCEPT 192.168.1.101

Your /etc/hosts.deny file might resemble:

# No one else can connect via anything except from loopback
ALL : ALL EXCEPT 127.0.0.1

An explicit : ALLOW or : DENY option at the end of a line, which some examples show, is accepted when libwrap is built with PROCESS_OPTIONS (as Linux distributions do) but is redundant here: the file a rule lives in already decides the verdict. Remember that tcp wrappers only protects services that go through libwrap. A daemon that listens on its own without it never looks at these files, and OpenSSH dropped libwrap support in release 6.7, so on a modern system sshd ignores them too and you need the firewall or sshd's own configuration instead. Check the files for syntax errors with tcpdchk, and test a specific case with tcpdmatch sshd 192.168.1.101.
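To see how the two files above interact, here is a small model of the libwrap decision order, added as an example and not taken from the article or from tcp wrappers itself. It implements only the subset of the hosts_access(5) grammar the article uses (daemon : client-list, ALL, a single EXCEPT, exact addresses and dotted prefixes such as 192.168.) and ignores the optional third field; hostnames, netmasks, PARANOID and shell commands are not handled. The two file contents are constructed inline with the # comment syntax libwrap expects. For a real check use tcpdmatch(8).

```shell
#!/bin/sh
# Added example, not from the article and not libwrap: a model of how tcp
# wrappers walks hosts.allow and then hosts.deny, for reasoning about a ruleset.

# The article's two files, constructed here for the example.
HOSTS_ALLOW='
# Allow everything from localhost
ALL : 127.0.0.1
# Allow SSH access from anyone except 192.168.1.101
sshd : ALL EXCEPT 192.168.1.101
'
HOSTS_DENY='
# No one else can connect via anything except from loopback
ALL : ALL EXCEPT 127.0.0.1
'

# token_matches TOKEN VALUE: ALL matches anything, a token ending in a dot
# matches a dotted prefix, anything else must match exactly.
token_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches LIST VALUE: LIST looks like "a, b EXCEPT c, d". VALUE matches
# when it matches a token before EXCEPT and no token after it.
list_matches() {
    side=include; hit=1
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$tok" = EXCEPT ]; then side=except; continue; fi
        if token_matches "$tok" "$2"; then
            if [ "$side" = include ]; then hit=0; else return 1; fi
        fi
    done
    return $hit
}

# file_matches CONTENT DAEMON CLIENT: true if any rule line in CONTENT
# matches both the daemon name and the client address.
file_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in *:*) ;; *) echo "skipping malformed line: $line" >&2; continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}          # drop an optional third (options) field
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            echo match
            break
        fi
    done | grep -q match
}

# wrap_decision DAEMON CLIENT: prints ALLOW or DENY the way libwrap decides:
# hosts.allow first (first match grants), then hosts.deny (first match
# refuses); a connection matching neither file is allowed.
wrap_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then
        echo ALLOW
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW
    fi
}

# Usage: wrap_decision sshd 192.168.1.101    (prints DENY)
```

The last branch is the one people forget: with an empty hosts.deny everything is allowed, which is why the deny file carries the ALL : ALL catch-all and the allow file carries the exceptions.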

Intrusion Detection

You may want to consider a package like Tripwire to detect intrusions. It does not ship with Red Hat 9, but you can get the source and compile it yourself. It takes a baseline of critical files (cryptographic hashes plus attributes such as size, permissions and owner), stores it in a database, and on later runs compares the live files against that baseline and reports anything that changed. Two things decide whether it is worth anything: take the baseline on a freshly installed, known-clean system, and keep the database and the checking binary where an intruder cannot rewrite them, for example on read-only media or on another host.

An effective attacker won't just break into your system. He will also plant a back door so that he can get back in later, and most of the time that means replacing or editing existing files: a trojaned ls, ps or sshd, an extra account, an added cron job. File-integrity checking is one way to catch that.
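A minimal version of what Tripwire does, added as an example (not the article's code and not Tripwire or AIDE): record the SHA-256, size, permissions and owner of every regular file under a directory, then report what changed, vanished or appeared. It assumes coreutils sha256sum (falling back to shasum) and that paths contain no whitespace; the baseline path /mnt/cdrom/etc.baseline in the usage comment is only an illustration of keeping the baseline off the writable disk.

```shell
#!/bin/sh
# Added example, not from the article or from Tripwire: a minimal
# file-integrity baseline and check. Keep the baseline where an intruder
# cannot rewrite it, or a back door can simply re-baseline itself.

# Portable SHA-256: coreutils sha256sum, or shasum on BSD/macOS (assumed).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fim_baseline DIR: prints one line per regular file:
#   path sha256 size mode owner
fim_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s %s\n' "$f" "$(hash_file "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" \
            "$(ls -ld "$f" | awk '{print $1, $3}')"
    done
}

# fim_check DIR BASELINE: compares the live tree with a saved baseline and
# prints CHANGED/MISSING/NEW lines. Exit status is 1 when anything differs,
# so it can drive a cron job or a monitoring check.
fim_check() {
    fim_baseline "$1" | awk '
        FILENAME == ARGV[1] { base[$1] = $0; next }   # saved baseline
        {                                             # live listing (stdin)
            seen[$1] = 1
            if (!($1 in base))       { print "NEW", $1; n++ }
            else if (base[$1] != $0) { print "CHANGED", $1; n++ }
        }
        END {
            for (p in base) if (!(p in seen)) { print "MISSING", p; n++ }
            exit n > 0
        }' "$2" -
}

# Usage:
#   fim_baseline /etc > /mnt/cdrom/etc.baseline    # on a known-clean system
#   fim_check /etc /mnt/cdrom/etc.baseline         # later, from cron
```

The comparison deliberately includes mode and owner, not just the hash: a back door that makes /bin/sh setuid root changes no content at all. What this toy lacks and Tripwire has is a signed database and a policy language saying which attributes matter per directory (log files grow legitimately; binaries must not change).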

Summary

There are many other tricks and tips available to the security-conscious system administrator. The key to being effective is to always be on your toes and ready to think outside the box. There is generally more than one way to skin a cat, and attackers are constantly inventing or discovering new means.

Please don't read this article and think this is the last word in system security. These tips merely scratch the surface. Happy guarding!

Aaron Brazell is an author and blogger from Baltimore, Maryland, and is the primary system administrator for b5media, a network of more than 100 blogs.




Are there any other changes you make to secure a Linux box?

  • ftpusers
    2006-03-28 12:21:39  CraigBuchek

    According to the man page, the contents of /etc/ftpusers is those who may NOT log in via the FTP daemon. So you want to make sure that root IS listed in that file.
  • The article is 3 years old!
    2006-03-25 01:47:28  AaronBrazell

    Gimme a break. I know IPChains is obsolete. I also wouldn't be talking about 2.4 kernel. O'Reilly picked up an article that was written over three years ago. Most of the stuff is still relevant so take that and spit out the IPChains stuff. If I would have had a chance to tweak this article before O'Reilly got it, I would have. As it was, it was handed off from the previous publisher.
  • Using ipchains and you talk of security
    2006-03-24 23:31:04  topdog

    ipchains is obsolete in the kernels of today; iptables features have far superseded those of ipchains. I don't even think ipchains is being maintained anymore.
  • The Bastille Hardening program as a starting point
    2006-03-24 21:21:46  nzheretic

    The Bastille Hardening program (http://www.bastille-linux.org/) is a great tool for hardening your Linux servers:

    The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works.

    Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX and Mac OS X. Bastille focuses on letting the system's user/administrator choose exactly how to harden the operating system. In its default hardening mode, it interactively asks the user questions, explains the topics of those questions, and builds a policy based on the user's answers. It then applies the policy to the system. In its assessment mode, it builds a report intended to teach the user about available security settings as well as inform the user as to which settings have been tightened.


    I would recommend using the assessment mode on every server, even if you have not used Bastille to harden the system. You quickly learn what weaknesses the servers have, and even if a server in the green zone is not directly connected to the Internet, you will quickly discover where it could be exploited.

  • Intrusion Detection
    2006-03-24 06:34:23  Wave2Limited

    AIDE (Advanced Intrusion Detection Environment) is a good alternative to Tripwire; in fact it does more, and for free. Check it out at http://www.cs.tut.fi/~rammer/aide.html
  • just wanted to add to my previous comment.
    2006-03-24 02:39:34  anshu123

    I have no intention to disregard your article =). In fact, I did learn a few things too.

    Just that the things I totally love when it comes to Linux and security were not mentioned, and I got a tick worked up.

    I am passionate about Linux and sometimes I get worked up. :D

    Peace out.
  • What? Is this an O'Reilly Linux server security article?
    2006-03-24 02:23:25  anshu123

    As someone above commented, why ipchains?

    On one thought, how much will I get paid to write an article explaining setting up the following things on Linux?

    Recompiling kernel 2.4.* with the grsec patch.
    Firewall with iptables.
    APF with BFD (brute force detection).
    rkhunter / chkrootkit.
    Finally, scanning and hardening your configurations with the Bastille script.

    This might sound advanced, but the way script kiddies have easy access to exploits on IRC and underground sites, installing the above should be basic in security.

    On another thought, I might not write this kind of article, as I would prefer "real companies" hire an experienced professional admin who has chiseled his skills for years securing Linux, and not some admin who claims to have KB securing Linux relying on an O'Reilly article.

    Peace.
  • ipchains?!?
    2006-03-23 22:08:19  tekNico

    Nice article, but why are you still using ipchains, and not mentioning iptables at all?


©2009, O'Reilly Media, Inc.