Derwynd's Weblog

Security Section

In general, many new Linux system administrators create only two partitions, / (root) and swap, for the entire hard drive. This is a bad idea. You always need to consider the following points:

Assume you have a 120 GB SCSI hard disk with only / and swap. Along comes a user (an internal user, an external user, or an intruder who has obtained a shell) who runs something that eats the whole disk: a denial-of-service attack against disk space. For example, any user can run the following tiny script from /tmp:

# keeps writing a fresh temporary file until the filesystem holding /tmp is full
while :; do man bash > "$(mktemp)"; done

Anyone can run the script from cron (if cron is allowed) or simply detach it from the terminal with nohup:

$ nohup bad-script &

The result is a disaster. Because /tmp, /var, /home and everything else share the one root filesystem, the whole system is under denial of service: logging, mail, package management and even logins fail once / is full. Disk quotas only help if they are enabled on that filesystem, and on a single / they usually are not. One Linux sysadmin who had created only two partitions later watched a poorly written application eat all the space in /var/log/; the end result was a memo, because he had not followed the internal documentation on partition layout for client servers.

You can create partitions as follows:
/ – root partition
/home – users' home directories
/usr – where the system's binary programs and libraries are installed
/tmp – temporary files
/var – files that keep changing size, e.g. logs, mail spools or the squid cache

Without separate partitions, the following attacks and problems are possible:
1. Denial of service against disk space (the script above)
2. Users can download or compile binaries, SUID programs included, in /tmp or even in /home and run them from there; with everything on one filesystem there is no way to mount those directories nosuid or noexec
3. Per-filesystem performance tuning is not possible: you cannot choose mount options, a filesystem type or a separate disk per purpose

All of these can be blocked by adding the following mount options to the relevant lines in /etc/fstab:
nosuid – ignore SUID/SGID bits on files in this filesystem
nodev – do not interpret character or block special devices on this filesystem
noexec – do not allow direct execution of binaries from this filesystem (a speed bump rather than a wall: a script can still be run as "sh /tmp/script", and older kernels let the dynamic loader start a binary from a noexec filesystem)
ro – mount the filesystem read-only
quota – enable disk quotas (usrquota and grpquota are the explicit forms; quotas only take effect after quotacheck and quotaon have been run)
Note that these options can only be set if you have separate partitions. Create the partitions as above and set the following options on each:
/home – nosuid and nodev, plus quota
/usr – nodev
/tmp – nodev, nosuid and noexec

For example, the /etc/fstab entries for these partitions should look like this (the last two fields are the dump frequency and the fsck pass order: / is checked first, the others second):
/dev/sda1 / ext3 defaults 1 1
/dev/sda2 /home ext3 defaults,nosuid,nodev,usrquota 1 2
/dev/sda3 /usr ext3 defaults,nodev 1 2
/dev/sda4 /tmp ext3 defaults,nosuid,nodev,noexec 1 2
Do not put nosuid, noexec or ro on / itself: in this layout /bin, /sbin and init live on the root filesystem, and su, sudo and the boot process all have to work from it.

For more information, read the man pages for fstab, mount and fdisk.
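An audit script for the layout described above, added here as an example and not part of the original post. The policy table (which options /tmp, /home and /usr must carry, and nothing restrictive on /) is taken from the text; the sample fstab it runs against is constructed for the demo and deliberately contains the mistakes a reviewer should catch. It goes slightly beyond the page by also flagging an fsck pass of 0 on ext filesystems, which means the filesystem is never checked at boot.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab against the layout above.
# Assumptions: the policy table below is taken from the text, and the sample fstab at
# the bottom is constructed for the demo.

# has_opt OPTS NAME: succeed if the comma-separated option list OPTS contains NAME
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Mount point -> options it must have, one entry per line (policy from the text above).
POLICY='/home:nodev,nosuid
/usr:nodev
/tmp:nodev,nosuid,noexec'

# fstab_audit FILE: print one line per finding, return the number of findings (0 = clean)
fstab_audit() {
    findings=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac        # blank lines and comments
        case "$fstype" in swap) continue ;; esac       # swap has no mount options to check

        if [ "$mnt" = "/" ]; then
            # The root filesystem holds /bin, /sbin and init in this layout, so the
            # restrictive options must not go there, and it must be fsck'd first.
            for bad in noexec nosuid ro; do
                if has_opt "$opts" "$bad"; then
                    echo "/: option '$bad' on the root filesystem will break booting"
                    findings=$((findings + 1))
                fi
            done
            if [ "${pass:-0}" != 1 ]; then
                echo "/: fsck pass should be 1, found ${pass:-unset}"
                findings=$((findings + 1))
            fi
            continue
        fi

        # options this mount point must carry according to POLICY (empty = no policy)
        required=$(printf '%s\n' "$POLICY" | sed -n "s|^$mnt:||p")
        if [ -n "$required" ]; then
            old_ifs=$IFS; IFS=,
            for o in $required; do
                if ! has_opt "$opts" "$o"; then
                    echo "$mnt: missing $o"
                    findings=$((findings + 1))
                fi
            done
            IFS=$old_ifs
        fi

        case "$fstype" in
            ext2|ext3|ext4)
                if [ "${pass:-0}" = 0 ]; then
                    echo "$mnt: fsck pass is 0, so the filesystem is never checked at boot"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$1"
    return "$findings"
}

# Constructed sample: the page's layout with the mistakes a reviewer should catch
# (restrictive options and pass 0 on /, /home without nosuid, /var never fsck'd).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>  <mount>  <type>  <options>                          <dump> <pass>
/dev/sda1   /        ext3    defaults,nosuid,nodev,noexec,ro    0      0
/dev/sda2   /home    ext3    defaults,nodev                     1      2
/dev/sda3   /usr     ext3    defaults,nodev                     1      2
/dev/sda4   /tmp     ext3    defaults,nosuid,nodev,noexec       1      2
/dev/sda5   /var     ext3    defaults,nodev,nosuid              0      0
/dev/sda6   swap     swap    defaults                           0      0
EOF

fstab_audit "$SAMPLE_FSTAB" || echo "$? finding(s) in $SAMPLE_FSTAB"
```

Point it at the real file with `fstab_audit /etc/fstab`; it only reads. After editing fstab, `mount -o remount /tmp` re-reads that line and applies the new options without a reboot, and /proc/mounts shows what is actually in effect.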

Apply the Secure Linux Kernel Patch: read the directions that come with it to install the diff.
Don't forget to make the changes under performance.
Turn off everything you don't need. That includes telnet (you aren't using telnet, are you?), NFS and the many other services that come enabled in a default install.
Blunt SYN flood attacks by enabling SYN cookies:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Add this to /etc/rc.d/rc.local so it survives a reboot (or put the equivalent net.ipv4.tcp_syncookies setting in /etc/sysctl.conf, which is the cleaner way). SYN cookies keep the listen queue usable during a flood; they do not stop the flood itself.
Check for spoofed hostnames: edit /etc/host.conf and add the following lines:
#Check for IP address spoofing.
nospoof on
Be clear about what this does: nospoof is a resolver setting that cross-checks reverse and forward DNS, so a forged PTR record cannot pass a hostname-based access check. It does nothing about forged source addresses on the wire; for that, enable reverse-path filtering (net.ipv4.conf.all.rp_filter).
Set the immutable bit (chattr +i) on the passwd and shadow files. You will have to clear it (chattr -i) to change passwords, add users or install packages that create accounts, so do this only after the system is stable.
Block su access: edit /etc/pam.d/su and add the following two lines at the top of the file:
auth sufficient /lib/security/ debug
auth required /lib/security/ group=wheel
The module file names after /lib/security/ have been lost from the page as reproduced here: the first line is the module that lets root su without a password, and the second is the wheel-group module, pam_wheel, which is the one that takes group=wheel. Check the exact file names in your distribution's PAM documentation before copying these lines, because if PAM cannot load a "required" module, su fails for everyone, root included. With the lines in place, only users in the wheel group can su.
Add the users you need to that group:
usermod -a -G wheel username
The -a flag matters: usermod -G without -a replaces the user's supplementary groups instead of adding one. On Red Hat-derived systems wheel is GID 10, which is what -G10 referred to.
I changed my /etc/fstab as follows:
/dev/sda5 /tmp ext2 nosuid,nodev,noexec 1 2
This was to make /tmp safer. Of course your /dev entry will be different.
I don't like having my shell commands living forever (of course this doesn't matter if no one has ssh access but you; you are using ssh, because if not you don't have security).
Edit /etc/profile and change the following line to:
Change the permissions on the /etc/rc.d/init.d scripts so that only root can read or run them:
chmod -R 700 /etc/rc.d/init.d/
Edit /etc/nsswitch.conf to remove all references to NIS. Why would you use NIS unless it is required?
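The su restriction and wheel-group membership from the list above, as an added example that is not from the original post. It assumes the PAM module file names pam_rootok.so and pam_wheel.so (the page's two lines lost them) and an admin group named wheel; the PAM and group files it checks are constructed for the demo, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the original post): the su restriction from the list above
# as a checkable configuration. Assumptions not stated on the page: the two PAM modules
# are pam_rootok.so and pam_wheel.so, the admin group is called "wheel", and modules
# are referenced by bare name, which current Linux-PAM resolves against its module
# directory (no /lib/security/ prefix needed).

# hardened_su_pam: the stanza to put at the top of /etc/pam.d/su
hardened_su_pam() {
    cat <<'EOF'
# root may su to any account without a password
auth       sufficient   pam_rootok.so
# everyone else must be in group wheel (and still needs the target user's password)
auth       required     pam_wheel.so use_uid group=wheel
EOF
}

# su_restricted FILE: succeed if FILE has an active (uncommented) auth line that makes
# pam_wheel.so mandatory; a commented-out line, as some distributions ship, fails
su_restricted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/lib/security/)?pam_wheel\.so([[:space:]]|$)' "$1"
}

# wheel_members GROUPFILE: print the members of group wheel from an /etc/group file
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") print u[i] }' "$1"
}

# add_to_wheel USER: -a appends to the supplementary groups; usermod -G without -a
# would replace the user's whole supplementary group list with just wheel
add_to_wheel() {
    usermod -a -G wheel "$1"
}

# Constructed sample files so the checks can run offline without touching /etc.
WEAK=$(mktemp); HARD=$(mktemp); GROUP=$(mktemp)
cat > "$WEAK" <<'EOF'
# distribution default: the wheel check is present but commented out
#auth       required     pam_wheel.so use_uid
auth       sufficient   pam_rootok.so
auth       include      system-auth
EOF
{ hardened_su_pam; echo 'auth       include      system-auth'; } > "$HARD"
cat > "$GROUP" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
users:x:100:
EOF

if su_restricted "$WEAK"; then echo "weak: su restricted to wheel"; else echo "weak: any user may attempt su"; fi
if su_restricted "$HARD"; then echo "hardened: su restricted to wheel"; fi
echo "wheel members: $(wheel_members "$GROUP" | tr '\n' ' ')"
```

When applying this for real, the hardened stanza goes above any "include" line in /etc/pam.d/su, and it pays to keep a root shell open while testing su from a second session, since a typo in a "required" line locks everyone out of su at once.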

November 10, 2008 - Posted by | Uncategorized