
International Journal on Recent and Innovation Trends in Computing and Communication ISSN: 2321-8169

Volume: 2 Issue: 5 1019 – 1022


_______________________________________________________________________________________________

Linux Hardening

Namita Arora, Tejasvi Bhosale, Vishakha Sharma, Jyoti Supe
Dept of Computer Science, PES’s Modern College of Engineering, Pune, India
[email protected], [email protected], [email protected], [email protected]

Abstract - This paper focuses on the practical securing of Linux production systems. It discusses the basic Linux security requirements for systems that need to pass various audits in an enterprise environment. It also presents how to detect vulnerabilities in the system by scanning configuration files and server files, how to determine computer activity by scanning the log files, and thereby how to secure the system by replacing vulnerable attributes with secured attributes. Application security is ensured by scrutinizing the signatures of various applications and displaying all the functionality in GUI format, making it more user friendly. A very important step in securing a Linux system is to determine the primary function or role of the Linux server. You should have detailed knowledge of what is on your system; otherwise you will have a difficult time understanding what needs to be secured, and securing your Linux system proactively won’t be that effective. It is therefore very critical to look at the default list of software packages and remove those that don’t comply with your security policy. If you do that, you will have fewer packages to update and maintain when security alerts and patches are released.

Keywords-vulnerability; package; netfilter; TCP wrapper; hardening.

__________________________________________________*****_________________________________________________

I. INTRODUCTION

The term “Hardening” refers to securing the system. Like any other operating system, application-level security flaws leave Linux vulnerable to a variety of malicious attacks. Over the years, many tools and techniques have been developed to “harden” Linux hosts in an attempt to mitigate the risk posed by buggy software. The Linux operating system has numerous settings and permissions which provide a high degree of customization, but this same feature also makes it a challenge to secure properly. Add to this the nature of the open source software environment, where anybody can create a program for this operating system, and you end up with an infinite number of possible configurations. The goal is to use these properties to create a secure system that meets the user’s needs.

II. IMPLEMENTATION

In order to ensure complete security, the Linux operating system must be secured from the following aspects:
• User Security
• Network Security
• Package Security

A. User Security

1) Vulnerability assessment: A vulnerability assessment is an internal audit of your network and system security, the results of which indicate the confidentiality, integrity and availability of your network. Typically, a vulnerability assessment starts with a reconnaissance phase, during which important data regarding the target systems and resources are gathered. This phase leads to the system readiness phase, whereby the target is essentially checked for all known vulnerabilities. The readiness phase culminates in the reporting phase, where the findings are classified into categories of high, medium and low risk, and methods for improving the security (or mitigating the risk of vulnerability) of the target are discussed.

The following are some of the benefits of performing vulnerability assessments:
• Creates a proactive focus on information security.
• Finds potential exploits before crackers find them.
• Results in systems being kept up-to-date and patched.
• Promotes growth and aids in developing staff expertise.
• Abates financial loss and negative publicity.

IJRITCC | May 2014, Available @ http://www.ijritcc.org
TABLE 1 VULNERABILITIES

| Vulnerability | Attacks | Countermeasure |
|---|---|---|
| No separate partition for /boot, /, /home, /tmp, and /var/tmp | System crash and data loss | Create separate partitions for /boot, /, /home, /tmp, and /var/tmp |
| Unnecessary software | Software vulnerability attack | Install minimum software |
| Maliciously altered package | System instability, system crash and data loss, data stealing/changing | Install signed packages |
| No BIOS password | Using a bootable Linux CD | Give BIOS password |
| Single user mode access without password | Access as root user | Password protecting BIOS |
| Access to the GRUB console | Change its configuration or gather information using the cat command | Password protecting GRUB |
| Access to insecure operating systems | If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS) | Password protecting GRUB |
| Weak password, no password or default password | Cracking of weak passwords | 1) Enforcing stronger passwords; 2) Restricting use of previous passwords; 3) Locking user accounts after too many login failures |
| No password aging | Use of cracked password over a long period of time | Apply good password aging |
| root access to individual users | 1) Machine misconfiguration; 2) Running insecure services | 1) Disallowing root access; 2) Disallow remote root login; 3) Disabling root access via any console device (tty) |
| Allowed su command to users and services | Access other users’ data | Limit and block su access |

2) Password security: Passwords are the primary method that Red Hat Enterprise Linux uses to verify a user’s identity. This is why password security is so important for the protection of the user, the workstation and the network. Password aging is one technique used by system administrators to defend against bad passwords within an organisation. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time.

3) Log monitoring: In order to determine the ongoing operational status of your system and applications, log monitoring plays an important role. When it comes to security, we need to delve a bit deeper into the logging world to gain a clearer understanding of what is going on with our system and applications, and thus identify potential threats and attacks. Logs are also key targets for someone who wants to penetrate your system, for two reasons:
• The first reason is that your logs often contain vital clues about the system and its security. Attackers often target the logs in an attempt to discover more about the system. As a result, we need to ensure our log files and the /var/log directory are secure from intruders and that log files are available only to authorized users. Additionally, if you transmit your logs over the network to a centralized log server, you need to ensure no one can intercept or divert your logs.
• The second reason is that if attackers do penetrate your systems, the last thing they want is for you to detect them and shut them out of your system. One of the easiest ways to prevent you from seeing their activities is to whitewash your logs so that you see only what you expect to see. Early detection of intrusion using log monitoring and analysis allows you to spot them before they blind you.
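As an added example (not code from the paper), the following script audits the 90-day password aging policy described under Password security: it reads /etc/shadow-style records, whose fifth field is the maximum password age in days, reports active accounts whose limit is unset or longer than the policy, and prints the chage command that would correct each one. The records are constructed samples.

```shell
#!/bin/sh
# Added example (not from the paper): audit password aging against a 90-day
# policy. Input is a constructed /etc/shadow-style record set; field 5 of each
# record is the maximum password age in days (PASS_MAX_DAYS), empty or 99999
# meaning the password never expires.

# sample_shadow prints constructed records in /etc/shadow format.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedhash:16000:0:99999:7:::
alice:$6$constructedhash:16100:1:90:7:::
bob:$6$constructedhash:16100:0::7:::
svc_backup:!!:16000:0:99999:7:::
carol:$6$constructedhash:16120:1:365:7:::
EOF
}

# audit_pass_aging MAX_DAYS
# Reads shadow records on stdin and prints "user:max" for every account with a
# usable password whose maximum age is unset or greater than MAX_DAYS.
# Locked accounts (hash starting with "!" or "*") cannot log in with a password
# and are skipped, so they do not produce noise in the report.
audit_pass_aging() {
    awk -F: -v limit="$1" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > limit { print $1 ":" ($5 == "" ? "unset" : $5) }
    '
}

# fix_command USER MAX_DAYS prints (does not run) the chage invocation that
# applies the policy to one account.
fix_command() {
    printf 'chage -M %s %s\n' "$2" "$1"
}

# Report each non-compliant account together with its remediation command.
sample_shadow | audit_pass_aging 90 | while IFS=: read -r user max; do
    echo "$user: PASS_MAX_DAYS=$max is outside policy; fix with: $(fix_command "$user" 90)"
done
```

On a real host, replace sample_shadow with `cat /etc/shadow` run as root; the policy for new accounts lives in PASS_MAX_DAYS in /etc/login.defs.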
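Added example, not from the paper: detection logic for the log monitoring point above. The first function counts failed sshd password attempts per source address over constructed syslog-format lines; the second finds log files under a directory that are readable by everyone, which is the "available only to authorized users" check. The log lines and addresses are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the paper): two checks that follow from the log
# monitoring discussion. The log lines below are constructed samples.

sample_auth_log() {
    cat <<'EOF'
May  1 10:00:01 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
May  1 10:00:03 host1 sshd[2103]: Failed password for root from 198.51.100.23 port 40124 ssh2
May  1 10:00:04 host1 sshd[2105]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
May  1 10:00:05 host1 sshd[2107]: Failed password for root from 198.51.100.23 port 40126 ssh2
May  1 10:00:09 host1 sshd[2109]: Failed password for invalid user oracle from 198.51.100.23 port 40130 ssh2
May  1 10:01:12 host1 sshd[2111]: Failed password for bob from 192.0.2.10 port 51002 ssh2
EOF
}

# failed_logins_by_source THRESHOLD
# Reads log lines on stdin and prints "count source" for each source address
# with at least THRESHOLD failed password attempts, most frequent first.
# The source is the word after "from" in the sshd message, so the match does
# not depend on the column position of the address.
failed_logins_by_source() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (src in fails) if (fails[src] >= limit) print fails[src], src }
    ' | sort -rn
}

# world_readable_logs DIR
# Prints regular files under DIR whose mode grants read access to "other".
# Log files should be readable only by root and the authorized log readers.
world_readable_logs() {
    find "$1" -type f -perm -004
}

# Sources with three or more failures in the sample.
sample_auth_log | failed_logins_by_source 3
```

On a live system feed `/var/log/secure` (or `/var/log/auth.log`) into failed_logins_by_source and run `world_readable_logs /var/log` as root.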
TABLE 1 VULNERABILITIES (continued)

| Vulnerability | Attacks | Countermeasure |
|---|---|---|
| Enabled CTRL-ALT-Delete | Unauthorized system shutdown | Disable CTRL-ALT-Delete |
| OS fingerprinting | Get OS information such as the OS version | Place login banner |
| Local log monitoring and log files | Removal of log entries | Remote log monitoring |
| Insecure services (FTP, Telnet) that transmit usernames and passwords over a network unencrypted | 1) Get user name and password; 2) Denial of Service attacks (DoS) | 1) Avoid these services and use them behind the firewall; 2) Use TCP wrappers and xinetd; 3) Use SSH |

B. Network security

Potentially, any network service is insecure. This is why turning off unused services is so important. Some network protocols are inherently more insecure than others. These include any services that transmit usernames and passwords over a network unencrypted. Many older protocols, such as Telnet and FTP, do not encrypt the authentication session and should be avoided whenever possible. A firewall is an important measure to protect network security. A firewall can be used to enhance access control between two or more networks. The Linux kernel
uses the netfilter facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built into the Linux kernel, and has three built-in tables or rule lists, as follows:
• Filter - the default table for handling network packets.
• Nat - used to alter packets that create a new connection, and used for Network Address Translation (NAT).
• Mangle - used for specific types of packet alteration.

The built-in chains for the filter table are as follows:
• Input - applies to network packets that are targeted for the host.
• Output - applies to locally generated network packets.
• Forward - applies to network packets routed through the host.

For network services that utilize netfilter, TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to “wrapped” network services. One such wrapped network service is the xinetd super server. This service is called a super server because it controls connections to a subset of network services and further refines access control.

Because TCP Wrappers are a valuable addition to any server administrator’s arsenal of security tools, most network services within Red Hat Enterprise Linux are linked to the libwrap.so library. Such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd. To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:
• /etc/hosts.allow
• /etc/hosts.deny

When a TCP-wrapped service receives a client request, it performs the following two steps:
1. It references /etc/hosts.allow - The TCP-wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to the next step.
2. It references /etc/hosts.deny - The TCP-wrapped service sequentially parses the /etc/hosts.deny file. If it finds a matching rule, it denies the connection. If not, it grants access to the service.

The xinetd daemon is a TCP-wrapped super service which controls access to a subset of popular network services, including FTP, IMAP and Telnet. It also provides service-specific configuration options for access control, enhanced logging, binding, redirection and resource utilization control. When a client attempts to connect to a network service controlled by xinetd, the super service receives the request and checks for any TCP Wrappers access control rules. If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that service. It also checks that the service is able to have more resources assigned to it and that it is not in breach of any defined rules.
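Added example, not from the paper: a minimal filter-table ruleset in the format iptables-restore reads, applying the Input, Output and Forward chains described above to a host that offers only SSH. The management network 192.0.2.0/24 and port 22 are assumed values; the two helper functions exist so a deployment script can check the ruleset for default-deny before loading it.

```shell
#!/bin/sh
# Added example (not from the paper): filter table for a server that only
# offers SSH. Assumed values: management network 192.0.2.0/24, SSH on port 22.

MGMT_NET="192.0.2.0/24"

# filter_ruleset prints the ruleset. "*filter" selects the table, each
# ":CHAIN POLICY" line is the verdict for packets no rule matches, and "COMMIT"
# applies the whole table in one step. Lines starting with "#" are comments.
filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT chain: packets addressed to this host. Default-deny, then allow
# loopback, replies to connections we opened, and new SSH from management only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: " --log-level 4
# FORWARD chain: packets routed through this host. A server that is not a
# router has no reason to forward, so the DROP policy alone is the rule set.
# OUTPUT chain: locally generated packets. Left open here; tighten per role.
COMMIT
EOF
}

# chain_policy CHAIN reads a ruleset on stdin and prints that chain's policy.
chain_policy() {
    awk -v chain=":$1" '$1 == chain { print $2 }'
}

# rule_count CHAIN reads a ruleset on stdin and prints how many rules are
# appended to CHAIN (grep -c prints 0 on no match but exits 1, hence || true).
rule_count() {
    grep -c "^-A $1 " || true
}

# Show the ruleset. Root loads it with: filter_ruleset | iptables-restore
filter_ruleset
```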
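Added example, not the paper's or TCP Wrappers' own code: the two-step hosts.allow / hosts.deny evaluation described above, implemented in shell for a subset of the hosts_access rule syntax ("daemon_list : client_list", where a pattern is ALL, an exact name or address, a trailing-dot address prefix, or a leading-dot domain suffix). The two files and the client addresses are constructed samples written to temporary paths.

```shell
#!/bin/sh
# Added example (not from the paper): hosts.allow consulted first, first match
# allows; then hosts.deny, first match denies; no match at all means allow.
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
trap 'rm -f "$ALLOW_FILE" "$DENY_FILE"' EXIT
cat > "$ALLOW_FILE" <<'EOF'
# constructed sample: SSH from the management subnet or corp hosts, FTP from one host
sshd : 192.0.2. , .corp.example
vsftpd : 192.0.2.10
EOF
printf 'ALL : ALL\n' > "$DENY_FILE"   # constructed sample: deny everything else

# match_pattern PATTERN VALUE
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot: address prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # leading dot: domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}
# list_matches LIST VALUE: LIST is a comma or space separated set of patterns
list_matches() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        match_pattern "$pat" "$2" && return 0
    done
    return 1
}
# file_has_rule FILE DAEMON CLIENT: scans FILE in order, ignoring comments and
# blank lines, and succeeds on the first rule matching both daemon and client.
# A missing file simply has no rules, which is how a deleted hosts.deny behaves.
file_has_rule() {
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        rest=${line#*:}
        list_matches "${line%%:*}" "$2" && list_matches "${rest%%:*}" "$3" && return 0
    done < "$1"
    return 1
}
# hosts_access DAEMON CLIENT: prints allow or deny following the two steps
hosts_access() {
    if file_has_rule "$ALLOW_FILE" "$1" "$2"; then echo allow
    elif file_has_rule "$DENY_FILE" "$1" "$2"; then echo deny
    else echo allow; fi
}
for c in 192.0.2.44 build.corp.example 203.0.113.5; do
    echo "sshd from $c: $(hosts_access sshd "$c")"
done
```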

Fig.1 Access Control to networked services

The TCP Wrappers (tcp_wrappers and tcp_wrappers-libs) are installed by default and provide host-based access control to network services. When a connection attempt is made to a TCP-wrapped service, the service first references the host’s access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is allowed to connect.

C. Package security

RPM is an open packaging system, which runs on Red Hat Enterprise Linux as well as on other Linux and UNIX systems. The utility works only with packages built for processing by the rpm package. RPM maintains a database of installed packages and their files. This software provides the functionality to retrieve the number of packages installed, and their verification reports are generated. Software packages are published through repositories. All well-known repositories support package signing. Package signing uses public key technology to prove that the package that was published by the repository has not been changed since the signature was applied. This provides some protection against installing software that may have been maliciously altered
after the package was created but before you downloaded it. Using too many repositories, untrustworthy repositories, or repositories with unsigned packages carries a higher risk of introducing malicious or vulnerable code into your system. It is very critical to look at the default list of software packages and remove unneeded packages or packages that don’t comply with your security policy. It is best practice to install only the packages you will use, because each piece of software on your computer could possibly contain a vulnerability.

III. CONCLUSION

Our main contribution is in designing and building a secure file system and network that was developed with the express goal of enhancing file data security and network security in the Linux kernel. The main objective is to detect the vulnerabilities in the system by scanning configuration files and server files, to determine the computer activities by scanning the log files, and thereby to secure the system by replacing the vulnerable attributes with secured attributes. In network security we provide security for the web server, SSH server etc. Application security is ensured by scrutinizing the signatures of various applications and displaying all the functionality in GUI format, making it more user friendly.
