comp.os.linux.security FAQ

1.1)  Introduction to comp.os.linux.security

   Welcome to comp.os.linux.security.  We ask that you please read the FAQ before asking any questions you may have.  Otherwise:  Look, listen, learn, contribute, but above all, enjoy yourself and the interests you share with the other denizens of the newsgroup.

    This FAQ is intended to serve as a starting point for those new to the newsgroup, but is also intended to be a survey of  Linux security issues and tools.  This FAQ is aimed at intermediate to experienced Linux users and is intended to not only answer specific questions, but to also facilitate further learning by providing pointers other useful security resources.

This introduction/pointer will be posted to comp.os.linux.security appoximately every two weeks.

The latest version of this faq can be downloaded from:

http://www.memeticcandiru.com/colsfaq.html

Or the mirrors at:

http://www.linuxsecurity.com/docs/colsfaq.html
http://www.geocities.com/swan_daniel/colsfaq.html

1.2)  Does comp.os.linux.security have a charter?

"This newsgroup is dedicated to the discussion of issues related to establishing and maintaining the security of machines running the Linux Operating System on all processor architectures.

Open discussion of techniques and software for protecting machines against remote attacks (via a network connection) as well as attacks from untrusted local users are welcome. This discussion can include information about which applications are vulnerable, the form of the vulnerability and snippets of source code for demonstrating the vulnerability.

The posting of commercial information to this group is permitted only if the information is directly relevant to security and the Linux Operating System.

Messages which are cross-posted to or from any advocacy newsgroup are not welcome. As this is a discussion group, the posting binaries is strongly discouraged. Spamming, ECP and EMP of any sort is absolutely not tolerated."

1.3)  What is covered in this FAQ?

Specifically, security as it pertains to the Linux operating system.

General installation of linux is not covered, nor are products by other vendors, except where they impact Linux security.   It is not my intent to re-invent the wheel, and in cases where relevant information has been covered elsewhere it has been linked to, but is accompanied with commentary on linux-specific issues.

Also, I have purposefully left out pointers to 'sploits, and other such naughtiness.  Presentation of such material will benefit those on the offensive end of security more than it will benefit those trying to secure their systems.  A holistic view of system security will serve sysadmins far better than will concentrating on protecting against the 'sploit du jour.

To do in future:

-Add a section on backups.
-Add a section on encryption tools/filesystem encryption.
-Update firewall rules to include iptables rules.
-Add a section on logfile monitoring and related tools.

Changelog:

-Jan 1, 2001:  Initial release.

1.4)  Who is responsible for this faq, and how can I contribute?

Daniel Swan is the creator and maintainer of this FAQ, but it's a large effort, and informed contributions are welcome, particularly suggestions for topics or questions that you feel have been overlooked.

This is a living document, and one that is intended to reflect the issues discussed on comp.os.linux.security.  All participants of comp.os.linux.security are urged to contribute in whatever form possible.
 

1.5) Acknowledgements and contributions

This FAQ primarily owes a debt to the many users in comp.os.linux.security, and the discussions therein.  Although not direct contributors, I'd also like to give a nod to those who have contributed to my own knowledge of Linux security:   Kevin Fenzi and Dave Wreski, authors of the Linux Security Howto, and Kurt Seifried, author of the Linux Administrators Security guide.

The following deserve credit for significant contributions made to this FAQ:

Jessica Luedtke, who co-authored section four (services), picked nits, and made many useful suggestions.
Dave Wreski, for his support in hosting a mirror of this FAQ at linuxsecurity.com.

Recognition also goes to Joel Klammer, my best friend, deceased:   My accomplishments are his to share.
 

Credit for error spotting, suggestions for subject matter, constructive picking of nits, and other miscellaneous contributions:

Cliff Rayman.
nobody@cse.tek.com
Ian Abbott
Doug Rogers
Mike Jetzer
 

1.6) Feedback

Feedback may be sent to mailto://swan_daniel@hotmail.com

1.7) Disclaimer and Copyright

This material is provided for free, and without warranty, and I accept no responsibility for use or misuse of the material contained within.

I also acknowledge that there may be minor errors in the FAQ, and stress that responsibility for verification of  information provided lies with the end user.

2.1)  How can I protect myself from hackers quickly and easily?

In a nutshell:

1.  Install the most recent security patches for your distribution.
2.  Turn off unused services, and tcpwrapper the rest.
3.  If accessing your computer remotely, replace Telnet and Ftp with more secure equivalents.
4.  Read the rest of this FAQ.

Do these simple things, and you'll have covered most of your bases.   If you still want to learn more about security, a couple of other recommended documents are the Linux Security Howto, and the Linux Administrator's Security Guide.  Familiarise yourself with these documents,  make use of their suggestions, and you're well on your way to being secure.

Also, see CERT Australia's Unix security checklist at http://www.bris.ac.uk/is/selfhelp/supportstaff/auscert_checklist.html.  It's a bit dated, but it's step-by-step walkthrough of locking down a Unix box is nonetheless quite useful.

As well, reading and participating in comp.os.linux.security will assist in your understanding of the finer points, and also help you keep current with new developments.

2.2)  What is security?

Security, in a nutshell, is ensuring the Confidentiality, Integrity, and Availability of your systems and network.

2.3)  How secure should my linux box be?

Even if it were possible to lock a system down air tight, it is not always practical to invest the time and effort required to do so.  The best thing to do is to first determine your risk, and then secure accordingly.

risk=(threat*vulnerability*impact)

Threat:  What is the probability of you coming under attack?  Who will be trying to penetrate you?  Will you be targeted by seasoned hackers with a bone to pick, or are you only concerned with keeping the $cript kiddies out?  Do you have many users, or are you the only one?  Are your users trusted, or are they experienced programmers who like to "play"?  Are you a reviled site, such as microsoft.com, or are you an innocuous cable modem or dialup user?

Vulnerability:  How suceptible to attack is your host?   Do you run many services?  How exploitable are they?  How accessible is your host?  Is your host behind a firewall?  Do you offer remote access, and if so, how?  Do others have physical access to your host?  What other potential points of compromise are there?

Impact:  What are the ramifications if your machine is compromised?   Will proprietary data enter the public domain?  Is there sensitive or potentially embarassing information on your computer?   Will downtime have a financial impact on you?   How long will it take you to get up and running again, and how much effort will it require?

2.4)  Which is the most secure linux distribution?

There are several linux 'distributions' specifically created with security in mind:

Immunix OS:  http://www.immunix.com/immunix.html - A commercially available hardened Linux.

Bastille Linux:  http://www.bastille-linux.org/ - A post-install hardening script, presently available only for Redhat up to 6.1.

Secure Linux:  http://www.trustix.net/ - A newer hardened Linux project, which focuses on secure default settings.

slinux:  http://www.slinux.org/  - Still in its infant stage, slinux is a project to develop a hardened version of the Linux kernel.

Security-Enhanced Linux: http://www.nsa.gov/selinux/:  -  This isn't actually a distribution, but an add-on that facilitates "Flexible Support for Security Policies".  Considering the source of this package, an American Intelligence Agency, careful consideration should be made before installing it on machines that store sensitive or proprietary information, at least until a rigorous code audit is done of it.

khaOS Linux, a previously promising project, has been halted, due to "...lack of interest from the community at large and our core developers".

    The various other distributions of Linux vary a little in the secureness of a default install, but all can be customized to the same high degree of security.   You should never rely on the default installation of any distribution for security.  The relative security of the most popular distributions is discussed in Kurt Sigfried's Linux Administrator's Security Guide.  Also, by the same author, is the Linux Distribution Security Report.

    Although technically not Linuxes, OpenBSD and TrustedBSD deserve a mention.  Both are based on NetBSD and FreeBSD, respectively.  OpenBSD is a free Unix that has been designed with security in mind, and has been subject to very rigorous code auditing.   TrustedBSD is a suite of extentions to FreeBSD intended to make it compliant with the Orange Book B1 security standard.

3.1)  How do I set up a firewall under Linux?

If you are new to firewalls, you should first read the Firewalls FAQ, and the Linux Firewall and Proxy Server HOWTO.

For those already familiar with firewalls, several tools are available to configure the built in packet filtering capability of the Linux kernel.
IPFWADM is for use with 2.0.x kernels, and IPChains for use with 2.2.x kernels and above.  For information on configuring this functionality, see:

The IPChains Howto:  http://www.rustcorp.com/linux/ipchains/HOWTO.html

The IPFWADM FAQ:  http://www.dreamwvr.com/ipfwadm/ipfwadm-faq.html

Other commercial firewalling tools available for Linux:

Firewall-1 for Linux:  http://www.checkpoint.com/products/firewall-1/pbrief.html

Phoenix Adaptive Firewall:  http://www.progressive-systems.com/products/phoenix/

Gateway Gaurdian Firewall:  http://www.gatewayguardian.com/products/gg_personal.shtml

Xsentry Internet Firewall:  http://www.trustix.com/products/xsentry/

3.2)  Where can I get sample/custom firewall rules?

Creating a firewall from scratch can be daunting.  Thankfully, there are plenty of same rules, as well as sites and utilities that will help you customize a ruleset for your own needs.  Those making use of automatically generated firewalls should use these firewalls as a base, make sure they understand them, and not blindly trust them.  That being said, here is a list of useful tools:

Sample rules:

3.3)  What is the best way to start-up my firewall at boot time?

There are many different ways to start your firewall, and your choice of method is often one of personal preference.  Most important, however, you must ensure that there is very little time between the initialization of your networking, and the initialization of your firewall.

The best method I have found is to place my firewall initialization (ipchains rules, masquerading, port forwarding, etc) into a the file /etc/rc.d/rc.firewall, which is called by dhcpcd immediately after leasing an IP.

Whatever you do, it is essential that you start your firewall before, or immediatly after bringing up your network devices.
 

3.4)  What is the difference between pump and dhcpcd?

Pump and dhcpcd, included in the RedHat distribution, are both DHCP clients, programs that will obtain a dynamic IP address from a DHCP server, but dhcpcd offers the added functionality of calling an external program as soon as an IP is successfully leased.

The program called by dhcpcd is /etc/dhcpc/dhcpcd-eth0.exe, and you may edit it to call any other program.  Particularly useful is executing your firewall initialization script from /etc/dhcpcd-eth0.exe.  This ensures that the firewall is activated as soon as the device is brought up.

To use dhcpcd instead of pump, edit the file /etc/sysconfig/network-scripts/ifup, and change all instances of /sbin/pump to /sbin/dhcpcd.

3.5)  How do I allow incoming UDP, such as CUseeMe or Battlenet through my masquerading firewall?

Ipchains will not allow remotely initiated udp transmissions to connect to internal hosts, for the main reason that it doesn't know which internal host the connection is for.  Thus, something called 'port fowarding' must come into play. Port forwarding works under the assumption that connections to a particular port are always destined to the same host, and automatically forwards all packets to port xxx on to internal host xxx.xxx.xxx.xxx.

To use port forwarding, you must download and install ipmasqadm, or ipautofw, depending on your kernel level.  Special kernel options must also be enabled during compilation in order to use port forwarding.  See the man pages for the respective commands to find out which particular kernel parameters are.  Below is listed the proper syntax for each of the port forwarding tools:

Battlenet:

IPChains:

/usr/sbin/ipmasqadm autofw -A -r tcp 6112 6112 -h 192.100.100.2
/usr/sbin/ipmasqadm autofw -A -r udp 6112 6112 -h 192.100.100.2

IPFWADM:

/usr/sbin/ipautofw -A -r tcp 6112 6112 -h 192.100.100.2
/usr/sbin/ipautofw -A -r udp 6112 6112 -h 192.100.100.2

CUseeMe:

IPChains:

/usr/sbin/ipmasqadm autofw -A -r tcp 7648 7649 -h 192.100.100.2
/usr/sbin/ipmasqadm autofw -A -r udp 7648 7649 -h 192.100.100.2

IPFWADM:

/usr/sbin/ipautofw -A -r tcp 7648 7649 -h 192.100.100.2
/usr/sbin/ipautofw -A -r udp 7648 7649 -h 192.100.100.2

Other Services:  You get the idea...

For more information, see:  http://www.monmouth.demon.co.uk/ipsubs/portfw-2.2.html
 

3.6)  How can I block traffic from doubleclick.net?

There are five different ways to block doubleclick.net, each with their own advantages and disadvantages:

Hacking your hostfile

3.7)  Should I reject incoming/outgoing pings?

For more information, on ICMP, and the different ICMP types, see RCF 792: The Internet Control Message Protocol.

3.8)  How can I track traffic volume going through my firewall?

3.9)   Why should I filter out outgoing X Windows sessions?

4.8)  Is there a free ssh Client for MS Windows or Mac?

4.9)  But hasn't SSh/SSl been cracked?

4.a)  What is Identd?  Can I disable it?

5.1)  What is Intrusion Detection?

Intrusion detection is the ability to detect people trying to compromise your system.  Intrustion detection is divided into two main categories, host based, and network based.   In simple terms, host based means that you are using a single host to monitor itself, and network based means you are using a host to monitor a complete network segment.  For most home Linux users, you will only be concerned with host-based Intrustion Detection Systems (IDS).

For more information on Intrusion Detection, check out:

Robert Graham's Intrusion Detection FAQ at: http://www.robertgraham.com/pubs/network-intrusion-detection.html

The SANS' Institute's Intrusion Detection FAQ at:  http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
 

5.2)  But why would someone want to hack *my* computer?

Home linux boxes are a prime target of computer hackers, as they are often not well secured, and once compromised they can be used as launching points for a more serious attacks.   Compromised boxes can also become DDOS amplifiers, warez servers, or spam relays, to name a few potential abuses.  The high bandwidth of cable/dsl connections is another attraction.

Users of cable or ADSL modems are particularly vulnerable, since their extended connectivity time gives hackers a longer window within which to compromise their host.  It is also common for cable users to fall prey to amateur hackers known as "script kiddies" who run automated tools which scan entire subnets for a particular vulnerability.  Casting such a wide net, they are invariably successful in finding a few vulnerable hosts which they then use to compromise other hosts.

Your anonymity and obscurity does not ensure that your computer will not be targeted.

5.3) What Intrusion Detection systems exist for Linux?

There are many excellent Intrusion Detection systems for Linux.  Here is are some of the more common ones:

Snort:  http://www.clark.net/~roesch/security.html - Possibly the most popular Linux IDS.  It's free, highly customizable, and easy to use.

Portsentry:  Portsentry is a portscan detector with the ability to automatically drop routes to attacking hosts, making your system inaccessible to them.  Portsentry can be downloaded from:  http://www.psionic.com/abacus/portsentry/

Tripwire:  Tripwire protects against trojans by checking the integrity of your binaries, and alerting you if any binary's signature has changed.  Tripwire can be downloaded from:  http://www.tripwiresecurity.com/products/linux.cfm?cfid=212269&cftoken=6548645

LIDS:  http://www.lids.org/  - The Linux Intrusion Detection System is a comination Intrusion Detection and hardening patch for the Linux kernel.

For a further list of Intrusion detection tools and applications, see:  http://www.whitehats.com/tools/ids.html.

5.4)  How do I know if I've been compromised?

5.6)  I've been compromised, what should I do?

1.  Disconnect your computer from its network.
2.  Copy logfiles to a floppy for later analysis.
3.  Verify your binaries using either Tripwire or RPM (rpm -Va), save output to floppy.
4.  Analyze saved data to determine time and method of compromise.
5.  Restore system, either from scratch, or from guaranteed pre-compromise backup (you have backups, right?!).

For a more in depth guide, see CERT's excellent paper:  "Steps for Recovering from a UNIX or NT System Compromise", located at: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html.

5.7)  I'm seeing repeated probes to port xxxx... What does this mean?

Here are some lists of port assignments:

IANA Port Assignments :  http://www.isi.edu/in-notes/iana/assignments/port-numbers - "Official" port assignment from the Internet Assigned Numbers Authority.

Port list at NetworkIce:  http://advice.networkice.com/advice/Exploits/Ports/ - List of ports and hyperlinked explanations that includes 'less standard' ports.

List of Trojans:  http://www.tlsecurity.com/trojanh.htm - The most complete list of trojan ports available.

Port Search Engine:  http://www.cotse.com/cgi-bin/port.cgi - Very nice search engine for ports, links results to relevant RFC's.

For a more in depth analysis of what you're seeing, see Robert Graham's Firewall forensics FAQ:   http://www.robertgraham.com/pubs/firewall-seen.html

5.8)  What is a 'Honeypot' ?

A Honeypot is a hardened host  that masquerades as a vulnerable host for the purposes of observing crackers, and learning how they operate.   The Honeypot host should be inviting enough to attract an attacker, but not so inviting as to arouse suspicion, and should extensively log attacker activities.

More resources on creating a  Honeypot:

5.9)  I've been scanned by xxx.xxxx.xxx.xxx... Should I flood/hack/mailbomb him?

Most certainly not.  It's possible that this host has already been compromised, and you'd only end up venting on a fellow victim.  Instead, if possible, send a polite note to the Sysadmin of the box, and CC it to the abuse department of his service provider.  They are in a better position to determine the situation and address it appropriately.

Also, this is a good opportunity to discuss 'automated response' tools that will react offensively upon detecting a portscan.  This has the opportunity to get you in all sorts of trouble, including infinite loops leading to self-Dos, or even legal trouble.  It's about as wise as setting up bear traps in your own home, and is highly discouraged.

Do unto others...

6.1)   I've read all the docs, and made the suggested changes .. is my computer secure?

No, it's not.  It is both theoretically and practically impossible to completely secure a computer.   Never fall into the trap of believing you are invulnerable.  Remain ever vigilant, and regularly check your logfiles for anomolous activity.

That having been said, the goal is to make your computer secure enough to discourage casual attackers, and to slow down the more persistent attacks, allowing you time to identify and respond to them.
 

6.3)  Are there any web-based security scanners?

Yes, there are many, with more cropping up each day.  These are not only useful to test your security, but also to ensure that your IDS is doing it's job.  Take the results of these scans with a grain of salt.  Here are some of the better free scanners that don't require registration:

Hackerwhacker :  http://www.hackerwhacker.com/  - Services, Ports, Samba, etc.  A well rounded scanner.

Max Vision:  http://maxvision.net/#free   - A 'visibility analysis' and a free penetration testing quote by the creator of whitehats.com.

Shields Up:  http://www.grc.com/ - Also known as "Shields Up".  Basic testing, but easy to use.

Privacy.net:  http://privacy.net/analyze/ - Not exactly a scanner, but shows you what information you give out as you surf.  A worthwhile look.

Secure-Me:  http://www.secure-me.net/ - A very busy remote port scanner.
 

6.4)  What vulnerability testing tools are available for Linux?

Here is a list of the most popular remote vulnerability testing tools for Linux.  You should use them against your own system, for you can be sure that others will.  For best results, try running these tools against your own computer from several locations both inside and outside of your firewall.  This will give you a better idea of what an attacker would see than just running it locally.

Nmap:  http://www.insecure.org/nmap - A very powerful port scanner that does stealth scans and OS fingerprints, to mention a few of its features.  Undoubtedly the best in its class, with lots of third-party addons available.

SAINT:  http://www.wwdsi.com/saint/index.html - A next generation version of SATAN.  Well rounded and thorough.

SARA:  http://www-arc.com/sara/ - A third generation auditing tool based on SATAN.

Nessus:  http://www.nessus.org/intro.html - A client/server vulnerability scanner.  Also well rounded and thorough.

Cybercop Scanner: http://www.pgp.com/products/cybercop-scanner/default.asp  - A commercial scanner with demo available.

Webtrends Security Scanner:  http://www.webtrends.com/site_download/wsad.htm?product=security - Another commercial scanner with a 14 day demo available.

An honorable mention also goes out to some oldtimers to which today's security scanners owe a great debt:  SATAN, COPS, and Tiger.

7.1)  Is Linux Vulnerable to viruses?

In a practical sense, no.  Technically...

Due to the design of Linux, it is difficult for viruses to spread far within a system, as they are confined to infecting the user space of  the user who executes them.  Of course, this is a problem if infected files are launched by root, but as a security conscious individual, you wouldn't be running untrusted files as root, would you?

It is theoretically possible for a virus launched by a regular user to escalate its privileges using system exploits, however, a virus with this capability would be quite sizeable, and difficult to write.  As of this date, few viruses have actually been discovered for Linux, and the ones that have been discovered aren't worth losing sleep over.  This will undoubtedly change with time.

Viruses do exist for Linux, but are probably the least significant threat you face. On the other hand, Linux is definitely vulnerable to trojans, which are explained in the following section.

7.2)  What is a trojan?

A trojan is a malicious program that masquerades as a legitimate application.  Unlike viruses, they do not self replicate, but instead, their primary purpose is (usually) to allow an attacker remote access to your computer or it's resources.   Sometimes, users can be tricked into downloading and installing trojans onto their own computers, but more commonly, trojans are installed by an intruder to allow him future access to your box.

Trojans often come packaged as "root kits".  A "root kit" is a set of trojaned system applications to help mask a compromise.  A root kit will usually include trojaned versions of ps, getty, passwd, tcp_wrappers, login, and syslogd.
 

7.3)  Are there virus scanners for Linux?

At this point in time, virus Scanners for Linux are aimed at detecting and disinfecting date served to Windows hosts by a Linux file/mailserver.  This can be useful to help stop the spread of viruses among local, non-unix machines.   Due to the lack of viruses for linux, there are presently no scanners to detect viruses within the Linux OS, or it's applications. Trojans present a greater threat to the Linux OS itself than do viruses, and can be detected by regularly verifying the integrity of your binaries.  Methods for doing this are covered in the next section.

AMaViS:  http://www.amavis.org/amavis.html - A sendmail plugin that scans incoming mail for viruses.

AntiVir for Linux:  http://www.hbedv.com/ - Scans incoming mail and ftp for viruses.

Interscan Viruswall: http://www.antivirus.com/products/isvw/ - A Firewall-1 add-on that scans ftp,http,and smtp for  viruses.

Sophos AntiVirus:  http://www.sophos.com/products/antivirus/savunix.html - Checks shares, mail attachments, ftp, etc for viruses.

Network Associates:  http://www.nai.com/international/uk/asp_set/buy_try/try/product_evals.asp - Scanner for Unix/Linux (demo).
 

7.4)  How can I verify the integrity of my binaries?

There are three primary methods to verify binary integrity:  Tripwire, RPM, and homegrown solutions:

Tripwire:  http://www.tripwire.com/ - Tripwire is the most popular tool for verifying binaries under Linux.  It's easy to use, highly configurable, and can be automated to provide regular checks of your binaries, and report any changes via email.

RPM:  The Redhat Package Manager has it's own built in method for verifying binary integrity, which is useful for spot-checking suspicious files.  For information on using it, see section 5.3, "Checking binary integrity using RPM".

Homegrown Solutions:  Many use shell scripts that verify MD5 checksums of a file against previous checksums.   An MD5 checksum can be generated by typing "md5sum filename".  Other commands to generate checksums are cksum and sum.
 

8.1)  Security updates for common Linux distributions

8.2)  Related FAQs and Howto's, and other References

8.3)  Linux Specific Security Websites

8.4)  Linux-related security websites

8.5)  Newsgroups

comp.os.linux.security:  The newsgroup this faq is from.  Focus is on security as it pertains to Linux.

comp.security.announce:  A low-traffic group that carries the CERT advisories as they are announced.

comp.security.unix:   A fairly high traffic group dealing with security as it pertains to all flavors of Unix.

comp.security.firewalls:  Discussions relating to firewalls.

comp.security.misc:  Discussions relating to general computer security.