Romulus 2

Bill Viands

Concise Guide Series

Online security with Linux

It has often been asked what can be done to secure a Linux box that is online. There are actually a fairly large number of things, but some are a little too deep for the average user and some are too much like work. I am just going to touch on the basics that anyone can do.

If your Unix-based OS uses an inetd.conf file, you can either delete the whole thing or leave in only the lines for the services you actually want to provide. The easiest way is to vi /etc/inetd.conf as root, scroll down below the telnet and ftp lines, and hold down the d key (dd deletes a line, so holding it deletes line after line). Telnet and ftp are the only two lines that I leave in most boxes, and then I # them out (a # at the start of a line turns it into a comment that inetd ignores).

By disabling these services you are NOT deleting the ability to telnet, ftp, etc. out of the box; you are just stopping anyone outside from connecting in. So you can still ftp to your heart's content, you just can't ftp into your box from another one. That is why I usually # out the two lines instead of deleting them: sometimes you need to turn one back on for a moment.

After you are done editing or deleting your inetd.conf file, you need to make inetd re-read it by sending it a HUP signal (there is no need to stop it). On Linux boxes that is done like this...

killall -HUP inetd

That's it, reboots are for weenies.

On Solaris boxes before 8 you need to find inetd's PID first. Do not reach for killall there: on Solaris, killall is a different command that kills every process on the system. Use ps instead (the BSD-style ps -aux only works with /usr/ucb/ps on Solaris; ps -ef works everywhere)...

ps -ef | grep inetd

Then take the PID (836 in this example) and HUP it.

kill -HUP 836

You can also send it as kill -1 836; 1 is the signal number for HUP, so it does the same thing.
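The inetd.conf edit above done as a script instead of by holding down the d key in vi. This is an added example for this guide, not code from the original page. It applies the same policy (everything off except telnet and ftp), comments lines out rather than deleting them so they can be turned back on later, and reports what is still enabled. The inetd.conf sample it runs on is constructed for the example, and the file names and the `disable_unlisted` and `enabled_services` function names are mine. Run it with no arguments to see it work on the sample, or `python3 inetd_audit.py /etc/inetd.conf /etc/inetd.conf.new`, diff the two, copy the new one into place and HUP inetd as described above.

```python
#!/usr/bin/env python3
"""Audit an inetd.conf and comment out every service not on an allowlist.

Added example for this guide, not code from the original page.  With no
arguments it works on the constructed sample below; give it an input file
(and optionally an output file) to use it on a real /etc/inetd.conf.
"""
import sys

# Services the guide leaves enabled.  Everything else gets a leading '#'.
ALLOW = {"telnet", "ftp"}

# Constructed sample in inetd.conf format (not a real system's file):
# service  socket_type  proto  wait/nowait  user  server_program  args
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    dgram   udp     wait    root    internal
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""


def enabled_services(text):
    """Return the service names of lines that are neither blank nor commented."""
    services = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        services.append(stripped.split()[0])
    return services


def disable_unlisted(text, allow=ALLOW):
    """Comment out every active line whose service is not in `allow`.

    Returns (new_text, names_disabled).  Comments, blank lines and lines
    that are already commented out are left exactly as they were, so a
    service can be re-enabled by hand later by removing the '#'.
    """
    out, disabled = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            name = stripped.split()[0]
            if name not in allow:
                out.append("#" + line)
                disabled.append(name)
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_INETD_CONF
    new_text, disabled = disable_unlisted(text)
    print("disabled:     ", ", ".join(disabled) or "(nothing)")
    print("still enabled:", ", ".join(enabled_services(new_text)) or "(nothing)")
    if len(argv) > 2:
        with open(argv[2], "w") as fh:
            fh.write(new_text)
        print("wrote", argv[2], "- install it and run: killall -HUP inetd")


if __name__ == "__main__":
    main(sys.argv)
```

Only services that inetd launches on demand are affected by this file. Daemons that start on their own at boot (sendmail, sshd, portmap and the like) keep listening no matter what inetd.conf says and have to be turned off separately.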

If you use Red Hat 7 or newer you can run setup as root and turn off standalone services like sendmail if you don't use them. That matters because inetd.conf only covers the services that inetd starts on demand; daemons like sendmail start on their own at boot and keep listening no matter what inetd.conf says. You can also allow or deny certain accesses via the built-in firewalling.

The above are really simple basics that will help a great deal. Next up are some things you should do all the time. Use OpenSSH (or the commercial SSH) for all communications between boxes. Instead of ftp, use sftp or scp. They encrypt the traffic, so anyone running a sniffer on the wire won't see your passwords (or your data) in plain text, which is exactly what telnet and ftp send.

Make sure that whatever password you use for your e-mail is different from your regular passwords. When your e-mail program is set up to check for new mail every so often, it logs in to the mail server each time, and unless that connection is encrypted it sends your password in plain text too. So if you have it set to check your e-mail every two minutes, then every two minutes your password crosses the network where anyone with a sniffer can read it.

Be sure to log into all your boxes as a user, NOT root. This is a practice you need to follow all the time anyway, just so you don't hose something on your box by accident. Give yourself a user account and get used to using it, and su to root only for the commands that need it. The traditional rule for passwords on Unix-based operating systems is 6-8 characters in length using a mix of numbers, upper- and lower-case letters and at least one symbol.

Any password under 6 characters is too easy to crack. The 8-character ceiling comes from the traditional DES-based crypt(): it silently ignores everything after the eighth character, so on a box that still uses it a longer password buys you nothing. Newer systems, Red Hat 7 included, store passwords with MD5 crypt (hashes that start with $1$) or later schemes, which use the whole password; there, longer is better. Look at the hash format in /etc/shadow before assuming the limit applies to you.

The easiest way to remember your passwords is to make them mean something. Never ever use a person's name, an anniversary or anything like that. Use something like a saying, lyrics from a song, a line from a poem or a book, etc., then tweak it. Let's say I want a password for posting on a forum:

I post here as often as I can

You can tweak it so it makes a password; this is one possibility...

iPh@0a1c


See how it works? (i Post here @s 0ften as 1 can)

You'll need a separate password for each of your user accounts, root accounts, etc. Never use the same password for root and a user account. Change your passwords about every month or two, although sometimes you can go three months. I am not too worried about my forum accounts so I rarely change those, but my user and root accounts on servers are changed regularly.
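A quick way to tell whether the eight-character limit applies to your box, and to check a password against the rules above, is to read the hash format straight out of /etc/shadow. This is an added example for this guide, not code from the original page. The shadow lines it parses are constructed stand-ins with the right shape (not real hashes), and the function names `hash_scheme`, `parse_shadow` and `check_password` are my own. Run it with no arguments to see the sample, or as root with `python3 pwcheck.py /etc/shadow` to look at a real box.

```python
#!/usr/bin/env python3
"""Which hash scheme is in use, and does a password meet the guide's rules?

Added example for this guide (not code from the original page).  Reads
shadow-format lines, names the crypt() scheme from the hash prefix, and says
whether that scheme truncates the password: traditional DES crypt keeps only
the first 8 characters, bcrypt stops at 72 bytes, the others use all of it.
"""
import string
import sys

# Hash prefix -> (scheme, number of password characters that count;
# None means every character counts).
SCHEMES = {
    "$1$": ("md5", None),
    "$5$": ("sha256", None),
    "$6$": ("sha512", None),
    "$y$": ("yescrypt", None),
    "$2a$": ("bcrypt", 72),
    "$2b$": ("bcrypt", 72),
}

# Constructed shadow lines for the demo.  The hash strings are stand-ins
# with the right shape for each scheme, not real password hashes.
SAMPLE_SHADOW = """\
root:ab4Ge9Kp2mX1.:11500:0:99999:7:::
bill:$1$saltsalt$qJH7.N4xYta3aEG/dfqo50:11500:0:99999:7:::
nobody:*:11500:0:99999:7:::
"""


def hash_scheme(hash_field):
    """Return (scheme, significant_chars) for one /etc/shadow hash field."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return ("locked", None)          # no password set, or account locked
    for prefix, info in SCHEMES.items():
        if hash_field.startswith(prefix):
            return info
    if len(hash_field) == 13 and "$" not in hash_field:
        return ("des", 8)                # 2-char salt + 11-char DES output
    return ("unknown", None)


def parse_shadow(text):
    """Yield (user, hash_field) from shadow-format text."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            yield fields[0], fields[1]


def check_password(password, significant=None):
    """Apply the guide's rules to a password; return a list of problems.

    `significant` is the truncation point of the hash scheme (8 for DES,
    None when the whole password counts).  Only the part the hash will
    actually see is checked, and anything past it is reported as ignored.
    """
    problems = []
    seen = password if significant is None else password[:significant]
    if significant is not None and len(password) > significant:
        problems.append("only the first %d characters count for this hash" % significant)
    if len(seen) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isupper() for c in seen):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in seen):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in seen):
        problems.append("no digit")
    if not any(c in string.punctuation for c in seen):
        problems.append("no symbol")
    return problems


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SHADOW
    for user, field in parse_shadow(text):
        scheme, sig = hash_scheme(field)
        limit = "first %d chars only" % sig if sig else "whole password counts"
        print("%-8s %-9s %s" % (user, scheme, limit))
    # The guide's worked example, checked under DES (8) and under MD5 (None):
    for sig in (8, None):
        print("iPh@0a1c with limit", sig, "->", check_password("iPh@0a1c", sig) or "ok")


if __name__ == "__main__":
    main(sys.argv)
```

On a DES box the check stops at eight characters because the hash does; on an MD5 or SHA box the same function accepts a longer passphrase-derived password in full, which is the case for Red Hat 7 and newer.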

You can also use a router as a firewall, or set up a real dedicated firewall. Firewalling is also possible on the box in question, which is what the built-in firewalling mentioned above gives you.

Try to remember that as long as you have a network connection, you are vulnerable to attack. There really isn't much you can do about that except prepare for the worst and do your best to minimize your exposure.

Internet security is a huge business. I have only touched lightly on a few things you can do to help lock down your stuff; there are definitely more.

Oddly enough, when I want to crack a box, err, uh, when I need access to a box that I, uh, seem to have lost or forgotten the password to, I can usually get in by one of these first: asking someone nearby, looking on the monitor for a Post-it note, looking on the desk for a scrap of paper, or trying the name of their wife, child, dog, etc.

Keep the servers in a physically secure area too. If I have physical access to a box, I have root. I'm not even into cracking and I can still gain access to more boxes than I want to.

Security starts and ends with the user.


Copyright © 1999-2002 Romulus 2. All rights reserved. Legal Notice / Privacy Policy.