Best way to secure a linux box

SOLVED
Morcos
Super Advisor

Dear all,

I used to work on RHEL 3 and now I need to install RHEL 5. I haven't worked with SELinux before.
Let's say I would like to use the box as an FTP server only; what is the best way to have a perfectly secure Linux environment?

Thanks,
8 REPLIES
Fredrik.eriksson
Valued Contributor
Solution

Re: Best way to secure a linux box

Best security is to disconnect it from the wall socket and fry your power supply :P

Just kidding, but it's actually quite true.
If you need to secure your environment you first of all need to assess what you're trying to stop.

These are some of the questions I usually ask myself:
1) Is it remote or internal threats?
1a) If it's remote, which networks can access it and why, also what applications could be vulnerable to an attack? (FTP usually is quite safe, but maybe you should /bin/false those accounts which aren't supposed to log in via shell)
1b) If it's internal, is it physical or "remote-internal" (ssh, telnet ...)?
2) What is it supposed to do and what users are supposed to use it, especially how many?

If all these have a solid answer, then you should start looking into firewalling everything you don't need. Maybe even NAT to make sure it's hidden well enough (if it's on the internet that is :P).
SELinux is a good way to lock it up and make sure your internal security isn't compromised. Even though I prefer GRSEC.

But in the long run it boils down to something like this:
Internal security: Kernel level, SELinux/GRSEC and the like.
External security: Localized firewall, and limiting which applications you run. The more ports that are in use, the more different applications are available to hack.
User security: Limiting access and making sure they don't do stuff they're not supposed to. Also making sure their passwords and such (ssh keys) are fresh and following your standards.

Another good thing is to validate new users, make sure they know what they're supposed to do and make sure they've actually got the reason for it. Use SUDO with limitations if they need to do root stuff and also never use "su", since a shared password is a bad password. Besides, SUDO does let you log intrusion attempts and such.

Hope this gives you a pointer, all security issues are based on the person doing it and the need for it. As a standard, better security == worse usability and vice versa.

A good example is the use of TPE (trusted path execution) which makes it impossible for users to execute binary files located outside the trusted paths you decide (like /usr/bin). The downside is that a user cannot run their own programs, which would make a developer quite angry probably. The upside is that a hacker can't run his exploit code if he hacks a non-trusted account.

Well, I've ranted enough for now :P

Best regards
Fredrik Eriksson
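The "/bin/false those accounts" point from 1a above, as an added audit script that is not part of Fredrik's reply: it lists every account in a passwd-format file that still has an interactive shell and is not on an allowlist of accounts that genuinely need one. The sample passwd content and the allowlist are constructed here so it runs offline; on the real box point it at /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the thread). Report accounts that can still get a
# shell, so FTP-only users can be switched to /bin/false or /sbin/nologin.

# Shells that count as interactive; anything else (/bin/false, /sbin/nologin)
# is treated as already locked down.
INTERACTIVE_SHELLS='/bin/sh /bin/bash /bin/ksh /bin/zsh /bin/tcsh /bin/csh'

# list_interactive FILE ALLOWLIST
# Prints "user:shell" for each account in FILE whose shell is interactive and
# whose name is not in the space-separated ALLOWLIST.
list_interactive() {
    file=$1
    allow=" $2 "
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        case " $INTERACTIVE_SHELLS " in
            *" $shell "*) ;;
            *) continue ;;
        esac
        case "$allow" in
            *" $user "*) continue ;;
        esac
        printf '%s:%s\n' "$user" "$shell"
    done < "$file"
}

# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftpuser1:x:501:501::/home/ftpuser1:/bin/bash
ftpuser2:x:502:502::/home/ftpuser2:/bin/false
admin:x:503:503::/home/admin:/bin/bash
EOF

# Only ftpuser1 should be reported: root and admin are allowed a shell,
# bin and ftpuser2 are already locked. The fix for each reported user is
#   usermod -s /bin/false <user>
# Caveat: RHEL's vsftpd PAM stack uses pam_shells, so /bin/false must be
# listed in /etc/shells or those users lose FTP access as well.
list_interactive "$SAMPLE" "root admin"
rm -f "$SAMPLE"
```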
Steven E. Protter
Exalted Contributor

Re: Best way to secure a linux box

Shalom,

Remove all unneeded software.

There is no such thing as a perfect Linux security environment. However if the software is not installed it can not be abused.

Do a minimal OS install with only ftp and openssh(No option not) in the customization section of the RHEL 5 install.

Configure the firewall to only open up port 21.

Do you need selinux? No. Will it help if someone finds a way to pull an ftp buffer overflow and get command line access? Yes, and RHEL 5 has gui tools for selinux configuration that do not require in-depth knowledge of those incomprehensible configuration files.

Downloading and installing bastille from http://bastille-linux.org and running through the configuration will make your system more secure.

Realistically, a good firewall configuration and minimal software installation is enough, but the other steps improve security.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Fredrik.eriksson
Valued Contributor

Re: Best way to secure a linux box

Agreed SEP, I was just pointing out worst case scenarios and what I do when my work demands me for it.

Also, never allow root to login via SSH... that is the worst thing you can do.
All linux boxes (practically anyway) have the root user... which all brute-force viruses try to exploit... even if it wasn't a virus the best user to try to brute-force or exploit is the root user.

Best regards
Fredrik Eriksson
dirk dierickx
Honored Contributor

Re: Best way to secure a linux box

bastille would be my choice as well, of course a big fat WARNING is included, do not blindly implement everything bastille suggests, some things you will not want to do.

the thing is that, even though bastille automates lots of the things, you still have to know what it is talking about.

mostly linux boxes are pretty secure out of the box, certainly so for internal use. when presenting to the outside world some more hardening may be needed.

as always, it depends on what you want to do.
Brendan Peter Murphy
Occasional Advisor

Re: Best way to secure a linux box

As well as all the good advice above, you might look into using vsftp (very secure ftp).
Nuwan Alwis
Valued Contributor

Re: Best way to secure a linux box

Hi,
Well, I don't have much to say because you have enough information. But I'll add this FYI.
Linux now has 7 layers of security.
But implementing all these on a system will add additional overhead to the system as well, and it can also become hard to manage from the administrative perspective.
SELinux is just one of them and personally I think it is very useful when implementing security for direct user interactive systems.
If this is a system that provides services:
- iptables
- hosts.allow
- pam
properly configured with the correct services (SSH, SCP, VSFTP) will do the job.
Morcos
Super Advisor

Re: Best way to secure a linux box

Thanks all for your help.

I'll leave this thread open in case I need more information.

cheers,
Srimalik
Valued Contributor

Re: Best way to secure a linux box

You can also customize things in

/etc/security/limits.conf

I use this file to protect my machine from fork bombs.

-Sri
abandon all hope, ye who enter here..
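The limits.conf approach mentioned above, as an added example that is not Srimalik's own file: the entries that cap how many processes a user may hold, which is what blunts a fork bomb. The numbers are assumptions to size for the box, and the ftp account is a constructed example.

```conf
# /etc/security/limits.conf excerpt (added example; values are assumptions)
# Format: <domain> <type> <item> <value>
# pam_limits applies these at login, so the login paths that matter here
# (sshd, login, vsftpd) must include pam_limits.so; on RHEL 5 they pull it
# in through /etc/pam.d/system-auth.

# Every ordinary user: soft cap the user can lower, hard cap they cannot raise.
*        soft    nproc    100
*        hard    nproc    150

# Service accounts that should never spawn much get a tighter line;
# an explicit user entry takes precedence over the wildcard.
ftp      hard    nproc    20

# The "*" wildcard is not applied to root; only a literal "root" line would
# cap it. Leave root uncapped so the administrator can still run ps and
# kill when a user has exhausted their own quota.
```

After the user logs in again, `ulimit -u` in their session should report the soft value and `ulimit -Hu` the hard value; if it still says unlimited, the login service's PAM stack is not running pam_limits.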