How to secure LINUX BOX from Hacking

SOLVED
palaniappan.sp
Regular Advisor

How to secure LINUX BOX from Hacking

Hi,
I want to know the different ways Linux boxes are approached when it comes to hacking...
1) I just want to know the different ways of securing Linux boxes... from hacking...
2) Then how to probe for and prevent hacking of servers... by hackers.
3) What are the preventive measures to be taken on a server to avoid hacking...
4) Where can I find more relevant details on hacking of Linux boxes..
5) How can I find which unknown processes are running, why they are running, and which one is using port 899 on Linux boxes.
for ex: 899/tcp open unknown services

regds,
palani
Everything is Possible and Anything is Feasible if u try
Ivan Ferreira
Honored Contributor

Re: How to secure LINUX BOX from Hacking

Many security practices are available:

- Configure the firewall (iptables)
- Change the default SSH port
- Disable SSH root login
- Keep the server updated
- Plan a good backup and disaster recovery strategy
- Disable unneeded services
- Install an IDS tool like Tripwire
- Other tools are available, like portsentry, logwatch, nmap, snort, etc.
- Use Nessus to check the server security
- There is a book called Hacking Linux Exposed by Anonymous

You can use lsof to identify the process that opens a port, like this:

lsof -i :899
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Colin Topliss
Esteemed Contributor

Re: How to secure LINUX BOX from Hacking

...plus you can configure services under xinetd to respond to known IP addresses only.

But basically apply the same common sense approach to securing systems and diagnosing hacking attempts as you would any other UNIX system. The principles are exactly the same - you just might find that there are more tools available under Linux than most other *NIXs.

If you really want something Linux specific to while away the midnight hours, have a look at Linux Server Security (ISBN 0-596-00670-5).

In general terms, look at Network Intrusion Detection (ISBN 0-7357-0868-1).

Colin.
Court Campbell
Honored Contributor

Re: How to secure LINUX BOX from Hacking

I would actually disable xinetd as a whole. I realize xinetd is more secure than inetd, but most of the services it manages can be run stand-alone. If you need an FTP daemon you could look into vsftpd. Set up users to be chrooted to their home directory. You could also set it up to use SSL. This would make your FTP traffic secure. And really, I think the world needs to forget that telnet and the r-services exist.

If you are running Red Hat you can set up SELinux. It basically defines and characterizes applications and only allows them to do what they are meant to do. So if an application became compromised, the attacker could only access things that the application is allowed to access. I would suggest reading up on SELinux before you implement it. You can shoot yourself in the foot pretty fast if you are not familiar with how it works.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Stuart Browne
Honored Contributor

Re: How to secure LINUX BOX from Hacking

Also consider running all services in their own chroot environment. This is actually quite a bit of work, but it means that if a service is compromised, the effect is limited to a very narrow area.

SSH should also be configured to not accept password logins, but require pre-shared 1024/2048-bit DSA keys. This means that SSH itself becomes even more secure.

Look into the PAM limits for failed logins, and automation of account disabling or locking if someone tries repeated logins to that account.

There are a few tools around which allow you to create actively dynamic firewall rules based on behaviours (i.e. block someone who tries to telnet to a port 50 times within a period). This reduces probing looking for possible exploits in services.

For question 5), 'netstat -ntlp' is your friend. It ties processes to listening ports. If you use just '-nap', it'll match all TCP/UDP/UNIX socket traffic to their owner PIDs. Very handy.

Learn about ACLs, and how to use 'chattr'. Immutable is quite handy.

Learn about 'rpm -V' (if you're using an RPM-based machine) to verify the files installed, to ensure that they haven't been modified.

As for 4), make sure you're on the security mailing lists (http://www.securityfocus.com for example). Also ensure you're on your Linux distribution's package update lists so you can update your system as soon as security updates are available.

.. Anyway, just some thoughts off the top of my head ..
One long-haired git at your service...
palaniappan.sp
Regular Advisor

Re: How to secure LINUX BOX from Hacking

Hi,
If I implement SELinux, some network processes get affected. For example, if SELinux is enabled on the Amanda backup server, the backup server is not able to take backups of the Linux clients, i.e. a communication error arises, like the Amanda backup server not having permission to take a backup of /home/*... Then I disabled SELinux and it's working fine....
But now I have implemented iptables...
What can I do for this type of scenario??

Please let me know if there is any advanced and simple way.... of securing Linux boxes...

regds,
Palani.
Everything is Possible and Anything is Feasible if u try
Steven E. Protter
Exalted Contributor

Re: How to secure LINUX BOX from Hacking

Shalom,

Great tool here that helps.

http://www.bastille-linux.org/

1) My basic approach is to run a minimum amount of services. I have special firewall boxes that forward selected ports only to the real servers, which limits vulnerability. The firewalls run two applications, the firewall and ssh.

2) Bastille helps you secure, nessus and snort help spot problems as they are happening.

3) See prior posts and link above.

4) A google search should suffice.

5) I would suspect that someone is trying to hack your box. Get that firewall up.

http://www.fs-security.com/

This tool ships with Fedora and other Linuxes and, though not frequently updated, is an excellent firewall tool. It gets you going out of the box quickly and has an easy to understand GUI.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: How to secure LINUX BOX from Hacking

If you want to deal with SELinux, you should take a look at the audit2allow command.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
dirk dierickx
Honored Contributor
Solution

Re: How to secure LINUX BOX from Hacking

A few tools to help you:

- Bastille
- Tripwire/AIDE
- chkrootkit
- SELinux

And also important is to keep yourself up to date with new package releases, certainly for networking daemons and the kernel.
palaniappan.sp
Regular Advisor

Re: How to secure LINUX BOX from Hacking

Hi all,

Now I have implemented a new policy on the Linux boxes and am watching the servers with the help of all of your tips.

Steven,

What you suggested is correct, somebody is trying to hack my m/c. I found SSH login failures in /var/log/secure every few minutes, and 4 to 5 failed login attempts... are found.
Let me know what I can do about this problem..


Thanx a lot for all..

Let me know if new anything is available...for securing unix boxes..



Regds,
palani.sp.

Everything is Possible and Anything is Feasible if u try
Ivan Ferreira
Honored Contributor

Re: How to secure LINUX BOX from Hacking

>> What you suggested is correct, somebody is trying to hack my m/c. I found SSH login failures in /var/log/secure every few minutes, and 4 to 5 failed login attempts... are found.
>> Let me know what I can do about this problem..

Once I changed the default SSH port to another one, so basic attacks can be stopped.

You should also configure the following options in the sshd_config file:

PermitRootLogin no

And you can restrict who can login with SSH by configuring:
AllowUsers or AllowGroups

You can have an even more secure environment if you use only public keys and disable password authentication:

PasswordAuthentication no
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
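As an added example (not code from the thread or from OpenSSH), here is a small auditor that checks an sshd_config for the settings recommended in this post: root login disabled, password authentication off, an AllowUsers/AllowGroups allow-list, and a non-default port. It follows sshd's own parsing rules, which is where such audits usually go wrong: keywords are case-insensitive, and the first occurrence of a keyword wins, so a second "PermitRootLogin no" further down does not override an earlier "yes"; directives after a Match block are conditional and are skipped. The sample config is constructed.

```python
"""Audit an sshd_config for the hardening options recommended above.
Added example, not part of the thread. First value wins (as in sshd);
anything after a 'Match' line is conditional and ignored here.
"""
import re

# Keyword -> value the thread recommends (keys are lower-cased by the parser).
CHECKS = {"permitrootlogin": "no", "passwordauthentication": "no"}

SAMPLE_CONFIG = """\
# constructed sample sshd_config (not a real server's file)
Port 22
PermitRootLogin yes
PermitRootLogin no      # sshd ignores this: first value wins
# PasswordAuthentication no   <- commented out, so the default applies
Match User backup
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return {keyword: first_value} for the global (pre-Match) directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments/blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break                                # rest of file is conditional
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)         # keep the first occurrence only
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append("Port: still the default 22")
    for key, wanted in CHECKS.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, so the sshd default applies")
        elif got.lower() != wanted:
            findings.append(f"{key}: is '{got}', expected '{wanted}'")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("AllowUsers/AllowGroups: no login allow-list configured")
    return findings

if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On a real server, run it over the contents of /etc/ssh/sshd_config and remember that sshd must be reloaded before changes take effect.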
palaniappan.sp
Regular Advisor

Re: How to secure LINUX BOX from Hacking

Hi ivan,

Actually I had changed the SSH port and implemented iptables, and removed the permission for root login.
But I didn't do the public key authentication.. Thanks for reminding me of this...
Could you please explain the usage of the audit2allow command with an example..
I am collecting details regarding this in parallel....

Regds,
palani.
Everything is Possible and Anything is Feasible if u try
Ivan Ferreira
Honored Contributor

Re: How to secure LINUX BOX from Hacking

Please See this page:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-section-0120.html

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Colin Topliss
Esteemed Contributor

Re: How to secure LINUX BOX from Hacking

If you want to look at blocking access from IP addresses that have attempted to access your servers without authorization, you could also look at portsentry and swatch.

Portsentry can be found at
http://sourceforge.net/projects/sentrytools/

Swatch can be found at
http://sourceforge.net/projects/swatch

I use swatch (which unfortunately requires you to create a config file for it to be of any use) to update my firewall to block IP addresses that attempt to SSH to my system with a username not in my username list. The trouble of course is that the firewall blocked list can become quite large... :-)

Colin.
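As an added example (not code from the thread, swatch or portsentry), this script does over /var/log/secure what Colin describes swatch doing, combined with the "N attempts within a period" rule from Stuart's earlier post: a source IP is listed for blocking if it tried a username outside the allow-list, or if it produced more than MAX_FAILURES failed passwords for valid users within WINDOW. The allow-list, thresholds and log lines are constructed; the script only renders the iptables rules as strings and executes nothing, so the admin decides what to apply.

```python
"""Flag SSH brute-force sources in /var/log/secure (added example, not
from the thread). Returns a block list; applying it is left to the admin."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWED_USERS = {"palani", "backup"}     # constructed allow-list (Colin's rule)
MAX_FAILURES = 2                         # constructed threshold (Stuart's rule)
WINDOW = timedelta(minutes=10)

# Classic syslog line from sshd; 'invalid user' appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

SAMPLE_LOG = [  # constructed sample lines, not real log data
    "Mar  3 10:15:22 srv1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2",
    "Mar  3 10:15:25 srv1 sshd[1236]: Failed password for root from 192.0.2.10 port 4322 ssh2",
    "Mar  3 10:16:01 srv1 sshd[1240]: Accepted publickey for palani from 198.51.100.7 port 5000 ssh2",
    "Mar  3 10:17:40 srv1 sshd[1250]: Failed password for palani from 198.51.100.7 port 5001 ssh2",
    "Mar  3 11:02:03 srv1 sshd[1300]: Failed password for backup from 203.0.113.5 port 6000 ssh2",
    "Mar  3 11:02:04 srv1 sshd[1301]: Failed password for backup from 203.0.113.5 port 6001 ssh2",
    "Mar  3 11:02:05 srv1 sshd[1302]: Failed password for backup from 203.0.113.5 port 6002 ssh2",
]

def find_block_candidates(lines):
    """Return {ip: reason} for sources that violate either rule."""
    reasons = {}
    recent = defaultdict(deque)           # ip -> timestamps of recent failures
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                      # accepted logins, other daemons, etc.
        ip, user = m["ip"], m["user"]
        # syslog timestamps carry no year; strptime's default year is only
        # used for ordering within one file (sample avoids Feb 29)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if user not in ALLOWED_USERS:
            reasons.setdefault(ip, f"tried unknown user '{user}'")
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # sliding window per source IP
            q.popleft()
        if len(q) > MAX_FAILURES:
            reasons.setdefault(ip, f"{len(q)} failures for valid users within {WINDOW}")
    return reasons

def iptables_rules(reasons):
    """Render one DROP rule per flagged source (strings only, nothing executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # {why}" for ip, why in sorted(reasons.items())]
```

A single typo by a legitimate user (198.51.100.7 above) stays under the threshold, which is the point of the window: Colin's ever-growing block list is the cost of skipping it.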
Rick Garland
Honored Contributor

Re: How to secure LINUX BOX from Hacking

There is a book from O'Reilly called "Linux Security Cookbook". It has descriptions of the above posts with examples.