Hardening Linux (eBook)
XXVIII, 584 pages
Apress (Publisher)
978-1-4302-0005-5 (ISBN)
* Each application-focused chapter can be used as a stand-alone HOW-TO for that particular application.
* Offers readers a selection of resources (websites, mailing lists, and books) to further their knowledge.
James Turnbull is the author of five technical books about open source software and a longtime member of the open source community. James authored the first and second books about Puppet, and works for Puppet Labs, running client services. James speaks regularly at conferences including OSCON, Linux.conf.au, FOSDEM, OpenSourceBridge, DevOpsDays and a number of others. He is a past president of Linux Australia, has run Linux.conf.au and serves on the program committee of Linux.conf.au and OSCON. James is Australian but currently lives in Portland, Oregon. His interests include cooking, wine, political theory, photojournalism, philosophy, and most recently the Portland Timbers association football team.
Hardening is the process of protecting a system and its applications against unknown threats. Hardening Linux identifies many of the risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks. The book is written for Linux/UNIX administrators who do not necessarily have in-depth knowledge of security but need to know how to secure their networks.
Contents 6
About the Author 14
About the Technical Reviewer 15
Acknowledgments 16
Introduction 17
Chapter 1 Hardening the Basics 24
Installing Your Distribution Securely 25
Some Answers to Common Installation Questions 25
Install Only What You Need 25
Secure Booting, Boot Loaders, and Boot-Time Services 27
Securing Your Boot Loader 28
Init, Starting Services, and Boot Sequencing 31
Consoles, Virtual Terminals, and Login Screens 38
Securing the Console 39
The Red Hat Console 39
Securing Virtual Terminals 40
Securing Login Screens 41
Users and Groups 42
Shadow Passwording 45
Groups 46
Adding Users 47
Adding Groups 49
Deleting Unnecessary Users and Groups 51
Passwords 54
Password Aging 58
User Accounting 65
Process Accounting 67
Pluggable Authentication Modules (PAM) 69
PAM Module Stacking 71
The PAM “Other” Service 72
Restricting su Using PAM 73
Setting Limits with PAM 74
Restricting Users to Specific Login Times with PAM 76
Package Management, File Integrity, and Updating 79
Ensuring File Integrity 80
Downloading Updates and Patches 84
Compilers and Development Tools 87
Removing the Compilers and Development Tools 87
Restricting the Compilers and Development Tools 88
Hardening and Securing Your Kernel 89
Getting Your Kernel Source 89
The Openwall Project 91
Other Kernel-Hardening Options 97
Keeping Informed About Security 98
Security Sites and Mailing Lists 98
Vendor and Distribution Security Sites 99
Resources 99
Mailing Lists 99
Sites 100
Chapter 2 Firewalling Your Hosts 101
So, How Does a Linux Firewall Work? 102
Tables 104
Chains 104
Policies 104
Adding Your First Rules 105
Choosing Filtering Criteria 108
The iptables Command 109
Creating a Basic Firewall 113
Creating a Firewall for a Bastion Host 119
Kernel Modules and Parameters 139
Patch-o-Matic 139
Kernel Parameters 146
Managing iptables and Your Rules 151
iptables-save and iptables-restore 152
iptables init Scripts 153
Testing and Troubleshooting 154
Resources 158
Mailing Lists 158
Sites 158
Books 158
Chapter 3 Securing Connections and Remote Administration 159
Public-Key Encryption 159
SSL, TLS, and OpenSSL 162
Stunnel 174
IPSec, VPNs, and Openswan 181
inetd and xinetd-Based Connections 189
Remote Administration 191
ssh-agent and Agent Forwarding 199
The sshd Daemon 201
Configuring ssh and sshd 202
Port Forwarding with OpenSSH 205
Forwarding X with OpenSSH 206
Resources 207
Mailing Lists 207
Sites 207
Chapter 4 Securing Files and File Systems 208
Basic File Permissions and File Attributes 209
Access Permissions 209
Ownership 219
Immutable Files 219
Capabilities and lcap 221
Encrypting Files 223
Securely Mounting File Systems 225
Securing Removable Devices 228
Creating an Encrypted File System 229
Installing the Userland Tools 230
Enabling the Functionality 230
Encrypting a Loop File System 231
Unmounting Your Encrypted File System 235
Remounting 236
Maintaining File Integrity with Tripwire 236
Configuring Tripwire 237
Explaining Tripwire Policy 239
Network File System (NFS) 250
Resources 252
Mailing Lists 252
Sites 252
Sites About ACLs 252
Chapter 5 Understanding Logging and Log Monitoring 253
Syslog 253
Configuring Syslog 255
Starting syslogd and Its Options 259
syslog-NG 261
Installing and Configuring syslog-NG 261
The contrib Directory 262
Running and Configuring syslog-NG 262
Sample syslog-ng.conf File 274
Logging to a Database with syslog-NG 276
Secure Logging with syslog-NG 279
Testing Logging with logger 283
Log Analysis and Correlation 284
Installing and Running SEC 287
Inputting Messages to SEC 289
Building Your SEC Rules 290
Log Management and Rotation 297
Resources 300
Mailing Lists 300
Sites 300
Books 300
Chapter 6 Using Tools for Security Testing 301
Inner Layer 302
Scanning for Exploits and Root Kits 302
Testing Your Password Security 307
Automated Security Hardening with Bastille Linux 310
Outer Layer 315
NMAP 316
Nessus 322
Other Methods of Detecting a Penetration 333
Recovering from a Penetration 335
Additional Security Tools 338
dsniff 338
Ethereal 338
Ettercap 338
LIDS 338
Netcat 339
SARA 339
Snort 339
tcpdump 339
Titan 339
Resources 339
Sites 340
Chapter 7 Securing Your Mail Server 341
Which Mail Server to Choose? 341
How Is Your Mail Server at Risk? 343
Protecting Your Mail Server 343
Chrooting a Sendmail SMTP Gateway or Relay 344
Chrooting Postfix 350
Securing Your SMTP Server 353
Obfuscating the MTA Banner and Version 353
Disabling Dangerous and Legacy SMTP Commands 356
Some Additional Sendmail Privacy Flags 359
Sendmail and smrsh 359
Writing to Files Safely 360
Limiting the Risk of (Distributed) DoS Attacks 361
Relaying, Spam, and Viruses 366
Relaying 366
Antispam 371
Antivirus Scanning Your E-mail Server 384
Resources 392
Mailing Lists 392
Sites 392
Chapter 8 Authenticating and Securing Your Mail 393
TLS 393
Creating Certificates for TLS 394
TLS with Sendmail 397
TLS with Postfix 401
SMTP AUTH Using Cyrus SASL 407
Compiling Cyrus SASL 408
Configuring SASL saslauthd 409
SMTP AUTH Using Cyrus SASL for Sendmail 409
Compiling Cyrus SASL into Sendmail 410
Configuring Cyrus SASL for Sendmail 411
Using SMTP Server Authentication with Sendmail 412
Using SMTP Client Authentication with Sendmail 414
SMTP AUTH Using Cyrus SASL for Postfix 415
Compiling Cyrus SASL into Postfix 415
Configuring Cyrus SASL for Postfix 416
Using SMTP Server Authentication with Postfix 418
Using SMTP Client Authentication with Postfix 420
Testing SMTP AUTH with Outlook Express 420
Resources 422
Mailing Lists 422
Sites 422
Chapter 9 Hardening Remote Access to E-mail 423
IMAP 424
POP 424
Choosing IMAP or POP Servers 425
How Is Your IMAP or POP Server at Risk? 426
Cyrus IMAP 427
Installing and Compiling Cyrus IMAP 429
Installing Cyrus IMAP into a chroot Jail 431
Configuring Cyrus IMAP 437
Cyrus IMAP Authentication with SASL 442
Cyrus IMAP Access Control and Authorization 445
Testing Cyrus IMAP with imtest/pop3test 448
Fetchmail 450
Installing Fetchmail 451
Configuring and Running Fetchmail 454
Resources 461
Mailing Lists 461
Sites 461
Chapter 10 Securing an FTP Server 463
How Does FTP Work? 464
Firewalling Your FTP Server 466
What FTP Server to Use? 468
Installing vsftpd 468
Configuring vsftpd for Anonymous FTP 470
General Configuration 471
Mode and Access Rights 472
General Security 474
Preventing Denial of Service Attacks 475
Configuring vsftpd with Local Users 476
Adding SSL/TLS Support 479
Starting and Stopping vsftpd 481
Resources 481
Sites 481
Chapter 11 Hardening DNS and BIND 482
Your DNS Server at Risk 483
Man-in-the-Middle Attacks 483
Cache Poisoning 484
Denial of Service Attacks 484
Data Corruption and Alteration 485
Other Risks 485
What DNS Server Should You Choose? 485
Secure BIND Design 486
Installing BIND 489
Chrooting BIND 491
Permissions in the chroot Jail 492
Starting and Running named 493
Configuring BIND 495
Access Control Lists 498
Logging 499
Options 503
Views and Zones 512
Zones 516
TSIG 519
The rndc Command 523
rndc.conf 524
Adding rndc Support to named.conf 526
Using rndc 527
Resources 529
Mailing Lists 529
Sites 529
Information About Zone Files 529
Books 529
APPENDIX A The Bastion Host Firewall Script 530
APPENDIX B BIND Configuration Files 536
A Caching Server 536
An Authoritative Master Name Server 538
A Split DNS Name Server 539
A Sample Named init Script 542
APPENDIX C Checkpoints 544
Chapter 1 544
Chapter 2 545
Chapter 3 546
Chapter 4 546
Chapter 5 547
Chapter 6 548
Chapter 7 548
Chapter 8 549
Chapter 9 549
Chapter 10 550
Chapter 11 550
Index 552
| Publication date (per publisher) | 1.11.2006 |
|---|---|
| Additional information | XXVIII, 584 p. |
| Place of publication | Berkeley |
| Language | English |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| Keywords | Administration • Administrator • Architecture • Configuration • installation • Kerberos • Kernel • Linux • MySQL • security • Server • SQL • SSH |
| ISBN-10 | 1-4302-0005-7 / 1430200057 |
| ISBN-13 | 978-1-4302-0005-5 / 9781430200055 |
Size: 3.1 MB
DRM: digital watermark
This eBook contains a digital watermark and is therefore personalized to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables, and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need a PDF viewer, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a PDF viewer, e.g. the free Adobe Digital Editions app.
Additional feature: online reading
In addition to downloading it, you can also read this eBook online in your web browser.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.