[plug] Securing Red Hat Linux

Paul Wilson hooker at opera.iinet.net.au
Tue Aug 11 17:29:42 WST 1998


> From: John Summerfield <summer at os2.ami.com.au>
> On Mon, 10 Aug 1998, Paul Wilson wrote:
> 
> > A while ago there was a talk at Digital that I missed - it concentrated on
> > the practicalities of securing Red Hat Linux so that it was safe to use on
> > the Internet (i.e. as a web server or somesuch).
> > 
> > Does anyone have notes/views/comments/experience that they'd be willing to
> > pass on?
> 
> now let me see:
> Don't run imap - the protocol's fine, the code holey.
> Don't run any service you don't need. Not mentioned is that every bind on
> several platforms gave the knowledgeable root access. Fixed in (I think)
> 8.1. Certainly 8.1.2 is available and fixed.
> 
> Don't run echo: it sends IP packets back to the source. If the source is
> forged as yourself and someone sends you lots...
> 
> Don't run tftpd.
> Don't run talkd (doesn't understand network byte order so can't talk to
> big-endian computers. ntalk's fine).
> 
> Don't run finger. Apart from anything else, it's a wonderful source of
> email addresses. Also tells hackers which accounts they might try: anyone
> who never logs in will probably not notice that someone's been in for a
> free ride.
> run 
> find / -perm +6000 
> to see what's setuid/setgid.
> 
> Some things that were said not to have to be setuid root in fact do: some
> of the print (lpxx) stuff comes to mind as I turned off the naughty bits
> and they wouldn't work.
> 
> Some other points that have come up recently.
> Some sites have discovered three documents and no others were requested
> from their web servers:
> test-cgi
> handler
> phf
> 
> All are known security holes: see http://www.rootshell.com/
> 
> Additionally I seem to have been subject to a port scan by a few of these
> intruders: I've seen access to my mail (pop3) service from remote sites.
> 
> Keep up to date with patches. Red Hat is quite good with releasing updates.
> I recently updated my 4.2 system with pretty well all the same patches
> that apply to 5.0 (but, of course, compiled & linked with libc). The
> exceptions are apache (I got the source from apache.org) and sendmail:
> again, I got source and built from that.
> 
> btw You need sendmail 8.9 to avoid spammers hiding their source domain by
> saying
> "helo Imacomputeriwithanextraordinarilylongdomainname(over1kbytesofthis)"
> and causing the "Received:" header to be truncated.
> 
> Now, I think, the "truncation"'s done in the middle.
> 
> > Are there any radical differences from the process of securing other
> > Unixen?
> 
> The RH system was taken to demonstrate the technique, using a virgin
> system. Very little (except a few comments) was RH-specific.
> 
> 
> A point emphasised repeatedly:
> If you don't need a service, don't run it. If you only need it part-time,
> run it then, then stop it.

Also, run everything behind :

(1) a router configured to drop packets for unwanted services
(2) a properly configured firewall (and read the logs regularly)

Paul
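The two concrete checks in the thread above (turn off inetd services you do not need, and run find for setuid/setgid files) as an added shell script. This is not code from the original posts or from the Digital talk; the /etc/inetd.conf excerpt and the temporary directory tree are constructed here for the demonstration, and the "do not run" list is taken from the post (imap, echo, tftp, talk, finger). The helper names (enabled_services, risky_enabled, setuid_files, make_sample_tree) are this example's own.

```shell
#!/bin/sh
# Added audit helper for two checks from the thread: report enabled inetd
# services the post says not to run, and list setuid/setgid files. Runs on a
# constructed inetd.conf sample and a temporary directory tree, so it works
# offline; point the functions at the real files on a live host.

# Constructed /etc/inetd.conf excerpt (not from a real host). Lines starting
# with '#' are disabled, as in a real inetd.conf.
SAMPLE_INETD='# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
echo    stream  tcp     nowait  root    internal
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd'

# Services the post says not to run on an Internet-facing host.
RISKY_SERVICES='imap echo tftp talk finger'

# Read inetd.conf text on stdin; print the name of every enabled service
# (comment lines are disabled entries; a real entry has at least 6 fields).
enabled_services() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 6 { print $1 }'
}

# Read inetd.conf text on stdin; print the enabled services that are in
# RISKY_SERVICES, in the order they appear in the file.
risky_enabled() {
    enabled_services | awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        ($1 in bad) { print $1 }'
}

# The post's "find / -perm +6000", written in the portable form. GNU find
# dropped the +mode syntax (it wants -perm /6000); the -o form below works on
# GNU, BSD and busybox find. Output is sorted so runs compare stably.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Build a constructed directory tree with one setuid, one setgid and one plain
# file, and print its path. The caller removes it when done.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/a_setuid"; chmod 4755 "$d/bin/a_setuid"
    : > "$d/bin/b_setgid"; chmod 2755 "$d/bin/b_setgid"
    : > "$d/bin/plain";    chmod 0755 "$d/bin/plain"
    echo "$d"
}

# Stand-alone run: report on the constructed sample, then clean up.
echo "Enabled inetd services the post says not to run:"
printf '%s\n' "$SAMPLE_INETD" | risky_enabled
tree=$(make_sample_tree)
echo "setuid/setgid files under $tree:"
setuid_files "$tree"
rm -rf "$tree"
```

On a real Red Hat host of that era you would feed `risky_enabled` the actual /etc/inetd.conf (`risky_enabled < /etc/inetd.conf`) and run `setuid_files /`; the list of setuid/setgid files is the starting point for the "turn off the naughty bits" exercise the post describes, and anything you cannot justify (the print spooler being the noted exception) is a candidate for `chmod u-s`.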

