[plug] Re: Securing Redhat 9.0
Craig Ringer
craig at postnewspapers.com.au
Fri Oct 14 18:05:51 WST 2005
luca at trifelli.id.au wrote:
> I agree.
>
> I think Fedora Core 4 is stable enough, well updated and easy to maintain, which makes it a possible choice (may be better than
> RH9).
>
> Linux can be penetrated (for sure less than other OS).
>
> If you are worried about possible intrusions, you might want to use some Intrusion Detection Software (e.g.: www.snort.org) in
> conjunction with your firewall, which logs any possible attack and will also give you a sort of evidence....
> I also suggest using ACID (Analysis Console for Intrusion Databases) in conjunction with snort; it will give you some useful
> features such as: Query-builder and search interface, Packet viewer (decoder), Alert Management, Chart and statistics
> generation, etc...
Yep. That reminds me that the original poster didn't just ask about RH9,
but general security measures for Internet-accessible hosts. I'll give
my views - and while I'm no expert, I haven't had a system cracked yet
either...
The first and most important one is the same as for any other OS - make
sure you limit what runs on it, and limit what's visible to the outside
world, to the very minimum possible. If you want to run something (like,
say, a database server) on the host but don't want it accessible except
from the host itself, set it to listen only on the "loopback" network
interface, or set it to only use UNIX sockets to communicate. This is
usually possible in the configuration of the process, and most
half-decent distros do this by default for most services.
The next is the same as any other OS too - keep it up to date. This is
critically important. There *have* been worms that attack software
commonly used on Linux, such as Apache, though it seems direct hacks by
automated scanners are a more common means of compromise. You do need to
keep it up to date.
As well as limiting what runs, you should limit what the running
processes can do. If the web server process doesn't need rights to write
to user home directories, it shouldn't have those rights. Again, any
half-decent distro should do this by default, but some do it better than
others. SELinux, as shipped by Fedora Core 4, gives an added layer of
protection in this regard, but at the cost of some potential confusion
(and swearing and sobbing with frustration) if you need to alter those
permissions or run into them unwittingly.
A firewall might not be a bad idea, but if you've properly limited your
public services it shouldn't really be necessary, and gives attackers
another thing to attack. James Devenish had some convincing arguments
here (more so now than I found them at the time), which can be found in
the archives.
If you plan to run a web server, don't forget that you must keep any web
applications up to date too. It does you little good to keep Apache up
to date if your custom-installed copy of PHPNuke (*shudder*) lets an
attacker get a local account.
If you're feeling really paranoid (note that when running an Internet
host that's quite reasonable really - they all ARE out to get you) you
may wish to look at isolating services on the system using
virtualization systems such as Xen or UML. It's also possible to do
something similar, but much less comprehensive, with chroot hosting.
Using Xen or UML gives you a virtual machine that runs "on top" of your
real host. This machine can easily be snapshotted, frozen in time, etc,
and it's also easy to just restore a backup of it remotely if it does
get broken into. Additionally, you can separate different services into
different OS instances, so if one gets broken into the rest of the
services are unaffected. I'm about to start using this to isolate my
employer's web server setup from some other security critical tasks done
on the same host.
I'm sure this is making it sound like it's nigh impossible to run a
Linux system on the Internet without it getting cracked. That's not
true; you simply have to pay a little attention. Given that most distros
do a lot of it right by default, the most important thing is probably
going to be keeping the system up to date. Decent distros will provide
tools like yum and apt that make this trivial.
--
Craig Ringer
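One way to verify the "listen only on loopback" advice above is to audit which sockets are actually bound to a public address. This is an added example, not part of Craig's post: it works on `ss -lntu`-style output (the sample below is constructed, not from a real host) and assumes the ports you intend to be public are passed as a space-separated list.

```shell
#!/bin/sh
# Audit listening TCP/UDP sockets and flag any bound to a non-loopback address.
# Input is the table `ss -lntu` prints (Netid State Recv-Q Send-Q Local:Port Peer:Port).
# Pipe the real output in, or use the constructed sample below.

# Constructed sample in `ss -lntu` layout (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    *:80                 *:*
udp   UNCONN 0      0      [::1]:53             [::]:*
tcp   LISTEN 0      128    [::]:3306            [::]:*'

# Print "proto addr:port" for every socket whose local address is not loopback.
# Reads ss-style lines on stdin; loopback means 127.0.0.0/8, [::1] or localhost.
exposed_listeners() {
    awk 'NR > 1 {
        laddr = $5
        addr = laddr
        sub(/:[^:]*$/, "", addr)   # drop the port after the last ":"
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost") next
        print $1, laddr
    }'
}

# Return 0 if every public listener is on a port in $1 (space-separated);
# otherwise print the unexpected listeners and return 1.
check_allowed_ports() {
    allowed=" $1 "
    bad=$(exposed_listeners | while read -r proto laddr; do
        port=${laddr##*:}
        case "$allowed" in
            *" $port "*) ;;                 # expected public service
            *) echo "$proto $laddr" ;;      # bound publicly but not on the allow list
        esac
    done)
    [ -z "$bad" ] || { printf 'UNEXPECTED public listener(s):\n%s\n' "$bad"; return 1; }
}

# Demo on the constructed sample: list everything reachable from outside the host.
# On a live system: ss -lntu | check_allowed_ports "22 80"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

In the sample, the database on 5432 and the resolver on [::1]:53 pass because they are loopback-only, while the MySQL port bound to [::] is reported unless 3306 is on the allow list.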