SANS Institute

Security Consensus Operational Readiness Evaluation


This checklist is from the SCORE Checklist Project. Reposting is not permitted without express, written permission.

Linux Security Checklist

Copyright SANS Institute Author Retains Full Rights


Prepared by: Lori Homsher
Contributor: Tim Evans

Table of Contents
Introduction ........ 1
Checklist ........ 2
Boot and Rescue Disk ........ 2
System Patches ........ 2
Disabling Unnecessary Services ........ 3
Check for Security on Key Files ........ 3
Default Password Policy ........ 3
Limit root access using SUDO ........ 4
Only allow root to access CRON ........ 4
Warning Banners ........ 4
Remote Access and SSH Basic Settings ........ 4
Host-based Firewall Protection with iptables ........ 5
Xinetd and inetd.conf ........ 6
tcpwrappers ........ 6
System Logging ........ 7
Backups ........ 8
Integrity-checking Software ........ 9
Apache Security (all Unix) ........ 9
Apache Mod_security module ........ 10
Xwindow ........ 10
LIDS (Linux Intrusion Detection System) ........ 11
Selinux (Security Enhanced Linux) ........ 11
Email Security ........ 11
File Sharing ........ 11
Encryption ........ 12
Anti-Virus Protection ........ 12
Bastille Linux ........ 12
References ........ 13

Introduction
This checklist can be used to audit an existing Linux system, or as a system hardening document for Linux administrators tasked with setting up a new Linux system. This checklist does not provide vendor-specific security issues, but attempts to provide a generic listing of security considerations to be used when auditing or configuring a Linux machine. Security is complex and constantly changing. In addition to this checklist, consult the web site of your Linux distribution and the individual software packages that are loaded onto the system. Most Linux distributions have their own recommendations regarding security. RedHat has documented their recommendations at: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/. Gentoo Linux has a security handbook at: http://www.gentoo.org/doc/en/security/index.xml Debian's security statement and recommendations can be found at: http://www.debian.org/security/

Page 1 of 13

You should also join or otherwise monitor security-related mailing lists, or RSS feeds, such as those at http://security-focus.com/ and http://www.sans.org. When implementing system security, there are several fundamental concepts that can go a long way in keeping your system secure. Patch management (keeping software up-to-date) and system hardening (disabling unnecessary services) are vital, but so are overall security policies, change management, and log file audits. A good approach to Linux security is to establish your baseline checklist for secure installation and system hardening, followed by ongoing policy and procedures to ensure your system stays secure. This document provides steps you can take to minimize your risk when installing a new Linux system. Security is all about risk reduction. The checklist items defined below do not remove your risk of system compromise, but provide you with safety measures that can help reduce your overall chance of compromise.

Checklist
1. Boot and Rescue Disk


If you install Linux from a download or over the network, you can create a boot disk manually. The "mkbootdisk" command is included on most systems. This is the same command that is used during installation to create a boot disk. You must specify a device and a kernel to use.

mkbootdisk --device /dev/fd0 `uname -r`

(Note: `uname -r` returns the kernel version.)

Also, have a couple of rescue disks ready. There are many rescue disks available at ftp://metalab.unc.edu/pub/Linux/system/recovery . Good choices are: Tomsbtrt at: http://www.toms.net/rb and Knoppix at: http://www.knoppix.org (a complete Linux system on CD). You can download or purchase the CD, but make sure you choose the bootable option.

2. System Patches
Most Linux systems work with either rpm (RedHat Package Manager, also used by Mandrake and Suse), apt/dpkg (Debian Package Manager), or YUM (Yellowdog Linux Manager). You can update specific software individually using these commands, or use your vendor's updating tools, if available. RedHat has a very nice managed support option available through RedHat Network that can help you manage many RedHat servers. The managed support option uses the up2date command, which will automatically resolve dependencies. Manual updates from rpm files can be frustrating, since the rpm command simply reports on dependencies; it doesn't resolve them for you. For information on RedHat Network services, visit: https://rhn.redhat.com/rhn/help/quickstart.jsp. RHN services are generally free for the first 90 days after installation, after which you must purchase entitlements to continue. If you are stuck with an older Linux and you can't upgrade, check out the limited support at the Fedora Legacy Project, http://www.fedoralegacy.org/ For details on the rpm command, type "man rpm" to view the man pages on the Linux system, or review online help. The Linux Documentation Project has many HOWTOs, including one for RPM at:


http://www.ibiblio.org/pub/Linux/docs/HOWTO/RPM-HOWTO

The Debian package system will resolve any dependency problems, rather than simply report on them (as the rpm system does). For details on the apt command, which is used to load Debian packages, see: http://www.debian.org/doc/manuals/users-guide/ch-iraus.en.html

Regardless of the Linux vendor you've chosen, you'll need some way in which to keep informed of vulnerabilities in the software. There are many mailing lists that will send you vulnerability notices for selected operating system software. Here are just a few:
http://www.sans.org/newsletters/
http://www.securityfocus.com/
http://www.cert.org/

3. Disabling Unnecessary Services


Hardening systems by eliminating unnecessary services can enhance security and improve overall system performance. To begin, you first need to know which services are running on your system. Since services run in various ways, there are several places to check.

• ps -ax will list all currently running processes
• ls -l /etc/rc.d/rc3.d/S* will show all start-up scripts (if you boot into graphics mode, replace rc3.d with rc5.d)
• netstat -a will list all open ports
• chkconfig --list will show the current startup status of all processes known by chkconfig

Ideally, you should see only those ports that must be open to provide the functionality required by the system. To disable services, you can remove the startup script, or use a command such as chkconfig. There are two steps to stopping a service: 1) stop the currently running service, and 2) change the configuration so that the service doesn't start on the next reboot.

To stop the running service:
• service nfs stop

To stop the service at startup time, use the chkconfig command or remove the startup script. To use chkconfig:
• /sbin/chkconfig --level 2345 netfs off

To remove the startup script:
• /bin/mv /etc/rc.d/rc5.d/S25netfs /etc/rc.d/rc5.d/K25netfs

Some services may need to be removed from /etc/inetd.conf or /etc/xinetd.d. This is detailed in the Xinetd section of this document.

4. Check for Security on Key Files


/etc/fstab: make sure the owner & group are set to root.root and the permissions are set to 0644 (-rw-r--r--)
verify that /etc/passwd, /etc/shadow & /etc/group are all owned by 'root'
verify that permissions on /etc/passwd & /etc/group are rw-r--r-- (644)
verify that permissions on /etc/shadow are r-------- (400)
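The four checks above, as an added example script that is not part of the SCORE checklist: it encodes the modes and ownership the checklist asks for, audits a directory that stands in for /etc, and runs against a constructed sample directory (two deliberate mistakes) rather than the real /etc.

```python
"""Audit ownership and permissions of the key files named in the checklist.

Added example, not part of the SCORE checklist itself. The expected modes
come straight from the checklist: /etc/fstab 0644, /etc/passwd 0644,
/etc/group 0644, /etc/shadow 0400, all owned by root:root (uid 0, gid 0).
"""
import os
import stat
import tempfile

# Expected (mode, uid, gid) per file; uid/gid 0 means root:root.
EXPECTED = {
    "fstab": (0o644, 0, 0),
    "passwd": (0o644, 0, 0),
    "group": (0o644, 0, 0),
    "shadow": (0o400, 0, 0),
}


def audit_key_files(etc_dir="/etc"):
    """Return {filename: [findings]}; an empty list means the file passed."""
    results = {}
    for name, (want_mode, want_uid, want_gid) in EXPECTED.items():
        path = os.path.join(etc_dir, name)
        findings = []
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink silently
        except FileNotFoundError:
            results[name] = ["missing"]
            continue
        if stat.S_ISLNK(st.st_mode):
            # A symlink would redirect the check to a file with other perms.
            findings.append("is a symbolic link")
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append("mode %04o, expected %04o" % (mode, want_mode))
        if st.st_uid != want_uid or st.st_gid != want_gid:
            findings.append("owner %d:%d, expected %d:%d"
                            % (st.st_uid, st.st_gid, want_uid, want_gid))
        results[name] = findings
    return results


def build_sample_etc():
    """Construct a throwaway directory that mimics /etc, with two deliberate
    mistakes: a world-readable shadow file and a too-tight fstab."""
    d = tempfile.mkdtemp(prefix="etc-sample-")
    for name, mode in (("fstab", 0o600), ("passwd", 0o644),
                       ("group", 0o644), ("shadow", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("# constructed sample %s\n" % name)
        os.chmod(p, mode)
    return d


def mode_findings(results):
    """Keep only mode findings (owner findings depend on who created the sample)."""
    return {n: [f for f in fs if f.startswith("mode")] for n, fs in results.items()}


if __name__ == "__main__":
    for name, findings in audit_key_files(build_sample_etc()).items():
        print("%-7s %s" % (name, "OK" if not findings else "; ".join(findings)))
```

Run it without arguments to see the sample findings; call audit_key_files() with no argument to audit the real /etc (the owner checks then become meaningful).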

5. Default Password Policy


Ensure the default system password policy matches your organization's password policy. These settings are stored in /etc/login.defs and should minimally contain settings for the following. For a complete list of options, see the online man page at:


http://www.tin.org/bin/man.cgi?section=5&topic=login.defs

PASS_MAX_DAYS 90
PASS_MIN_DAYS 6
PASS_MIN_LEN 14
PASS_WARN_AGE 7

6. Limit root access using SUDO


Sudo allows an administrator to provide certain users the ability to run some commands as root, while logging all sudo activity. Sudo operates on a per-command basis. The sudoers file controls command access. Your Linux distribution should have specifics on how to configure your distribution. There is help available online as well: http://www.linuxhelp.net/guides/sudo/

7. Only allow root to access CRON


The cron daemon is used to schedule processes. The crontab command is used to create personal crontab entries for users or the root account. To enhance security of the cron scheduler, you can establish the cron.deny and cron.allow files to control use of the crontab. The following commands will establish root as the only user with permission to add cron jobs.

cd /etc/
/bin/rm -f cron.deny at.deny
echo root >cron.allow
echo root >at.allow
/bin/chown root:root cron.allow at.allow
/bin/chmod 400 cron.allow at.allow

8. Warning Banners
If your policy requires a warning banner, you can easily create one by copying the appropriate banner message to the following files.

/etc/motd
/etc/issue
/etc/issue.net

add 'GreetString="Authorized Use Only"' to /etc/X11/xdm/kdmrc and make a similar change to gdm.conf

Here is a sample banner message:
"Authorized Use Only. Transactions may be monitored. By continuing past this point, you expressly consent to this monitoring."

9. Remote Access and SSH Basic Settings


Telnet is not recommended for remote access. Secure Shell (SSH) provides encrypted telnet-like access and is considered a secure alternative to telnet. However, older versions of SSH have vulnerabilities and should not be used. To disable SSH version 1 and enhance the overall security of SSH, consider making the following changes to your sshd_config file:

Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
LoginGraceTime 1m (or less; default is 2 minutes)
SyslogFacility AUTH (provides logging under syslog AUTH)


AllowUsers <list of users allowed access>
DenyUsers <list of system accounts and others not allowed>
MaxStartups 10 (or less; use 1/3 the total number of remote users)

Note: MaxStartups refers to the max number of simultaneous unauthenticated connections. This setting can be helpful against a brute-force script that performs forking.

Some folks also suggest running ssh on an alternate port, although others consider this to be "security through obscurity". Regardless of your opinion, it's very easy to change the port that ssh runs on by simply changing the "Port" setting in the sshd_config file, then stopping and restarting ssh. Running ssh on an alternate port will help you avoid port scanners that are looking for open port 22 and the scripted brute-force attempts on this port. You can block such brute-force ssh attacks with a package like denyhosts (http://denyhosts.sourceforge.net/), which utilizes tcpwrappers (see below). Alternatively, use your iptables firewall (see below) to limit access by IP address or host/domain name. For additional ssh security, you can configure key forwarding. The following link covers the extra functionality of agent key forwarding within ssh: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
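The sshd_config settings above and the /etc/login.defs values in section 5 share one "KEYWORD value" line format, so a single audit script can check both against the checklist's baseline. This is an added example, not part of the SCORE checklist; the sample file contents are constructed, and treating the numeric values as thresholds (a stricter value passes) is this example's assumption.

```python
"""Audit /etc/login.defs and sshd_config against the checklist baseline.
Added example, not part of the SCORE checklist. Both files use 'KEYWORD value'
lines, so one parser serves both sections. Thresholds ("max"/"min") are an
assumption: the checklist gives one value and a stricter value is accepted."""
import re

# Constructed sample files, not taken from any real host.
SAMPLE_LOGIN_DEFS = """
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
SAMPLE_SSHD_CONFIG = """
Protocol 2,1
#PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
IgnoreRhosts yes
HostbasedAuthentication no
LoginGraceTime 2m
SyslogFacility AUTH
MaxStartups 10
AllowUsers alice bob
"""

# ("eq", v): must equal v (case-insensitive); ("max", n): must be <= n;
# ("min", n): must be >= n; ("present", None): only has to be set.
LOGIN_DEFS_BASELINE = {
    "PASS_MAX_DAYS": ("max", 90),
    "PASS_MIN_DAYS": ("min", 6),
    "PASS_MIN_LEN": ("min", 14),
    "PASS_WARN_AGE": ("min", 7),
}
SSHD_BASELINE = {
    "Protocol": ("eq", "2"),
    "PermitRootLogin": ("eq", "no"),
    "PermitEmptyPasswords": ("eq", "no"),
    "Banner": ("eq", "/etc/issue"),
    "IgnoreRhosts": ("eq", "yes"),
    "HostbasedAuthentication": ("eq", "no"),
    "LoginGraceTime": ("max", 60),  # seconds: the checklist says 1m or less
    "SyslogFacility": ("eq", "AUTH"),
    "MaxStartups": ("max", 10),
    "AllowUsers": ("present", None),
}


def parse_kv(text, first_wins):
    """Parse 'KEY value' lines into {lowercased key: value}. Comments are
    stripped first, so a commented-out keyword counts as unset. sshd honours
    the first occurrence of a keyword; for login.defs we assume the last wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if first_wins and key in conf:
            continue  # sshd keeps the first value, later ones are ignored
        conf[key] = value
    return conf


def numeric(value):
    """Leading integer of a value, honouring sshd time suffixes (1m -> 60)."""
    m = re.match(r"(\d+)([smhd]?)", value.lower())
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def audit(conf, baseline):
    """Return 'KEY: problem' strings; an empty list means the file complies."""
    problems = []
    for key, (rule, want) in baseline.items():
        value = conf.get(key.lower())
        if value is None:
            problems.append("%s: not set, so the compiled-in default applies" % key)
        elif rule == "eq" and value.lower() != want.lower():
            problems.append("%s: is %r, expected %r" % (key, value, want))
        elif rule in ("max", "min"):
            got = numeric(value)
            if got is None or (rule == "max" and got > want) or (rule == "min" and got < want):
                op = "<=" if rule == "max" else ">="
                problems.append("%s: is %r, expected %s %d" % (key, value, op, want))
    return problems


def audit_sshd(text):
    return audit(parse_kv(text, first_wins=True), SSHD_BASELINE)


def audit_login_defs(text):
    return audit(parse_kv(text, first_wins=False), LOGIN_DEFS_BASELINE)
```

On the constructed samples, audit_sshd flags Protocol (still allows 1), the commented-out PermitRootLogin and the 2m LoginGraceTime; audit_login_defs flags the three lax password-aging values.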

10. Host-based Firewall Protection with iptables


Many versions of Linux now come with iptables automatically enabled and configured during installation. RedHat creates /etc/sysconfig/iptables, based on the services you answer as 'allowed' during installation. Here is a basic sample script, created for a server running ssh (port 22), smtp (port 25), squid proxy (port 3128) and samba (netbios port 137). The server's IP is 192.168.1.2 and it is part of a class C network. In the example, we want to accept these services and block all others. If the requested service is not accepted by one of the ACCEPT lines, the packet falls through and is logged and rejected.
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
# netbios name service is UDP; --dport is only valid together with a protocol match
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -d 192.168.1.2 -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.2 -d 192.168.1.255 -j ACCEPT
-A RH-Firewall-1-INPUT -d 255.255.255.255 -j DROP
-A RH-Firewall-1-INPUT -d 192.168.1.255 -j DROP
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

11. Xinetd and inetd.conf


If running the older /etc/inetd.conf file, be sure to disable unnecessary services by removing them (or commenting them out) from the inetd.conf file. For example, to remove telnet access, remove the following line:

telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a

On systems running scripts from the xinetd.d directory, disable the services by changing the script from "disable = no" to "disable = yes". A sample xinetd.d script and various ACL settings are included in the tcpwrappers section. You will need to send a HUP signal to the inetd process after modifying the configuration files (kill -HUP processID).

12. tcpwrappers
TCP Wrappers allows control of services based on hostname and IP addresses. Additionally this tool provides logging and access administration. Tcpwrappers is a daemon that positions itself between incoming requests and the requested service, and checks the requestor's IP against the hosts.allow and hosts.deny files. In the traditional inetd.conf file, you can run tcpwrappers by calling tcpd (the tcpwrappers daemon) as follows:

# first comment out the original line:
#telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a
# then replace it with the modified line:
telnet stream tcp nowait root /usr/sbin/tcpd telnetd -a

Standard Linuxes don't have tcpwrappers built into xinetd, since xinetd already includes logging and access control features. However, if you want to add this further control you can re-compile xinetd with libwrap support by passing --with-libwrap as an option to the configure script. When xinetd is compiled with libwrap support, all services can use the /etc/hosts.allow and /etc/hosts.deny access control. xinetd can also be configured to use tcpd in the traditional inetd style. This requires the use of the NAMEINARGS flag and the real daemon name must be passed in as server_args. Here is an example for using telnet with tcpd:

service telnet
{
    flags        = REUSE NAMEINARGS
    protocol     = tcp
    socket_type  = stream
    wait         = no
    user         = telnetd
    server       = /usr/sbin/tcpd
    server_args  = /usr/sbin/in.telnetd
}


To use settings within xinetd scripts to control access by IP for specific services, simply change the appropriate xinetd scripts, for example:

service imap
{
    socket_type  = stream
    protocol     = tcp
    wait         = no
    user         = root
    only_from    = 198.72.5.0 localhost
    banner       = /usr/local/etc/deny_banner
    server       = /usr/local/sbin/imapd
}

Here are some other helpful settings:

To deny certain IPs or domains:
no_access = 10.0.1.12 bad.domain.com

To specify limits on connections (total number of ssh connections):
instances = 10

Maximum number of connections per IP address:
per_source = 3

To specify allowed access times:
access_times = 8:00-17:00

13. System Logging
All Linux systems support system logging, which is important for troubleshooting system and network problems, as well as possible security incidents. Syslog is the daemon that controls logging on Linux systems. Logging configuration is stored in /etc/syslog.conf. This file identifies the level of logging and the location of the log files. Log files should be owned by root user and group, so that they are not available to the casual user. It is recommended that log entries be logged to a centralized log server, preferably over ssh for data confidentiality. Centralized logging protects from deletion of log files and provides another layer in the event the log files are tampered with. This is easily accomplished as follows:

# send to syslog server
*.emerg;*.info;*.err @hostname

For more information on syslog.conf settings, view the man page by typing "man syslog.conf". Next Generation syslog is more customizable than syslog and supports digital signatures to prevent log tampering. It is available at: http://freshmeat.net/projects/syslog-ng/

Auditing your log files: Regardless of the software used to create the log files, good security includes the ongoing review of log file entries. This can become very tedious if your only tool is to manually read the logs. Fortunately, there are some very good open-source packages to help:


Logwatch: comes standard with many Linux distributions. Configuration of logwatch is done in the /etc/log.d directory. The script logwatch.conf allows you to set defaults, such as the level of detail, the services to include, and the log file names. Reports can be sent directly to your email and include data such as: firewall rejects, ftp uploads/downloads, disk space usage, sendmail statistics, etc.

Swatch: is an active log file-monitoring tool. Swatch uses regular expressions to find lines of interest. Once swatch finds a line that matches a pattern, it takes an action, such as printing it to the screen, emailing it, or taking a user-defined action. To use swatch to check logs normally, run:

swatch --config-file=/etc/swatch.conf --examine=/var/log/messages

To use swatch as a constantly running service that scans lines of a log file as they come in, run:

swatch --config-file=/etc/swatch.conf --tail-file=/var/log/messages

Don't forget email security when sending your log files via email, which flows in plain text from source to destination mailbox. You may want to encrypt the logfiles with something like GnuPG before sending them. Visit: www.gnupg.org for more information. There are dozens of other tools available to analyze and audit syslog messages. The important point to remember is to pick a tool and make sure someone is responsible for log file auditing on a regular basis.
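A swatch-style scan over a few constructed /var/log/messages lines, as an added example (not part of the SCORE checklist and not swatch's own code): it flags repeated failed ssh logins from one address, the brute-force pattern the SSH section warns about, plus every sudo invocation and every successful root login over ssh.

```python
"""Swatch-style scan of syslog lines for events the checklist cares about.

Added example, not part of the SCORE checklist and not swatch's own code.
The sample lines below are constructed (documentation address ranges only).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 23 10:24:01 host sshd[2312]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 23 10:24:03 host sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Aug 23 10:24:05 host sshd[2316]: Failed password for root from 203.0.113.7 port 51024 ssh2
Aug 23 10:24:08 host sshd[2318]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Aug 23 10:25:10 host sshd[2330]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Aug 23 10:26:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service nfs stop
Aug 23 10:27:02 host sshd[2340]: Failed password for bob from 192.0.2.10 port 40023 ssh2
Aug 23 10:30:00 host sshd[2350]: Accepted password for root from 192.0.2.10 port 40024 ssh2
"""

# Patterns follow the OpenSSH and sudo syslog formats shown in the sample.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SUDO = re.compile(r" sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def scan(lines, fail_threshold=3):
    """Return a list of (severity, message) alerts for the given log lines.

    fail_threshold: failed ssh logins from a single source address at or
    above this count raise one brute-force alert for that address.
    """
    alerts = []
    failures = Counter()  # source address -> failed login count
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) == "root":
            # PermitRootLogin no should make this impossible; alert if seen.
            alerts.append(("high", "root logged in via ssh (%s) from %s"
                           % (m.group(1), m.group(3))))
            continue
        m = SUDO.search(line)
        if m:
            alerts.append(("info", "sudo: %s ran as %s: %s"
                           % (m.group(1), m.group(2), m.group(3))))
    for addr, n in failures.most_common():
        if n >= fail_threshold:
            alerts.append(("high", "%d failed ssh logins from %s" % (n, addr)))
    return alerts


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOG.splitlines()):
        print("[%s] %s" % (severity, message))
```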

14. Backups
There are many non-commercial and commercial backup programs available for Linux. We'll highlight the non-commercial tools here. A google search for "linux backup software" should provide you with enough commercial options to choose from.

tar, gzip, bzip2: these tools have been around a long time and they are still a viable option for many people. Almost any Unix system will contain tar and gzip, so they will rarely require special installation or configuration. However, backing up large amounts of data across a network may be slow using these tools. To backup a list of directories into a single tar archive, simply run the tar command to create the tarball, followed by the gzip command to compress it:

tar -cvf archive-name.tar dir1 dir2 dir3....
gzip -9 archive-name.tar

You may prefer to use bzip2, which is a bit better than gzip at compressing text, but it is quite a bit slower. You can combine the tar and gzip actions in one command by using tar's -z option.

Rsync: rsync is an ideal way to move data between servers. It is very efficient for maintaining large directory trees in synch (not real time), and is relatively easy to configure and secure. rsync does not encrypt the data however, so you should use something like SSH or IPSec if the data is sensitive (SSH is easiest, simply use "-e ssh"). Rsync (by Martin Pool) is available at: http://freshmeat.net/projects/rsync/


Amanda: is a client-server based network backup program with support for Unix and Windows (via samba). It is available from http://www.amanda.org

dump: is written specifically for backups. It backs up the entire file system and allows multiple levels of backups. The corresponding "restore" command allows for restore from a dump backup. For example, to backup the /boot file system to backup.boot:

dump 0zf backup.boot /boot

See "man dump" for a complete list of options.

15. Integrity-checking Software
Integrity checking/assurance software monitors the reliability of critical files by checking them at regular intervals and notifying the system administrator of any changes. This type of software is very useful in identifying unauthorized changes to configuration files, log files, services, as well as identifying the presence of Trojans, rootkits, and other malicious code. There are several integrity-checking packages available. Most Linux distros come with a barebones version of a commercial package. Commercial Tripwire support is available (for a fee) and can include an excellent management console to provide central control for recreating your policy files and databases. Aide is an advanced Intrusion Detection system that aims to be a free replacement to Tripwire. Samhain is another open-source option.
http://tripwire.org/
http://sourceforge.net/projects/aide
http://sourceforge.net/projects/samhain

16. Apache Security (all Unix)


There are entire books dedicated to apache security. We will hit some of the high-level suggestions here. Detailed help can be found at http://httpd.apache.org/ First, verify that your apache subdirectories are all owned by root and have a mode of 755:

[user@host xinetd.d]$ ls -l /etc/apache
drwxr-xr-x 7 root root 4096 Aug 23 10:24 conf
drwxr-xr-x 2 root root 4096 Aug 27 08:44 logs
(your Apache installation may be located at /usr/local/apache or elsewhere if you installed it yourself)
[user@host xinetd.d]$ ls -l /usr/sbin/*http*
-rwxr-xr-x 1 root root 259488 Aug 2 05:22 /usr/sbin/httpd
-rwxr-xr-x 1 root root 270248 Aug 2 05:22 /usr/sbin/httpd.worker

Likewise, your httpd binary should be owned by root, with a mode of 511. You can create a web documents subdirectory outside the normal Apache filetree as your DocumentRoot (/var/www/html in RedHat), which is modifiable by other users, since root never executes any files out of there, and shouldn't be creating files in there.

Server side includes (SSI) create additional risks, since SSI-enabled files can execute any CGI script or program under the permissions of the user and group apache runs as (as configured in httpd.conf). To disable the ability to run scripts and programs from SSI pages, replace "Includes" with "IncludesNOEXEC" in the options directive. Users may still use <!--#include virtual="..." --> to execute CGI scripts if these scripts are in directories designated by a ScriptAlias directive.

Script Aliased CGI: is recommended over non-script aliased CGI. Limiting CGI to special directories gives the administrator control over which scripts can be run.

System Settings: To prevent users from setting up .htaccess files that can override security features, change the server configuration file to include:
<Directory />
    AllowOverride None
</Directory>

To prevent users from accessing the entire filesystem (starting with the root directory), add the following to your server configuration file:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

To provide access into individual directories, add the following:

<Directory /usr/users/*/public_html>
    Order Deny,Allow
    Allow from all
</Directory>
<Directory /usr/local/httpd>
    Order Deny,Allow
    Allow from all
</Directory>

If you are using Apache 1.3 or above, apache recommends that you include the following line in your server configuration files:

UserDir disabled root

17. Apache Mod_security module


The mod_security module runs on most versions of Apache, but you will most likely be required to install it from source (check with your Linux distribution). You can download the latest source code from www.modsecurity.org and compile it using apxs or apxs2. Detailed instructions can be found in the ModSecurity User Guide or the source code's INSTALL file. Mod_security allows you to enhance the overall security of your apache web server by providing additional configuration settings within your httpd.conf file. These settings allow you to filter/inspect all traffic, or filter/inspect non-static traffic only (DynamicOnly). You can then set the default action for matching requests, for example, displaying a standard error page. In addition, you can specify allowable ASCII values and set restrictions for file uploads. Mod_security also provides much more logging than the default for apache. More information can be found at www.modsecurity.org

18. Xwindow
X window can be a large security risk considering the many exploits for the product and since its data flows unencrypted across networks. A good method of configuring access to X servers is to tunnel X window sessions through SSH (secure shell). This is referred to as X11 forwarding. SSH provides the advantage of adding encryption to tunneled X sessions. A document from Stanford University provides a security check to test existing X servers and describes the steps involved to connect to an X server via SSH: http://www.stanford.edu/services/securecomputing/x-window/

19. LIDS (Linux Intrusion Detection System)


LIDS is an enhancement for the Linux kernel written by Xie Huagang and Philippe Biondi. It implements several security features that are not in the Linux kernel natively. Some of these include: mandatory access controls (MAC), a port scan detector, file protection (even from root), and process protection. LIDS implements access control lists (ACLs) that will help prevent even those with access to the root account from wreaking havoc on a system. These ACLs allow LIDS to protect files as well as processes. For more information on LIDS: http://www.lids.org/

20. Selinux (Security Enhanced Linux)


Developed by the U.S. National Security Agency (NSA), Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries). Implementing SE Linux can have unexpected effects on a system, and you may find standard daemons won't run properly, or at all, or logfiles may not be writable, or other similar effects that require detailed configuration of SE Linux. Currently, RedHat Enterprise Linux Version 4 includes an implementation of SE Linux. For more information on SE Linux: http://www.nsa.gov/selinux/

21. Email Security
Many sys-admins disable the sendmail utility on user workstations, and centralize its service on a main mailserver machine. Even in this situation, there's more you can do to increase its security. For sendmail, follow the recommended security settings for secure installation: http://www.sendmail.org/security/secure-install.html. It is possible to configure sendmail to launch when needed, rather than run it as a listening daemon on port 25. Postfix is a good alternative to sendmail. Information is available at: http://www.postfix.org/

22. File Sharing
There are many methods of file sharing among Linux systems. Opening up a system for file sharing may not be acceptable within your organizational policy. We provide information here for those who require this type of access. For information on NFS security (for sharing Unix-to-Unix), see: http://www.linuxsecurity.com/content/view/117705/49/ Samba is a software package that offers file sharing between Linux and Windows systems. It can be configured to use encrypted password access, restriction by user and/or IP address, and file-level permissions can be set. Samba is available at: www.samba.org. A good article describing the various Samba security modes is available at: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-samba-security-modes.html

23. Encryption
If the system will be storing confidential data and you need to minimize the risk of data exposure, encryption may be an acceptable solution. Sourceforge has a web page that attempts to provide a disk encryption HOWTO for Linux users. It is available here: http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html Depending on your needs, openPGP and/or GnuPG may be appropriate. These tools will allow you to encrypt emails and attachments, as well as files stored on disk. GnuPG is available at: www.gnupg.org and OpenPGP can be found at: www.openpgp.org.

24.

Anti-Virus Protection
There are several anti-virus options available for Linux users and the list continues to grow. Here are a few:
Clamav: www.clamav.net
f-prot: www.f-prot.com/products/corporate_users/unix/
Vexira: www.centralcommand.com/linux_server.html

25.

Bastille Linux
A hardening program for RedHat, SUSE, Debian, Gentoo, and Mandrake distributions, Bastille Linux attempts to lock down a Linux server. It walks the user through a series of questions and builds a policy based on the answers. Bastille Linux was conceived by a group of SANS conference attendees and is available at: http://www.bastille-linux.org/


References:
Documentation resource. Debian Security Information, http://www.debian.org/security/
Documentation resource. Ibiblio Linux Archive, http://www.ibiblio.org/pub/Linux/
Documentation resource. Encryption HOWTO. http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
Documentation resource. Linux Documentation Project, http://tldp.org/
Documentation resource. LinuxHelp.net, http://www.linuxhelp.net/guides/
Documentation resource. Linux Security general information. http://www.linuxsecurity.com/
Documentation resource. Apache Server Project. http://httpd.apache.org/docs/1.3/misc/security_tips.html
Friedl, Steve (February 22, 2006). An Illustrated Guide to SSH Agent Forwarding. Retrieved August, 2006 from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
Holbrook, John (2004). Step by step installation of a secure Linux web, DNS and mail server. Retrieved August, 2006 from http://www.sans.org/reading_room/whitepapers/linux/1372.php
McCarty, Bill. (2003). Red Hat Linux Firewalls. RedHat Press.
Nielsen, Kim (2006). Gentoo Security Handbook. Retrieved August, 2006 from http://www.gentoo.org/doc/en/security/security-handbook.xml
Stanford University (2004). X Window Security. Retrieved August, 2006 from http://www.stanford.edu/services/securecomputing/x-window/
Wainwright, Peter. (1999). Professional Apache. Wrox Press.
RedHat (2002). RedHat Security Guide. Retrieved August, 2006 from: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/
RedHat (2005). RedHat Enterprise Linux 4 Reference Guide. Retrieved August, 2006 from: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/index.html
Rosenthal, Chip & Haugh, Julianne Frances. Online man pages for login.defs. Retrieved August, 2006 from http://www.tin.org/bin/man.cgi?section=5&topic=login.defs
Ziegler, Robert. (2002). Linux Firewalls. New Riders Publishing.


Last Updated: August 4th, 2012
