Linux security - A few useful, tactical tips

Posted by Anonymous Linux, MISS YOU ORKUT SCRAP 8/04/2010 09:31:00 PM

All right, I've bored you to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and associated claims of wondrous infections and lacks thereof. However, I have not shown you even a single program that you can use on your Linux machine to gauge your security; all of the solutions were conceptual, which makes them universal - a good thing.

Today, I will focus on specific vectors of security, within the world of reason and moderation that I've created and show you how you can bolster a healthy strategy with some tactical polish, namely software.

Do not expect wonders or detailed guides how to setup this or that NIDS. That's not the idea. The idea is to help you understand the core elements of security, focus on identifying your needs and leverage them with a flexible and transparent solution. The choice of software will reflect your needs.

Let us begin.

Linux security as a concept

Linux security revolves around minimizing exposure to malicious code by using digitally signed repositories, minimizing accidental or automated damage by using a non-root account, default file permissions, with diversity of software as a reserve.

Now, some of the suggested repertoire might need some small tweaking.

Keep the system up to date

This is a very simple, very important piece of the puzzle. Make sure the software repositories are configured and that you have an automated update mechanism in place. Having your system fully patched is always a good idea.

Firewall

Firewalls sound like an interesting concept. Basically, a firewall is a tool that controls the traffic flow in and out of your machine. Firewalls are configured to permit traffic you initiated and asked for and blocked traffic that was sent without invitation (unsolicited). This holds true for firewalls on all operating systems.

To work with one, you do need some basic understanding of networking. Luckily for you, most distributions ship with a firewall enabled, with default rules that permit a reasonable level of comfortable use, without any special changes required. In a few cases, you may need to create manual rules to allow additional functionality, like Samba sharing.

Some distributions ship with a graphical management console for the firewall, which simplifies the usage. Others stick to the command line, making them less suitable for new users.

Here are a few examples:

Firewall in Fedora 12:

Ubuntu, on the other hand, ships with the firewall disabled, because there are no network-aware services running, hence no need for a firewall. Hence, no management console for the firewall. However, you can very easily restore the missing bits with additional software like gufw:

openSUSE:

Scanning for malware

This is so 90s, when you think about it, still some people have this dire need for scanners. In that case, you may want to consider using either the rkhunter or chkrootkit scanners, both of which will probe your system for nefarious changes. Both are command-line only.

Using these scanners implies a deeper understanding of the Linux system. Then, there's the question of what to do if you encounter a problem. Can you really trust a subverted machine? How do you recover? You should definitely read my previous article for that.

Anti-virus (not needed, but read on)

You do not need one. Seriously. Honestly. It's not required. It's useless. In the worst case, if you can't let go of your Windows demons, go for a free solution, so you need not waste your money on something that is redundant by concept.

There's ClamAV (including Klam for KDE), as well as a number of commercial products that have started shipping solution for Linux. Then, most anti-virus rescue CDs are based on Linux. Clam-based versions can be found in the repositories.

As a security measure, anti-virus products are problematic, due to the signature-based nature, which is always competing against malware creators and always lagging behind. The only sensible reason to use anti-virus on Linux is to scan files that you receive from your friends running a flavor of Windows before forwarding them to other Windows users. That way, you may break the chain of accidental malware spreading. You may not notice or care, but your clueless friends could. The best solution is to have no friends, but most people fail at this.

On that note, please consider reading my whitelist vs. blacklisting article.

Still, you need not have a resident program running on the system. You can go for a web solution, like Jotti or VirusTotal, both of which use multiple scanners to detect malicious content. Upload a file and it will be diagnosed by a host of dedicated anti-malware software.

You can also consider using dedicated security distributions for offline, in-depth system scanning and analysis. A forensics distribution like BackTrack sound like a very good idea.

You may also sin the sin of using a Linux-friendly Windows-based preinstalled environment (PE) like BartPE or UBCD4WIN, which also come with scanner utilities for Linux, too.

Startup applications and services

If you're in the mood, go through the list of applications and services configured to run on your machine. You may discover undesired processes running, hogging resources and possibly exposing your machine to threats, as well as plain doing things that you do not want. While this can take the form of system optimization, it can also have security implications.

As an analogy to Windows, think of these as the msconfig and services.msc utilities.

System awareness

System awareness goes beyond malware. It's about controlling your system and knowing what's running when, where and why. There are tons of tools available, many already installed and waiting for you.

If you've read my Linux cool hacks, both parts one and two, you've learned about a few useful system tools that provide a better visibility of what's happening inside your system.

I'm going to mention a few, just briefly. Some of these will have their own dedicated article, with numerous examples and screenshots.

/var/log/messages

This is the system log. Almost everything goes in there. Reading the log will give you an indication of possible system issues, including software errors, as well as possible security-related items. You do need some knowledge to read the file properly.

/var/log/secure

You can configure your machine to log ssh and sudo attempts to a separate file, like /var/log/secure. Then, you can examine the log for any privilege escalation attempts or remote connection attempts.

Examine logged in users

There are many ways of doing this. The most accurate one is to parse the output of the ps command. But you can also use w and who and lastlog. Manually dumping utmp and wtmp can also work.

Processes accounting

If you use pacct, you can write a log entry for every command successfully completed on your machine. Then, you can dump the log and look for suspicious entries. Automating the mechanism can provide you with a useful early warning system.

lastcomm lets you print out information about previously executed command, sort of a head against the pacct log. Furthermore, you can enhance the power of process accounting by using sar.

Audit files

It is possible to audit core system files. This is what audit is for, a built-in Linux kernel auditing facility, which allows you to monitor changes to critical system files. I'm going to write a dedicated article soon. Stay tuned.

Other tools

You also have a range of other utilities available, like netstat or nmap, which can help you examine your machine network visibility

Geek stuff

There's geek stuff, of course. For example, you may want to use system hardening tools like AppArmor, by creating special, sandbox-style profiles for your applications, which are then restricted from doing harm to your system, should an unwanted privilege escalation occur, due to an error, a bug or a vulnerability.

There's also SELinux, available in most RedHat-based distributions, like Fedora.

Conclusion

I've written lots of stuff. So what do you take from this article? Well, firewall seems like the best single solution overall. It's useful and sometimes rather necessary. Anti-virus and malware scanners are definitely not needed. The rest is perks. Take it or leave it. You can run a comfortable desktop life in Linux without so much as lifting a finger, with most distributions configured properly, including firewall enabled and running and hardening profiles preconfigured for you.

You may want to invest time in learning how to use the logging tools and facilities, as they offer a wealth of useful information. Properly configured and used, they will replace the need for commercial tools that strive to do that for you.

Server security is a different matter altogether, but for home use, you're in a really good shape. Just make sure to keep the system patched, install software from official repositories and run a firewall. The rest is polish.

Windows users moving to Linux often suffer from a panic surge due to the sheer lack of security-related buzz, but it's really simple and quite boring. There's no need to go overboard. You can invest your brain cycles in having fun. That would be all.

Cheers.