Scientific Linux Forum.org




How to secure SL
Jessica_Lily
 Posted: Jun 16 2011, 06:50 AM


SLF IRC Team

Group: Members
Posts: 49
Member No.: 180
Joined: 15-May 11









This is a guide to make your Scientific Linux install much more secure. There might be many things in here you don't feel are necessary, and that's fine; this guide is supposed to cover all bases to make your box a nightmare to anyone trying to break in. In addition, for any mistakes and/or additions, I welcome your comments.

Passwords

Okay, we've all heard it before, but what's a security post without this! You must use strong passwords; what does that mean? I've gradually noticed this change, as I think the ability to brute force has become easier due to processing power increasing; however, a good guide is that you want something with words and numbers (alphanumeric). These, and I can't stress this enough, should not be dictionary words, and no names. The numbers should equally not refer to birthdates, graduation dates, anniversaries and other dates in that vein.

Targeted attacks do happen, so using these is commonplace; often this information is easy to get hold of via friends of you or the family, Facebook, etc. I suggest using either numbers which have some distinct meaning to you, so you can remember them but no one else can, or, even better, ones with no pattern or meaning in them! This will slow hackers down as it pushes the number of possibilities up, and in targeted attacks it nearly stops any leverage that knowing the victim might give.

I think upwards of 8 characters should do for a good alphanumeric password, preferably with upper case and lower case and, if you can, even symbols. A simple 8-character password with a-z + 0-9 gives 68719476736 possibilities; if you had uppercase and lowercase that's even better, that changes the possibilities to 4611686018427387904. You have to make it as hard as possible. Equally, you shouldn't write your password down and put it in a common place or next to your computer; this is the equivalent of writing your bank PIN on your bank card.

Lastly about passwords: your root password should certainly be different and strong; however, every password on your system should be strong, and if there are other people on your system do your best to cajole them to use strong passwords, but realise that for the average user this advice falls on deaf ears, so keeping their account isolated via permissions and disallowing sudo/su (talked about later) is a must.

Removing Unused Software, Repositories & Services

People usually get into computers by exploiting bugs in code being run on your computer, or by giving you malicious code by exploiting another server such as a repository. The best way to combat this is to look at what you actually need, and there is a lot to be said about this: when I go and try to fix people's computers I frequently see computers choked up with software, in some cases where the user hasn't a clue what it does! Now, I assume most Scientific Linux users aren't quite as bad as that; however, I do think it's underrated even in technical circles.

Remove any repository you don't actually need; if an attacker can exploit that server they can provide packages which have their code injected into them, which can give them control over your computer and compromise your security and the security of anyone else who uses the computer. How you have the repo installed will determine how to remove it; if it's a package you might be able to remove that package:

sudo yum remove yum-conf-epel

(or the repo you wish to remove)

However, even using that method I suggest you check in /etc/yum.repos.d/ to see if it's there and, if so, remove it.

Software! Well, it's the same principle: if you don't need some software, don't have it. For example, do you have Java? If so, do you need Java? If not, remove it; it's just one more program attackers can find an exploit in and use. Now, Java was just an example; this goes for any program. You can remove them by

sudo yum remove <program name>

Also, stop daemons you don't need running; you can find a list of those which are started at /etc/init.d/. A common one is ssh. ssh is fantastic, but if you don't have a need for it, if it's not something you use, then disable it; it only takes 1 exploit and then an attacker can use that to get in.

SSH

I'm not going to cover this since it's already been done; check here.

Firewall

Most people now are behind a router, so that stops a lot, but people shouldn't assume they can ignore firewalls on local machines completely. Luckily on SL it's configured so it's on by default and blocks quite a lot; however, it's worth reviewing. In the default standard GNOME desktop go to:

System > Administration > Firewall

This allows you to see what ports are open and what services your system trusts, and they should match what you trust and what ports you think should in fact be open. I know by default it's on, but a double check is to look in the bottom left and check that indeed it says in green "The firewall is enabled". There are other interfaces to the firewall, but this forum post can't go on forever and the GUI method is sufficient, so I shall leave it at that.

Su / sudo

First make sure you have sudo; it, I believe, comes by default on the system, but for some reason you might not have it installed, so double check this by doing:

which sudo

Now, you should only allow users whom you trust, who have strong passwords. If this is only you on the system then so be it; giving people sudo should be done sparingly. You can alter who can use sudo in this file:

sudo nano /etc/sudoers    # or "sudo visudo", which syntax-checks the file before saving so a typo cannot lock you out of sudo

If you haven't got sudo yourself you might have to su first, then do nano /etc/sudoers.

Then users: a user entry looks a lot like the root one that's in there for you by default,

username ALL=(runas_user) commands

e.g.

jessica ALL=(ALL) ALL


You might want to do it via groups, so that adding people to certain groups gives them sudo, which is fine; it's

%groupname ALL=(runas_user) commands

like the user, except with % to denote a group name. I can't stress enough how much you should NOT allow sudo without a password for any user or group, ever! Never allow this.

Update

As mentioned above, software has bugs, and some of these bugs can be used for security breaches. Regularly checking for updates is key to protecting yourself against exploits. Make sure you check regularly that you are up to date, and if you're not, make sure you update as soon as possible.

Possibly creating a cron job might be nice; I have heard that yum-updatesd sometimes doesn't function reliably, and you might want to do something like:

sudo /sbin/chkconfig yum-updatesd off    # stop the daemon so it does not race the cron job

sudo nano /etc/cron.daily/yum-update     # /etc/cron.daily is a directory; the file name here is arbitrary
sudo chmod 755 /etc/cron.daily/yum-update    # after saving: run-parts only runs files that are executable

and place:

#!/bin/sh
# -R N: sleep a random 0-N minutes so every box does not hit the mirror at once
# -e 0 -d 0: quiet; -y: never prompt (this runs unattended)
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update

Those three lines go in there: the first tells it what shell to execute it with, the second checks yum is up to date and the third checks your system is.

Protecting /home

You may want encryption; that's up to you. I won't cover this in here, simply because it's a whole other post on its own. However, to stop other users on your system browsing through your /home folder it's important to set permissions to

chmod 700 /home/<user>

So for all users that should be the case; as root you can do

sudo chmod 700 /home/*

Conclusion

I hope I haven't missed anything vital from this guide and that you have picked up something you can take away from this. People need to take security seriously, and making sure your local machine is secure is your first line of attack. This information for me has been gathered over my time using computers and from certain security-related documents which I have used in the past to secure my system.
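The post above describes several checks by hand: no NOPASSWD entries in sudoers, 0700 home directories, only the repositories you actually trust, a reviewed firewall and only the services you need. As an added example (not from the original post or the SL project), here is a POSIX shell script that performs those checks so they can be repeated after every change. Every path is a parameter so it can be run against a copy; the real SL6 locations are /etc/sudoers, /home, /etc/yum.repos.d and /etc/sysconfig/iptables. It uses GNU find's `-perm /mode` and does not follow sudoers `#include` directives.

```shell
#!/bin/sh
# Added hardening audit for an SL6-style box (example, not the post's own script).
# Functions print findings and always exit 0, so they compose under "set -e".

# Active (non-comment) sudoers lines that skip the password: NOPASSWD or
# "Defaults !authenticate". Comments are stripped first, so "#include" lines
# are NOT followed; pass the files from /etc/sudoers.d explicitly if you use it.
sudoers_nopasswd() {
    sed -e 's/#.*$//' "$@" 2>/dev/null | grep -nE 'NOPASSWD|!authenticate' || true
}

# Home directories under $1 whose mode grants anything to group or other
# (i.e. not 0700); the post's fix is "chmod 700 /home/*".
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 2>/dev/null | sort
}

# Repo ids enabled in a yum.repos.d directory ($1). A section is enabled unless
# it carries "enabled=0"; every extra id is one more server trusted to ship code.
enabled_repos() {
    awk '
        /^\[/ { if (id != "" && en) print id
                id = $0; sub(/^\[/, "", id); sub(/\].*/, "", id); en = 1 }
        /^[ \t]*enabled[ \t]*=[ \t]*0/ { en = 0 }
        END { if (id != "" && en) print id }
    ' "$1"/*.repo 2>/dev/null | sort
}

# Ports the saved firewall ($1) accepts on INPUT, as "proto/port" lines.
# Rule format is the one "service iptables save" writes, e.g.
#   -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
accepted_input_ports() {
    awk '/^-A INPUT/ && /-j ACCEPT/ && /--dport/ {
            proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }' "$1" 2>/dev/null | sort -u
}

# Reads "chkconfig --list" output on stdin and prints services started in
# runlevel 3 or 5: compare against what you actually use (sshd on a box that is
# never administered remotely, cups with no printer, ...).
services_on() {
    awk '/3:on|5:on/ { print $1 }'
}

audit() {
    sudoers=${1:-/etc/sudoers}; homes=${2:-/home}
    repos=${3:-/etc/yum.repos.d}; fw=${4:-/etc/sysconfig/iptables}
    echo "== sudoers entries that skip the password (should be none):"
    sudoers_nopasswd "$sudoers"
    echo "== home directories readable by group/other (fix: chmod 700):"
    open_homes "$homes"
    echo "== enabled yum repositories:"
    enabled_repos "$repos"
    echo "== ports the saved firewall accepts on INPUT:"
    accepted_input_ports "$fw"
    echo "== services started in runlevel 3/5:"
    /sbin/chkconfig --list 2>/dev/null | services_on
}

# Usage: sh hardening-audit.sh --run   (as root, so /etc/sudoers is readable)
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it once after hardening and keep the output; a later run that shows a new repo id, a new accepted port or a NOPASSWD line is exactly the kind of drift the post warns about.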
redman
 Posted: Jun 19 2011, 08:24 PM


SLF Admin

Group: Admins
Posts: 1402
Member No.: 2
Joined: 8-April 11









The discussion that followed on this great piece of work can be found here.


--------------------
What is SL? - Forum Rules - Info on 3rd Party Repos

Desktop: ASUS P5QPL-AM, Intel Dual-Core E6500, 4GB DDR2, ASUS GeForce GT 430 1GB, SL6.6 x86_64
Build server: HP Proliant ML350 G5, 1x Intel Xeon Quad-Core E5410, 9GB ECC DDR2 FB-DIMM, ASUS GeForce GT 730 1GB, SL6.6 x86_64
synflag
 Posted: Feb 11 2012, 07:29 AM


SLF Rookie

Group: Members
Posts: 21
Member No.: 1281
Joined: 11-February 12









Another thing is to modify /etc/pam.d/su so that only users in the wheel group can access root.


--------------------
AMD Phenom x4 945 3.0Ghz - 8Gb Ram DDR3-1600 GSKILL RIPJAWS - 2 HDD 500GB WD SATAII - Thermaltake Toughpower 700 - Thermaltake V9 Black - LG LED 19" // Windows 7 Ultimate x86_64 (for games only), Fedora 16 x86_64
-------------------------------------------------------------------------------------------------------------------------------
Lenovo Thinkpad T400 Intel P8600 - 500GB SATAII - 4GB DDR3-1066 // SL6.2, Windows 7 Ultimate x86_64 (games and security test)
doublejoon
 Posted: Mar 22 2012, 02:15 PM


SLF Newbie


Group: Members
Posts: 5
Member No.: 1381
Joined: 16-March 12









Also change the default umask from 022 to 027 in:
/etc/profile
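The two replies above each name one file to change: /etc/pam.d/su (restrict su to the wheel group) and /etc/profile (umask 027). As an added example, not from either poster, here is a POSIX shell script that verifies both settings, so the change can be confirmed on the real files or on a copy. It assumes the stock SL6 layout, where /etc/pam.d/su ships the pam_wheel line commented out and /etc/profile sets the umask inside an if/else (SL6 also sets one in /etc/bashrc, so check that file too). The file paths are arguments.

```shell
#!/bin/sh
# Added checks for pam_wheel on su and a restrictive default umask
# (example code, not from the replies above).

# 0 if $1 (a /etc/pam.d/su file) has an ACTIVE line of the form
#   auth  required  pam_wheel.so use_uid
# 1 if it is missing or commented out. A commented line starts with "#",
# so it cannot match the "^[[:space:]]*auth" anchor.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so.*use_uid' "$1"
}

# Every distinct umask value set on a non-comment line of $1, one per line.
# Profiles usually set it in an if/else branch, so more than one value can appear.
umask_values() {
    sed -e 's/#.*$//' "$1" \
        | grep -oE '(^|[[:space:]])umask[[:space:]]+[0-7]{3,4}' \
        | awk '{ print $NF }' | sort -u
}

# 0 if every umask in $1 denies "other" entirely (last octal digit 7, so 027 or
# 077 pass), 1 if any branch still leaves new files world-readable (022, 002)
# or no umask is set at all.
umask_blocks_others() {
    vals=$(umask_values "$1")
    [ -n "$vals" ] || return 1
    for v in $vals; do
        case "$v" in
            *7) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

check() {
    su_file=${1:-/etc/pam.d/su}; profile=${2:-/etc/profile}
    if su_requires_wheel "$su_file"; then
        echo "su: restricted to the wheel group (pam_wheel active in $su_file)"
    else
        echo "su: any user may attempt su; uncomment 'auth required pam_wheel.so use_uid' in $su_file"
    fi
    if umask_blocks_others "$profile"; then
        echo "umask: $profile denies other ($(umask_values "$profile" | tr '\n' ' '))"
    else
        echo "umask: $profile leaves files world-readable; set umask 027"
    fi
}

# Usage: sh su-umask-check.sh --run
if [ "${1:-}" = "--run" ]; then check; fi
```

A user who needs su after this change must be added to wheel (`usermod -a -G wheel username`); the umask check only looks at what the profile sets, so a user whose own ~/.bashrc resets it to 022 is not caught.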
Screwballl
 Posted: Apr 15 2014, 06:46 PM


SLF Junior

Group: Members
Posts: 27
Member No.: 3067
Joined: 14-April 14









New note relating to 6.5 and auto yum update... Seems someone took your suggestion and made it automatic; yum auto-updates now. Using less (to view the file) or vi (to edit the file), check:

vi /etc/cron.daily/yum-autoupdate
Jcink
 Posted: Apr 19 2014, 06:55 AM


SLF IRC Team

Group: Members
Posts: 166
Member No.: 15
Joined: 10-April 11









yum-autoupdate is not new; it has been a feature since 6.0.