|This forum is proudly powered by Scientific Linux 6||SL website Download SL Help Search Members|
|Welcome Guest ( Log In | Register )||Resend Validation Email|
Posted: Jun 16 2011, 06:50 AM
SLF IRC Team
Member No.: 180
Joined: 15-May 11
This is a guide to make your scientific linux install much more secure. There might be many things in here you don't feel are nessesery and thats fine, this guide is suppose to cover all bases to make your box a nightmare to anyone trying to brake in. In addidion, any mistakes and/or additions i welcome your comments.
Okay we've all heard it before but whats a security post without this! You must use strong passwords, what does that mean? I've gradually noticed this change as i think the ability to brute force has become esier due to processing power increasing however a good guide is you want something with words and numbers (alphanumeric). This and i can't stress this enough should not be dictionary words, no names. The numbers should equally not refer to birthdates, graduation dates, anniversaries and other dates in that vain.
Targged attacks do happen so using these are common place, often this information is easy to get hold of using friends of you or the family, facebook, etc.. I suggest using ether numbers which have some distinct meaning to you so you can remember them but no one else or even better ones with no patten or meaning in them! This will slow hackers down as it pushing the number of posibilities up and in targgeted attacks nearly stops any levrage knowing the victom might have.
I think an upwards of 8 characters should do for a good alphanumeric password, prefriably with upper case and lower case and if you can even symbols. A simple 8 character password with a - z + 0 - 9 gives 68719476736 of posibilities, if you had uppercase and lower cause thats even better that changes the posibilities to 4611686018427387904 you have to make it as hard as possible. Equally you shouldn't write your password down and put it on a common place or next to your computer this is the equiverlent of writing your bank PIN on your bank card.
Lastly about passwords, your root password should certainly be different and strong however every password on your system should be strong and if there are other people on your system do your best to cajole them to use strong passwords but realise for the avarage user this advice falls on deaf ears so keeping their account isolated via permissions and disallowing sudo/su (talked about later) is a must.
Removing Unsed Software, Repositories & Services
People get into computers usually by exploiting bugs in code being run on your computer or by giving you malicous code by explointing another server such as a repository. The best way to combat this is to look at what you actually need and there is a lot to be said about this, when i go and try and fix peoples computers I frequently see computers chocked up with software in somecases the user hasn't a clue what it does! Now, I assume most scientific linux users aren't quite as bad as that however i do think its underrated even in technical circles.
Remove any repository you don't actually need, if an attacker can exploit that server they can provide packages which have their code injected into it which can give them control over your computer and compromise your security and anyone elses security who uses the computer. Depending on how you have the repo installed will depend on how to remove it, if its a package you might be able to remove that package:
sudo yum remove yum-conf-epel
(or the repo you wish to remove)
However even using that method i suggest you check in /etc/yum.repos.d/ to see if its there and if so remove it.
Software! well its the same principal if you don't need some some software don't have it. For example do you have java? if so do you need java? if not remove it, its just one more program attacks can find an exploit to and use. Now java was just an example this goes for any program. You can remove them by
sudo yum remove <program name>
Also stopping deamons you don't need running you can find a list of them at /etc/init.d/ which are started, a common one is ssh. ssh is fantastic but if you don't have a need for it, if its not something you use then disable it, it only takes 1 exploit and then an attacker can use that to get in.
I'm not going to cover this since its already been done, check here
Most people now are behind a router so that stops a lot but people shouldn't assume they can ignore firewalls on local machines compeatly, lucky on SL its configured so its on by default and blocks quite a lot however its worth reviewing. In the default standard gnome desktop go to:
System > Administration > Firewall
This allows you to see what ports are open, what services your system trusts and they should match what you trust and what ports you think should infact be open. I know by default its on but a double check is to look in the bottom left and check that indeed it says in green "The firewall is enabled" There are other interfaces to the firewall but this forum post can't go on forever and the GUI method is sufficiant so i shall leave it at that.
Su / sudo
First make sure you have sudo, it i believe comes default on the system but for some reason you might not have it installed so double check this by doing:
Now you should only allow users whome you trust, who have strong passwords. If this is only you on the system then so be it, giving people sudo should be done sparingly. You can alter who can use sudo in this file:
sudo nano /etc/sudoers
if you haven't got sudo your self you might have to su first then do nano /etc/sudo
Then users a user entry looks a lot like the root one in there for you by default
Jesssica ALL=(ALL) ALL
You might want to do it via groups so adding people to certain groups gives them sudo which is fine its
%groupname ALL=(commands) ALL
like the user except % to denote group name. I can't stress enough how much you should NOT allow sudo without password for any user or group ever! Never allow this.
As mentioned above software has bugs and some of these bugs can be used for security breaches. Regually checking for updates is key for protecting your self against exploits. Make sure you check regually that you are upto date and if you're not make sure you update it as soon as possible.
Possibly creating a CRON might be nice, I have heard that yum-updatesd sometimes doesn't function reliably and you might want to do something like:
/sbin/chkconfig yum-updatesd off
sudo nano /etc/cron.daily
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
Those three lines in there, the first tells it what shell to execute it with, the second checks yums upto date and the third checks your system is.
You may want encryption thats up to you, i won't cover this inhere simply because its a whole other post on its own however to stop other users on your system browing through your /home folder its important to ser permissions to
chmod 700 /home/<user>
so for all users that should be the case as root you can do
sudo chmod 700 /home/*
I hope I haven't missed anything vital from this guide and that you have picked up something you can take away from this. People need to take security seriously and making some your local machine is secure if your first line of attack. This information for me has been taken over my time using computers and certain security related documents which i have used in the past to secure my system.
Posted: Jun 19 2011, 08:24 PM
Retired SLF Admin
Member No.: 2
Joined: 8-April 11
The discussion that followed on this great piece of work can be found here.
Posted: Feb 11 2012, 07:29 AM
Member No.: 1281
Joined: 11-February 12
Other thing, is modify /etc/pam.d/su, for only users in wheel group can access to root.
AMD Phenom x4 945 3.0Ghz - 8Gb Ram DDR3-1600 GSKILL RIPJAWS - 2 HDD 500GB WD SATAII - Thermaltake Toughpower 700 - Thermaltake V9 Black - LG LED 19" // Windows 7 Ultimate x86_64 (for games only), Fedora 16 x86_64
Lenovo Thinkpad T400 Intel P8600 - 500GB SATAII - 4GB DDR3-1066 // SL6.2, Windows 7 Ultimate x86_64 (games and security test)
Posted: Mar 22 2012, 02:15 PM
Member No.: 1381
Joined: 16-March 12
Also change the default umask 022 to 027
Posted: Apr 15 2014, 06:46 PM
Member No.: 3067
Joined: 14-April 14
New note relating to 6.5 and auto yum update... Seems someone took your suggestion and created to be automatic, yum auto updates now. Using less (to view the file) or vi (to edit the file), check:
Posted: Apr 19 2014, 06:55 AM
SLF IRC Team
Member No.: 15
Joined: 10-April 11
yum-autoupdate is not new, it has been a feature since 6.0