Securing your Unix (/Linux) Machine

1. Know your machine

   Turn off what you don't need. Limit the availability of what you do need.
   When in doubt, comment out.
   - Try not to do anything irreversible, though.

   A. Odd Behavior?
      - Sluggish
      - Changes (new files, programs not working, permissions)
      - Odd logins
      - Reboots
      - Syslog logfile events
      - I can tell when I receive email on my desktop system by the drive noise.
      - etc.

   B. Accounts
      - What accounts exist?
      - Who has access?
        . Avoid account sharing.
      - Do they all have passwords or lockouts?
        . Are you using shadow passwords?
        . Use MD5 over crypt if you have that option.
      - Last used when?
      - Who has root access?
      - Choosing good passwords
        . Names/words are bad. Abbreviated phrases are good.
          http://attila.stevens-tech.edu/~khockenb/crypt3.html

   C. Files
      - Ownership
        . Unowned files (owner or group no longer in /etc/passwd or /etc/group)?
            find / -nouser -print ; find / -nogroup -print
        . Misowned files? (e.g., my file in your dir)
      - Permissions
        . World and/or group writeable?
            find / -perm -0002 -exec ls -ld {} \;
            find / -perm -0020 -exec ls -ld {} \;
          (World-writeable directories with the sticky bit, like /tmp, are expected;
          add -xdev to keep find on the local filesystem and off NFS mounts.)
        . What SUID/SGID files exist?
            find / -perm -4000 -exec ls -ld {} \;
            find / -perm -2000 -exec ls -ld {} \;
          - Do you know what they do?
          - When were they last accessed? (-u shows the access time instead of the modification time.)
              ls -ldu /the/file
      - Odd files
        . Directories that start with ".", for instance ".. " (dot, dot, space)
      - Tripwire

   D. Services
      - Inetd vs. Standalone (Daemons)
        . Once had inetd die on my workstation. Took me a week to notice.
          Decided I was better off without it. Turned it off in startup.
        . Limit what you do need
          - tcpwrappers will allow you to limit what hosts can connect,
            and log connection attempts.
            ftp://ftp.porcupine.org/pub/security/index.html
          - Standard in most Linux distributions.
      - Login Services
        . telnet/ftp
        . ssh
        . rlogin/rsh/rcp
        . pop/imap
      - Disk/Printer Services
        . NFS
        . Samba
        . LPD
      - Public Services
        . SMTP (Email) ["Sendmail"]
        . Finger
        . HTTP (Web)
        . Anonymous FTP
      - Other Services
        . Syslog
        . Database
        . Misc inetd services: echo/chargen/discard, linuxconf, portmapper
        . Cron/At
        . .forward files and .procmailrc scripts

   E. Physical Security
      - Who has access to the machine?
        . Is it locked down, or can it "walk"?
          - Register your Ethernet address (aka MAC address) with the CSC.
        . Can it be opened? The disk could "walk".
      - Can it be rebooted into single user mode, or booted off of installation media?
      - Other attacks
        . "Shoulder surfing"
        . Keyboard sniffers
        . Social engineering, aka "I'm from the computer center. What's your password?"

2. Keeping Current

   A. Vendor patches.
   B. Alerts mailing list: send "subscribe alerts" to majordomo@stevens-tech.edu.
   C. Vendor mailing lists/web sites.

3. Backups, Backups, Backups.

   A. *Everyone* loses data, eventually.
   B. Are your backups current?
   C. Are they complete?
   D. Are they secure?

4. What to do when you are "hacked" (have a break-in)

   A. Remain calm.
   B. Disconnect from the network.
   C. Gather data -- do not reboot right away! (A reboot throws away what lives only
      in memory: the intruder's running processes, open connections and logins.)
   D. Reinstall the OS from scratch, apply all patches, and restore data from backups.
      - Painful. Costly.
        . That's why you're here: to avoid it happening in the first place.
        . Most intruders are looking for "a" machine, not "your" machine.
          If they can't get in easily, they'll move on.
          - There are exceptions. But then, physical and human attacks are usually cheaper anyway.

5. Where to go from here.

   A. ONLY SCAN YOUR OWN MACHINES.
   B. What hosts exist?
   C. Who controls them?
   D. What OS? What version? Are the latest vendor patches installed?
   E. Who has accounts on the machine?
   F. Who has physical access?
   G. What services is this machine offering on the network?
   H. Turn off unneeded services, limit needed services, close holes.
   I. Set up logging.
   J. Syslog monitoring.

   Remember, _all_ machines are valuable: some may have valuable content, but all
   are valuable from a disk space, CPU time, net laundering, DoS amplification, or
   network sniffing point of view.
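For the services that stay on, section 1.D recommends tcpwrappers. The access control lives in two files that tcpd reads on every connection; the important point is the order: hosts.allow is consulted first, then hosts.deny, and a host matched by neither is allowed. So the hardened shape is "deny everything, then allow the few things you mean to". Added example config, not from the original handout. The 192.0.2.0/24 network is a placeholder for your own subnet, and the daemon names assume the services are started through tcpd from inetd.conf (or, for sshd, linked with libwrap).

```text
# /etc/hosts.deny -- weak: an empty or missing hosts.deny means tcpd allows
# any host that hosts.allow did not mention.
#
# Corrected: refuse everything not explicitly allowed. ALL:ALL is logged
# by tcpd via syslog, so refused connection attempts show up in the logs.
ALL: ALL

# /etc/hosts.allow -- open only what is needed, to the hosts that need it.
# Matching by address is harder to spoof than matching by hostname.
sshd:        192.0.2.0/255.255.255.0
in.ftpd:     192.0.2.0/255.255.255.0
in.telnetd:  LOCAL
```

The tcpwrappers distribution ships `tcpdchk`, which reports syntax and configuration errors in both files, and `tcpdmatch`, which answers "would daemon X accept a connection from host Y" (for instance `tcpdmatch in.ftpd 192.0.2.10`) so a rule can be checked before it is trusted.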
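The ownership and permission checks from section 1.C, wrapped into one script so the same run can be repeated and diffed against the next one. This is an added example, not part of the original handout. It assumes only POSIX find(1) and ls(1); -xdev keeps each find on one filesystem so NFS mounts are not walked, and directories are skipped in the writeable check because sticky world-writeable directories like /tmp are expected and would swamp the list.

```shell
#!/bin/sh
# audit_files.sh - unowned, world/group-writeable and SUID/SGID files
# under a directory (added example; not from the original handout).
# Run as root so every directory is readable; save the output and diff it
# against the next run.

# Files whose owner or group no longer exists in /etc/passwd or /etc/group.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Regular files that are world- or group-writeable. Directories are left
# out on purpose; check them separately with: find / -xdev -type d -perm -0002
find_writable() {
    find "$1" -xdev -type f \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null
}

# Regular files with the SUID or SGID bit set.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Number of hits for one of the finders, with wc's padding stripped.
count_hits() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Full report. SUID/SGID files are listed with ls -u so the last access
# time (the "when was it last used" check) is shown instead of the mtime.
report() {
    dir="$1"
    echo "== unowned files under $dir ($(count_hits find_unowned "$dir") found)"
    find_unowned "$dir"
    echo "== world/group-writeable files ($(count_hits find_writable "$dir") found)"
    find_writable "$dir"
    echo "== SUID/SGID files with last access time ($(count_hits find_setid "$dir") found)"
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldu {} \; 2>/dev/null
}

# Usage: sh audit_files.sh /
if [ -n "${1:-}" ]; then
    report "$1"
else
    echo "usage: $0 DIRECTORY" >&2
fi
```

Anything in the SUID/SGID list you cannot name the purpose of is a candidate for `chmod u-s`; anything in the world-writeable list that is not a deliberately shared scratch file is a candidate for `chmod o-w`.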
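"When in doubt, comment out" applied to inetd (sections 1.D and 5.H), done the reversible way the handout asks for: keep a dated backup, only touch lines whose service field matches, and leave already-commented lines alone. This is an added example, not code from the original handout. The config path and the service names are arguments; the sample inetd.conf in the usage note is constructed for illustration.

```shell
#!/bin/sh
# disable_inetd.sh - comment out selected services in an inetd.conf
# (added example; not from the original handout).

# Comment out every line of $1 whose first field is one of the remaining
# arguments. The pattern anchors on the service name followed by whitespace,
# so "echo" does not match "echo-udp" or a comment that mentions echo.
disable_inetd_services() {
    conf="$1"; shift
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# Service names that are still enabled: first field of non-comment lines.
active_inetd_services() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Back up first (so the change can be undone), then disable the services.
harden_inetd() {
    conf="$1"; shift
    cp -p "$conf" "$conf.$(date +%Y%m%d)" || return 1
    disable_inetd_services "$conf" "$@"
}

# Usage, as root:
#   sh disable_inetd.sh /etc/inetd.conf echo chargen discard finger
#   kill -HUP "$(cat /var/run/inetd.pid)"    # make inetd reread the file
if [ $# -ge 2 ]; then
    harden_inetd "$@"
    echo "still active:"; active_inetd_services "$1"
fi
```

On a constructed inetd.conf with echo, chargen, ftp, telnet and finger lines, `harden_inetd inetd.conf echo chargen finger` leaves only ftp and telnet reported by `active_inetd_services`, and both echo lines (stream and dgram) are commented. inetd does not notice the edit until it gets a SIGHUP; confirm with `netstat -an` that the ports are gone.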
Links

   tcp wrappers
      ftp://ftp.porcupine.org/pub/security/index.html
   Admin guide to cracking, Satan, Titan, COPS, more papers
      http://www.fish.com/security/
   nmap
      http://www.insecure.org/nmap/
      http://www.insecure.org/nmap/nmap_doc.html
   Trinux
      http://www.trinux.org/
   CIAC
      http://ciac.llnl.gov/ciac/
   Unix security
      http://www.deter.com/unix/
   SAINT
      http://www.wwdsi.com/saint/
   Nessus
      http://www.nessus.org/
   SecurityFocus / Bugtraq
      http://www.securityfocus.com/
      http://www.securityfocus.com/forums/bugtraq/faq.html