
Terms in Securing Linux

Written By Sajib Barua on Monday, August 20, 2012 | 1:27 AM

After you define a security policy, you can proceed to secure the system according to the policy. The exact steps depend on what you want to do with the system, whether the system is a server or workstation, and how many users must access the system.
To secure the Linux system, you have to handle two broad categories of security issues:
  • Host security issues: These issues relate to securing the operating system and the files and directories on the system.
  • Network security issues: These issues refer to the threat of attacks over the network connection.
If your host is connecting to a large network, Directory Services can become a significant issue. Directory Services security is outside the scope of this book, but you can find a number of sources addressing the issue with a Google search.
Understanding the host security issues
Here are some high-level guidelines to address host security. (I cover some of these topics in detail in Chapter 2 of this minibook.)
  • When installing Linux, select only the package groups that you need for your system. Don’t install unnecessary software. For example, if your system is used as a workstation, you don’t have to install most of the servers (Web server, news server, and so on).
  • Create initial user accounts and make sure that all passwords are strong enough that password-cracking programs can’t guess them. Linux includes tools to enforce strong passwords.
  • Set file ownerships and permissions to protect important files and directories.
  • If available, enable mandatory access control capabilities provided by Security Enhanced Linux (SELinux). Linux kernel 2.6 supports SELinux.
  • Use the GNU Privacy Guard (GnuPG) to encrypt or decrypt files with sensitive information and to authenticate files that you download from the Internet. GnuPG comes with Linux, and you can use the gpg command to perform tasks such as encrypting or decrypting a file and digitally signing a file. (See Chapter 2 of this minibook for an explanation of digital signatures.)
  • Use file-integrity checking tools, such as Tripwire, to monitor any changes to crucial system files and directories. Visit www.tripwire.com for the commercial version.
  • Periodically check various log files for signs of any break-ins or attempted break-ins. These log files are in the /var/log directory of your system.
  • Install security updates as soon as they are available and tested. These security updates fix known vulnerabilities in Linux. Be sure to test the update on nonproduction machines before rolling it out to your production servers.
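A minimal file-integrity check in the spirit of the Tripwire step above, added here as an example (it is not code from the original post or from Tripwire): it records a SHA-256 digest, permission bits, owner and size for every regular file under a directory, then reports what was added, removed or changed against that baseline. The function names (file_record, build_baseline, compare) and the passwd-style demo content are my own constructions.

```python
import hashlib
import os
import stat
from pathlib import Path

def file_record(path: Path) -> dict:
    """Hash the content and capture the metadata an integrity checker watches."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def build_baseline(root: str) -> dict:
    """Record every regular file under root, keyed by its path relative to root."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():   # skip directories and symlinks
            baseline[str(p.relative_to(root_path))] = file_record(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or changed (listing which attributes changed)."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report

if __name__ == "__main__":
    import tempfile
    # Constructed demo: take a baseline, then simulate an edit plus a permission change.
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "passwd"
        target.write_text("root:x:0:0:root:/root:/bin/bash\n")
        base = build_baseline(d)
        target.write_text("root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(target, 0o666)
        print(compare(base, build_baseline(d)))
```

Store the baseline somewhere the host cannot silently alter it (read-only media or another machine), because a baseline that an intruder can rewrite proves nothing.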
Understanding network security issues
The issue of security comes up as soon as you connect your organization’s internal network to the Internet. You need to think of security even if you connect a single computer to the Internet, but security concerns are more pressing when an entire internal network is opened to the world.
If you’re an experienced system administrator, you already know that the cost of managing an Internet presence doesn’t worry corporate management; their main concern is security. To get your management’s backing for the Web site, you have to lay out a plan to keep the corporate network secure from intruders.
You may think that you can avoid jeopardizing the internal network by connecting only external servers, such as Web and FTP servers, to the Internet. However, employing this simplistic approach isn’t wise. It’s like deciding not to drive because you may have an accident. Not having a network connection between your Web server and your internal network also has the following drawbacks:
  • You can’t use network file transfers, such as FTP, to copy documents and data from your internal network to the Web server.
  • Users on the internal network can’t access the corporate Web server.
  • Users on the internal network don’t have access to Web servers on the Internet. Such a restriction makes a valuable resource — the Web — inaccessible to the users in your organization.
A practical solution to this problem is to set up an Internet firewall and to put the Web server on a highly secured host outside the firewall.
In addition to using a firewall, here are some other steps to take to address network security. (I explain these further in Chapter 2 of this minibook.)
  • Enable only those Internet services you need on a system. In particular, don’t enable services that aren’t properly configured.
  • Use Secure Shell (ssh) for remote logins. Don’t use the r commands, such as rlogin and rsh.
  • Secure any Internet services, such as FTP or TELNET, that you want to run on your system. You can use the TCP wrapper access control files — /etc/hosts.allow and /etc/hosts.deny — to secure some of these services. (See Chapter 3 of this minibook for more on the TCP wrapper.)
  • Promptly fix any known vulnerabilities of Internet services that you choose to run. Typically, you can download and install the latest security updates from your Linux distribution’s online update sites.
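As an added example (not part of the original post and not the libwrap code itself), here is a small Python evaluator for the TCP wrapper access-control files mentioned above. It follows the hosts_access(5) decision order (a match in hosts.allow grants, then a match in hosts.deny refuses, otherwise access is granted) and an IPv4-only subset of the patterns: ALL, LOCAL, exact daemon/host/address, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and EXCEPT. The two rule files are constructed samples, and hosts_access, _match, _list_matches and _rule_matches are names I chose.

```python
import ipaddress

def _match(pattern, name, addr=None):
    """Match one hosts_access(5) pattern against a daemon name or a client host/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # hostname without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):                 # domain suffix, e.g. .corp.example.com
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):                   # address prefix, e.g. 192.168.
        return addr is not None and addr.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 192.168.10.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return addr is not None and ipaddress.ip_address(addr) in network
    return pattern == name or pattern == addr   # exact daemon, host or address

def _list_matches(items, name, addr=None):
    """Evaluate a comma/space list; members after EXCEPT are subtracted from the match."""
    words = items.replace(",", " ").split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return (_list_matches(" ".join(words[:i]), name, addr)
                and not _list_matches(" ".join(words[i + 1:]), name, addr))
    return any(_match(w, name, addr) for w in words)

def _rule_matches(line, daemon, host, addr):
    """A rule is 'daemon_list : client_list [: options]'; options are ignored here."""
    fields = [f.strip() for f in line.split(":")]
    return len(fields) >= 2 and _list_matches(fields[0], daemon) and _list_matches(fields[1], host, addr)

def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Return True if the connection is granted: allow first, then deny, else grant."""
    def any_rule(text):
        rules = [ln.strip() for ln in text.splitlines()]
        return any(r and not r.startswith("#") and _rule_matches(r, daemon, host, addr) for r in rules)
    if any_rule(allow_text):
        return True
    return not any_rule(deny_text)              # nothing matched at all: access is granted

HOSTS_ALLOW = """\
# constructed sample: ssh from the admin subnet or corporate hosts, ftp from the LAN except one segment
sshd: 192.168.10.0/255.255.255.0, .corp.example.com
vsftpd: 192.168. EXCEPT 192.168.99.
"""
HOSTS_DENY = "ALL: ALL\n"                       # constructed sample: refuse everything else
```

The last branch of hosts_access is the point to remember: with an empty hosts.deny, any daemon or client not named in hosts.allow is let through, so the catch-all ALL: ALL in hosts.deny is what turns the allow list into a real whitelist.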
Delving into Computer Security Terminology
Computer books, magazine articles, and experts on computer security use a number of terms that you need to know to understand discussions about computer security (and to communicate effectively with security vendors). Table 1-1 describes some of the commonly used computer security terms.
Table 1-1 Common Computer Security Terminology

Application gateway: A proxy service that acts as a gateway for application-level protocols, such as FTP, HTTP, NNTP, and SSH.
Authentication: The process of confirming that a user is indeed who he or she claims to be. The typical authentication method is a challenge-response method wherein the user enters a username and secret password to confirm his or her identity.
Backdoor: A security weakness a cracker places on a host to bypass security features.
Bastion host: A highly secured computer that serves as an organization’s main point of presence on the Internet. A bastion host typically resides on the perimeter network, but a dual-homed host (with one network interface connected to the Internet and the other to the internal network) is also a bastion host.
Buffer overflow: A security flaw in a program that enables a cracker to send an excessive amount of data to that program and to overwrite parts of the running program with code in the data being sent. The result is that the cracker can execute arbitrary code on the system and possibly gain access to the system as a privileged user. The new exec-shield feature of the Linux kernel protects against buffer overflows.
Certificate: An electronic document that identifies an entity (such as an individual, an organization, or a computer) and associates a public key with that identity. A certificate contains the certificate holder’s name, a serial number, an expiration date, a copy of the certificate holder’s public key, and the digital signature of the certificate authority so a recipient can verify that the certificate is real.
Certificate authority (CA): An organization that validates identities and issues certificates.
Confidentiality: Of data, a state of being accessible to no one but you (usually achieved by encryption).
Cracker: A person who breaks into (or attempts to break into) a host, often with malicious intent.
Decryption: The process of transforming encrypted information into its original, intelligible form.
Denial of Service (DoS): An attack that uses so many of the resources on your computer and network that legitimate users can’t access and use the system. From a single source, the attack overwhelms the target computer with messages and blocks legitimate traffic. It can prevent one system from being able to exchange data with other systems or prevent the system from using the Internet.
Digital signature: A one-way MD5 (Message Digest algorithm 5) or SHA-1 (Secure Hash Algorithm-1) hash of a message encrypted with the private key of the message originator, used to verify the integrity of a message and ensure nonrepudiation.
Distributed Denial of Service (DDoS): A variant of the Denial of Service attack that uses a coordinated attack from a distributed system of computers rather than a single source. It often makes use of worms to spread to multiple computers that can then attack the target.
DMZ: Another name for the perimeter network. (DMZ originally stood for demilitarized zone, the buffer zone separating the warring North and South in Korea and Vietnam.)
Dual-homed host: A computer with two network interfaces (think of each network as a home).
Encryption: The process of transforming information so it’s unintelligible to anyone but the intended recipient. The transformation is performed by a mathematical operation between a key and the information.
Exploit tools: Publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems.
Firewall: A controlled-access gateway between an organization’s internal network and the Internet. A dual-homed host can be configured as a firewall.
Hash: The result when a mathematical function converts a message into a fixed-size numeric value known as a message digest (or hash). The MD5 algorithm, for example, produces a 128-bit message digest; SHA-1 generates a 160-bit message digest. The hash of a message is encrypted with the private key of the sender to produce the digital signature.
Host: A computer on a network that’s configured to offer services to other computers on the network.
Integrity: Of received data, a state of being the same as originally sent (that is, unaltered in transit).
IP spoofing: An attack in which a cracker figures out the IP address of a trusted host and then sends packets that appear to come from the trusted host. The attacker can send packets but can’t see responses. However, the attacker can predict the sequence of packets and essentially send commands that set up a backdoor for future break-ins.
IPSec (IP Security Protocol): A security protocol for the network layer of the OSI networking model, designed to provide cryptographic security services for IP packets. IPSec provides encryption-based authentication, integrity, access control, and confidentiality. (For information on IPSec for Linux, visit www.ipsechowto.org.)
Logic bombs: A form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering event occurs, such as terminating the programmer’s employment.
Nonrepudiation: A security feature that prevents the sender of data from being able to deny ever having sent the data.
Packet: A collection of bytes, assembled according to a specific protocol, that serves as the basic unit of communication on a network. On TCP/IP networks, for example, the packet may be referred to as an IP packet or a TCP/IP packet.
Packet filtering: Selective blocking of packets according to type of packet (as specified by the source and destination IP address or port).
Perimeter network: A network between the Internet and the protected internal network. The perimeter network (also known as DMZ) is where the bastion host resides.
Port scanning: A method of discovering which ports are open (in other words, which Internet services are enabled) on a system, performed by sending connection requests to the ports, one by one. This procedure is usually a precursor to further attacks.
Proxy server: A server on the bastion host that enables internal clients to access external servers (and enables external clients to access servers inside the protected network). There are proxy servers for various Internet services, such as FTP and HTTP.
Public key cryptography: An encryption method that uses a pair of keys, a private key and a public key, to encrypt and decrypt the information. Anything encrypted with the public key is decrypted only with the corresponding private key, and vice versa.
Public Key Infrastructure (PKI): A set of standards and services that enables the use of public key cryptography and certificates in a networked environment. PKI facilitates tasks such as issuing, renewing, and revoking certificates, and generating and distributing public and private key pairs.
Screening router: An Internet router that filters packets.
Setuid program: A program that runs with the permissions of the owner regardless of who runs the program. For example, if root owns a setuid program, that program has root privileges regardless of who started the program. Crackers often exploit vulnerabilities in setuid programs to gain privileged access to a system.
Sniffer: Synonymous with packet sniffer, a program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text.
Spyware: Any software that covertly gathers user information through the user’s Internet connection and usually transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users are tricked into installing spyware when they install something else.
Symmetric key encryption: An encryption method wherein the same key is used to encrypt and decrypt the information.
Threat: An event or activity, deliberate or unintentional, with the potential for causing harm to a system or network.
Trojan horse: A program that masquerades as a benign program but is a backdoor used for attacking a system. Attackers often install a collection of Trojan horse programs that enable the attacker to freely access the system with root privileges, yet hide that fact from the system administrator. Such collections of Trojan horse programs are rootkits.
Virus: A self-replicating program that spreads from one computer to another by attaching itself to other programs.
Vulnerability: A flaw or weakness that may cause harm to a system or network.
War-dialing: Simple programs that dial consecutive phone numbers looking for modems.
War-driving: A method of gaining entry into wireless computer networks that uses a laptop, antennas, and a wireless network card and involves patrolling locations to gain unauthorized access.
Worm: A self-replicating program that copies itself from one computer to another over a network.


Keeping Up with Security News and Updates
To keep up with the latest security alerts, you may want to visit one or both of the following sites on a daily basis:
  • CERT Coordination Center (CERT/CC) at www.cert.org
  • United States Computer Emergency Readiness Team (US-CERT) at www.us-cert.gov
If you have access to Internet newsgroups, you can periodically browse the following:
  • comp.security.announce: A moderated newsgroup that includes announcements from CERT about security
  • comp.security.linux: A newsgroup that includes discussions of Linux security issues
  • comp.security.unix: A newsgroup that includes discussions of UNIX security issues, including items related to Linux
If you prefer to receive regular security updates through e-mail, you can also sign up for (subscribe to) various mailing lists:
  • FOCUS-LINUX: Fill out the form at www.securityfocus.com/archive to subscribe to this mailing list focused on Linux security issues.
  • US-CERT National Cyber Alert System: Follow the directions at www.us-cert.gov to subscribe to this mailing list. The Cyber Alert System features four categories of security information through its mailing lists:
      • Technical Cyber Security Alerts: Alerts that provide technical information about vulnerabilities in various common software products.
      • Cyber Security Alerts: Alerts sent when vulnerabilities affect the general public. They outline the steps and actions that nontechnical home and corporate computer users can take to protect themselves from attacks.
      • Cyber Security Bulletins: Biweekly summaries of security issues and new vulnerabilities along with patches, workarounds, and other actions that users can take to help reduce risks.
      • Cyber Security Tips: Advice on common security issues for nontechnical computer users.
Finally, check your distribution’s Web site for updates that may fix any known security problems with that distribution. In Debian and Ubuntu, you can update the system with the commands apt-get update followed by apt-get upgrade. For Fedora, the Web site is http://fedoraproject.org. In SUSE, use YaST Online Update to keep your system up-to-date. In Xandros, obtain the latest updates from Xandros Networks.
