Linux has become the most popular operating system for users who want to learn about how computer operating systems work, and UNIX in particular. As a result, it is quickly becoming the most often hacked of UNIX systems. There are large numbers of home Linux systems attached to the Internet that are "wide-open", meaning they are providing a huge number of services. On average, each of these services can be exploited in some fashion. Whereas a secure system should expose maybe one or two ports/services to the Internet, many of these systems expose 20 or 30 ports/services, and can usually be broken into in some fashion.
The command netstat -a will show all the "listening" ports. A typical output from a newly installed Linux box may look something like the following:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:echo                  *:*                     LISTEN
tcp        0      0 *:discard               *:*                     LISTEN
tcp        0      0 *:daytime               *:*                     LISTEN
tcp        0      0 *:chargen               *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:gopher                *:*                     LISTEN
tcp        0      0 *:nntp                  *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:exec                  *:*                     LISTEN
tcp        0      0 *:pop-2                 *:*                     LISTEN
tcp        0      0 *:pop                   *:*                     LISTEN
tcp        0      0 *:imap                  *:*                     LISTEN
tcp        0      0 *:uucp                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:netstat               *:*                     LISTEN
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:635                   *:*                     LISTEN
tcp        0      0 *:2049                  *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        1      0 frodo.intra.neti:systat 10.0.0.10:2621          CLOSE
tcp        0      0 *:systat                *:*                     LISTEN
tcp        0      0 *:12434                 *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:syslog                *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 *:snmp                  *:*
udp        0      0 *:echo                  *:*
udp        0      0 *:discard               *:*
udp        0      0 *:daytime               *:*
udp        0      0 *:chargen               *:*
udp        0      0 *:talk                  *:*
udp        0      0 *:ntalk                 *:*
udp        0      0 *:tftp                  *:*
udp        0      0 *:bootps                *:*
udp        0      0 *:time                  *:*
udp        0      0 localhost:domain        *:*
udp        0      0 *:domain                *:*
udp        0      0 *:route                 *:*
udp        0      0 *:mount                 *:*
udp        0      0 *:nfs                   *:*
udp        0      0 *:who                   *:*
udp        0      0 *:netbios-ns            *:*
udp        0      0 *:netbios-dgm           *:*
Defense
As many services as possible should be disabled through /etc/inetd.conf and in the startup scripts. Furthermore, on machines attached to the Internet, a firewall such as ipchains needs to be installed in order to block unexpected access.
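To check the result of disabling services, the following added example (not part of the original page) filters netstat -a output in the format shown above and reports every open service that is not on an allowlist. The allowlist contents, the function names and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report listeners in `netstat -a` output that are not allowlisted.
# ALLOWED is an assumed site policy (space-separated proto/service pairs).
ALLOWED="tcp/www tcp/smtp"

# Reads netstat -a output on stdin; prints one "proto/service" per line for each
# TCP socket in LISTEN state or UDP socket that is not in $ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # UDP rows have no State column, so every udp row counts as open.
        ($1 == "tcp" && $NF == "LISTEN") || $1 == "udp" {
            m = split($4, loc, ":")       # Local Address is "host:service"
            svc = loc[m]
            host = substr($4, 1, length($4) - length(svc) - 1)
            # Loopback-only sockets are not reachable from the network.
            if (host == "localhost" || host == "127.0.0.1") next
            key = $1 "/" svc
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample input: a few rows in the same format as the listing above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:telnet *:* LISTEN
tcp 1 0 frodo.intra.neti:systat 10.0.0.10:2621 CLOSE
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
udp 0 0 *:tftp *:*
udp 0 0 localhost:domain *:*
EOF
}

# Run against the sample; on a live host use: netstat -a | unexpected_listeners
sample_netstat | unexpected_listeners
```

Any service the function prints is a candidate for commenting out in /etc/inetd.conf or removing from the startup scripts, after which the check can be rerun.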