Chapter 8. Basic Security

Table of Contents

8.1. Local Security
8.1.1. The BIOS
8.1.2. LILO
8.1.3. File permissions
8.1.4. Log Files
8.1.5. User Limits
8.2. Network Security
8.2.1. Host Based Security
8.2.2. Port Based Security
8.2.3. More background
8.3. The Secure Shell
8.3.1. Host Authentication
8.3.2. User Authentication (using passwords)
8.3.3. User Authentication (using keys)
8.3.4. sshd configuration file
8.3.5. ssh configuration file
8.4. Time Configuration
8.4.1. The System date
8.4.2. The Hardware Clock
8.4.3. Time Zones
8.4.4. Using NTP
8.5. Exercises and Summary
8.5.1. Summary
8.5.2. Exercises

Prerequisites

Goals

8.1. Local Security

8.1.1. The BIOS

If anyone has access to a rescue disk or a Linux disk that boots from a floppy or a CDROM, it is extremely easy to gain read access to any files on the system. To prevent this, the BIOS should be set to boot only off the hard drive. Once this is done, set a password on the BIOS.

8.1.2. LILO

LILO can be given options at boot time. In particular some Linux distributions will not ask for a password when starting the system in single user mode or runlevel 1.

There are two options that should be added to the /etc/lilo.conf:

  • the restricted option prompts the user for a password

  • the password="" option sets the password string.

Restricted means that LILO cannot be given any parameters without the password specified in lilo.conf.

boot=/dev/hda
install=/boot/boot.b
prompt
timeout=50
password="password"
restricted

8.1.3. File permissions

To prevent attackers causing too much damage it is recommended to take the following steps.

  1. Make vital system tools immutable, or logfiles append-only

    chattr +i /bin/login
    chattr +i /bin/ps
    chattr +a /var/log/messages
    
  2. Make directories /tmp/ and /home/ nosuid or noexec, as in the following /etc/fstab:

    # device	mount point	type	options		dump pass  (device names are examples)
    /dev/hda5	/tmp		ext2	nosuid		1 2
    /dev/hda6	/home		ext2	noexec		1 2
    
  3. Find all files on the system that don't belong to a user or a group:

    # files whose owner or group no longer exists
    find / -nouser -o -nogroup
    # files with the SUID bit set
    find / -perm -4000
    

8.1.4. Log Files

The main logs are

  • /var/log/messages, which contains information logged by the syslogd daemon

  • /var/log/secure, which contains information on failed logins, added users, etc.

  • The last tool lists all successful logins and reboots. The information is read from the /var/log/wtmp file.

  • The who and w tools list all users currently logged onto the system using the /var/run/utmp file.

8.1.5. User Limits

When the /etc/nologin file is present (it can be empty) it will prevent all users from logging in to the system (except user root). If the nologin file contains a message this will be displayed after a successful authentication.

In the /etc/security/ directory is a collection of files that allow administrators to limit user CPU time, maximum file size, maximum number of connections, etc.

/etc/security/access.conf disallows logins for groups and users from specific locations.

/etc/security/limits.conf. The format of this file is

domain  type  item  value

domain
    a user name, a group name (with @group)

type
    hard or soft

item
    core        limits the core file size (KB)
    data        max data size (KB)
    fsize       maximum filesize (KB)
    memlock     max locked-in-memory address space (KB)
    nofile      max number of open files
    cpu         max CPU time (MIN)
    nproc       max number of processes
    as          address space limit
    maxlogins   max number of simultaneous logins for this user
    priority    the priority to run user process with
    locks       max number of file locks the user can hold
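
The format above can be checked mechanically before a limits file is deployed. The shell function below is an added example, not part of the original chapter; it lints entries against the domain/type/item/value layout. The extra item names, the "-" type and the unlimited/infinity values are taken from limits.conf(5) rather than from this chapter, and the sample entries are constructed.

```sh
#!/bin/sh
# Added example: lint limits.conf-style entries against the
# "domain type item value" format described in this section.

# Items listed in this chapter (the process limit is spelled nproc in limits.conf(5)).
PAGE_ITEMS="core data fsize memlock nofile cpu nproc as maxlogins priority locks"
# Further items documented in limits.conf(5); not listed in this chapter.
MORE_ITEMS="rss stack maxsyslogins sigpending msgqueue nice rtprio"

# check_limits [FILE]: print "line N: reason" for each bad entry.
# Reads stdin when no FILE is given. Returns 1 if anything was reported.
check_limits() {
    awk -v items="$PAGE_ITEMS $MORE_ITEMS" '
        function bad(msg) { print "line " NR ": " msg; rc = 1 }
        BEGIN { n = split(items, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # skip blank lines
        NF != 4 { bad("expected 4 fields, got " NF); next }
        # pam_limits also accepts "-" as type, meaning hard and soft
        $2 != "hard" && $2 != "soft" && $2 != "-" {
            bad("type must be hard, soft or -: " $2); next }
        !($3 in ok) { bad("unknown item: " $3); next }
        $4 !~ /^(-?[0-9]+|unlimited|infinity)$/ {
            bad("value is not a number: " $4) }
        END { exit rc + 0 }
    ' "$@"
}

# Constructed sample input (not from the page); lines 6-8 are wrong on purpose.
sample_limits() {
    cat <<'EOF'
# constructed sample
@users   hard  core       0
@users   hard  nproc      100
@users   soft  nofile     1024
@users   -     cpu        60
guest    hard  maxlogin   2
bob      firm  cpu        10
alice    hard  fsize
EOF
}

sample_limits | check_limits || echo "limits.conf sample has errors" >&2
```

Run it as `check_limits /etc/security/limits.conf`; an entry with a mistyped item or type does not set the limit the administrator intended, so each reported line deserves a look.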