
Hardening down a Linux Server

Hello everyone,
I am running a Debian Woody 3.0 and the uname -a output is "Linux **censored** 2.4.20-021stab022.8.777-enterprise #1 SMP Fri Nov 12 10:42:02 MSK 2004 i686 unknown"

What makes Linux and Windows totally different in a sense of security is that Windows is so way easy to perform security patches and updates management through the proprietary WindowsUpdate(tm). Although Linux may have its own version of "WindowsUpdate", it's kinda hard for a beginner-level entry user to perform security updates for his/her Linux box.

Given the following scenario based on the above operating system,

how do I specifically harden down my Debian Linux server? Is there a full guide to it? Basically I searched for it through Google and came up with some results, but not really detailed and satisfactory. With regard to that, how do I secure my server, which firewall software is feasible to use, allowing the admins to edit settings (iptables is kinda hard), and how do I set up a secure shell environment for my users whereby "exploits, rootkits, messing up" are not allowed and they are only allowed to do what's required and the permission given to them.

This seemed quite difficult to answer, so I am willing to give more than 500 points separately (max points here is 500). Yeah, that's about it.
Asked by: dr0zaxx

1 Solution

sekargopi commented:

ok, quite a bit tough question. question is very broad, lemme try to answer at least a few.

for debian updates, there is an automatic update utility available called apt-get. it can do package install/update/remove/query and whatever you require. it is a command line tool and I am not sure whether there is any GUI front end available for this

for security hardening, the basic rule is to not run any daemons which you really don't require, especially the ones which listen on the network.

there are front end tools available for iptables which can help you out in configuring firewalls. http://www.linuxguruz.com/iptables/ link will give you all types of firewall resources which you are looking for in linux
http://www.linuxlinks.com/Software/Networking/Firewalls/index.shtml link will give you all the front end utilities for iptables configuration

Regards,
Gopi

dr0zaxx (Author) commented:
What about a restricted shell environment? And with regards to the basic rule about not running any daemons which I don't require, which ones are required and which ones are not? About the firewall I will take a look. As for apt-get, I read somewhere on the internet that it's not really good just to update your entire system based on an "apt-get upgrade", since it will basically try to update your entire system and in the process install software/applications which are totally not called for. Any other alternatives? Thanks

sekargopi commented:

I don't exactly understand your idea of a restricted shell environment. basically you can configure a user to have a particular program run instead of dropping him onto a shell. each user has a passwd entry as follows:
root:x:0:0:root:/root:/bin/bash

above is the root user's /etc/passwd entry; in that, if you change /bin/bash to some other program then that program will get executed whenever the user logs on. so if you want a user to see only the top command then change his /etc/passwd entry to this
user1:x:501:501:user:/home/user1:/usr/bin/top
whenever user1 logs on he will be presented with only the top command output and nothing else; the moment he quits the top command he will be logged out.

apt-get has different parameters to do different things.

apt-get dist-upgrade is upgrading from one version to another version, in this process it will install other packages too. but apt-get upgrade will upgrade only the installed packages and it might install new packages to satisfy dependency for the existing package.

http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html link should give you good idea about apt-get

apt-get is officially supported by debian. the only alternative I can think of is yum but I am not sure whether it will handle debian packages. check up with yum

Regards,
Gopi

dr0zaxx (Author) commented:
Thanks for the reply. anyway, my idea of a restricted shell is the user being able to do only the legitimate stuff that he's been assigned to. That means running exploits, rootkits and stuff like that won't work, or viruses. Maybe not allowed to view other users' directories or access any passwd list from /etc etc... Yeah that's it.. any?

sekargopi commented:

that's a general requirement and that is how linux users work.

they work on files/directory permissions

if you don't want the user to go to any other user's home directory just do the following

chmod -R 700 /home/*

this allows only the owner of the directory to access it; others will be denied

you can do the same for /etc/passwd or any other files or directories

generally the permissions in linux are 3

user    read/write/execute
group   read/write/execute
others  read/write/execute

for each file permission the first 3 bits of permission represent the owner of the file, the next 3 bits the group and the next 3 others.

check man chmod to find out more

Regards,
Gopi
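Tying together the two points sekargopi makes above (the login shell field in /etc/passwd, and the group/other permission bits on home directories), here is a small POSIX shell audit script. It is an added example written for this page, not code posted by anyone in the thread. It embeds a constructed passwd-format sample instead of reading the real /etc/passwd, and the function names `interactive_users` and `audit_home_dirs` are my own, not tools that ship with Debian.

```shell
#!/bin/sh
# Added example: audit which accounts get an interactive shell and which
# home directories are reachable by group or others.

# Constructed passwd-format sample (not from a real system). The real
# file would be checked with: interactive_users "$(cat /etc/passwd)"
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user1:x:501:501:user:/home/user1:/usr/bin/top
user2:x:502:502:user:/home/user2:/bin/bash
svc:x:503:503:service:/var/lib/svc:/bin/false'

# Print one user name per line for every entry whose login shell
# (field 7) is a general-purpose shell. Accounts whose "shell" is a
# single program (top, /bin/false, nologin) are skipped, because those
# users never get a command prompt.
interactive_users() {
    printf '%s\n' "$1" | awk -F: '
        {
            n = split($7, p, "/")
            if (p[n] ~ /^(ba|da|k|z|c|tc)?sh$/) print $1
        }'
}

# Report every directory directly under $1 whose group or other bits
# are not all cleared, printing "<dir> <group+other bits>" per line.
# Columns 5-10 of "ls -ld" hold the group and other permission triplets.
audit_home_dirs() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        bits=$(ls -ld "$d" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s %s\n' "$d" "$bits"
    done
}

# Stand-alone run: list interactive accounts in the sample and audit /home.
if [ "${1:-}" = "--run" ]; then
    echo "Accounts with an interactive shell:"
    interactive_users "$SAMPLE_PASSWD"
    echo "Home directories open to group/others:"
    audit_home_dirs /home
fi
```

`audit_home_dirs` deliberately checks only the directory's own mode: clearing the group/other bits on /home/user1 itself is enough to stop other users traversing into it, whereas the `chmod -R` in the answer above also rewrites the mode of every file underneath, which can break files that are meant to be shared. Leave /etc/passwd world-readable: many programs resolve user names through it, and on a shadow-password system the hashes live in /etc/shadow, which is already readable only by root.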
 
PsiCop commented:
"What makes Linux and Windows totally different in a sense of security is that Windows is so way easy to perform security patches and updates"

Baloney. Try installing SUSE Linux and using YaST Online Update (YOU).

Don't judge all Linuxes based on ONE distro.

PsiCop commented:
One thing that DOES make Linux and Windoze totally different, tho, is the fact that it's generally much easier to turn off unneeded/unwanted services in Linux, and generally a default Linux install has a lot fewer services turned on than Windoze.

David Piniella commented:
consider running a hardening tool like bastille: http://www.bastille-linux.org/ (there's a debian version available).

apt-get upgrade will only upgrade what you have installed (and the dependencies of the things that you have installed) -- it won't add new packages just because they're new and available.

PsiCop commented:
For ideas, see also the Center For Internet Security (http://www.cisecurity.com) and their Linux Benchmark. Written for RH/FC, but many things in it will apply to all Linux distros.

chris_calabrese commented:
Debian is designed for hobbyists and researchers. If you find it too difficult, use Red Hat or SuSE.

David Piniella commented:
I would say that's an oversimplification (I've used debian in production environments before). It can be more difficult than some of the more user-friendly distros (mandrake, ubuntu etc).

chris_calabrese commented:
Didn't say it couldn't be used in a production environment, but that's not its reason for being.

PsiCop commented:
My experience is that the most "user-friendly" distro is SUSE, with RH behind that. This doesn't mean SUSE is "better" or whatever other adjective the reader might feel applies to their fave distro, just means that SUSE seems to support the most hardware out-of-the-box (that is, drivers it SHIPS WITH; naturally, practically any driver available for Linux can compiled for any specific distro) and seems to have the "nicest" (again, from an end-user, not kernel-hacker, perspective) installation and configuration interface.

Heck, SUSE Pro 9.1 did a better job of auto-detecting the hardware in my Fujitsu Lifebook than W2K Pro w/SP4 did. And I won't run the Atheros 802.11 ab+g NIC under anything but Linux. Certainly not going to turn it on in Windoze.

xDamox commented:
To secure Debian have a look at what Debian suggests you do:

http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

decoleur commented:
One of the problems with a restricted shell environment, like rbash, is that you have to define applications that the restricted user has access to... and those applications could have methods that will circumvent your restricted shell environment. Some popular examples are vi and the ftp client; both have a method to escape to a command prompt that will not be contained within a restricted shell.

Your best bet is to research seLinux, it was partially developed on Debian and so should be able to work with that. There is a very good O'Reilly book on the topic.

Using seLinux I would consider implementing a strict security policy where you define access on a user/group level and provide for a separation of privileges.

HTH,

-t