Completely new to linux, a few basic security questions

buddylee
Posts: 1
Joined: 2006/03/29 01:27:42

Completely new to linux, a few basic security questions

Post by buddylee » 2006/03/29 01:32:12

Hello! I'm new to linux and I'm enjoying learning all the fun (and confusing) things I can do.

Anyways, I'm trying to set up a server that can do dns, apache, tomcat and mysql and I'm having some success, but anyways, here are my questions, hopefully you guys can help. I want to have as secure of a machine as possible. (I'm using webmin to help me with some configs btw).

1) Does it matter what account bind, apache, tomcat, etc use to startup?
2) How do I keep the root account from logging in remotely? I want to login under my account and then su to root, no term access for root.
3) Is there a checklist that I can go over to make sure my server doesn't have any glaring holes that I just don't know about?
4) Is there a firewall built in to CentOS and if not, should I get one, and which one?

Thank you very much for any help you can provide!

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Completely new to linux, a few basic security questions

Post by ixeous » 2006/03/29 14:06:36

1) Yes. The primary thing you don't want is for services to run as root. They should use unprivileged accounts. If you use the rpm packages, all of the account stuff is taken care of and you do not need to worry about it.

2) Using ssh (and only ssh) for remote login, you need to modify /etc/ssh/sshd_config. Change the line

#PermitRootLogin yes
to
PermitRootLogin no

I also like to change

#Protocol 2,1
to
Protocol 2

This way your ssh server will not allow the use of the older, vulnerable protocol.

3) The best thing to do is to turn off services you are not going to use. If you run the command netstat -tap you will see all of the ports that the machine is listening on. You should see things such as *:ssh *:http and such. You will probably see *:sunrpc which you probably do not need. The "p" part of the netstat command adds a column which tells you which process is listening on the port. In the case of sunrpc, the process is portmap. You should use chkconfig to prevent startup of everything that you will not use. You can stop the process without rebooting by issuing "/etc/rc.d/init.d/[name] stop" on the command line. [name] is the name of the script (ls the init.d directory to see what all is there) associated with the particular service. Most of them are pretty good about having the same name as the process. You might want to leave the x11 port open so you can have X remotely, but you should filter that using either hosts.allow or the firewall in number 4.

Another thing I like to do for security purposes is to prevent any user that is not a member of the wheel group from being able to use the su command. This is especially useful on something such as a web server where apache is running as user apache. If the web server were knocked over, the hacker would most likely have the user rights of the user apache. By enabling the wheel-only option for su, they can't su to root. To set this up, first make your user a member of wheel via the usermod -G command. Use -G not -g. man usermod for more info on that. Second, uncomment the line in /etc/pam.d/su

#auth required /lib/security/$ISA/pam_wheel.so use_uid

by removing the # from the front.

4) There is a built in firewall called iptables. I really like the tutorial at http://iptables-tutorial.frozentux.net/iptables-tutorial.html

mssfrommn
Posts: 1
Joined: 2006/06/23 21:04:02

Re: Completely new to linux, a few basic security questions

Post by mssfrommn » 2006/06/23 21:12:32

[quote]
Another thing I like to do for security purposes is to prevent any user that is not a member of the wheel group from being able to use the su command. This is especially useful on something such as a web server where apache is running as user apache. If the web server were knocked over, the hacker would most likely have the user rights of the user apache. By enabling the wheel-only option for su, they can't su to root. To set this up, first make your user a member of wheel via the usermod -G command. Use -G not -g. man usermod for more info on that. Second, uncomment the line in /etc/pam.d/su

#auth required /lib/security/$ISA/pam_wheel.so use_uid

by removing the # from the front.

4) There is a built in firewall called iptables. I really like the tutorial at http://iptables-tutorial.frozentux.net/iptables-tutorial.html[/quote]

Hi ixeous, thanks for your very good suggestions. I have a question on su. I did make this change and now users not in the wheel group cannot do su. But, when the same (non-wheel) user selects Application---> System Settings and any option, a box is displayed to enter the root password, and if I enter the root password, the non-wheel user can do anything (like create new users/groups, selinux settings). How can I stop this?

Thanks!

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Re: Completely new to linux, a few basic security questions

Post by ixeous » 2006/06/26 13:43:59

Preventing access to those tools is a bit more tedious, but it's essentially the same. Within the /etc/pam.d/ directory there are several files. The "Printing" tool is controlled by /etc/pam.d/printconf-gui. The others have similar files that control them (the system-config files for example). In order to prevent users that are not in the wheel group from being able to access these utilities by entering the root password, you will need to add the same line from su that was commented out to each of those files.

auth required /lib/security/$ISA/pam_wheel.so use_uid

You don't want to add the line to everything though. For example, it's nice if everyone can login.
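The checks ixeous walks through in this thread (PermitRootLogin and Protocol in sshd_config, the pam_wheel line in /etc/pam.d/su and in the system-config PAM files, and reading netstat -tap for listeners you don't need) can be turned into a small audit script. The following is an added example and not code from the thread or from CentOS; it runs against constructed copies of those files so it works anywhere, and the default values it assumes for missing sshd_config keys (PermitRootLogin yes, Protocol 2,1) are the OpenSSH defaults of that era, stated as an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config, a /etc/pam.d file and
# saved "netstat -tap" output for the settings recommended above. The sample
# files below are constructed; pass real paths to audit a host.

# effective_sshd_value FILE KEY: print KEY's value from FILE, skipping
# commented-out lines. sshd honours the first occurrence, so stop at the first.
effective_sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd FILE: succeed only if root login is refused and only protocol 2
# is offered. Assumed defaults when a key is absent: PermitRootLogin yes,
# Protocol 2,1 (the "#PermitRootLogin yes" / "#Protocol 2,1" stock lines).
check_sshd() {
    root=$(effective_sshd_value "$1" PermitRootLogin)
    proto=$(effective_sshd_value "$1" Protocol)
    [ "${root:-yes}" = "no" ] && [ "${proto:-2,1}" = "2" ]
}

# check_pam_wheel FILE: succeed if FILE has an active (uncommented)
# "auth required ... pam_wheel.so" line. Works for su and for the
# system-config-* files mentioned in the last reply.
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$1"
}

# unexpected_listeners NETSTAT_FILE "svc1 svc2 ...": print every TCP listener
# whose service name is not on the allow list, as "service program" per line.
unexpected_listeners() {
    awk -v allow=" $2 " '
        $1 == "tcp" && $6 == "LISTEN" {
            svc = $4;  sub(/.*:/, "", svc)          # "*:sunrpc"      -> "sunrpc"
            prog = $7; sub(/^[0-9-]*\//, "", prog)  # "1234/portmap"  -> "portmap"
            if (index(allow, " " svc " ") == 0) print svc, prog
        }
    ' "$1"
}

# verdict CHECK ARGS...: print PASS/FAIL for one check
verdict() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}

# --- constructed sample files ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/sshd_config.stock" <<'EOF'
# constructed: stock file, both keys still commented out
#PermitRootLogin yes
#Protocol 2,1
EOF

cat > "$tmp/sshd_config.hardened" <<'EOF'
# constructed: after the edits from the thread
PermitRootLogin no
Protocol 2
EOF

cat > "$tmp/su.stock" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
EOF

cat > "$tmp/su.hardened" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
EOF

cat > "$tmp/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:sunrpc                *:*                     LISTEN      1234/portmap
tcp        0      0 *:ssh                   *:*                     LISTEN      1300/sshd
tcp        0      0 *:http                  *:*                     LISTEN      1400/httpd
tcp        0      0 10.0.0.5:ssh            10.0.0.9:40112          ESTABLISHED 1500/sshd
EOF

verdict check_sshd "$tmp/sshd_config.stock"
verdict check_sshd "$tmp/sshd_config.hardened"
verdict check_pam_wheel "$tmp/su.stock"
verdict check_pam_wheel "$tmp/su.hardened"
echo "Listeners not on the allow list (ssh http):"
unexpected_listeners "$tmp/netstat.txt" "ssh http"
```

On a real box, point check_sshd at /etc/ssh/sshd_config, run check_pam_wheel over /etc/pam.d/su and each /etc/pam.d/system-config-* file you have added the line to, and feed unexpected_listeners a file saved with "netstat -tap" run as root (as a normal user the program column shows "-"). Anything the last function prints is a candidate for chkconfig off and an init.d stop, exactly as the reply describes.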
