Network-Security Review for Linux
Working in Linux, you should be familiar with some security mechanisms. A network-security review focuses on assessing the security mechanisms in each of the following areas:
Prevention: Set up a firewall, enable packet filtering, disable unnecessary inetd or xinetd services, turn off unneeded Internet services, use TCP wrappers for access control, and use SSH for secure remote logins.
Detection: Use network intrusion detection and capture system logs.
Response: Develop incident response procedures.
Some key steps in assessing the network security are described here.
Services started by inetd or xinetd
Depending on your distribution, the inetd or xinetd server may be configured to start some Internet services such as TELNET and FTP. The decision to turn on some of these services depends on such factors as how the system connects to the Internet and how the system is being used.
You can usually turn off most inetd and xinetd services by commenting out the line — just place a pound sign (#) at the beginning of the line.
If you are using xinetd, it is possible to see which services are turned off by checking the configuration files in the /etc/xinetd.d directory for all the configuration files that have a disable = yes line. (The line doesn’t count if it’s commented out, which is indicated by a # character at the beginning of the line.)
You can add a disable = yes line to the configuration file of any service that you want to turn off.
Also check the following files for any access controls used with the inetd or xinetd services:
/etc/hosts.allow lists hosts allowed to access specific services.
/etc/hosts.deny lists hosts denied access to services.
Many services, such as apache or httpd (web server) and sendmail (mail server), start automatically at boot time, assuming they’re configured to start that way.
In some distributions, you can use the chkconfig command to check which of these standalone servers are set to start at various run levels. Typically, most systems start up at run level 3 (for text login) or 5 (for graphical login).
Therefore, what matters is the setting for the servers in levels 3 and 5. To view the list of servers, type chkconfig –list | more. When you do a self-assessment of your network security and find that some servers shouldn’t be running, you can turn them off for run levels 3 and 5 by typing chkconfig –level 35 servicename off, where servicename is the name of the service you want to turn off.
In some distributions, you can use a GUI tool to see which services are enabled and running at any run level. With YaST, for example, click System on the left side of the window, and then click Runlevel Editor on the right side of the window.
When you audit network security, make a note of all the servers that are turned on — and then try to determine whether they should really be on, according to what you know about the system.
The decision to turn on a particular service depends on how your system is used (for example, as a web server or as a desktop system) and how it’s connected to the Internet (say, through a firewall or directly).
A penetration test is the best way to tell what services are really running on a Linux system. Penetration testing involves trying to get access to your system from an attacker’s perspective. Typically, you perform this test from a system on the Internet and try to break in or, at minimum, get access to services running on your Linux system.
One aspect of penetration testing is to see what ports are open on your Linux system. The port number is simply a number that identifies TCP/IP network connections to the system. The attempt to connect to a port succeeds only if a server is running, or “listening,” on that port. A port is considered to be open if a server responds when a connection request for that port arrives.
The first step in penetration testing is to perform a port scan. The term port scan describes the automated process of trying to connect to each port number to see whether a valid response comes back. Many available automated tools can perform port scanning — you can install and use a popular port-scanning tool called nmap.
After performing a port scan, you know which ports are open and could be exploited. Not all servers have security problems, but many servers have well-known vulnerabilities. An open port provides a cracker a way to attack your system through one of the servers.
In fact, you can use automated tools called vulnerability scanners to identify vulnerabilities that exist in your system.
Whether your Linux system is connected to the Internet directly (through DSL or cable modem) or through a firewall, use the port-scanning and vulnerability-scanning tools to figure out whether you have any holes in your defenses.