As Linux Mandrake works its way away from its Red Hat roots, they've added a
number of features "out of the box" that make it easier to use as a server.
However, there are still a number of things that I do before considering a
new install "ready" to be configured for offering any services. I recently had
to put together a list of things that I normally do after installation for my
employer, and I figured I would pass this information along to RootPrompt in
the hopes that it will help someone else. Despite the fact that this is geared
towards Mandrake, most of this should apply with very few changes to almost any
distribution.
(Submitted by Ranger Rick Mon Aug 21, 2000)
One of the nicest things about the newest Mandrake releases is a better emphasis
on security. One thing I really like that isn't present in Red Hat is the
'secure' versions of the kernel, which include some of the optional third-party
patches for locking down Linux, the most notable being the 'OpenWall' patches, which help prevent buffer
overflows and /tmp race-condition hacks, as well as restricting access to fifos
and the /proc filesystem. For a complete rundown of what it does, see the README.
While it's not really security-related, another nice thing that Mandrake
supports out of the box is the new ReiserFS filesystem. It
offers journaling, and a btree-based structure that promises to speed things
up as well as use less space.
After Installation
The first thing you should do after installing is to download any official
security patches and updates. The updates are available on most Mandrake
mirrors, in the updates/[version]/RPMS/ directory (or updates/[version]/[arch]/RPMS/
for non-x86 distributions). For the most part, you can just grab anything that's
on your system, and then do an 'rpm -U *.rpm' and you're all set. (as I
understand it, Mandrake has a tool for downloading updates now, I've never used
it, I rarely boot into X :) Keep in mind, however, that you should *NOT*
do an 'rpm -U' on kernel updates. For the full scoop, read the documentation
on performing kernel upgrades, but the short version is to do an 'rpm -i'
(install instead of upgrade) so you can keep your old version around in case
something goes wrong. You can set up LILO to have a menu option for both your
old and new kernels. If you're using reiserfs, you may have to make an
initial ramdisk image (initrd) as well. There's a very good writeup on how
to upgrade your kernel at mandrakeuser.org
to get you started.
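
The split described above (upgrade everything except the kernel, which is installed alongside the old one) can be scripted. This is an added example, not part of the original article; the kernel file-name patterns and the `./updates` directory are assumptions, and a signature check is added ahead of the install commands.

```shell
#!/bin/sh
# Added example, not from the original article.
# The file-name patterns for kernel image packages are an assumption.

# is_kernel_pkg FILE: true for kernel image packages, which must be installed
# alongside the running kernel. kernel-headers, kernel-source and similar
# packages do not match and are upgraded normally.
is_kernel_pkg() {
    case "$(basename "$1")" in
        kernel-[0-9]*|kernel-smp-[0-9]*|kernel-secure-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_updates DIR: print, without running anything, the commands for the
# update RPMs in DIR: a signature check, then 'rpm -U' for ordinary packages
# and 'rpm -i' for kernels. Assumes file names without spaces.
plan_updates() {
    all="" upgrade="" install=""
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue          # directory holds no RPMs
        all="$all $f"
        if is_kernel_pkg "$f"; then
            install="$install $f"
        else
            upgrade="$upgrade $f"
        fi
    done
    if [ -n "$all" ];     then echo "rpm --checksig$all"; fi
    if [ -n "$upgrade" ]; then echo "rpm -Uvh$upgrade"; fi
    if [ -n "$install" ]; then echo "rpm -ivh$install"; fi
}

# Typical use (./updates is a hypothetical download directory):
#   plan_updates ./updates          # inspect the plan
#   plan_updates ./updates | sh -e  # run it, stopping at the first failure
```

Because the plan is piped through `sh -e`, a failed signature check stops the run before any package is touched.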
Perform Some Basic Lockdown Procedures
It used to be that you had to do a lot of this manually, but now there is a
great tool called 'Bastille'. Originally, it was going to be a full
distribution based on Red Hat, but instead they ended up creating a script that
would change the few things that would need to be done to a default Red Hat
installation. The plus side of this is that as of version 1.1, Bastille
supports other distributions besides Red Hat (including Mandrake). You can get
it at SourceForge.
Bastille will ask you a series of questions, with full, verbose explanations of
why the changes should be made. Even if you never plan on setting up a
server, running through the questions is a good way of learning some of the
basic things you have to look out for, security-wise.
To run Bastille, untar it in root's home directory (for some reason, it's
currently hardcoded to run from there), then run the 'InteractiveBastille.pl'
script. You can run this as often as you want without messing with your
setup; it won't do anything until you run the 'BackEnd.pl' script to actually
make the changes, so don't worry if you make a mistake.
Set Up Your Firewall Rules
Bastille can actually create a basic set of firewalling rules for you, but I
personally find PMFirewall to be a bit easier to work with. To download
PMFirewall, go to pointman.org.
Like Bastille, PMFirewall will walk you through some basic questions on what
services (FTP, telnet, etc.) you will be running on your firewall. Keep in mind
that the questions concern the services you want people on the net to
have access to; they do not affect your ability to access these services from
your local network. PMFirewall will also set up your server to do NAT
Masquerading, if you so desire.
Install OpenSSH
OpenSSH is a secure alternative to telnet
and FTP (more specifically, a secure alternative to the rsh/rcp/rexec/etc.
suite of tools). If at all possible, disable telnet on your server.
Yes, it's convenient, yes it's everywhere, and yes, it's totally insecure.
OpenSSH can do everything telnet can, and can do it over an encrypted connection.
There are pre-compiled RPMs on the site, for both OpenSSH and OpenSSL (which
OpenSSH depends on). I cannot stress enough how important this is if you are
going to allow command-prompt access to your server from the net. If you want
to be a bit more careful, you can even raise the number of bits used for the
server encryption key, set in /etc/ssh/sshd_config, from the default of 768
to 1024, or even 2048 for the paranoid. :)
As a side note, if you are forced to access your systems from Windows, there are
a number of SSH clients available, both free and commercial. On the commercial
side, there is a very nice all-around terminal program that supports both
the SSH 1 and 2 protocols, called SecureCRT. If you want
to go the free route (and who doesn't, given a choice? :) there is a fairly
good SSH 1 terminal program called PuTTY. So,
accessing your servers from Windows is not an excuse for leaving telnet around.
:)
Install 'stunnel' For Mail Hosts
If you are going to be allowing POP or IMAP connections to your host, install
stunnel. stunnel is a program that can take any connection on a port and turn
it into an encrypted SSL connection. Some e-mail clients (Outlook, Outlook
Express, and Netscape Mail, for example) support connecting to an SSL POP or
IMAP connection out of the box, and any mail program that doesn't support it
directly can be configured to use stunnel on the client side as well to make
it work. You can get stunnel at stunnel.org. There are numerous examples
on their site for ways to wrap common services with SSL, but it is a necessity
for POP and IMAP mail, both of which send passwords in cleartext.
Uninstall Any Unnecessary Packages
Instead of selecting packages individually at install, I find it easier to remove
the stuff I don't need afterwards. What I will usually do is an 'rpm -qa' to
list every package on my system, and then go through and remove anything I don't
need. This way, if there's something I'm unsure of, it's easy to go to another
window and do an 'rpm -qi [package]' and find out what it does. Even if you do
selectively install things, it's not a bad idea to go through all of the packages
on your system and find out what they do. It's hard to tell if something went
wrong if you don't know how your system was supposed to be in the first place.
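
To make the 'rpm -qa' review repeatable, the package list can be saved as a baseline and compared later. This is an added example, not part of the original article, and it goes one step beyond the text by adding the comparison; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.

# snapshot_packages: list every installed package as
# "name-version-release<TAB>summary", sorted, for review or as a baseline.
snapshot_packages() {
    rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' |
        LC_ALL=C sort
}

# diff_packages BASELINE CURRENT: compare two snapshots and print one line per
# package that appeared or disappeared. An upgraded package shows up as a
# REMOVED line (old version) plus an ADDED line (new version).
diff_packages() {
    old=$(mktemp) && new=$(mktemp) || return 1
    cut -f1 "$1" | LC_ALL=C sort -u > "$old"
    cut -f1 "$2" | LC_ALL=C sort -u > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/ADDED   /'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/REMOVED /'
    rm -f "$old" "$new"
}

# Typical use (paths are hypothetical):
#   snapshot_packages > /root/packages.baseline   # right after the cleanup
#   snapshot_packages > /tmp/packages.now         # at any later date
#   diff_packages /root/packages.baseline /tmp/packages.now
```

An ADDED line that nobody on the team can account for is the cue to run 'rpm -qi' on that package and find out where it came from.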
That's It!
These are some very simple things you can do to make your system more secure, no
matter what you're going to be doing with it. Once you've done this a few times,
excluding actual download time, you can get a nice basic server configured and
ready to go in just a few hours. This is the first time I've written an article
like this, so if you have any comments, I would greatly appreciate your feedback.