- •Table of Contents
- •Introduction
- •Saving Time with This Book
- •Foolish Assumptions
- •Part I: Making the Desktop Work for You
- •Part II: Getting the Most from Your File System
- •Part III: Good Housekeeping with Linux
- •Part IV: Tweaking the Kernel on Your Linux System
- •Part V: Securing Your Workspace
- •Part VI: Networking Like a Professional
- •Part VII: Monitoring Your System
- •Part VIII: Serving Up the Internet and More
- •Part X: Programming Tricks
- •Part XI: The Scary (Or Fun!) Stuff
- •Icons Used in This Book
- •Discovering Your Protocols
- •Managing Snapshots with the camera: Protocol
- •Remote File Management with fish:
- •Getting Help with help:, info:, and man:
- •Other KDE Protocols
- •Using GNOME VFS Modules
- •Stacking VFS Modules
- •Working with Packages: rpm and rpms
- •Putting VFS to Work at the Command Line
- •Burning CDs with a VFS
- •Skinning Your Desktop with VFS
- •Classifying Data with MIME
- •Creating KDE File Associations
- •Creating New MIME Types with GNOME
- •Making Basic Prompt Transformations
- •Adding Dynamically Updated Data to Your Prompt
- •Colorizing Your Prompt
- •Seeing a Red Alert When You Have Superuser Privileges
- •Saving Your Work
- •Completing Names Automatically
- •Using the Escape Key to Your Advantage
- •Customizing Completion for Maximum Speed
- •Using cd and ls to Navigate through bash
- •Setting Your CDPATH Variables to Find Directories Fast
- •Streamlining Archive Searches
- •Turning the Output of a Command into a Variable with $( )
- •Using $UID and $EUID in Shell Scripts
- •Customizing Variables for Rapid Transit
- •Finding the Right Shell Script
- •Choosing your victims
- •Timing is everything
- •Cleaning up made easy
- •Changing prototype scripts
- •Customizing Your Autostart File
- •Navigating the History List
- •Scrolling
- •Summoning a command by number
- •Searching through history
- •Customizing the History List
- •Adjusting key default settings
- •Filtering the history list
- •Executing Commands Quickly with History Variables
- •Viewing Your Aliases
- •Using Aliases for Complex Commands
- •Automating Tedious Tasks with Functions
- •Filtering file searches by file type
- •Automatic downloading
- •Monitoring Your System in a Snap
- •Un-tarring the Easy Way
- •What Is Samba?
- •Getting Up and Running with Samba
- •Checking whether Samba is installed
- •Enabling Samba
- •Adjusting the workgroup name and creating user accounts
- •Giving a Windows machine access to your home directory
- •Sharing Linux files and directories with other computers
- •Hooking Everyone Up to the Printer
- •Sharing Linux printers with SWAT
- •Using a Windows printer from Linux
- •Plugging In to Remote Data with Linux Programs Quickly
- •Finding Files with locate
- •Finding Files with find
- •Qualifying Your Search with the find Command
- •Doing updated filename searches
- •Adding time-based qualifications
- •Filtering by file size
- •Perusing commonly used qualifications
- •Acting on What You Find
- •Displaying specific info with -printf
- •Checking disk usage by user
- •Executing commands with find
- •Building Complex Commands with xargs
- •Creating Archives with File Roller
- •Inspecting and Extracting Archives with File Roller
- •Adding Functionality to tar with Complex Commands
- •Building archives from the command line
- •Archiving complex search results
- •Backing up an installed package
- •Uprooting Entire Directory Trees with scp
- •Splitting Big Files into Manageable Chunks
- •Building Software from Downloaded tarballs
- •Compiling a tarball: The basic steps
- •Downloading and compiling SuperKaramba
- •Versatile Downloading with wget
- •Mirroring sites with wget
- •Verifying your bookmarks with wget
- •Downloading files with wget
- •Downloading and unpacking in one quick step
- •Downloading and Uploading with curl
- •Setting Up ADIOS
- •Downloading ADIOS
- •Burning ADIOS to CD
- •Installing ADIOS
- •Finding Your Way around UML
- •Connecting to the Internet from an ADIOS VM
- •Using a GUI with UML
- •Installing Software into UML
- •Merging Changes to Your Prototype
- •Querying RPM Packages for Content
- •Digesting Information
- •Creating a Package Index
- •Querying for Prerequisites
- •Dissecting an RPM Package
- •Using RPM at the Command Line
- •Removing RPMs
- •Flagging Down RPM
- •Getting Graphic with RPM
- •Using Rpmdrake to install from media
- •Installing from your Konqueror browser
- •Verifying Your System
- •Reading the Tamper-Proof Seal
- •Setting Up Synaptic and apt in a Snap
- •Keeping Up-to-Date with apt and Synaptic: The Basics
- •Handy Hints about Synaptic
- •Changing repositories
- •Viewing package details
- •Installing new packages with Synaptic
- •Importing the Keys to the Repository
- •Letting Task Scheduler Work for You
- •Scheduling a new task
- •Editing a task
- •Adding environment variables
- •Reining In Resources with Disk Quotas
- •Installing the quota RPM package
- •Enabling file system quotas
- •Getting your files together
- •Setting quotas
- •Reviewing your quotas
- •Using System Accounting to Keep Track of Users
- •Setting up system accounting
- •Looking up user login hours
- •Checking out command and program usage
- •Running Down the Runlevels
- •Runlevel basics
- •Customizing runlevels in Fedora
- •Customizing runlevels in SuSE
- •Customizing runlevels in Mandrake
- •Customizing runlevels at the command line
- •Switching to a new runlevel
- •Disabling Unused Services
- •Removing Unneeded Services
- •Learning about modules
- •Installing a module with insmod
- •Taking care of dependencies automatically with modprobe and depmod
- •Loading a module for a slightly different kernel with insmod and modprobe
- •Removing modules with rmmod
- •Step 1: Making an Emergency Plan, or Boot Disk
- •Step 2: Finding the Source Code
- •Step 4: Customizing the Kernel
- •Step 5: Building the Kernel
- •Understanding the Principles of SELinux
- •Everything is an object
- •Identifying subjects in SELinux
- •Understanding the security context
- •Disabling or Disarming SELinux
- •Playing the Right Role
- •Exploring the Process-Related Entries in /proc
- •Surveying Your System from /proc
- •Popping the Cork: Speeding Up WINE with /proc
- •Reading and Understanding File Permissions
- •Controlling Permissions at the Command Line
- •Changing File Permissions from a Desktop
- •Encryption Made Easy with kgpg and the KDE Desktop
- •Creating keys with kgpg
- •Sharing your key with the world
- •Importing a public key from a public-key server
- •Encrypting and decrypting documents with drag-and-drop ease
- •Encrypting Documents with gpg at the Command Line
- •Sharing a secret file
- •Creating a key pair and receiving encrypted documents
- •Encrypting documents on your home system
- •Encrypting E-Mail for Added Security
- •Encrypting with Ximian Evolution
- •Setting up Mozilla e-mail for encryption
- •Sending and receiving encrypted messages with Mozilla mail
- •Using Cross-Platform Authentication with Linux and Windows
- •Prepping for cross-platform authentication
- •Setting up cross-platform authentication
- •Using PAM and Kerberos to Serve Up Authentication
- •Establishing synchronized system times
- •Testing your domain name server (DNS)
- •Setting up a Key Distribution Center
- •Setting up automatic ticket management with Kerberos and PAM
- •Adding users to the Key Distribution Center
- •Building Good Rules with PAM
- •Phase
- •Control level
- •Module pathname
- •Arguments
- •Dissecting a Configuration File
- •Skipping a Password with PAM
- •Feeling the Power
- •Gaining Superuser Privileges
- •Pretending to Be Other Users
- •Limiting Privileges with sudo
- •Installing sudo
- •Adding Up the Aliases
- •Adding Aliases to the sudo Configuration File
- •Defining the Alias
- •Creating a User_Alias
- •Creating a Runas_Alias
- •Simplifying group managment with a Host_Alias
- •Mounting and unmounting CDs without the superuser password
- •Managing access to dangerous commands with command aliases
- •Using SSH for Top-Speed Connections
- •Setting Up Public-Key Authentication to Secure SSH
- •Generating the key pair
- •Distributing your public key
- •Passing on your passphrase
- •Logging In with SSH and Key Authentication
- •Starting from the command line
- •Getting graphic
- •Creating Shortcuts to Your Favorite SSH Locations
- •Copying Files with scp
- •Secure (And Fast) Port Forwarding with SSH
- •Finding Your Firewall
- •Setting up a simple firewall in Mandrake Linux
- •Setting up a simple firewall in Fedora Linux
- •Setting up a simple firewall in SuSE Linux
- •Editing the Rules with Webmin
- •Starting a Webmin session
- •Reading the rules with Webmin
- •Changing the rules
- •Editing existing rules
- •Adding a new rule with Webmin
- •Sharing Desktops with VNC
- •Inviting Your Friends to Use Your Desktop
- •Serving Up a New Desktop with VNC Server
- •Using tsclient to View Remote Desktops from Linux
- •Using tsclient with a VNC server
- •Using tsclient with an RDP server
- •Creating New VNC Desktops on Demand
- •Switching display managers in SuSE Linux
- •Switching display managers in Mandrake Linux
- •Connecting gdm and VNC
- •Exploring Your Network with lsof
- •Running lsof
- •Interpreting the lsof output
- •Reading file types
- •Discovering Network Connections
- •Other Timesaving lsof Tricks
- •Packet Sniffing with the Ethereal Network Analyzer
- •Starting Ethereal
- •Capturing packets
- •Applying filters to screen packets
- •Peeking in packets
- •Color-coding packets coming from your network
- •Getting Up and Running with Nessus
- •Installing programs Nessus needs to run
- •Installing Nessus
- •Adding a user to Nessus
- •Generating a certificate
- •Starting the daemon and the interface
- •Reading the grim results
- •Keeping Your Plug-ins Up-to-Date
- •Chatting in the Fedora Chat Room
- •Looking for Answers in the SuSE Chat Room
- •Processing Processes with procps
- •Using ps to filter process status information
- •Viewing ps output the way you want to see it
- •Making parent-child relationships stand out in a ps listing
- •Climbing the family tree with pstree
- •Finding processes with pgrep
- •Killing Processes with pkill
- •Killing Processes with killall
- •Closing Windows with xkill
- •Managing Users and Groups with the Fedora/Mandrake User Manager
- •Adding new users
- •Modifying user accounts
- •Adding groups
- •Filtering users and groups
- •Managing Users and Groups with the SuSE User Administrator
- •Adding new users
- •Modifying user accounts
- •Adding groups
- •Filtering users and groups
- •Adding and deleting log files from the viewer
- •Setting up alerts and warnings
- •Viewing your log files from SuSE
- •Monitoring your log files from SuSE
- •Customizing Your Log Files
- •Keeping an Eye on Resources with KDE System Guard
- •Finding and killing runaway processes
- •Prioritizing processes to smooth a network bottleneck
- •Watching your system load
- •Creating a new worksheet
- •Creating system resource logs
- •Displaying network resources
- •Using Synaptic to download and install Apache
- •Installing Apache from disc
- •Starting the Apache Service
- •Building a Quick Web Page with OpenOffice.org
- •Taking Your Site Public with Dynamic DNS
- •Understanding how dynamic DNS works
- •Setting up dynamic DNS
- •Updating your IP address
- •Installing the Fedora HTTP Configuration tool
- •Putting the HTTP Configuration tool to work
- •Watching Your Web Server Traffic with apachetop
- •Installing apachetop
- •Running and exiting apachetop
- •Navigating apachetop
- •Switching among the log files (or watching several at once)
- •Changing the display time of apachetop statistics
- •Accessing MySQL Control Center features
- •Viewing, managing, and repairing a database with the Databases controls
- •Putting the Server Administration controls to work
- •Adding a new user
- •Watching Your MySQL Traffic with mtop
- •Gathering all the packages that mtop needs
- •Installing mtop
- •Monitoring traffic
- •Building a MySQL Server
- •Installing the necessary packages
- •Starting the MySQL server
- •Replicating MySQL Data
- •Configuring replication: The three topologies
- •Setting up replication for a single slave and master
- •Choosing a Method to Back Up MySQL Data
- •Backing Up and Restoring with mysqldump
- •mysqldump backup options
- •Backing up multiple databases
- •Compressing the archive
- •Restoring a mysqldump archive
- •Making a mysqlhotcopy of Your Database
- •Archiving a Replication Slave
- •Taking Care of Business with MySQL Administrator
- •Installing MySQL Administrator
- •Starting MySQL Administrator
- •Choosing an SSL Certificate
- •Creating a Certificate Signing Request
- •Creating a Signing Authority with openssl
- •Creating a certificate authority
- •Signing a CSR
- •Exploring Your Certificate Collection with Mozilla
- •Introducing hotway
- •Getting Started with hotway
- •Setting Up Evolution to Read HTTPMail Accounts with hotway
- •Ringing the Bells and Blowing the Whistles: Your Evolution Summary Page
- •Installing SpamAssassin
- •Installing from the distribution media
- •Installing from RPM downloads
- •Starting the service
- •Fine-Tuning SpamAssassin to Separate the Ham from the Spam
- •Customizing settings
- •Saving your settings
- •Adding a New Filter to Evolution
- •Serving Up a Big Bowl of the RulesDuJour
- •Registering Your Address
- •Taming a Sendmail Server
- •Tweaking Your Configuration Files with Webmin
- •Serving up mail for multiple domains
- •Relaying e-mail
- •Using aliases to simplify mail handling
- •Deciding What to Archive
- •Choosing Archive Media
- •Tape drives
- •Removable and external disk drives
- •Removable media
- •Optical media (CDs and DVDs)
- •Online storage
- •Choosing an Archive Scheme
- •Full backups
- •Differential backups
- •Incremental backups
- •Incremental versus differential backups
- •Choosing an Archive Program
- •Estimating Your Media Needs
- •Creating Data Archives with tar
- •Backing up files and directories
- •Backing up account information and passwords
- •Targeting bite-sized backups for speedier restores
- •Rolling whole file systems into a tarball
- •Starting an Incremental Backup Cycle
- •Restoring from Backup with tar
- •Backing Up to CD (Or DVD) with cdbackup
- •Creating the backup
- •Restoring from a CD or DVD backup
- •Restoring from a disc containing multiple archives
- •Combining the Power of tar with ssh for Quick Remote Backups
- •Testing the ssh connection to the remote host
- •Creating a tar archive over the ssh connection
- •Backing up to tape drives on remote machines
- •Backing Up to a Remote Computer with rdist and ssh
- •Testing the ssh connection to the remote host
- •Creating the distfile
- •Backing up
- •Getting Started with CVS
- •Checking whether CVS is installed
- •Discovering what to use CVS for
- •Creating a CVS Repository
- •Populating Your Repository with Files
- •Simplifying CVS with cervisia
- •Installing cervisia
- •Putting files in your sandbox
- •Adding more files to your repository
- •Committing your changes
- •Browsing your log files
- •Marking milestones with tags
- •Branching off with cervisia
- •Using the libcurl Library (C Programming)
- •Uploading a File with a Simple Program Using libcurl
- •Line 7: Defining functions and data types
- •Line 14: Calling the initialization function
- •Lines 18– 21: Defining the transfer
- •Line 23: Starting the transfer
- •Line 26: Finishing the upload
- •Installing the Ming Library
- •Building a Simple Flash Movie with Ming
- •Examining the program
- •Compiling the program
- •Running the program
- •Building Interactive Movies with Ming
- •Examining the program
- •Compiling the program
- •Running the program
- •Doing the curl E-shuffle with PHP
- •Combining PHP with curl and XML: An overview
- •Checking out the XML file
- •Downloading and displaying the XML file with a PHP script (and curl)
- •Sending E-Mail from PHP When Problems Occur
- •Debugging Perl Code with DDD
- •Installing and starting DDD
- •Examining the main window
- •Reviewing and stepping through source code
- •Making Stop Signs: Using Breakpoints to Watch Code
- •Setting a breakpoint
- •Modifying a breakpoint
- •Opening the data window
- •Adding a variable to the data window
- •Changing the display to a table
- •Using the Backtrace feature
- •Using the Help menu
- •Making Fedora Distribution CDs
- •Downloading the ISO images
- •Verifying the checksums
- •Burning an ISO File to Disc at the Command Line
- •Finding the identity of your drive
- •Running a test burn
- •Burning the distribution discs
- •Burning CDs without Making an ISO First
- •Finding setuid quickly and easily with kfind
- •Finding setuid and setgid programs at the command line
- •Deciding to Turn Off setuid or setgid
- •Changing the setuid or setgid Bit
- •Who Belongs in Jail?
- •Using UML to Jail Programs
- •Using lsof to Find Out Which Files Are Open
- •Debugging Your Environment with strace
- •Investigating Programs with ltrace
- •Handy strace and ltrace Options
- •Recording Program Errors with valgrind
- •Hardening Your Hat with Bastille
- •Downloading and installing Bastille and its dependencies
- •Welcome to the Bastille
- •Addressing file permission issues
- •Clamping down on SUID privileges
- •Moving on to account security
- •Making the boot process more secure
- •Securing connection broker
- •Limiting compiler access
- •Limiting access to hackers
- •Logging extra information
- •Keeping the daemons in check
- •Securing sendmail
- •Closing the gaps in Apache
- •Keeping temporary files safe
- •Building a better firewall
- •Port scanning with Bastille
- •Turning LIDS On and Off
- •Testing LIDS before Applying It to Your System
- •Controlling File Access with LIDS
- •Hiding Processes with LIDS
- •Running Down the Privilege List
- •Getting Graphical at the Command Line
- •Getting graphical in GNOME
- •Getting graphical with KDE
- •Staying desktop neutral
- •Index
Hardening Your Hat with Bastille |
459 |
The umask for every process is inherited from the user account that starts the process. The umask controls the permissions for a file; the permissions are assigned when the file is created. If the umask lets everyone read and write everything, your system isn’t very secure. Accept the default answer of Yes and click OK.
What umask would you like to set for users on the system?
The umask setting affects file permissions. The default answer, 077, is the most secure setting. With a umask of 077, new files are protected so that only the file’s owner is allowed read, write, or execute access. You may want to relax this setting a bit, depending on your work environment. If you’re a tight-knit, trustworthy group that knows better than to keep any sensitive information in unencrypted files, you’ll be safe enough with a lower umask setting. Technique 27 contains helpful information about interpreting and setting file permissions. Enter your umask level and click OK.
Check out Technique 28 for some helpful ideas about encrypting documents.
Should we disallow root login on tty’s 1-6?
This question is phrased a little strangely. If you answer Yes to this question (which we recommend), you must have physical access to your computer to log in as user root. That’s a good idea because if intruders manage to steal your root password, they’ll need to be seated at the console before they can use it (or, they’ll have to steal a second, nonprivileged password as well).
Disabling root login on tty lines does not prevent you from gaining superuser privileges when you’re logging in remotely; you’ll just have to log in with a nonprivileged account first and then use su to give yourself superuser privileges.
We think this one’s a good idea, so check the Yes box and click OK.
Making the boot process more secure
Would you like to password protect the GRUB prompt?
This is a touchy one. If you enable it, you’ve got a really secure system. But if you forget the boot password, you’re out of luck; you pretty much need to reload the operating system at that point. We suggest choosing No, for safety’s sake. While this may seem like you’re leaving your boot process unprotected, you’re really ensuring that you can get back in without completely reinstalling Linux from scratch if you accidentally forget your boot password. Click OK when you’ve made your choice.
If you do choose to not password protect your boot prompt, be sure that you control physical access to your workstation. Anyone with physical access to your machine will be able to boot it if there is no GRUB password.
Would you like to disable CTRL-ALT-DELETE rebooting?
Many of these questions have to do with the physical security of your system. If your system is behind a locked door, you may want to leave some of these loopholes open for your use. We usually accept the default answer of No for the sake of convenience. That way, anyone with physical access to the workstation keyboard can reboot your computer.
Would you like to password protect single-user mode?
It’s a good idea to protect single-user mode, especially if you’ve left Ctrl-Alt-Delete rebooting active. If single-user mode is unprotected, anyone with physical access to your computer can reboot your system, lock out all users (including you), and change the root password. If you do choose to password protect single-user mode, anyone choosing to boot into single-user mode will be prompted for a password at boot time. Accept the default answer of Yes and click OK.
460 Technique 60: Securing the Fort with Bastille
Securing connection broker
The secureInetd server (xinetd) acts as a connection broker for a number of network services. xinetd listens for client requests coming in on specific ports and starts the associated server when a request arrives.
Would you like to set a default-deny on TCP Wrappers and xinetd?
If your computer has multiple network interfaces, you can define a default policy that determines whether your services are offered only to your local network, or provided to the world. It’s a good idea to follow Bastille’s recommendation and choose No. Click OK to continue.
Should Bastille ensure the telnet service does not run on this system?
Yes, please. telnet is very insecure and can give a hacker an easy way to break into your computer. You and your users will benefit from using ssh instead. Accept the default answer (Yes) and click OK.
Should Bastille ensure inetd’s FTP service does not run on this system?
Unless you really need an FTP server, it’s a good idea to accept the default answer of Yes. You can use the scp program to copy files securely instead (see Technique 33). Click OK.
Would you like to display “Authorized Use” messages at log-in time?
This isn’t a bad idea. If you catch a cracker in your system, a “legaleeze” banner may help if you choose to prosecute. Accept the default answer of Yes and click OK.
The banner is placed in /etc/issue. Add specific information about your site to the banner. If you’re running a corporate site, it’s a good idea to seek legal advice about the banner verbiage.
Click OK to continue.
Who is responsible for granting authorization to use this machine?
Enter contact information in the Answer field and click OK.
Limiting compiler access
Would you like to disable the gcc compiler?
If you choose to disable the gcc compiler, hackers who do get into your system won’t be able to compile troublemaking software without the root password. However, if your users regularly compile programs, they’ll need access to gcc. Check the box next to the answer that best suits your company’s scenario and then click OK.
Limiting access to hackers
Would you like to put limits on system resource usage?
A denial of service attack shuts down your system by tying up system resources. Limiting system resource usage can make most denial of service attacks somewhat ineffective. If you’re on a machine shared by many users, it’s a good idea to limit system resources. On your own personal machine, you may want to accept the default of No. Check the appropriate box and click OK.
Should we restrict console access to a small group of user accounts?
On some systems, if you log in at a console (as opposed to logging in across the Net), you gain special privileges (such as the ability to mount drives). Accept the default of No and click OK to continue.
Logging extra information
Would you like to add additional logging?
If you choose Yes, this setting enables additional logging. Kernel messages are sent to /var/log/ kernel, and system errors and warnings are sent to
Hardening Your Hat with Bastille |
461 |
/var/log/syslog. You can also view the optional logs by pressing Ctrl-Alt-F7 and Ctrl-Alt-F8. These files won’t interfere with the regular log files. Accept the default answer of Yes and click OK. Then click OK
to continue.
Do you have remote host logging?
You really only need to have sendmail running in daemon mode if you’re running a mail server. If you’re not running a mail server, accept the default answer of Yes and click OK.
Would you like to run sendmail via cron to process the queue?
If you’ve configured your computer to write system log files to a remote host, click Yes. If not, click No and click OK to continue.
What is the IP address of the machine you want to log to?
If you answered Yes to the last question, enter the IP address of the remote machine and click OK.
Keeping the daemons in check
Bastille uses the answers to your questions in this module to decide if it’s safe to disable daemons (background server processes) running on your system that might leave an open door for a hacker.
Would you like to disable apmd?
This daemon monitors battery power on notebook computers. If you frequently work off the grid, you may want to leave apmd turned on; otherwise, click OK to accept the default answer of Yes.
Would you like to disable GPM?
GPM is a daemon that makes the mouse work when you’re running in console mode (that is, when you’re not using X Windows). If you’re planning on working in console mode, but want to retain your mouse functionality, click No; otherwise, choose Yes and click OK.
Securing sendmail
Do you want to stop sendmail from running in
If an outbound message doesn’t make it through to its destination on the first try, choosing Yes schedules a cron job telling the mail queue to try again in 15 minutes. Accept the default answer of Yes and click OK.
Would you like to bind the web server to listen only to the localhost?
If you choose this option, only your machine can access your Apache Web server. It’s kind of pointless unless you do a lot of Web development and need to preview your pages in a live server. Accept the default answer of No and click OK.
Would you like to bind the web server to a particular interface?
If you have two network cards, choose Yes to tell Apache to listen to only one card. This is particularly useful if you’re hosting a Web server for inhouse data distribution. Make your choice and click OK.
If you chose Yes, enter your card’s IP address and click OK.
Closing the gaps in Apache
If you have an Apache server running on your system, you’ll be prompted to answer a series of questions designed to better tailor the security surrounding your server.
The next few questions help close specific security gaps in Apache. Click OK to continue.
daemon mode?
462 Technique 60: Securing the Fort with Bastille
Would you like to deactivate the following of symbolic links?
Deactivating symbolic links helps prevent visitors from viewing files that are not included in the Web page directories. Accept the default answer of Yes and click OK.
Would you like to deactivate server-side includes?
A server-side include (SSI) is a program that generates or modifies an HTML Web page. If intruders manage to inject a Trojan server-side include program on your system, they can exploit your Web server to their liking. If you disable server-side includes, it’s one less security risk. Accept the default answer of Yes and click OK.
Would you like to disable CGI scripts, at least for now?
If you’re not using them, shut ’em down. Accept the default answer of Yes and click OK.
Would you like to disable indexes?
If you turn off the indexes, people can’t discover the things that you’ve left lying around on your Web server. To access any page, the visitor needs to start with a specific address and then browse using links that you provide. If you leave automatic indexes enabled, Apache will happily create indexes on the fly, possibly exposing your dirty laundry. As a rule, we think it’s a good idea to turn off automatic indexes. Check the box next to Yes and click OK.
Keeping temporary files safe
Would you like to install TMPDIR/TMP scripts?
This creates a safe temporary directory for each user. If you can’t all share one temporary directory, you have the option to create individual directories. Based on your system usage, choose your option and click OK.
Building a better firewall
Would you like to run the packet filtering script?
If you choose this option, you’re led through a series of questions to build and customize your firewall. Choose Yes and click OK if you want to configure a Bastille firewall. The Bastille firewall is a very robust and highly customized piece of software. We’ll try to offer some guidance as you go, but you’ll need to keep the requirements of your network in mind as you answer the questions.
Do you need the advanced networking options?
Generally, answer No if you’re on a small system, and Yes if you deal with multiple interfaces or provide IP Masquerading services. Enter your choice and click OK.
DNS Servers:
Most Linux distributions use kernel version 2.4 (or later), so you can safely ignore this question. Just accept the default value and click OK.
Public Interfaces:
List the names of all the network interfaces connected to public networks. If you have an Ethernet card in your computer, type eth+. If you have a modem attached to your computer, type ppp+ slip+. If you have both, enter eth0 ppp+ slip+. Click OK to continue.
TCP services to audit:
Bastille wants to know which TCP services you want to log. Bastille logs connection attempts on the following services by default:
telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
But you can customize it to better suit your needs. Accept the default or customize the answer, and then click OK.
Hardening Your Hat with Bastille |
463 |
UDP services to audit:
Specify any UDP services that you want to log. The default connection is 31337, a well-known security hole. Add any ports you want to monitor or accept the default and then click OK.
ICMP services to audit:
Specify any ICMP services that you want to audit. This includes logging for connection attempts from services like ping. Unless you have a specific security concern that you want to address, accept the default and click OK.
TCP service names or port numbers to allow on public interfaces:
If you’re running a Web server and want to allow public access, you need to make port 80 accessible to the public. Another port you may want to leave open is 22 — ssh gains access through port 22. Enter the port numbers in the Answer field (separated by a blank space) and click OK.
UDP service names or port numbers to allow on public interfaces:
If you’re running caching or DNS servers, you need to allow access to port 53. For most workstations, leave this blank and click OK.
You’ve likely just hit a blank window — no questions, no answers. This is a good time to get a cup of coffee and stretch. More questions are coming when you click OK.
Force passive mode?
This option determines how FTP clients on your system access other servers. Forcing passive mode is more secure, but is also somewhat inconvenient for your users. Unless you have a very high-profile network with serious security risks, it’s probably a good idea to accept the default of No and click OK.
Bastille recommends a series of services you should consider blocking. You can find the names that correspond to the default entries in the file /etc/protocols. As Bastille says, this question is not important for 2.4 (and higher) kernels. Most distributions use a 2.4 (or higher) kernel, so we recommend accepting the default entry.
UDP services to block:
Like the TCP services, Bastille recommends the UDP services you should block. Click OK to accept the default.
ICMP allowed types:
The default recommendations from Bastille are good:
destination-unreachable: Allows other servers to inform you when a connection fails
echo-reply: Must be enabled for ping to work
time-exceeded: Must be enabled for traceroute to work
Enable source address verification?
Enabling source address verification helps the kernel block traffic with falsified addresses. It’s a very good idea to accept the default answer of Yes and click OK.
Break time again. Click OK to continue.
Reject method:
The reject method determines how the kernel deals with blocked traffic.
If you choose to reject the traffic, a remote machine feeling around for a connection gets a polite reply stating that the requested service is not available. The disadvantage of this kindness? Now potential intruders know you’re out there if they want to launch an attack.
TCP services to block: