Saw this post about a “10 step approach to a secure server” and decided to sort through old courseware I’d written and filter through my bookmarks to provide readers with a fairly comprehensive list of resources for hardening a Linux box (regardless of flavor/distribution/vendor/purpose).
Bearing in mind that there are probably several hundreds of websites and whitepapers that talk to this topic, I’ve tried my best to filter the wheat from the chaff, leaving only those resources that I believe are valuable and offer some unique insight, perspective or technique…
I will also try to keep this page up-to-date by adding new resources as I find them.
From Hardening Linux: a 10 step approach to a secure server, which provides a basic, high-level overview of the hardening process:
This list of steps is intended as a guideline with a practical approach. We’ll try to provide a complete picture without getting into unnecessary details. This list won’t replace a good book on secure systems administration, but it will be useful as a quick guide.
You should probably at least look over CERT’s UNIX Configuration Guidelines prior to beginning the process, as it should help to give you a good framework for understanding what you are trying to protect and how.
This document describes commonly exploited UNIX system configuration problems and recommends practices that can be used to help deter several types of break-ins. We encourage system administrators to review all sections of this document and modify their systems to fix potential weaknesses. In addition to the information in this document, we provide three companion documents that may help you.
- http://www.cert.org/tech_tips/intruder_detection_checklist.html contains suggestions for determining if your system may have been compromised
- http://www.cert.org/tech_tips/win-UNIX-system_compromise.html contains suggested steps for recovering from a root compromise on UNIX and Windows NT systems
- http://www.cert.org/tech_tips/security_tools.html contains descriptions of tools that can be used to help secure a system and deter break-ins
A couple of oldies but goodies from the September and October 2002 issues of Linux Magazine. First, Hardening Linux Systems, which covers securing the physical system and installing the OS:
• Hardening activities must be performed before the system is placed on the network. Why? Because any system attached to a network prior to hardening has a chance, however small, of already being modified. You must begin the hardening process from a known, good system state. You must reinstall the operating system before you harden an existing system.
• Successful hardening is based on a least-privilege security model. The system should be open only as much as is needed to function properly. Similarly, users should be given the minimum amount of access that they need.
Then, Hardening, Part 2: Securing Services, which goes into detail on finding and disabling/removing unnecessary services and chrooting/sandboxing those that are necessary for the host to function properly.
And, of course, dated but absolutely necessary pre-requisite reading, Improving the Security of Your Site by Breaking Into it by Dan Farmer and Wietse Venema.
Check out the extensive, if poorly organized, Linux-Sec.net:
1. Read the various Security and Hardening HowTo
2. Create a Network and System Admin Policy
3. Install from a Linux CDROM into the properly sized disk partitions
4. Apply all Patches for that particular linux distribution
5. Compile and install your own kernel (see the Kernel-HOWTO)
6. Turn off unused daemons and harden services, change file/directory permissions
7. Add additional security updates for various servers
8. Test/Audit your new server for Exploits/Vulnerabilities
9. Install and Monitor Your Servers and Networks
10. Install your Intruder Detection System ( IDS )
11. Backup your tested/clean server
12. Read and Understand your Security log files and messages
13. Send yourself emails and pages when a security breach occurred
14. Upon a security breach, find out how and when they got into your system and fix the vulnerability
15. Repeat from the beginning with the cdrom installs
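Two of the steps above (6, turning off unused daemons and fixing file permissions, and 8, auditing the result) and the service-disabling advice in the Linux Magazine "Securing Services" article come down to the same two checks: what is listening that should not be, and what on the filesystem is writable or privileged that should not be. The script below is an added example written for this page, not code from any of the linked guides. It assumes you have already decided on an allow-list of services the host is supposed to expose; the socket lines and the sample directory tree it audits are constructed here so the script runs offline, and on a real host you would feed it the output of `ss -Hltnup` or `netstat -tulpn` and point it at `/`.

```shell
#!/bin/sh
# Hardening audit helpers (added example, not from any of the linked guides).
#  1. unexpected_services: compare listening services against an allow-list.
#  2. audit_perms: find world-writable files, setuid/setgid binaries and
#     world-writable directories that lack the sticky bit.
export LC_ALL=C   # deterministic sort order

# Constructed sample in the shape "proto local-address program", roughly what
# you would extract from `ss -Hltnup` or `netstat -tulpn` on a real host.
SAMPLE_SOCKETS='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:25 sendmail
tcp 127.0.0.1:631 cupsd
udp 0.0.0.0:111 rpcbind
tcp 0.0.0.0:443 httpd'

# unexpected_services ALLOWLIST
#   Reads "proto addr program" lines on stdin and prints, space-separated and
#   sorted, the programs that are not in the space-separated ALLOWLIST.
#   Anything printed is a daemon to disable, remove or justify.
unexpected_services() {
    allowed=" $1 "
    while read -r proto addr prog; do
        [ -z "$prog" ] && continue
        case "$allowed" in
            *" $prog "*) ;;                    # on the allow-list: expected
            *) printf '%s\n' "$prog" ;;        # not on the allow-list: flag it
        esac
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit_perms ROOT
#   Walks ROOT and prints one sorted line per finding, paths relative to ROOT.
#   -perm -MODE matches when *all* bits of MODE are set, so -perm -0002 is
#   "world-writable" and ! -perm -1000 is "no sticky bit".
audit_perms() {
    root=$1
    {
        find "$root" -type f -perm -0002 | sed 's|^|world-writable file: |'
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            | sed 's|^|setuid/setgid binary: |'
        find "$root" -type d -perm -0002 ! -perm -1000 \
            | sed 's|^|world-writable dir without sticky bit: |'
    } | sed "s|$root/||" | sort
}

# make_sample_tree
#   Builds a constructed miniature filesystem in a temp dir and prints its path.
#   It mixes correct permissions with the mistakes the audit should catch.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc" "$root/var/spool" "$root/tmp"
    : > "$root/bin/ping";   chmod 4755 "$root/bin/ping"    # setuid: must be justified
    : > "$root/etc/motd";   chmod 0666 "$root/etc/motd"    # world-writable: wrong
    : > "$root/etc/passwd"; chmod 0644 "$root/etc/passwd"  # correct
    chmod 0777 "$root/var/spool"   # world-writable dir, no sticky bit: wrong
    chmod 1777 "$root/tmp"         # world-writable but sticky: expected for /tmp
    printf '%s\n' "$root"
}

# Demonstration on the constructed data.
echo "Listening services not on the allow-list (sshd httpd):"
printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_services 'sshd httpd'
echo
echo "Permission findings in the sample tree:"
tree=$(make_sample_tree)
audit_perms "$tree"
rm -rf "$tree"
```

On a live system, the socket check is only as good as the allow-list, so write the list from the host's documented purpose rather than from what happens to be running today, which is exactly the "known good state" point the Linux Magazine article makes. The permission check deliberately treats a sticky-bit `/tmp` as expected and a world-writable spool directory without the sticky bit as a finding; review each setuid hit against the distribution's package list rather than stripping the bit blindly, since `ping`, `su` and `passwd` need it.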
You might also find some useful gems at the SANS InfoSec Reading Room - Security White Papers page.
I can highly recommend the use of Bastille (which was covered in the Open Source Security Tools class I wrote for VeriSign in 2000). Bastille not only helps to automate the hardening process, but can be an excellent educational tool as well, walking the user through each step of the hardening process with a well-designed interface and extensive documentation:
The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works. Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX and Mac OS X.
There are some excellent tools and documentation at the Center for Internet Security - Linux Benchmarks page.
And finally, a few distro-specific resources:
Securing and Optimizing Linux, RedHat Edition (a very thorough guide)
Internet Server Security and Configuration Tutorial (also RedHat-centric)
Gentoo Security Handbook
The rest (mostly just repetition), for your bookmarking pleasure:
- A very limited document at NACS - Securing a UNIX Machine
- Another list of lists at Linux-Sec.net
- An old article at Linux Gazette on Securing Your Linux Box LG #34
- UVa’s UNIX/Linux Security Best Practices
- Lance Spitzner’s Preparing Your Linux Box for the Internet
- A few guides that SANS would love to sell you
- TICM - The Firewall Hardening Guide v0.1
Please feel free to let me know if I’ve forgotten or excluded any notable sites, documents, tools or techniques in this list!