1001 ways to harden Linux | kaos.theory: fractal blog


Saw this post about a “10 step approach to a secure server” and decided to sort through old courseware I’d written and filter through my bookmarks to provide readers with a fairly comprehensive list of resources for hardening a Linux box (regardless of flavor/distribution/vendor/purpose).

Bearing in mind that there are probably several hundreds of websites and whitepapers that talk to this topic, I’ve tried my best to filter the wheat from the chaff, leaving only those resources that I believe are valuable and offer some unique insight, perspective or technique…

I will also try to keep this page up-to-date by adding new resources as I find them.

From Hardening Linux: a 10 step approach to a secure server, which provides a basic, high-level overview of the hardening process:

This list of steps is intended as a guideline with a practical approach. We’ll try to provide a complete picture without getting into unnecessary details. This list won’t replace a good book on secure systems administration, but it will be useful as a quick guide.

You should probably at least look over CERT’s UNIX Configuration Guidelines prior to beginning the process, as it should help to give you a good framework for understanding what you are trying to protect and how.

This document describes commonly exploited UNIX system configuration problems and recommends practices that can be used to help deter several types of break-ins. We encourage system administrators to review all sections of this document and modify their systems to fix potential weaknesses. In addition to the information in this document, we provide three companion documents that may help you.

A couple of oldies but goodies from the September and October 2002 issues of Linux Magazine. First, Hardening Linux Systems, which covers securing the physical system and installing the OS:

• Hardening activities must be performed before the system is placed on the network. Why? Because any system attached to a network prior to hardening has a chance, however small, of already being modified. You must begin the hardening process from a known, good system state. You must reinstall the operating system before you harden an existing system.
• Successful hardening is based on a least-privilege security model. The system should be open only as much as is needed to function properly. Similarly, users should be given the minimum amount of access that they need.

Then, Hardening, Part 2: Securing Services, which goes into detail on finding and disabling/removing unnecessary services and chrooting/sandboxing those that are necessary for proper functionality of the host.

And, of course, dated but absolutely necessary prerequisite reading, Improving the Security of Your Site by Breaking Into It by Dan Farmer and Wietse Venema.

Check out the extensive, if poorly organized, Linux-Sec.net:

Hardening Methodology

1. Read the various Security and Hardening HOWTOs
2. Create a Network and System Admin Policy
3. Install from a Linux CDROM into the properly sized disk partitions
4. Apply all patches for that particular Linux distribution
5. Compile and install your own kernel (Kernel-HOWTO)
6. Turn off unused daemons and harden services; change file/directory permissions
7. Add additional security updates for various servers
8. Test/audit your new server for exploits/vulnerabilities
9. Install and monitor your servers and networks
10. Install your Intrusion Detection System (IDS)
11. Back up your tested/clean server
12. Read and understand your security log files and messages
13. Send yourself emails and pages when a security breach has occurred
14. Upon a security breach, find out how and when they got into your system and fix the vulnerability
15. Repeat from the beginning with the CDROM installs
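As an added example (not from this post or from any of the guides it links), here is a small POSIX shell audit for the "disable unnecessary services", "fix file/directory permissions" and "test/audit" steps above: it lists world-writable paths and setuid/setgid binaries, and compares the host's listening sockets against an allowlist you maintain, so anything exposed beyond what the least-privilege model requires shows up as a finding. The allowlist file format and the `ss` invocation (Linux iproute2) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: post-install audit helpers. Each function prints findings,
# one per line, so a run can be diffed against the last known-good run.

# World-writable files, plus world-writable directories lacking the sticky
# bit, below the directory $1 (stays on one filesystem).
world_writable() {
    find "$1" -xdev \( -type f -perm -0002 \) \
        -o \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null | sort
}

# Setuid or setgid executables below $1: every one is a privilege boundary
# that belongs on a short, reviewed list.
setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Current TCP/UDP listeners as "proto port" lines (assumes Linux iproute2 ss).
# Column 5 of `ss -tuln` is the local address, e.g. 0.0.0.0:22 or [::]:22;
# the port is the text after the last colon.
current_listeners() {
    ss -H -tuln 2>/dev/null | awk '{ n = split($5, a, ":"); print $1, a[n] }'
}

# Read "proto port" lines on stdin and print those absent from the allowlist
# file $1 (same format, one "proto port" per line). grep exits 1 when nothing
# is unexpected, which is success for our purposes; 2 is a real error.
unexpected_listeners() {
    sort -u | grep -vxF -f "$1" || [ $? -eq 1 ]
}

# Full report for a host: $1 = allowlist file, $2 = filesystem root to scan
# (defaults to /). Exits non-zero if any listener is not on the allowlist.
audit_host() {
    _root=${2:-/}
    echo "## world-writable";  world_writable "$_root"
    echo "## setuid/setgid";   setuid_setgid "$_root"
    echo "## unexpected listeners"
    _unexpected=$(current_listeners | unexpected_listeners "$1")
    echo "$_unexpected"
    [ -z "$_unexpected" ]
}
```

Run `audit_host /etc/listen-allow.txt` (an allowlist path you choose) from cron or a configuration-management hook and alert on a non-zero exit or any new line in the permission sections.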

The Arctic Region Supercomputing Center has a guide on The First Ten Steps to Securing a UNIX Host, based on methodologies for securing their Irix hosts.

You might also find some useful gems at the SANS InfoSec Reading Room - Security White Papers page.


I can highly recommend the use of Bastille (which was covered in the Open Source Security Tools class I wrote for VeriSign in 2000). Bastille not only helps to automate the hardening process, but can be an excellent educational tool as well, walking the user through each step of the hardening process with a well-designed interface and extensive documentation:

The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works. Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX and Mac OS X.

There are some excellent tools and documentation at the Center for Internet Security - Linux Benchmarks page.

And finally, a few distro-specific resources:

Securing and Optimizing Linux, RedHat Edition (a very thorough guide)
Internet Server Security and Configuration Tutorial (also RedHat-centric)
Gentoo Security Handbook

The rest (mostly just repetition), for your bookmarking pleasure:

Please feel free to let me know if I’ve forgotten or excluded any notable sites, documents, tools or techniques in this list!


8 Responses to “1001 ways to harden Linux”

  1. boredumb » Mt. Dora, Here we come! Says:

    [...] - all good things to do while in Mt. Dora. Next week, I may spend a few hours reading the 1001 ways to harden your Linux box. If you’re a Windows folk, y [...]

  2. tonetheman links » Says:

    [...]
    Filed under: links — tone @ 7:42 am

    1001 ways to harden Linux how to setup a vpn backup thunderbird

    [...]

  3. ccarlo74 Says:

    Look also at http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf which is an updated version of the RedHat one.

  4. dr.kaos Says:

    thanks for the pointer, ccarlo74, i’ll update the post shortly…

  5. Ravi Says:

    Hello,
    I came across your blog while browsing digg.com. Thanks for this interesting post. However, I have a constructive suggestion to make. This blog will be read by more Linux enthusiasts if you could change the colors of the site. Some of the text can hardly be read.

    Regards
    Ravi
    http://linuxhelp.blogspot.com

  6. Johnnycsh Says:

    Hi all,

    How can I harden my Linux box against other people taking my hard disk and mounting it on their Linux box? I want to prevent people from stealing my files from my hard disk.

    Thanks.

    Rgds,
    Johnny

  7. Marc Says:

    Greetings,

    I love your OS, but want to install it to my HD. Is there any way I can install this to the HD?

    Regards,

    Marc

  8. Patrick Farrell Says:

    @Johnnycsh

    You need to use TrueCrypt to encrypt your hard disk.
    http://www.truecrypt.org/

    Don’t take my word for it, though. Here’s a link to respected cryptographer Bruce Schneier’s comments on it:
    http://www.schneier.com/blog/archives/2006/05/truecrypt.html

    Patrick Farrell
    http://patf.net/blogs
