Hardening Linux
by David M Williams   
Sunday, 12 August 2007
As mentioned, xinetd handles services that see only periodic use, for which it would be wasteful to run an independent listening process each. The ramification is that services with anticipated high use run stand-alone from system boot and are not controlled by xinetd.

An example of this is the Apache web server. It runs as its own service. To disable Apache – or any other server software – you have two basic options. The first is to simply uninstall the application; the second is to stop it running and then prevent it restarting at boot time. To achieve the first, refer back to your distro’s package management tool. To achieve the second, run its /etc/init.d script followed by the 'stop' parameter. At worst, the brute force method will always work: run ps aux | grep httpd or ps aux | grep apache2, depending on your distro. As above, the second column is the PID. Enter kill -9 xxx where xxx is the PID.

This stops the process running immediately. However, as yet there’s nothing to stop it starting again when you next reboot. To solve this enter the command ntsysv. This is a simple tool to configure Linux runlevels and the services that run at each runlevel. Merely uncheck the box next to Apache, and similarly for any other services that auto-run which you do not use. A text tool to achieve the same thing, albeit with more skill required, is chkconfig.
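To check the result of that clean-up, the sketch below lists every service that still starts at a given runlevel and flags any that are not on a list you expect. It is an added example, not code from the article; the function names are hypothetical, and it assumes the classic SysV layout in which chkconfig and ntsysv maintain start links named S<NN><service> under rc<runlevel>.d. The sample tree is constructed so the script runs without touching a real system.

```shell
#!/bin/sh
# Added example, not from the article. Assumed SysV layout: start links
# named S<NN><service> in <rcdir>/rc<runlevel>.d (what chkconfig edits).

# enabled_services RCDIR RUNLEVEL -> enabled service names, one per line
enabled_services() {
    rcdir=$1; level=$2
    for link in "$rcdir/rc$level.d"/S[0-9][0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}                      # e.g. S85httpd
        printf '%s\n' "${name#S[0-9][0-9]}"   # -> httpd
    done | sort -u
}

# unexpected_services RCDIR RUNLEVEL ALLOWED... -> enabled but not allowed
unexpected_services() {
    rcdir=$1; level=$2; shift 2
    enabled_services "$rcdir" "$level" | while IFS= read -r svc; do
        ok=no
        for allowed in "$@"; do
            if [ "$svc" = "$allowed" ]; then ok=yes; fi
        done
        [ "$ok" = yes ] || printf '%s\n' "$svc"
    done
}

# Constructed sample tree standing in for the real rc directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d"
    for s in httpd sshd syslog cups; do : > "$root/init.d/$s"; done
    ln -s ../init.d/syslog "$root/rc3.d/S12syslog"
    ln -s ../init.d/sshd   "$root/rc3.d/S55sshd"
    ln -s ../init.d/httpd  "$root/rc3.d/S85httpd"
    ln -s ../init.d/cups   "$root/rc3.d/K10cups"   # K link: not started
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
unexpected_services "$tree" 3 sshd syslog   # prints: httpd
rm -rf "$tree"
```

On a real machine the first argument would be /etc/rc.d on Red Hat-style systems or /etc on Debian-style ones, and the allow-list is whatever you have decided the host should run.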

Patching the OS

An essential requirement for maintaining security is to keep your operating system up-to-date. This ensures you receive updates to fix known exploits and vulnerabilities, as well as bug fixes and performance and feature enhancements.

Most Linux vendors provide information on available updates. For instance, Red Hat publish their list at www.redhat.com/security/updates/notes. (Information on Red Hat’s update and support policies, including how to sign up for automatic notification of errata is at www.redhat.com/security/updates.)

Other distro users can find links at Linux-Sec.net’s list of online security patches and updates by vendor.


Bastille


With the basics of manual hardening down pat, let’s check out a free open-source tool to automate and simplify the process. Bastille will disable unnecessary services and install operating system updates as well as configure a firewall, enforce password policies, create a second root-level account and more. What’s nice is that Bastille leads the user through a simple series of yes/no questions, giving a detailed explanation of why each question is asked and what will happen if ‘yes’ is chosen. It doesn’t merely expect guesswork, nor does it blindly alter your system – instead, it genuinely hardens your computer and educates on security in the process.

Pleasantly, you’re also not locked in to Bastille’s changes should you decide some of the setting changes weren’t for you. Running RevertBastille automatically restores the state of all config files and settings to just how they were before Bastille made any changes. Obviously, if you make changes to your system manually after running Bastille, you will lose these too, so it is best to test Bastille’s changes as soon as possible after applying them, to ensure you won’t harm anything else if you need to revert.

Unfortunately, Bastille is not for everyone: versions exist for Red Hat, SUSE, Debian, Gentoo and Mandrake (as well as non-Linux UNIX variants HP-UX and MacOS X). If you do run one of those systems, you really are well-advised to run Bastille. You can download the latest version from SourceForge.

Let's give Bastille a run-through.



 