
Lock down your system with Bastille Linux

Use Bastille Linux to perform common security tasks that can quickly and easily lockdown a Linux system.

Bastille Linux can help you tighten the security of a Linux host. Originally designed to assist new Linux users unfamiliar with proper security procedures, Bastille has since become robust enough for administrators of any level. Despite the name, Bastille Linux is not a distribution; it is a hardening program that walks you through the system one security decision at a time and explains each one. Currently, only Red Hat and Mandrake are supported, but additional distributions are on the way. Bastille is easy to use, offers clear explanations, and lets you undo its changes, which makes it an excellent way to review your current setup, improve the security of your system, and close potential holes before they can do you harm.

Installing Bastille Linux
Installation is straightforward but needs a few separate downloads. Bastille is written in Perl and needs a Perl user-interface module before it can run, so that module is installed first. Which one you need depends on your distribution (Red Hat or Mandrake) and on whether you want a graphical interface (Perl-Tk) or a text interface (Perl-Curses); the package names and download locations are in Table A. Then download the main Bastille RPM and the Bastille Perl-UI module that matches your choice.

Table A: Perl UI module RPMs by distribution

Perl module       Red Hat 7.1                      Mandrake 8.1
Graphical (Tk)    perl-Tk-800.022-11.i386.rpm      perl-Tk-800.023-2mdk.i586.rpm
Text (Curses)     perl-Curses-1.05-10.i386.rpm     perl-Curses-1.06-1mdk.i586.rpm

Download locations:
  ftp://ftp.redhat.com/pub/redhat/linux/7.1/en/DMA/CPAN/RPMS/perl-Tk-800.022-11.i386.rpm
  ftp://ftp.rpmfind.net/linux/Mandrake/8.1/i586/Mandrake/RPMS/perl-Tk-800.023-2mdk.i586.rpm
  ftp://ftp.redhat.com/pub/redhat/linux/7.1/en/DMA/CPAN/RPMS/perl-Curses-1.05-10.i386.rpm
  ftp://ftp.rpmfind.net/linux/Mandrake/8.1/i586/Mandrake/RPMS/perl-Curses-1.06-1mdk.i586.rpm

Here are the installation steps:
  1. Download the Perl module you chose from Table A and install it. This example uses the text-mode module for Red Hat:
    rpm -ivh --nodeps perl-Curses-1.05-10.i386.rpm
    The --nodeps flag makes rpm skip its dependency check, so if Bastille later fails to start, the first thing to confirm is that the module matches the Perl version on your system.
  2. Download the main Bastille Linux RPM.
  3. Download the Bastille Perl-UI module that matches step 1, graphical (Tk) or text (Curses).
  4. Install the main Bastille RPM and the Bastille Perl-UI module together in one command. This example pairs the Curses module with the perl-Curses package installed in step 1:
    rpm -ivh Bastille-1.3.0-1.0.i386.rpm Bastille-Curses-module-1.3.0-1.0.i386.rpm

The program should now be ready to go. Bastille Linux also provides a source tarball and source RPM on its Web site, as well as links to RPMs for older distributions. If you encounter any problems with the installation, first confirm what version of Red Hat or Mandrake you're running, and then check the Web site.

Running Bastille Linux
Once Bastille is installed, run InteractiveBastille as root to start the program. Running Bastille on a freshly installed system is recommended but not required. The program, actually a set of Perl scripts, presents a user-friendly interface that explains each step along the way (Figure A).

Figure A


For each recommendation you can read a short description of what the change does and its possible impact on your system and its users (Figure B).

Figure B


You can answer Yes or No to each recommendation, knowing that you can undo your choices later: Bastille records what it changed and ships a RevertBastille script that puts the original files back. Nothing is modified until the end, so you can walk through every question and then exit cleanly without touching your system. Below are some of the options to choose from.

File permissions
  • Remove nonroot access to common administration utilities, such as linuxconf, fsck, and ifconfig. By default, standard users can run programs that reveal detailed system information (interfaces, addresses, disk layout). Denying that reconnaissance takes away much of what an intruder would use to plan the next step.
  • Disable “SUID root” (set user-ID root) on specific programs. The SUID bit lets regular users run programs such as dump, restore, and ping with root privileges, which would otherwise be root-only; every such program is a potential route to root if it has a bug. Once again, the idea is that “less is more”: the less a would-be intruder has to work with, the better.
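
The following script is an added example, not code from the article or from Bastille. It enumerates the SUID binaries on a filesystem and strips the SUID bit from a chosen list, which is what the file-permissions step does for programs such as dump, restore and ping. The scratch directory, the fake binaries and the owner it checks for are assumptions so that it runs as any user; on a real host you would call list_suid / root and hand strip_suid the real paths.

```shell
#!/bin/sh
# Added example (not Bastille's own code): list SUID files and strip the bit.
# Demo paths and owner are assumptions; real use: list_suid / root

# Print every regular file under $1 owned by $2 that has the SUID bit set.
list_suid() {
    find "$1" -xdev -type f -user "$2" -perm -4000 2>/dev/null | sort
}

# Strip the SUID bit from each path given. Returns non-zero if any file is
# still SUID afterwards (read-only filesystem, not the owner, and so on).
strip_suid() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        chmod u-s "$f" 2>/dev/null
        if [ -u "$f" ]; then
            echo "still SUID: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Number of SUID files under $1 owned by $2 (used to verify the change).
count_suid() {
    list_suid "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed tree: ping and dump are made SUID, ls is left alone.
# Prints "<before> <after>" SUID counts; expected "2 0".
demo_strip_suid() {
    tmp=$(mktemp -d)
    me=$(id -un)
    mkdir -p "$tmp/bin"
    for b in ping dump ls; do
        : > "$tmp/bin/$b"
        chmod 0755 "$tmp/bin/$b"
    done
    chmod u+s "$tmp/bin/ping" "$tmp/bin/dump"
    before=$(count_suid "$tmp" "$me")
    strip_suid "$tmp/bin/ping" "$tmp/bin/dump"
    after=$(count_suid "$tmp" "$me")
    rm -rf "$tmp"
    echo "$before $after"
}

demo_strip_suid
```

Run list_suid against / before and after Bastille to see exactly which programs it touched, and keep that list: a package upgrade can reinstall a binary with its SUID bit restored, so the check is worth repeating after every update.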

Account security
  • Install password aging. Making users change their passwords regularly is always a good idea; if a password never expires, a stolen or cracked password, and the account behind it, stays usable indefinitely.
  • Limit use of cron to administrative accounts, lowering the possibilities of abuse. Bastille does this through /etc/cron.allow, which lists the users permitted to run crontab. Ordinary use of cron is, of course, not a problem and may be necessary for certain individuals; the best bet is to enable it case by case by adding those users to the file, which also gives you a record of who has it.
  • Restrict root logins on ttys 1-6 by removing them from /etc/securetty. Preventing local root login forces a would-be intruder to have a user account as well, even with the root password in hand, and the su that follows leaves a log entry. Logging in as root directly is never a good idea anyway; it's best to log in as a user and then su as needed.

Boot security
  • Password-protect your Linux Loader (LILO). Anyone who can reach the console can reboot the server and type extra parameters at the LILO prompt, such as init=/bin/sh, to get a root shell without any password. A password on the LILO prompt adds a layer of protection. Note that the password is stored in clear text in /etc/lilo.conf, so that file must be readable by root only, and you must rerun lilo for the change to take effect.
  • Set LILO delay time to zero. LILO normally pauses for a number of seconds, allowing you to enter alternate boot commands. Setting the delay to zero makes the system boot its standard image immediately.
  • Disable [Ctrl][Alt][Delete] rebooting. If local access is available, this limits a person's ability to restart your Linux system from the keyboard; it does not stop a power-cycle, so it complements the LILO password rather than replacing it. Local access is one of the more difficult things to protect against, and Bastille provides some outstanding options in this area.

Secure INETD
  • Turn off Telnet access. Telnet is not secure: it transmits everything, passwords included, in clear text, so anyone on the network path can “sniff” it with the proper tools. A secure alternative such as SSH is highly recommended.
  • Turn off FTP access. This is not always an option, but it is a good idea whenever you can. Not only is FTP a clear-text protocol like Telnet, but FTP daemons have a long history of remotely exploitable holes. Secure options such as SCP and SFTP are once again highly recommended.
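
The script below is an added example, not the article's or Bastille's own code. It lists the services a classic inetd.conf still offers, comments out the ones you want gone (telnet and ftp here), and checks an xinetd service file, since Red Hat 7.x and Mandrake 8.x ship xinetd rather than the older inetd and disable a service there with a "disable = yes" line. The sample configuration files are constructed for the demo and are assumptions, not copies of a real host's files.

```shell
#!/bin/sh
# Added example (not Bastille's code): audit and edit inetd/xinetd config.
# Sample files are constructed; real paths are /etc/inetd.conf, /etc/xinetd.d/.

# Service name ($1) of every uncommented, complete entry in an inetd.conf.
inetd_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Comment out the named services in an inetd.conf. The file is rewritten
# through a temp copy and cat'ed back so its ownership and mode are kept.
inetd_disable() {
    conf=$1; shift
    for svc in "$@"; do
        tmpf=$(mktemp)
        awk -v svc="$svc" '
            !/^[[:space:]]*#/ && $1 == svc { print "#" $0; next }
            { print }' "$conf" > "$tmpf"
        cat "$tmpf" > "$conf"
        rm -f "$tmpf"
    done
}

# xinetd: a service file is live unless it carries "disable = yes".
xinetd_service_enabled() {
    ! awk -F= '!/^[[:space:]]*#/ && $1 ~ /^[[:space:]]*disable[[:space:]]*$/ {
                 gsub(/[[:space:]]/, "", $2); print tolower($2) }' "$1" | grep -qx yes
}

# Constructed samples under $1: an inetd.conf offering ftp and telnet (rsh
# already commented out) plus two xinetd service files.
make_demo_inetd() {
    mkdir -p "$1/xinetd.d"
    cat > "$1/inetd.conf" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
EOF
    printf 'service telnet\n{\n\tdisable\t= no\n\tserver\t= /usr/sbin/in.telnetd\n}\n' > "$1/xinetd.d/telnet"
    printf 'service ftp\n{\n\tdisable\t= yes\n\tserver\t= /usr/sbin/in.ftpd\n}\n' > "$1/xinetd.d/wu-ftpd"
}

d=$(mktemp -d)
make_demo_inetd "$d"
echo "enabled before: $(inetd_enabled_services "$d/inetd.conf" | tr '\n' ' ')"
inetd_disable "$d/inetd.conf" telnet ftp
echo "enabled after:  $(inetd_enabled_services "$d/inetd.conf" | tr '\n' ' ')"
rm -rf "$d"
```

Editing the file is not enough on its own: inetd only rereads its configuration on a HUP signal (killall -HUP inetd), and xinetd needs a restart, so finish by confirming from another machine that port 23 and port 21 no longer answer.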

Increased logging
  • Set up logging to additional files. This copies system messages to extra files in nonstandard locations that an intruder may not know about. Intruders who gain root on your Linux box can easily delete or edit the log files, which might otherwise provide helpful clues in determining what was done and who was responsible. This will not prevent an attack, and an intruder who reads /etc/syslog.conf will find the extra files, but it raises the bar and may aid in future prevention.
  • Enable remote logging. The server continues logging normally but also copies messages over the network to a remote log host, so intruders must break into a second system to cover their tracks. The log host must run a syslog daemon configured to accept remote messages, and since syslog travels over UDP without authentication, the log host should accept messages only from your own servers and be hardened at least as carefully as they are.

Securing Sendmail
  • Turn off daemon mode. If you are not running Sendmail as a full-time mail server, there is no reason to keep it listening on port 25 around the clock. Bastille will instead run Sendmail every few minutes from cron to process the outgoing mail queue; local delivery and outbound mail keep working, but there is no longer a listening network service to attack.
  • Disable VRFY and EXPN. VRFY lets a remote user verify that an address exists on the server, and EXPN expands an alias into its members. While these can be helpful tools, spammers and intruders use them to harvest e-mail addresses and valid account names for password guessing.
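
The script below is an added example, not code from the article or from Bastille. It covers the two settings just described in the logging and Sendmail sections: it reports where /etc/syslog.conf forwards messages and adds a forwarding line if none exists, and it reads the PrivacyOptions line of /etc/sendmail.cf to decide whether VRFY and EXPN are refused (either novrfy plus noexpn, or goaway, which turns on every privacy flag). The file contents, the host name loghost and the paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not Bastille's code): check and add remote logging, and check
# Sendmail privacy options. Sample files and the host "loghost" are assumptions.

# Hosts that syslog.conf forwards to: uncommented lines whose action is @host.
syslog_remote_hosts() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $2 ~ /^@/ { sub(/^@+/, "", $2); print $2 }' "$1"
}

# Append "*.* @host" unless that host is already a forwarding target.
syslog_add_remote() {
    conf=$1; host=$2
    syslog_remote_hosts "$conf" | grep -qx "$host" && return 0
    printf '# added: copy everything to the central log host as well\n*.*\t@%s\n' "$host" >> "$conf"
}

# Value of the sendmail.cf option line "O PrivacyOptions=...", whitespace removed.
sendmail_privacy_options() {
    awk -F= '!/^[[:space:]]*#/ && $1 ~ /^O[[:space:]]+PrivacyOptions[[:space:]]*$/ {
                gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# True when VRFY and EXPN are both refused: novrfy and noexpn set, or goaway.
sendmail_vrfy_expn_disabled() {
    opts=",$(sendmail_privacy_options "$1" | tr '\n' ','),"
    case "$opts" in
        *,goaway,*) return 0 ;;
        *,novrfy,*) case "$opts" in *,noexpn,*) return 0 ;; esac ;;
    esac
    return 1
}

# Constructed samples under $1: a stock syslog.conf with no forwarding, and a
# sendmail.cf option line before and after hardening.
make_demo_mail_logs() {
    printf '*.info;mail.none;authpriv.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n' > "$1/syslog.conf"
    printf 'O PrivacyOptions=authwarnings\n' > "$1/sendmail.cf.before"
    printf 'O PrivacyOptions=authwarnings,novrfy,noexpn\n' > "$1/sendmail.cf.after"
}

d=$(mktemp -d)
make_demo_mail_logs "$d"
echo "forwarding before: '$(syslog_remote_hosts "$d/syslog.conf")'"
syslog_add_remote "$d/syslog.conf" loghost
syslog_add_remote "$d/syslog.conf" loghost    # second call must not duplicate the line
echo "forwarding after:  '$(syslog_remote_hosts "$d/syslog.conf")'"
sendmail_vrfy_expn_disabled "$d/sendmail.cf.before" || echo "before: VRFY/EXPN still answered"
sendmail_vrfy_expn_disabled "$d/sendmail.cf.after"  && echo "after: VRFY/EXPN refused"
rm -rf "$d"
```

Both daemons read their configuration at start, so send syslogd a HUP and restart Sendmail afterwards, and test from outside: a telnet to port 25 followed by VRFY root should now be turned away (Sendmail answers with a 252 rather than confirming the user with 250). On the log host, syslogd must be started in a mode that accepts network messages (the -r switch for the sysklogd shipped with these distributions) and port 514/udp must be allowed through its firewall from the sending servers only.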

Create a firewall
If you do not already have a firewall running, Bastille Linux will help design one for you. With support for both 2.2 and 2.4 kernels (ipchains and iptables, respectively), as well as Network Address Translation (NAT), Bastille couldn’t make it any easier. Just follow the clearly outlined steps and you shouldn’t have any problems. One precaution: if you are hardening a server over the network, read the generated rules before enabling them, because a rule that blocks your own SSH session will lock you out until someone reaches the console.

An excellent tool
These are just a few of the options Bastille Linux offers. With this simple and easy-to-use program, you can tighten security on your current Red Hat or Mandrake system and sleep better at night. It’s worth downloading and running the program just to see all the features.

Of course, no single distribution or program can protect you from every attack. Behind every good server is a vigilant admin who watches the log files, monitors inbound connection attempts, and keeps up with current security issues.