Ask a network administrator in any large organization to
compare Linux with network operating systems like Windows NT or Novell, and
chances are he’ll admit that Linux is an inherently more stable and scalable
solution. Chances are he’ll also admit that when it comes to securing the
system from outside attack, Linux is possibly the most difficult of the three
to work with.

This perception is not an uncommon one — many network
administrators new to Linux find it hard to transition from a point-and-click
security configuration interface to one based on editing complicated and
hard-to-locate text files. Most administrators are well aware of the need to
manually put in roadblocks and obstacles to trip up would-be hackers and ensure
that your company’s data stays secure; it’s just that in the unfamiliar Linux
world, they’re not completely sure of their bearings or where to start.

That’s where this document comes in. It outlines some easy
things administrators can do to make their Linux server more secure and
significantly reduce the risk they face. This tutorial lists seven such items,
but you can find many more in the Linux manuals and discussion forums.

1. Protect the root account

The root, or superuser,
account on a Linux system is like a backstage pass at a Stones concert — it
allows you access to anything and everything. For this reason, it’s well worth
taking extra steps to protect it. Start by setting a hard-to-guess password for
this account with the passwd command,
change it on a regular basis, and restrict knowledge of the password to a few
(ideally, only two) key people in the organization.

Next, restrict the terminals that can be used for root access, by editing the file /etc/securetty. To avoid
users leaving a root terminal “open”, set a timeout for inactive root logins by setting the TMOUT local variable, and ensure that the root command history file (which might
contain sensitive information) is disabled by setting the HISTFILESIZE local variable to 0. Finally, enforce a policy of using this account only to
perform specific administrative tasks, and discourage users from logging in as root by default.

Tip: Once you’ve closed these holes, the next
step is to require that every normal user account must have a password and
ensure that passwords do not use easily-recognizable heuristics such as
birthdays, user names or dictionary words.

2. Install a firewall

A firewall lets you filter data packets traveling in and out
of your server and ensures that only those packets matching pre-defined rules
are permitted to enter or exit. A number of excellent firewalls are available
for Linux, and firewall code can even be compiled directly into the kernel.
Begin by defining input, output and forwarding rules for packets leaving and
entering your network, using the ipchains or iptables commands. Rules may be specified
on the basis of IP addresses, network interfaces, ports, protocols or
combinations of these attributes; these rules also specify what action (accept,
reject, forward) to take when a match occurs. Once the rules are installed,
test the firewall extensively to ensure that no holes exist in it. A good
firewall is your first line of defense against common attacks like the
distributed denial of service (DDoS) attack.
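The following is an added example, not code from the original article: a minimal default-deny ruleset in the `iptables-restore` format, a deliberately weak one beside it, and a small lint that checks the properties step 2 asks you to test for (default DROP policies, a loopback accept, and no SSH accept that matches every source). The network 203.0.113.0/24 is a constructed stand-in for your management network.

```shell
# Added example (not from the article): hardened ruleset, weak ruleset, and a lint.
# Apply the hardened set on a real host, as root, with:  firewall_rules | iptables-restore

firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this server opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets claiming a loopback source on a non-loopback interface are forged
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# SSH only from the management network (constructed address), web from anywhere
-A INPUT -p tcp -s 203.0.113.0/24 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# rate-limited ping keeps the host diagnosable without answering floods
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log what falls through before the default DROP policy discards it
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# The kind of ruleset the lint is meant to reject: accept-by-default, SSH open to all.
weak_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; print each problem found and a final count line.
firewall_lint() {
    awk '
        /^:INPUT /   && $2 != "DROP" { print "INPUT policy is " $2 ", not DROP"; bad++ }
        /^:FORWARD / && $2 != "DROP" { print "FORWARD policy is " $2 ", not DROP"; bad++ }
        /^-A INPUT -i lo -j ACCEPT/ { lo = 1 }
        /^-A INPUT / && /--dport 22( |$)/ && /-j ACCEPT/ && !/ -s / {
            print "SSH accepted from any source"; bad++
        }
        END {
            if (!lo) { print "no loopback accept rule"; bad++ }
            print bad + 0 " problem(s)"
        }'
}

firewall_rules | firewall_lint   # prints "0 problem(s)"
weak_rules | firewall_lint       # lists four problems
```

The lint is a structural check only; it complements, not replaces, the live testing the article recommends (sending test traffic at the host from outside and confirming it is dropped and logged).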

3. Use OpenSSH for network transactions

An important issue in client-server architecture involves
the security of data being transmitted over the network. If network
transactions take place in plaintext, it is possible for a hacker to
“sniff” the data packets being transmitted and thus gain access to
sensitive information. You can close this hole by using a secure shell utility
like OpenSSH to create a
secure encrypted “tunnel” for your data to pass through. Encrypting
your connections in this manner makes it extremely hard for unauthorized users
to read the data going back and forth between network hosts.
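As an added example covering steps 1 and 3 together (this is not code from the article), the shell functions below audit the three root-login controls the text describes: whether /etc/securetty admits root on pseudo-terminals, whether the root profile sets TMOUT and a zero HISTFILESIZE, and whether sshd_config still allows root to log in over the network (PermitRootLogin is the real OpenSSH directive; its first occurrence wins, which the helper honours). The sample files are constructed in a temporary directory so the script runs offline; on a real host point the functions at /etc/securetty, /root/.bash_profile and /etc/ssh/sshd_config.

```shell
# Added example (not from the article): audit root-login controls from steps 1 and 3.

# Effective value of VAR in a shell profile: last uncommented assignment wins,
# "export VAR=..." and "readonly VAR=..." forms are accepted. Prints "" if unset.
profile_value() {
    # $1 = profile file, $2 = variable name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]*(export|readonly)[[:space:]]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[[:space:]#].*$/, "", val)     # strip trailing comment
                found = val
            }
        }
        END { print found }' "$1"
}

# securetty entries that let root log in on pseudo-terminals, i.e. over the network.
securetty_network_ttys() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^(pts/|ttyp)' || true
}

# First uncommented occurrence of an sshd_config keyword (sshd uses the first match).
sshd_value() {
    # $1 = sshd_config, $2 = keyword (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per finding; prints nothing when all three controls are in place.
root_login_audit() {
    # $1 = securetty, $2 = root profile, $3 = sshd_config
    if [ -n "$(securetty_network_ttys "$1")" ]; then
        echo "securetty: root login permitted on pseudo-terminals"
    fi
    t=$(profile_value "$2" TMOUT)
    case "$t" in
        ''|0) echo "profile: TMOUT unset, idle root shells never time out" ;;
    esac
    h=$(profile_value "$2" HISTFILESIZE)
    [ "$h" = "0" ] || echo "profile: HISTFILESIZE is not 0, root command history is written to disk"
    p=$(sshd_value "$3" PermitRootLogin)
    [ "$p" = "no" ] || echo "sshd_config: PermitRootLogin is '${p:-default}', root may log in over the network"
}

# Constructed sample files: a weak and a hardened version of each. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf 'console\ntty1\ntty2\npts/0\npts/1\n' > "$dir/securetty.weak"
    printf 'console\ntty1\ntty2\n' > "$dir/securetty.hard"
    printf '# weak root profile\nexport PATH=/usr/sbin:/usr/bin:/sbin:/bin\n' > "$dir/profile.weak"
    printf '# hardened root profile\nreadonly TMOUT=300\nexport TMOUT\nHISTFILESIZE=0\nexport HISTFILESIZE\n' > "$dir/profile.hard"
    printf '#PermitRootLogin no\nPort 22\n' > "$dir/sshd.weak"
    printf 'PermitRootLogin no\nProtocol 2\n' > "$dir/sshd.hard"
    echo "$dir"
}

d=$(make_samples)
root_login_audit "$d/securetty.weak" "$d/profile.weak" "$d/sshd.weak"   # four findings
root_login_audit "$d/securetty.hard" "$d/profile.hard" "$d/sshd.hard"   # silent
```

Note that the weak sshd_config contains only a commented-out `#PermitRootLogin no`, which the helper correctly ignores: a commented line is the compiled-in default, not a setting, and on older OpenSSH releases that default permitted root logins.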

4. Disable unwanted services

Most Linux systems are installed with a wide variety of
different services enabled, such as FTP,
telnet, UUCP, ntalk
and
so on. In most cases, these services are rarely used and leaving them active is
like leaving your windows open for a burglar to slip in. You can disable these
services by commenting them out in the /etc/inetd.conf or /etc/xinetd.conf files and
then restarting the inetd or xinetd daemon.
Additionally, some services (for example, database servers) may start up by
default during the boot process; you can disable these by editing the /etc/rc.d/* directory
hierarchy. Many experienced administrators disable all system services, only
leaving SSH communication ports open.
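The following is an added example, not the article's own code: a function that comments out every active service in an inetd.conf-style file except the ones on an allow list, together with a helper that lists what is still active. It works on a constructed copy of /etc/inetd.conf in a temporary file, so it runs offline; the service lines are typical of the era but are made up for this example.

```shell
# Added example (not from the article): disable all inetd services except an allow list.

# Comment out each active service line whose name is not in the space-separated
# keep list ($2). The hardened file goes to stdout; the original is untouched.
inetd_harden() {
    awk -v keep=" $2 " '
        /^[[:space:]]*(#|$)/ { print; next }        # comments and blank lines pass through
        index(keep, " " $1 " ") { print; next }     # allowed service stays active
        { print "#disabled# " $0 }                  # everything else is switched off
    ' "$1"
}

# Names of the services still active in an inetd.conf.
inetd_active() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Constructed sample inetd.conf; prints its path.
sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root       /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp  nowait  root       /usr/sbin/tcpd    in.telnetd
#shell  stream  tcp  nowait  root       /usr/sbin/tcpd    in.rshd
ntalk   dgram   udp  wait    nobody.tty /usr/sbin/tcpd    in.ntalkd
uucp    stream  tcp  nowait  uucp       /usr/sbin/tcpd    /usr/lib/uucp/uucico -l
ident   stream  tcp  nowait  nobody     /usr/sbin/identd  identd -i
EOF
    echo "$f"
}

f=$(sample_inetd_conf)
inetd_active "$f"                           # ftp telnet ntalk uucp ident
inetd_harden "$f" "ident" > "$f.hardened"
inetd_active "$f.hardened"                  # ident
```

On a real host the sequence is `inetd_harden /etc/inetd.conf "ident" > /etc/inetd.conf.new`, review the result, move it into place, and signal the daemon (`kill -HUP` on inetd's pid) so it rereads the file. Under xinetd the equivalent is `disable = yes` in each service's file under /etc/xinetd.d/, followed by a reload.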

5. Use a spam and anti-virus filter

Junk e-mail and viruses annoy your users and can sometimes
cause critical network failures. Linux is surprisingly resistant to viruses,
but client machines running Windows may be more susceptible. Therefore, it’s a
good idea to install a spam and virus filter on your mail server itself, to
“defang” suspicious messages and reduce the risk of a chain of
collapses.

Begin by installing SpamAssassin, a leading
open-source tool that uses a combination of different techniques to identify
and flag spam; the program also supports user-based whitelisting
and greylisting for greater accuracy. Next, install procmail for user-level filtering based on regular expressions; this
tool allows automatic filtering of received email into mailboxes, at both a
user and system level. Finally, install Clam Anti-Virus, a free anti-virus toolkit that
integrates with sendmail and SpamAssassin
and supports on-access scanning of email attachments.
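The following is an added example, not from the article: a .procmailrc that runs each message through SpamAssassin and then diverts flagged mail, with a shell function that makes the same routing decision on a message read from stdin so the logic can be exercised offline. `X-Spam-Flag: YES` is the header SpamAssassin really adds; the `X-Virus-Status: Infected` header and the folder paths are assumptions for this example, so check what your virus scanner actually inserts before relying on them. The sample messages are constructed.

```shell
# Added example (not from the article): procmail routing for SpamAssassin-tagged mail.

# The recipe file a user (or /etc/procmailrc for everyone) would install.
procmailrc() {
    cat <<'EOF'
# run every message through SpamAssassin, which adds the X-Spam-* headers
:0fw: spamassassin.lock
| spamassassin
# infected mail first; the header name is what this example assumes the scanner adds
:0:
* ^X-Virus-Status: Infected
$HOME/mail/quarantine
# then anything SpamAssassin flagged
:0:
* ^X-Spam-Flag: YES
$HOME/mail/spam
EOF
}

# Same decision in shell: inspect headers only (up to the first blank line),
# so header-like text in the body cannot influence routing.
route_message() {
    awk '
        /^$/ { exit }                                          # end of headers
        tolower($0) ~ /^x-virus-status: *infected/ { virus = 1 }
        tolower($0) ~ /^x-spam-flag: *yes/          { spam = 1 }
        END {
            if (virus)     print "quarantine"
            else if (spam) print "spam"
            else           print "inbox"
        }'
}

# Constructed sample messages.
sample_spam='From: mailer@example.net
To: user@example.com
Subject: cheap watches
X-Spam-Flag: YES
X-Spam-Level: ********

Buy now!'

sample_ham='From: colleague@example.com
To: user@example.com
Subject: re: the filter

Note the body mentions
X-Spam-Flag: YES
but that is not a header.'

sample_virus='From: unknown@example.net
To: user@example.com
Subject: invoice
X-Virus-Status: Infected
X-Spam-Flag: YES

see attachment'

printf '%s\n' "$sample_spam"  | route_message   # spam
printf '%s\n' "$sample_ham"   | route_message   # inbox
printf '%s\n' "$sample_virus" | route_message   # quarantine
```

The recipe order matters: procmail delivers to the first matching recipe, so the infected check comes before the spam check, and the shell version preserves that priority.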

6. Install an intrusion detection system

Intrusion detection systems (IDS) are early warning systems
that let you know if changes occur on your network. They’re a great way to
identify (and prove) attempts to break into your system, although at the cost
of increased resource consumption and potential red herrings. There are two
fairly well-known IDSs you can try: tripwire, which tracks
file signatures to detect modifications; and snort, which uses rules-based directives to
perform real-time packet analysis and search for and identify attempts to probe or
attack your system. Both packages can generate e-mail alerts (among other
actions) and are useful when you suspect your network is being compromised but
need definitive proof.
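As an added example (not tripwire's own code, nor from the article), the two functions below reduce the file-integrity check at the heart of tripwire to its essentials: record a baseline of content hash, mode and owner for every file under a directory, then compare the current state against it and report what was added, changed or removed. It assumes GNU coreutils (`sha256sum`, `stat -c`) and runs on a constructed tree in a temporary directory.

```shell
# Added example (not from the article): baseline-and-compare file integrity check.

# One tab-separated line per file: sha256, mode:owner, path. Sorted so output is stable.
integrity_baseline() {
    # $1 = directory to cover
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a:%U' "$f")          # GNU stat: octal mode and owner name
        printf '%s\t%s\t%s\n' "$hash" "$meta" "$f"
    done
}

# Compare a saved baseline ($1) with the current state of directory ($2).
# Prints ADDED / CHANGED / REMOVED lines; prints nothing when all is well.
integrity_check() {
    integrity_baseline "$2" > "$1.now"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$3] = $1 "\t" $2; next }   # load the baseline
        {
            seen[$3] = 1
            if (!($3 in base))                  print "ADDED   " $3
            else if (base[$3] != ($1 "\t" $2))  print "CHANGED " $3   # content, mode or owner
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$1.now"
    rm -f "$1.now"
}

# Constructed demonstration: take a baseline, make the three kinds of change the
# check must catch (a modified setuid binary, a new file, a deleted file), report.
integrity_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original login binary\n' > "$root/bin/login"
    printf 'nameserver 10.0.0.1\n' > "$root/etc/resolv.conf"
    integrity_baseline "$root" > "$root.baseline"
    printf 'replaced login binary\n' > "$root/bin/login"
    chmod u+s "$root/bin/login"
    printf 'x\n' > "$root/etc/.hidden"
    rm "$root/etc/resolv.conf"
    integrity_check "$root.baseline" "$root"
    rm -rf "$root" "$root.baseline"
}

integrity_demo   # CHANGED .../bin/login, ADDED .../etc/.hidden, REMOVED .../etc/resolv.conf
```

The baseline is only as trustworthy as its storage: keep it (and the checking tool) on read-only or off-host media, since an intruder who can modify the binaries can also rewrite a baseline stored beside them. Paths containing tab characters would confuse the field splitting; real tripwire databases avoid this problem with a binary format.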

7. Perform regular security audits

When it comes to securing your network, this final step is
possibly the most important. Here, you put on a black hat and do your best to
circumvent the defenses you erected in the previous steps. Doing this provides
you with an immediate and objective assessment of how hard your system really
is, and identifies potential vulnerabilities that you should fix.

A number of tools are available to help you in this audit:
you can attempt to hack your password files using password crackers like Crack and John the Ripper; you can use nmap or netstat to look for
open ports; you can sniff the network using tcpdump; and you can try exploiting
publicized holes in your installed programs (Web server, firewall, Samba) to
see if they offer a way in. If you do manage to find a way past your obstacles,
rest assured that others will too; take immediate measures to close the
openings.
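The following is an added example, not from the article: the open-port part of the audit, done from the defender's side. It reads `netstat -tuln` style output, keeps only sockets bound to a non-loopback address (those reachable from the network), and reports any that are not on the list of ports you intended to expose. The sample output is constructed; on the server being audited, feed it real `netstat -tuln` (or `ss -tuln`) output instead.

```shell
# Added example (not from the article): compare listening ports with the intended set.

# Constructed `netstat -tuln` output for a host that still runs telnet and portmap.
sample_netstat='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Print "proto port" for every socket bound to something other than loopback.
# tcp6/udp6 are folded into tcp/udp so one allow list covers both families.
exposed_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)
            addr = $4; sub(/:[^:]*$/, "", addr)     # everything before the last colon
            port = $4; sub(/.*:/, "", port)         # everything after it
            if (addr != "127.0.0.1" && addr != "::1") print proto, port
         }'
}

# Report exposed ports missing from the allow list ($1, e.g. "tcp/22 tcp/80").
unexpected_ports() {
    allow=" $1 "
    exposed_ports | while read -r proto port; do
        case "$allow" in
            *" $proto/$port "*) ;;
            *) echo "unexpected: $proto/$port" ;;
        esac
    done
}

printf '%s\n' "$sample_netstat" | exposed_ports                      # four exposed sockets
printf '%s\n' "$sample_netstat" | unexpected_ports "tcp/22 tcp/80"   # tcp/23 and udp/111
```

A loopback-only listener such as the database on 127.0.0.1:3306 is deliberately left out of the report, but it still deserves a look during the audit: it is reachable by any local account, so it counts on the trust you place in the step-1 account controls. The listing shows what the host itself believes; confirm it from the outside as well, because a firewall rule, not the absence of a listener, may be what actually keeps a port closed.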

Protecting your Linux system is an ongoing task, and so you
shouldn’t rest easy once you’ve done the steps above. Visit the Linux security
forums for more security tips, and be proactive in monitoring and updating the
security of your system. Good luck!