Download (direct link):
It is also an excellent idea to occasionally screen the files that contain a record of all the logins onto your computer: /var/log/secure (the most recent log) /var/log/secure.1 (older log)
/var/log/secure.2 (yet older log), etc. There are also other useful log files in the directory /var/log that you might want to view, check them out from time to time. The most typical "warning" sign is a scanning of the ports on your computer: there are repeated entries on connection request from the same IP number to your system telnet, ftp, finger and other ports--somebody tried to learn more about your system.
If you never use remote connections to your home Linux machine, it is an excellent idea to restrict the rights to use the "server side" network services (all the network services are listed in the file /etc/inetd.conf) to the machines on your home network. The access is controlled by two files: /etc/hosts.allow and /etc/hosts.deny . These access-control files work as follows. When an outside connection is requested, the file /etc/host.allow is scanned first and if the name of the machine from which the connection is requested is matched, the access is granted (irrespectively of any entry in /etc/host.deny ). Otherwise, the file /etc/host.deny is scanned, and if the name of the machine from which the connection is requested is matched, the connection is closed. If no matches are found in either file, the permission is granted.
B. Staehle (a Linux modem guru) wrote to me to advice not to install network services at all. "If your network services are not configured properly, you may wind up with your computer owned by some script kiddie. A newbie should _never_ be allowing services (ftp, telnet, www) to the world. If you "must" install these, make sure to only permit connections from systems you control. The file /etc/hosts.deny should contain
and /etc/hosts.allow should only have ALL: 127.0.0.1
to permit connections only from that named host. Do NOT use hostnames! " <end of Bill advice>.
Indeed, my /etc/host.deny is exactly as adviced above (ALL: ALL), but my /etc/hosts.allow two extra trusted computers to connect to all my network services, and another computer to access telent and ftp: (the IP numbers are fake):
ALL: 127.0.0.1, 220.127.116.11, 18.104.22.168
in.telnetd, in.ftpd: 22.214.171.124
In the examples above "ALL: ALL" stands for "ALL services, ALL Hosts", meaning "connections to any local network service" coming from "any host".
For more info, check the excellent "Linux Network Administrator Guide" which is surely present on your RedHat (or whatever) distribution CD. I printed this book and had it hardcovered.
To verify which services your computer offers to the outside world, you may want to use a web-based tool. Go to: http://scan.sygatetech.com/ and click on "scan now".
Here are some other places that may be able to scan you: http://crypto.yashy.com/ http://davidovv2.homestead.com/freetoolsservices.html http://privacy.net/ http://scan.sygatetech.com/
Part 4: Linux Newbie Administrator FAQ
Linux Newbie Guide by Stan, Peter and Marie Klimas
http://security1.norton.com/us/intro.asp http://suicide.netfarmers.net/ http://trojanscanner.com/cgi-bin/nph-portscanner http://www.doshelp.com/dostest.htm http://www.dslreports.com/secureme/ http://www.dslreports.com http://www.earthlink.net/freescan/ http://www.grc.com http://www.hackerwhacker.com/ http://www.nessus.org http://www.netcop.com/newscan/fullscan.html http://www.privacyscan.org http://www.sdesign.com/cgi-bin/fwtest.cgi http://www.sdesign.com/securitytest/index.htmll http://www.securityspace.com/ http://www.vulnerabilities.org/nmapemail.html http://grc.com http://www.dslreports.com/scan http://www.dslreports.com/security/sec025.htm
For security reasons, it is also a good idea not to advertise the OS/version that you use. I replaced the contents of the file /etc/issue and /etc/issue.net which on my computer read:
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
with something like this:
WARNING: THIS IS A PRIVATE NETWORK
UNAUTHORIZED USE IS PROHIBITED AND ALL ACTIVITIES ARE LOGGED
IBM S/390 LINUX
This blends a joke with a little bit more security (I hope).
The contents of the files /etc/issue and /etc/issue.net are recreated at every reboot (when the script /etc/rc.local is run). So, to make the changes permanent, I can make these files read-only for all users (as root):
chmod a=r /etc/issue*
Instead of the last command, I could have edited (as root), the script /etc/rc.d/rc.local and commented out 5 lines with ### so that the relevant part reads:
# This will overwrite /etc/issue at every boot. So, make any changes
# want to make to /etc/issue here or you will lose them when you reboot ### echo "" > /etc/issue
### echo "$R" >> /etc/issue
### echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue
### cp -f /etc/issue /etc/issue.net ### echo >> /etc/issue
Another good security measure is to disable ping. Ping is a sonar-like response that your computer sends back when inquired by another computer. It is mostly useful for setup and debugging, to probe whether your machine is available on the network. It can also be used for probing your machine and/or attacking it by flooding with ping requests ("ping of death"). To disable my machine response to pingging from the net, I use the IP masquarading. I took and slightly modified the following command and explanation from http://www.securityfocus.com/focus/linux/articles/linux-securing2.html: