It has often been asked what can be done to secure
a Linux box that is online. There are actually a fairly large number of things but some are a little too deep for
the average user and some are too much like work. I am just going to touch on basics that anyone can do.
If your Unix-based OS uses an inetd.conf file, you can either delete it or leave in only the lines for the services
you want to provide. The easiest thing to do is open /etc/inetd.conf in vi as root, scroll down below the telnet
and ftp lines, and hold down the d key until the rest is gone. Telnet and ftp are the only two lines that I leave in most boxes, and then
I # them out.
Eliminating these services does NOT delete your ability to telnet, ftp, etc. out of the box; it only denies anyone
outside access in. So you can still ftp to your heart's content, you just can't ftp into your box from another one.
That is why I usually # out the two lines instead of deleting them: sometimes you need to turn access back on for a moment.
After you are done editing or deleting your inetd.conf file, you need to restart inetd. It is done
like this in Linux boxes...
killall -HUP inetd
That's it, reboots are for weenies. 
On Solaris boxes before 8 you need to find the PID first...
ps -aux | grep inetd
Then take the PID from that output and HUP it (836 here is just whatever PID you saw):
kill -HUP 836
You can also use kill -1 instead, since SIGHUP is signal number 1.
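The inetd.conf step above done with a script instead of by hand, as an added example that is not from the original post. It writes a small constructed inetd.conf into a temporary directory, puts a # in front of every service line except the ones you name (the demo keeps the author's telnet and ftp choice), and keeps the HUP step in its own function because that needs root and a running inetd. The service lines, daemon paths and file names are all constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post. Everything here runs against a
# constructed sample file in a temporary directory; only reload_inetd touches
# the real system, and it is never called automatically.

# Write a small constructed inetd.conf so the example runs offline.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# inetd.conf (constructed sample, not a real system file)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# harden_inetd_conf INPUT OUTPUT [SERVICE...]
# Copy INPUT to OUTPUT, putting a '#' in front of every active service line
# whose first field is not in the keep list. Comments and blank lines pass
# through unchanged, so a service can be turned back on by removing the '#'.
harden_inetd_conf() {
    in=$1; out=$2; shift 2
    keep=" $* "
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) printf '%s\n' "$line" ;;
            *)
                svc=${line%%[[:space:]]*}
                case $keep in
                    *" $svc "*) printf '%s\n' "$line" ;;
                    *)          printf '#%s\n' "$line" ;;
                esac ;;
        esac
    done < "$in" > "$out"
}

# count_active_services FILE: number of uncommented, non-blank lines, i.e.
# the services inetd would still listen for after the file is reloaded.
count_active_services() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" | wc -l | tr -d ' '
}

# reload_inetd: make inetd re-read its config without a reboot. Needs root
# and a running inetd, so the demo below does not call it.
reload_inetd() {
    case $(uname -s) in
        Linux) killall -HUP inetd ;;              # the command from the post
        *)     kill -HUP "$(pgrep -x inetd)" ;;   # Solaris: killall there kills EVERY process
    esac
}

# Demo on the constructed sample; nothing outside the temp dir is changed.
demo_dir=$(mktemp -d)
make_sample_inetd_conf "$demo_dir/inetd.conf"
harden_inetd_conf "$demo_dir/inetd.conf" "$demo_dir/inetd.conf.hardened" ftp telnet
echo "active services before: $(count_active_services "$demo_dir/inetd.conf")"
echo "active services after:  $(count_active_services "$demo_dir/inetd.conf.hardened")"
cat "$demo_dir/inetd.conf.hardened"
```

Run it as an ordinary user to see the result on the sample; on a real box you would point harden_inetd_conf at a copy of /etc/inetd.conf, compare the two, move the hardened copy into place as root and then call reload_inetd. Note the Solaris branch: killall on Solaris is not the Linux command and kills every process on the box, which is why the PID lookup with pgrep is used there instead.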
If you use Redhat 7 or newer you can run setup as root
and turn off services like sendmail if you don't use them. You can also allow or deny certain accesses via the
built-in firewalling.
The above are just really simple basics that will help a great deal. Next up are some things you should do all
the time. Use OpenSSH or another SSH implementation for all communications between boxes. Instead of ftp, try using sftp or scp.
They encrypt the traffic, so anyone running a sniffer on the path won't see your passwords (or anything else) in plain text.
Make sure that whatever password you use for your e-mail is different from your regular passwords. This is because
when you have your e-mail program set up to check for new mail every so often, it sends your password in plain text
too. So if you have it set to check your e-mail every two minutes, then every two minutes you are broadcasting
your password to the world.
Be sure to log into all your boxes as a user, NOT root. This is a practice that you need to do all the time anyway
just so you don't hose something in your box by accident. Give yourself a user account and get used to using it.
The standard-form password on Unix-based operating systems is supposed to be 6-8 characters long,
using a mix of numbers, upper- and lower-case letters, and at least one symbol.
Any password shorter than 6 characters is too easy to crack, and anything beyond the 8th character of a longer
password is wasted: the traditional Unix password hash only looks at the first eight characters and ignores the rest,
unless you have a modified password program.
The easiest way to remember your passwords is to make them mean something. Never ever use a person's name, anniversary
or anything like that. Use something like, uh, a saying or lyrics from a song, poem, line from a book, etc. Then
tweak it. Let's say I want a password for posting on a forum:
I post here as often as I can
You can tweak it so it makes a password, this is one
possibility...
iPh@0a1c
See how it works? (i Post here @s 0ften as 1 can)
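A checker for the password rules given above, added here as an example that is not from the original post. It applies the 6-8 character limit, the four character-class requirements and the "never a name" rule, and is run over the post's own sample password plus a few that each break one rule. The word list is constructed for the example; a real one would hold the names and words that matter to you.

```sh
#!/bin/sh
# Added example, not from the original post: check a candidate password
# against the rules in the text (6 to 8 characters, a digit, an upper-case
# and a lower-case letter, a symbol, and no names or obvious words).

# Constructed deny list for the example (pets, obvious words).
DENYLIST="fido rex spot password secret letmein"

# check_password CANDIDATE
# Prints "ok" and returns 0 if CANDIDATE meets every rule; otherwise prints
# the first rule it breaks and returns 1. Length is counted in bytes, which
# is what the classic 8-character crypt limit is about.
check_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -lt 6 ]; then
        echo "too short"; return 1
    fi
    if [ "$len" -gt 8 ]; then
        echo "too long"; return 1
    fi
    printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "needs a digit"; return 1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "needs an upper-case letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "needs a lower-case letter"; return 1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "needs a symbol"; return 1; }
    # Name/word check is case-insensitive, so "Fido" and "FIDO" are caught too.
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $DENYLIST; do
        case $lower in
            *"$w"*) echo "contains a name or common word: $w"; return 1 ;;
        esac
    done
    echo "ok"
}

# Demo: the post's sample password and a few that break one rule each.
for candidate in 'iPh@0a1c' 'short' 'Passwd1' 'fido@1Ab' 'iPh@0a1cX'; do
    result=$(check_password "$candidate") || true
    printf '%-10s %s\n' "$candidate" "$result"
done
```

The checks run in the order the text gives the rules, so a candidate that is both too long and missing a symbol is reported as too long first; lengthen the deny list with your own names and words before using it for real.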
You'll need a separate password for your user accounts, root accounts, etc. Try never to use the same password
for root and user account, etc. You need to change your passwords about every month or two although sometimes you
can go three months. I am not too worried about my forums accounts so I rarely change those but my user and root
accounts on servers are changed regularly.
You can also use a router for a firewall or actually set up a real firewall. Firewalling is also possible on the
box in question.
Try to remember that as long as you have a network connection, you are vulnerable to attack. There really isn't
much you can do about it except prepare for the worst and do your best to minimize your danger.
Internet security is a huge business. I only touched lightly on a few things you can do to help lock down your
stuff. There are definitely more things that you can do.
Oddly enough, when I want to crack a box, err, uh, when
I need access to a box that I, uh, seem to have lost or forgotten the password to, I can usually get access by
one of these things first: ask someone nearby, look on the monitor for a post-it note, look on the desk for a scrap
of paper, try the name of their wife, child, dog, etc.
Try to keep the servers in a physically secure area too. If I have physical access to a box, I have root. I'm not
even into cracking and I can still gain access to more boxes than I want to.
Security starts and ends with the user.