- Learn Linux
- Learn Electronics
- Raspberry Pi
- LPI certification
- News & Reviews
Security should be one of the foremost thoughts at all stages of setting up your Linux computer. To implement a good security policy on a machine requires a good knowledge of the fundamentals of Linux as well as some of the applications and protocols that are used.
Security of Linux is a massive subject and there are many complete books on the subject. I couldn't put everything in this one tutorial, but this does give a basic introduction to security and how the techniques, and tools can be used to provide additional security on a Linux computer. Hopefully this will provide sufficient information to be able to investigate other sources of information.
Although Linux users are must less prone to viruses than some other major operating systems, there are still many security issues facing Linux users and administrators.
One of the most important steps in any task is to identify why you are doing it. Rather than just saying we need to make a system secure you need to consider what is meant by secure, what risks there are associated with any data that's available, what impact your security measures will have on your users. Without first considering any of these factors how else will you know if you've met your goal of making a system secure.
After establishing why security is to be implemented you should consider the aspects of security that are required. The main security requirements are:
Authorisation - Only allow those that need access to the data
Authenticity - Verifying they are who they say they are
Privacy / Confidentiality - Ensure personal information is not being compromised
Integrity - Ensuring that the data has not been tampered with
Non-repudiation - Confirmation that data is received. The ability to prove it in court
Availability - Ensure that the system can perform it's required function
Some security requirements are not ones that are directly under your control but are instead imposed upon you. These may be legal requirements (e.g. Data Protection Act 1998), compliance with standards (e.g. ISO 7984-2 International Standards Organisation Security Standard), or corporate policy. If you handle credit card transactions then you may be required to comply with minimum security standards as described by the Payment Card Industry (PCI).
Some of these standards are very vague (e.g. the Data Protection Act just specifies that appropriate security should be in place) whereas some may be more specific (e.g. a corporate policy may insist on a minimum length of passwords etc.).
Before being able to effectively protect a computer system you need to know who it is that is trying to attack your systems and what they are trying to do. I have shown some examples by answering a few questions about those who could potentially attack a computer system.
These words are commonly used when referring to security attacks, however the meanings are often misinterpreted or understood. I have taken these in order of how easy the term is to explain so as to avoid confusing these together. Note that other people may have different meanings when they use these terms.
Phreakers - Also known as Phone Phreakers, this term originates from what could be considered to be the earliest form of attacks against electronic systems. It's earliest for was to bypass the systems used in telephone systems allowing free or reduced price international phone calls. One of the earliest forms of this was when the American pay phone system used a certain frequency signal to indicate that a coin had been placed in the phone. It was discovered that the frequency of the signal was 2600 Hz, which was also the same frequency emitted from a toy whistle distributed with a popular make of cereals. By blowing the whistle into the phone when a request was made for payment the Phreaker could fool the operating into thinking that money had been deposited in the pay phone.
Crackers - These are people that gain unauthorised access to a computer. When people refer to hackers breaking into a computer then they are really referring to crackers.
Hackers - Using the traditional meaning of the word Hacker is not meant to imply any kind of illegal or immoral activities. The true meaning is of a computer enthusiast that understands the inner workings of a system and uses that knowledge to "hack" together programs etc. to perform a function. This was different to the traditional techniques or programming that are designed to follow a set structure and procedure to produce a finished piece of software. Due to incorrect use, including by the press, the word hacker has now come to take on two meanings. One is it's original meaning and the other is that of anyone who tries to penetrate a computer (crackers) or those who cause intentional disruption or damage (none-physical) to computer systems.
Throughout this tutorial I will normally refer to the perpetrator as an attacker, regardless of which of these categories she comes under, however where I do refer to a hacker I will normally mean the newer of these meanings.
Whilst some may object to my use of the word hacker, my justification is to turn to the definition held in the Oxford English dictionary which describes the popular use of the language and is considered a definitive guide to the English language:
"Hacker - computer enthusiast, esp. one gaining unauthorised access to files"
The Oxford Popular Dictionary, Parragon, 1995
By understanding the reasons for the attacks gives a basis for what protection can be used to protect the data. I have therefore taken a few examples of reasons for hackers. This includes the stereotypical examples and some that you may not necessarily think about. This is by no means complete, it does however highlight that there are different reasons that someone would want to attack your system.
Just for fun - Typically someone in further or higher education that uses the college or universities computer facilities to attack another computer over the Internet. Whilst there are indeed a number of attackers that match this description it is important to recognise that these are not the only type of hackers. This person will typically have limited resources and normally does it, just for fun; or to prove their intelligence etc. However they may be part of a larger group united using the Internet. Whilst many do not intend to commit malicious damage they may discredit your company name, they may cause accidental damage, and may open the door for others.
Commercial espionage / sabotage - Whilst espionage normally congers up the image of James Bond fighting a host of bad guys the reality is much less dramatic.
There is potentially a risk from competitors wanting to gain a competitive edge. For example if you are bidding for a contract and your competitor is able to find out details of your bid, they could easily undercut you and win the contract. Alternatively by putting your web page out of action, customers could be encouraged to try the competition.
This kind of attacker normally has a lot of resources, both financial and in man power, at it's disposal and has very specific targets. If your organisation is involved in military contracts there may be a real Ernst Stavro Blofeld trying to steal the technology to take over the world.
Fighting a cause - Other groups that may wish to attack your company are those that are fighting for a cause or defending a belief. Whilst there are a number of obvious extremist groups such as terrorists or the extremist animal rights groups this could equally apply to less controversial areas where someone has a different opinion.
Disgruntled employees - So far I have mentioned attackers external to the organisation, however it is sometimes the case that the greater risk lies from employees within the organisation. These could already have authorised access to a computer, and already be inside the firewall. They could then use that access against the organisation and exploit other holes in the system. Whilst these people can have different motives one of the most obvious is for someone that has been fired, disciplined or who is not satisfied with their current standing in the organisation. Defending against the internal employee can be more challenging as methods need to be found to limit access without preventing others for performing their job. To tighten up security to the point where employees cannot do their job properly is an indirect Denial of Service.
Unintentional user error - Whilst normal users may not be trying to cause any damage to the system it's possible that they could cause some accidental damage to data. By limiting a users access user errors can be contained to a reasonable extent. This could be in the form of a programming error as well as incorrectly typing instructions into a program.
There are a number of different types of attacks that take place. These may be different depending upon the services you offer or the type of attacker that is targeting you. These are areas that are looked at later to determine methods of protection. This list is not intended to be a complete list however it does give an idea of what areas to focus your attention on. New methods are still being developed and a security administrator has to ensure that they don't get left behind.
Reading data - Typically associated with espionage or theft, computer systems often contain information that needs to be kept confidential or secure. This could vary from emails discussing the price of a bid for a project to personal information or bank details. The disclosure of this information could severely damage the company or have legal implications. In the UK the storing of personal data is covered by the Data Protection Act (1988). The principle of the act states that personal data shall "Be surrounded by proper security." See http://www.dataprotection.gov.uk/ for more details.
Changing data - Potentially even more serious is that an attack could gain sufficient access to be able to update data. This could be for sabotage, as a means of discrediting the organisation or leaving a calling card. One of the biggest risks is that data could be modified and not noticed. The cases that tend to get a high profile in this area are where attackers replace web pages with their own modified versions.
Denial of service - Denial of Service (DoS) attacks are where the attacker disables, or makes unusable the services provided by the system. An earlier DoS attack was the "Ping of Death". By creating a ICMP echo command that was larger than the maximum allowable size a computer could be made to fail. In fact this vulnerability was found to exist on Windows Vista, ten years after the bug was originally fixed in the earlier versions of Windows (http://www.v3.co.uk/v3/news/2249151/ancient-flaw-hits-vista) . Many of the DoS attacks in the past were addressed by fixing bugs there is a more problematic threat known as Distributed Denial of Service. The first well known example was the attacks against Altavista and Yahoo in early 2000, but similar attacks have be launched against various sites including Twitter during 2009, and more recently against sites responsible for filtering Pirate Bay and other file sharing sites. The distributed Denial of Service attack works by the attacker, or more likely attackers, planting trojan horses on lots of different machines. When these trojan horses are triggered simultaneously they mount an attack directly against a single system. The combined effect of thousands of simultaneous attacks prevents the system from operating. This form of attack is getting more and more sophisticated and security administrators are devoting more resources to tackling this kind of problem.
Access to computer - Whilst for some systems you may allow other users onto your system sometimes these user accounts could come under attack. The computer may not contain any confidential material and the user may not be able to write to any data however they could still use your system to cause damage. If someone manages to attack a computer that borders between a secure and insecure network then they could use your machine as a method of traversing between the two networks. Another technique to use your computer to attack another is in the distributed denial of service. The attacker could plant a Trojan horse on your computer so that when triggered it attacks another computer. This could be potentially embarrassing if someone found that systems belonging to your organisation were used to commit one of these crimes. Indeed it could even look as though it was someone from inside your organisation that perpetrated the crime.
The first generation of hackers were typically intelligent people with a great deal of understanding of how computers work. They could identify bugs in systems and then use their knowledge of computers to exploit the bug. Whilst there are still a lot of hackers that can do this there is also another type of attacker that waits until someone else has found a way into a computer and then uses the same technique. They can just take programs and scripts written by hackers and run them against systems hoping to find a way in. I have not referred to them as hackers as they do not have the knowledge of computers to back up their curiosity, they are sometimes referred to as "Script Kiddies" (regardless of their actual age). Here is a list of some of the techniques used to gain access. This purely gives an idea of some of the methods used and does not list all the available methods.
Password guessing - Some systems or services may have default passwords when they are installed. Some attackers will just try some standard user names and passwords in the hope they will be lucky and find a easily guessed password. Some people may set the password to be the same as the user name which is one of the standard things the person will try. This method relies on users or administrators not using secure passwords.
Social engineering - This technique works by working on the failings of people rather than the insecurity of computers. One technique is to phone a help desk pretending to be an employee and trying to get them to give you the password over the phone. It is also possible the other way around pretending to be a system administrator and asking the user for their user name and password. Another technique, known as shoulder surfing, is where the attacker would stand behind someone whilst they typed their password into the keyboard, watching what keys are pressed. These are techniques that depend upon the security training (or rather lack of it) that the employees have.
Trojan horses - Trojan horses are programs planted in a computer which appear to be harmless. These could be left by another user of the system or placed on a previously hacked site that is used to distribute software, they could also be sent as E-mail pretending to be a useful tool or fun game. When a trigger is activated then the hacker can gain access to computer or get the program to run a certain command.
Virus - A virus is a programs designed to self replicate itself. These may have a malicious pay-load that is run to compromise the system in question.
Software bugs - If software has not been written correctly there are sometimes bugs that can lead to a security exposure. One example is that a program designed to handle a certain amount of data can be broken by bombarding it with too much data. This is sometimes done by overrunning the buffers with data causing data to be stored in memory not allocated for that purpose. This could result in the system crashing (e.g. the Ping of Death) or in a trusted program providing access to the system.
Address spoofing - In trusted environments it is sometimes configured that other computers known to be safe are allowed access to that computer without any further authentication. Whilst this makes administration easier it does have potential problems in that another computer could masquerade as one of these trusted computers. By configuring a computer with the same IP address as a trusted one, which is down or has been forced down, the attacker would have access to other systems the same as if they had been given official access on the trusted server. In a lot of environments it is therefore considered to be bad practice to enable services that rely on these trusted computers.
This is by no means a comprehensive list of methods however it does give an idea of areas that computers can be vulnerable.
Increasing the level of security of a system will often involve adding barriers to the legitimate users of the system. This can take many forms including limiting how users can access a system, changing how the system responds to forgotten passwords or by reducing the performance of a system. It also involves a lot of additional work for the system administrator and security expert.
To decide on the appropriate amount of security to apply you first need to identify the risks and the extent of the damage that insufficient security would cost the business. The cost in breach of security may take the form of lost business, additional cost incurred or damage to the company reputation. Assessing the risks in this way a picture can be generated as to what level of security is appropriate.
The security requirements need to be considered across all the different environments and systems covered by the organisation. This may mean expecting certain standards from other companies who may host part of your computing services or who provide a service on which you are reliant.
Part of the security policy should also identify any systems that are more vulnerable and therefore need a higher level of security than others. Whilst in the ideal world every system would be completely secure and safe from attack this is not the case in reality. The resources required and the effort involved in trying to secure all systems to the same level may leave exposures or cause such an impact as to prevent the system operating correctly.
An example of how different systems can be categorised is shown below. In this scenario each system is categorised under three headings. These are red for high risk, yellow for medium risk and green for minimum risk. These may be very different depending upon the requirements of your organisation.
|Red - High Risk||Yellow - Medium Risk||Green - Low Risk|
|Internet web server||Intranet web servers||Users personal computers|
|Firewalls||Internal database servers||Print servers|
|Secure servers||Non-essential services
(e.g. messaging systems)
|Payroll / financial systems|
The red high risk systems are firstly those that customers will see such as the Web Server; those that protect the internal networks from the external networks such as firewalls (see later for details); those carrying sensitive information such as the Secure Servers and any systems that hold information that could damage the company if they were released such as the payroll and financial systems.
The yellow medium risk systems are those on which the business relies however are not accessible to the general public. These are usually internal servers that are protected from outside of the company network by firewalls. The systems under this category should still be considered a high risk if a business function is completely reliant upon them. For example a call receipt desk that handles customer orders would be unable to operate if it could not access the order system.
The green low risk systems are those where an attack would only have limited effect. For example a PC on a single persons desk, a print server; or a service that the organisation does not depend upon to continue to function, e.g.. a peer to peer messaging system that in the event of failure could be bypassed by using the telephone. When systems are put into the low risk category then the overall risks must be considered. For example do users PC's contain confidential material, in which case that computer may need to be graded a higher risk than one used for less important data. Another factor to be considered is that if someone was able to break into a print server or personal computer could they then use this to inflict more serious damage?
These categories must also be used in conjunction with the organisations security policy (see later). As an example you may decide that because of confidential information stored on a users laptop computer you really want to upgrade this to a medium risk, however the security policy states that all medium risk systems must be stored in a secure room with no user access except when the system needs repair. By putting the laptop in the medium risk category you have just removed it's usefulness as a portable system, indeed the user may not even have access to it. Therefore a degree of flexibility needs to be included when the risk analysis is performed, or by including sufficient flexibility within the company policy. For example an exception could be made to allow laptops to be taken out of the office as long as they had data encryption.
After identifying which systems are at risk, it is also important to consider what the risks to that system are. This should be achieved by considering the impact of the different types of attacks. I have used an example below of some of the high risk systems to determine the impact of different types of attacks. These are shown in the table below:
|Web server||Firewall||Secure servers||Payroll / financial|
|Denial of service||High||High||High||Medium|
|Normal user login||Low||High||High||High|
As you can see from the table certain types of breaches can have a more damaging effect. Looking at the Web server someone being able to read data is pretty low as the data stored on the web server is generally available to anyone, however if someone was able to change the data or prevent the service from working (Denial of Service) then the impact, and reputation would be severely hit. On the firewall every type of breach can be serious as it could then be used to target a less secure system inside of the internal network.
The actual impact is also dependant upon the data for which they can read. It is obviously much worse if the user is able to read the information that is categorised as confidential (say for example in a secure part of the web server) than say a document giving directions to the location of the next social event.
By identifying the impact a better strategy can be developed on where to invest the available resources.
As well as identifying which systems hold any sensitive data the actual data itself should be categorised depending upon it's sensitivity. This is particularly useful in deciding which users on a system should be able to access what files. If you limit the access of individual users then this limits the damage that the user can do and if the userid becomes compromised limits the damage that the attacker can do.
More useful than categorising by sensitivity it is useful to group the data into similar access requirements. This is likely to be grouped by departments that handle a certain function.
Then against each of the categories it should be identified who should have what access. Once method of doing this is known as CRUD analysis. This is simply a case of:
Who can create the data?
Who can read the data?
Who can update the data?
Who can delete the data?
You may however set this up differently depending upon what policies are available with your system. You may be running an application that has a different authorisation model to the standard read, write, execute which is supported by the filesystem (eg. Lotus Notes or other database driven application).
This analysis can then be used to create groups with the appropriate access. This also has the advantage of making access easier to manage by associating users with groups rather than having to set-up authority on an individual basis.
Having analysed the security requirements in the previous section you can now set about work on your own security policy. It may involve writing a security policy from scratch or may be a case of looking to apply a mandated corporate security policy. Even where the security policy is already provided there may be additional steps that may be more appropriate to certain systems.
If you are creating your own security policy there are a number of factors you need to consider.
You should ensure that you have covered any of the principles Authorisation, Authenticity, Privacy / Confidentiality, Integrity, Non-repudiation and Availability as they apply to your system. Also consider how this is going to be implemented by the users and system administrators. If a security process is hard to implement or restricts someone from doing their job then you may find that the process gets ignored or is not complied with.
When setting up a security policy you should also consider how this can be enforced and audited.
There are a number of possible security exposures on any computer. Whilst it is practically impossible to fully secure a computer whereby the computer can still fulfil a purpose there are a number of steps that can be carried out to minimise the exposures. These are often referred to as security holes or back doors which need to be closed.
There are also a number of steps that can be taken to try and identify if a machine is under attack or indeed if it has already been penetrated. By regular monitoring of suspicious activities then steps can be taken to limit any damage and to secure against further attack.
Most physical security principles are fairly obvious. If physical access is available to the computer then it's normally trivial to attack a computer by booting into a live CD and then accessing the local disk. Data can be protected from theft by encrypting the disk, but it may still be possible for someone to destroy the information instead.
All production servers should be kept in a secure machine room with restricted access, preferably using an electronic access system or manual key sign-out process to track the physical access. You may also need to consider physical monitoring such as CCTV monitoring (a requirement for PCI compliance).
As well as the obvious areas of physical access to a specific computer or server the physical access to the local area network should also be considered a physical asset to be controlled. Many internal networks implement DHCP for the allocation of IP addresses, which makes accessing a network as simple as connecting a portable computer to a network point; even where DHCP isn't available it's usually possible to monitor the network and find the required information that way.
The normal user authentication is based upon the user being able to provide the correct username and password. The username is not something that has to be kept secret as it is readable by anyone on the system however the password is encrypted and should only be known by the user. The algorithm used to encrypt the password is a one way password which cannot be reversed. Instead when a user enters their password it is encrypted using the same algorithm and compared against the original.
Traditionally in UNIX the password was kept in the /etc/passwd file which was readable by all users on the system. Modern Linux distributions use a shadow password file with restricted read permission.
The following extract shows how this is implemented.
The /etc/password file still contains username details however has an asterix (*) where the password should normally be:
root:!:0:0::/:/bin/bash daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp: guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/: lpd:!:9:4294967294::/: imnadm:*:200:200::/home/imnadm:/bin/bash stewart:!:1007:1007:Stewart Watkiss:/home/stewart:/bin/bash
Then the password is stored encrypted in the /etc/shadow file that can only be accessed by root or members of the security group.
The password shown above is actually the same as the username stewart. I have shown this as an example of how a username is encrypted so that it cannot be easily understood. This is a very insecure password, the password should NOT be the same as the username. If you try giving another username the same password as I've used it will almost certainly have a different encrypted password. The reason for this is that the lastupdate entry is also used in the encryption algorithm to produce unique passwords.
Obviously this is not a real password on my computer - so no need to try it.
It is important that the password file is kept secure, because although the passwords are encrypted it is possible to perform a dictionary attack against the encrypted passwords. These work by taking words from a dictionary and encrypting them as passwords and then comparing them against the password file. If there are any matches then the password is provided. These can be more sophisticated by replacing letters with numbers e.g. 1 instead of I etc. and by using different dictionaries the chance of getting the password is better. These programs are freely available two examples being "Crack" or "John the Ripper". These can be run by system administrators to ensure that people are using secure passwords. It is also possible to have the system check for insecure dictionary passwords when the password is created.
If you keep a computer off the network then the only security risk exists from people able to physically get access the the computer. Once you connect to a network it can potentially become a target for anyone or any computer around the world. When considering the security for a networked computer then we need to consider the security to prevent someone logging onto the computer, but also the security of data that is transmitted over the network.
One method of providing security is to separate the network that the computer resides on from other networks and in particular the Internet. This could be done by ensuring there is no physical routes to any other networks, but usually some form of Internet access is required. In this case a dedicated firewall can be used to provide separation from the more secure internal networks to the Internet.
A firewall uses a set of rules which determines which traffic is allowed to pass and in which direction. These are normally used to separate internal networks from external ones (such as the Internet or other business partners), but could also be used to separate different internal networks to prevent someone with access to one network form accessing another part of the company for which they are not authorised.
If using an internal wireless network then not only is there a risk of people accessing the network through a firewall, but the network signal itself could be intercepted or hijacked. This would allow someone to either see the traffic being passed over the network or impersonating an internal machine to bypass the firewalls.
This can be secured by implementing WPA wireless network encryption (note that the older WEP encryption is no longer considered to be secure) or by tunnelling network traffic through a secure connection such as by using VPN tunnelling software. The latter has the advantage that it will also provide protection when using a public network service such as that provided in hotels and wireless hotspots.
If using unsecured protocols such as telnet and FTP the passwords are sent unencrypted across the LAN. It can be possible for someone with a sniffer or LAN trace tool on the LAN to see these unencrypted passwords. If using unsecured network protocols then additional physical security may be required against network ports and restrictions on where that traffic may be routed. In some cases the better option is to switch to a protocol with built in security such as ssh, which encrypts any data transmitted.
Another form of protection is to secure the computer by blocking certain network access based on limiting running protocols (disabling services), blocking inbound connections (using the personal / in-built firewall), by configuring the network protocols to restrict access (eg. By IP address or by blocking certain users from remote logins) or by adding additional restrictions using other software (eg. Tcpwrappers).
Running Windows on a computer and anti-virus software is a must to protect against viruses and spyware software. In the Linux world there are currently no active viruses "in the wild". This may change in future, but for now there is no significant immediate risk to the local machine from viruses. There is however a risk that a Linux machine could harbour a virus that could get inadvertently passed onto others whose choice of operating system is at higher risk of viruses. It is therefore recommended to run an anti-virus at least on an occasional basis to provide some level of security for those using other operating systems. There are a few different anti-virus packages available either for free or available to purchase.
If using open protocols such as telnet and FTP the passwords are sent unencrypted across the LAN. It can be possible for someone with a sniffer or LAN trace tool on the LAN to see these unencrypted passwords. If using open network protocols then additional physical security may be required against network ports and restrictions on where that traffic may be routed.
In many instances it is possible to change to a different more secure protocol. For example the ssh suite of programs (ssh / sftp) can be used to replace telnet and FTP. SSH uses encryption to prevent anyone from sniffing either the password or the data being passed over the connection.
Another way of providing additional security when using less-secure networking protocols is to encapsulate the information over secured network tunnels. This can be done using VPN software or hardware, or by using ssh to establish a tunnelled connection. If you are creating the VPN connection using a dedicated hardware solution (VPN Gateway) you need to consider whether the traffic can be sniffed in the network between the computer and the VPN gateway.
All significant software has bugs. It's a fact of life.
When a bug is found, especially where security related bugs are concerned, then a fix (or patch) is often provided to fix that bug. These can usually be downloaded using the Software Update checker included in most Linux distributions. If software is installed form unsupported repositories or outside of the normal software installation process then the system administrator is usually responsible for ensuring patches are up-to-date and may need to follow bug reporting information as well as performing manual updates as required.
Once the computer has been secured then it should be tested to see if there are any unplanned potential exposures. This can taken the form of network port scanning and/or dedicated security software that can fully analyse a system from both local software and networking aspects. The practice of testing access is called penetration testing. Tools for security testing are available as either open-source or closed-source proprietary software.
A popular open-source network scanner is Nmap, which can be used over the network to show network vulnerabilities.
You should only use penetration testing tools on systems that you are authorised to. Running these against other systems could be a considered a criminal act.
This has explained the different factors that need to be considered when working on a security solution for a Linux system. Although the names of some tools have been included it has not gone into the details of how to configure the tools or what changes should be made to the system to lock out potential attackers. Having worked through this information it should be possible to work out a plan on which areas to focus resources and provide enough background knowledge as a platform for further research.