Linux security guide Part-1


Hi guys, I’ve decided to write up a brief series of articles on how you can monitor your Linux box and check whether it has been compromised. This guide will be brief, straight to the point and geared towards beginner Linux users. It will also state some of the best practices and some good prevention methods that can be used to reduce the security risk of your Linux box.

Note:  This guide will be generic and applicable to all Linux distros. I will not bother going into the details on how you can install a particular utility for your distro since there are probably a thousand distros out there. Also the commands that are meant to be executed in terminal are written in bold letters and enclosed in quotes.

First of all, security is a pretty broad term and there are many aspects to it, so it’s not practical for me to cover everything in a single guide. Thus I’ll just focus on the important parts and assume that you are at least comfortable with the command line and know the basics of Linux. So, let’s get started.

Network:

So first of all we need to monitor our network since from a security perspective, it’s the first thing that comes to mind when we think about a computer connected to the Internet. We have several command-line utilities that can be used, I’ll just stick to some of my favorites for now.

1) Closing unused services/ports and scanning with Nmap

Nmap is an excellent tool to scan our own computer. We can see what ports and services are open, and whether there are any back-doors listening for remote connections. Install nmap from your package manager, and keep reading.

We can do a basic scan on our own computer by typing the following commands below.

To scan for open ports type: “sudo nmap -sS -p 1-65535 -v localhost”

To scan for services running on open ports, type: “sudo nmap -A -p 1-65535 -v localhost”

The commands above scan for open ports and services; you should see something like this:

Note that in my case there are two open ports: 631 and 10000.

The service ipp is “Internet Printing Protocol” which is used for printing related tasks; I can leave that open since occasionally I do use a printer, etc.

As for port 10000, it’s a firewall (Shorewall) running with a front-end called Webmin. Webmin and Shorewall are a great combination that you may want to check out, but for now we’ll just skip that part.

Once you’re done with the scan, you may find a lot of services like cups, avahi-daemon, etc. running on your system. There’s no need to start panicking right now, since some of them are usually installed by default on distros like Ubuntu. If you’re not using a particular service, I would definitely recommend that you remove it since it may pose a security risk in the future.

Consult your distro’s documentation or do a quick search on Google to find out how you can add/remove services specific to your distro. Again for knowing what a particular service is related to and whether you should consider removing it, Google is your best friend.

Let me give an example related to Sabayon Linux (Gentoo based distro):

To remove a service: “rc-update del <service name> default”

To add a new service: “rc-update add <service name> default”

For example if you want to remove avahi-daemon, you can type: “rc-update del avahi-daemon default”

Also in case you want to directly add/remove a particular service you can do something like this:

# Command below lists the scripts/services that are available, not necessarily active

ls /etc/init.d/

# The command below stops a particular service – cupsd

/etc/init.d/cupsd stop

Note that the “stop” keyword stops the service; you can also use other keywords like “status” or “start” to check the status of the service and start it, respectively.

Obviously I expect you to have root-level privileges to successfully carry out the commands.

Closing unused services and open-ports can dramatically reduce the security risk of your Linux box. The more services and open ports you have running, the greater the risk of a security breach.
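To make the “review your scan, then decide what to remove” step concrete, here is an added example (my own, not from the original post) that reads nmap output and flags two things: open ports you did not plan for, and ports nmap can see that the box’s own socket listing does not show. Both the nmap output and the socket listing are constructed samples; the listing is assumed to be in the format of “ss -lntu”, and the 631/10000 values mirror the scan described above.

```shell
#!/bin/sh
# Constructed sample of nmap output for localhost (not the author's screenshot):
NMAP_SAMPLE='Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
631/tcp   open  ipp     CUPS
10000/tcp open  http    MiniServ (Webmin httpd)'

# Constructed sample in "ss -lntu" format: the listening sockets the box reports about itself.
SOCKET_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*'

# Print "port/proto service" for every port nmap reports as open (stdin = nmap output).
nmap_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# Print the open ports that are NOT in the allowlist given as $1 (space-separated "port/proto").
# Anything printed is a service you did not plan for: find out what it is, remove it if unused.
unexpected_ports() {
    nmap_open_ports | while read -r port svc; do
        case " $1 " in
            *" $port "*) ;;          # expected, say nothing
            *) echo "$port $svc" ;;  # not on the allowlist
        esac
    done
}

# Print the port numbers from a socket listing in ss -lntu format ($1 = the listing text).
# The port is whatever follows the last colon, which also copes with "[::]:631".
socket_ports() {
    printf '%s\n' "$1" | awk '$2 == "LISTEN" || $2 == "UNCONN" { n = split($5, a, ":"); print a[n] }'
}

# Ports nmap sees open that the local socket listing does not show at all.
# Empty output is what a healthy box looks like; a port only nmap can see means the
# local tools are not telling you the whole story and the box deserves a closer look.
hidden_listeners() {
    nmap_open_ports | cut -d/ -f1 | awk -v socks="$(socket_ports "$1" | tr '\n' ' ')" '
        BEGIN { n = split(socks, s, " "); for (i = 1; i <= n; i++) seen[s[i]] = 1 }
        !($1 in seen) { print $1 }'
}

# Review of the constructed samples: 631 (ipp) is expected, so only Webmin on 10000 is reported,
# and every port nmap found is also visible locally, so the second check prints nothing.
printf '%s\n' "$NMAP_SAMPLE" | unexpected_ports '631/tcp'
printf '%s\n' "$NMAP_SAMPLE" | hidden_listeners "$SOCKET_SAMPLE"
```

On a real box, replace the two samples with “sudo nmap -sS -p 1-65535 localhost” and “ss -lntu” output and keep the allowlist to the services you consciously decided to run.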

This concludes the tutorial for today. I have decided to write the entire guide in parts since I don’t have the time to write everything in a day. If this guide interests you then consider subscribing to my blog through RSS or email, whichever is convenient. The next part will focus on network again (we still have a lot to talk about) and I’ll discuss other network monitoring tools, so see you soon!


5 Comments

  1. Nice start to securing Linux box 😉

    Also to find out ALL of the network services I advise you to scan all 65535 ports, since a backdoor might be listening on some high port not scanned by nmap which by default only scans 1000 ports.

    So do: nmap -sS -p1-65535
    or: nmap -A -p1-65535

    Also you can add: netstat -nltup to list all the services which are listening on udp and tcp ports and also get their PID and process name.

    Also: netstat -ntup , to list all the connections, as you might have reverse connection backdoors.

    netstat can be not that reliable if your box is already compromised (the attacker can replace netstat with his own netstat to hide connections), so nmap is a good way to go.

    Also maybe analyze some traffic via wireshark or tcpdump tools to see if any very hidden connections are in the system.

    • Thanks once again S3my0n, that’s a very informative post. I’ll update the post so that Nmap scans all ports, for some reason I left that out.

      As for usage of other utilities like netstat, lsof, tcpdump, htop, iftop, iotop I have plans on including those in the next tutorials as I didn’t have enough time to write about them on the first part.

      I really appreciate you helping me out with my posts, thanks a lot S3my0n ^^

  2. Scanning localhost from your own connection isn’t the best idea really. Most likely, if you have a firewall, you can access some ports internally that are not available outside of your LAN. You really need to scan your IP address from outside your LAN to see what is accessible and viewable by the outside internet. Other than that, good tips 😀

  3. Thanks for your suggestion, what you said is correct but this guide has yet to be finished.

    I’m aware of some good online based firewall testers like “Shields up” but I didn’t have the time to finish writing the guide in depth.

    I can assure you I’ll put up the effort to complete it with in the next few months 🙂

  4. No problem 😉 Just figured I’d add my 2 cents. If you use something like nmap with tor and scan the actual public IP address of your system, then it will show the results how they look to the outside world, I believe.
