Division of IT: Security
Best Practices: Unix Systems
Remove or disable all unused services
- This should be the first thing that happens before a machine is connected to a network. Most Internet (TCP and UDP) and RPC services are started from inetd (or xinetd); the rest are started by the system's rc scripts. To disable inetd services, comment out their entries in /etc/inetd.conf and send inetd a SIGHUP so it rereads the file; for xinetd, disable the service in /etc/xinetd.conf or in its file under /etc/xinetd.d/ and restart xinetd. Afterwards confirm with netstat that nothing unexpected is still listening.
Enable logging to a remote, secure, syslog server
- In the event of a compromise, many attackers attempt to cover their tracks by tampering with system logs (found in /var/adm or /var/log). Configuring syslog to send events to a remote machine as well preserves a copy for later review and allows early detection of events, because an intruder who can edit the local files cannot reach the remote copy. The log server must be hardened at least as well as the machines logging to it: traditional syslog over UDP is neither authenticated nor encrypted, so it should accept messages only from known hosts on a trusted network. Monitor these logs for suspicious or irregular activity (repeated failed logins, logins at odd hours, unexpected su to root). You should check your logs a minimum of once a week.
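- The two halves of this item, as an added example that is not part of the original page: the classic syslog.conf line that forwards everything to a remote host, and a review pass over authentication log lines that counts failed logins per source address. The host name loghost.example.edu and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Part 1 prints the syslog.conf
# entry that forwards all events to a remote log host; part 2 reviews sshd
# log lines for repeated login failures. Host name and log lines are constructed.

# syslog_forward_line HOST -> the /etc/syslog.conf entry to add on each client.
# A single leading "@" is classic syslogd's remote-host syntax (UDP port 514).
# Keep local logging as well: a mismatch between local and remote copies is
# itself evidence of tampering.
syslog_forward_line() {
  printf '*.*\t@%s\n' "$1"
}

# failed_logins < authlog -> "count source" lines, highest count first.
# Matches sshd's "Failed password" message, which covers "invalid user" too.
failed_logins() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") src[$(i+1)]++
       }
       END { for (s in src) print src[s], s }' | sort -rn
}

# flag_bruteforce THRESHOLD < authlog -> sources with at least THRESHOLD failures
flag_bruteforce() {
  failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of /var/log/auth.log (or /var/adm/messages) lines.
SAMPLE_AUTHLOG='Mar  3 02:14:07 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 4021 ssh2
Mar  3 02:14:09 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 4021 ssh2
Mar  3 02:14:12 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  3 02:14:15 web1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.9 port 4023 ssh2
Mar  3 08:01:44 web1 sshd[2410]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 08:01:51 web1 sshd[2410]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 09:30:02 web1 su: pam_unix(su:session): session opened for user root by alice(uid=1000)'

syslog_forward_line loghost.example.edu
printf '%s\n' "$SAMPLE_AUTHLOG" | failed_logins
printf '%s\n' "$SAMPLE_AUTHLOG" | flag_bruteforce 3
```

- In the sample, alice mistyped her password once and then logged in, which is normal; 203.0.113.9 failed four times against root and two guessed account names within ten seconds, which is what the weekly review should catch. Run the same pass on the remote copy, not only the local one.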
Disable telnet and authenticated-ftp access, instead rely on SSH
- Sniffing passwords off the network is easy: telnet and FTP send user names and passwords in clear text. SSH encrypts the whole session (scp and sftp replace ftp for file transfer), and modern desktop and server machines have more than enough CPU to use SSH (or other encrypted protocols) for all access to resources over untrusted networks.
- http://www.openssh.org/ and http://www.ssh.com/ - Secure Shell resources
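- The inetd change described under "Remove or disable all unused services" and the telnet/ftp removal above come down to the same edit, so one added example (not from the original page) covers both: it rewrites an inetd.conf so that every service not on an explicit allow-list is commented out, then lists what is still enabled. The inetd.conf content is constructed; the real file is /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original page. Comments out every inetd.conf
# service except those on an allow-list (telnet and ftp are the usual
# casualties) and reports what remains enabled. Sample config is constructed.

# harden_inetd "svc1 svc2" < inetd.conf > hardened.conf
# Comment and blank lines pass through; other lines survive only if their
# service name (first field) is on the allow-list.
harden_inetd() {
  allowed=" $1 "
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) printf '%s\n' "$line"; continue ;;
    esac
    svc=$(printf '%s\n' "$line" | awk '{ print $1 }')
    case "$allowed" in
      *" $svc "*) printf '%s\n' "$line" ;;      # keep
      *)          printf '#%s\n' "$line" ;;     # disable, leaving a record
    esac
  done
}

# list_enabled < inetd.conf -> sorted names of services still active
list_enabled() {
  grep -v '^[[:space:]]*#' | awk 'NF { print $1 }' | sort -u
}

# Constructed sample /etc/inetd.conf with the typical clear-text services.
SAMPLE_INETD='# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
rstatd/1-3 dgram rpc/udp wait root  /usr/sbin/tcpd  rpc.rstatd
ident   stream  tcp  nowait  nobody /usr/sbin/identd identd -e'

# Keep only ident; everything else, telnet and ftp included, gets commented out.
hardened=$(printf '%s\n' "$SAMPLE_INETD" | harden_inetd "ident")
printf '%s\n' "$hardened"
echo "still enabled:"
printf '%s\n' "$hardened" | list_enabled
```

- On a live system run this against a copy of /etc/inetd.conf, review the result, install it, and send inetd a SIGHUP so it rereads the file. With xinetd the equivalent is setting "disable = yes" in the service's file under /etc/xinetd.d/ and restarting xinetd. Either way, finish by checking with netstat that the ports are actually closed; sshd runs as a standalone daemon, not from inetd, so it is unaffected.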
Make use of MD5 and shadow password facilities
- Store password hashes in /etc/shadow rather than in world-readable /etc/passwd, and use MD5 (or stronger) crypt instead of the traditional DES crypt, which truncates passwords to eight characters and is cheap to brute force. Better yet, deploy Kerberos, so that passwords are not sent over the network during authentication at all. This helps ensure that user accounts are not compromised through weak password storage or settings.
- http://web.mit.edu/kerberos/www/ - MIT Kerberos
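- An added check for this item (example code, not from the original page): it audits a shadow file for accounts with no password or with a legacy DES hash, and a passwd file for hashes that were never moved to shadow. The file contents below are constructed; on a real system read /etc/shadow as root and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original page. Flags weak password storage in
# shadow/passwd files. All sample entries are constructed.
#
# Hash field conventions checked:
#   empty             no password at all (login succeeds with an empty password)
#   "*" or "!" ...    locked, password login impossible
#   "$1$"             MD5 crypt, the minimum this page asks for
#   "$5$" / "$6$"     SHA-256 / SHA-512 crypt, preferred where supported
#   "$2..."           bcrypt on BSD-derived systems
#   13 characters     traditional DES crypt, weak

# audit_shadow < shadow -> one "user: problem" line per finding
audit_shadow() {
  awk -F: '
    $2 == ""                 { print $1 ": EMPTY password field"; next }
    $2 ~ /^[*!]/             { next }      # locked or disabled
    $2 ~ /^[$](1|5|6)[$]/    { next }      # MD5 / SHA-256 / SHA-512 crypt
    $2 ~ /^[$]2/             { next }      # bcrypt
    length($2) == 13         { print $1 ": legacy DES crypt hash"; next }
    { print $1 ": unrecognised hash format " substr($2, 1, 4) }
  '
}

# unshadowed_passwd < passwd -> users whose hash still sits in /etc/passwd
unshadowed_passwd() {
  awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print $1 }'
}

SAMPLE_SHADOW='root:$6$saltsalt$WkqQx4Mn0pLz3vT1bC9rHe7uYj2sF5gA8dK6oP0iN4mV1xZ7cB3qR9tU2wL5yS8hJ0eG6aD4fX1kO3nM:19000:0:99999:7:::
alice:$1$Xy7Bq$4kQmT9vL2pR8sW3nZ6bH1.:19000:0:99999:7:::
bob:AbCdEfGhIjKlM:18000:0:99999:7:::
guest::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!:18000:0:99999:7:::'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
carol:AbCdEfGhIjKlM:1002:1002::/home/carol:/bin/sh
nobody:*:65534:65534::/nonexistent:/sbin/nologin'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_passwd
```

- Expect bob (DES hash, set before the MD5 switch) and guest (empty field) from the shadow audit and carol from the passwd check. Accounts like bob keep their old hash until the user next changes the password, so switching the system to MD5 is not complete until every such account has been forced through a password change.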
Setup and test backup and restore procedures
- Ensure that nightly backups are happening. Double-check that data can actually be restored from tape when needed; a backup that has never been restored is untested. If you can, also keep an off-site copy (or tape) in case the worst happens.
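- A restore test, as an added example (not from the original page): the backup is read back into a scratch directory and every file is compared against a checksum manifest taken at backup time, so "the tar command exited 0" is not mistaken for "the data is recoverable". The directory tree is constructed in a temporary directory; in production the source is the real tree and the archive is the tape or backup file.

```shell
#!/bin/sh
# Added example, not from the original page. backup_tree archives a directory
# and records a sha256 manifest; verify_restore extracts the archive elsewhere
# and checks every file against the manifest. Paths are constructed.

# backup_tree SRC ARCHIVE -> creates ARCHIVE and ARCHIVE.sha256
backup_tree() {
  tar -C "$1" -cf "$2" . || return 1
  ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2.sha256"
}

# verify_restore ARCHIVE -> 0 only if every file restores with its recorded hash
verify_restore() {
  manifest=$(cd "$(dirname "$1")" && pwd)/$(basename "$1").sha256
  scratch=$(mktemp -d) || return 1
  tar -C "$scratch" -xf "$1" || { rm -rf "$scratch"; return 1; }
  ( cd "$scratch" && sha256sum --quiet -c "$manifest" ) >/dev/null 2>&1
  rc=$?
  rm -rf "$scratch"
  return $rc
}

demo=$(mktemp -d)
mkdir -p "$demo/src/etc"
printf 'PermitRootLogin no\n' > "$demo/src/etc/sshd_config"
printf 'hello\n' > "$demo/src/notes.txt"

backup_tree "$demo/src" "$demo/nightly.tar"
verify_restore "$demo/nightly.tar" && echo "nightly.tar: restore OK"

# Simulate a damaged tape: a truncated archive must fail the restore test.
head -c 100 "$demo/nightly.tar" > "$demo/damaged.tar"
cp "$demo/nightly.tar.sha256" "$demo/damaged.tar.sha256"
verify_restore "$demo/damaged.tar" || echo "damaged.tar: restore FAILED (expected)"
rm -rf "$demo"
```

- Keep the manifest with the off-site copy rather than only on the machine being backed up; if the host is compromised, the manifest is the one record of what the files looked like before.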
Enable file-system protection
- Use restrictive mount options on partitions that would not normally hold executables. At minimum, mount user home directories (and /tmp, /var) so that set-uid binaries are ignored and device nodes are not honoured (the nosuid and nodev options); where nothing legitimately runs from the partition, refuse execution altogether (noexec).
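- The fstab entries this item describes and a check that reports partitions missing them, as an added example (not from the original page). The device names, mount points and expected option list are constructed; adjust the list to the partition layout of the machine.

```shell
#!/bin/sh
# Added example, not from the original page. Lists the options each
# non-executable partition should carry and reports what the fstab lacks.
# Device names and the sample fstab are constructed.
#
#   nosuid  ignore set-uid/set-gid bits on files in this filesystem
#   nodev   do not honour character/block device nodes
#   noexec  refuse to execute binaries (not for / or /usr)

# Policy: "mountpoint:opt,opt" per line. /home and /var must not run
# set-uid programs or carry device nodes; /tmp additionally must not run
# anything at all.
EXPECTED='/home:nosuid,nodev
/tmp:nosuid,nodev,noexec
/var:nosuid,nodev'

# has_opt OPTLIST OPT -> 0 if OPT appears in the comma-separated list
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# check_mounts < fstab -> "mountpoint: missing opt" lines; silent when compliant
check_mounts() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    set -- $line                          # device mountpoint type options dump pass
    mnt=$2; opts=$4
    printf '%s\n' "$EXPECTED" | while IFS=: read -r want_mnt want_opts; do
      [ "$want_mnt" = "$mnt" ] || continue
      old_ifs=$IFS; IFS=,
      for o in $want_opts; do
        has_opt "$opts" "$o" || printf '%s: missing %s\n' "$mnt" "$o"
      done
      IFS=$old_ifs
    done
  done
}

SAMPLE_FSTAB='# constructed sample /etc/fstab
/dev/sda1  /      ext3  defaults                 1 1
/dev/sda2  /home  ext3  defaults,nosuid,nodev    1 2
/dev/sda3  /tmp   ext3  defaults,nosuid          1 2
/dev/sda4  /var   ext3  defaults                 1 2
proc       /proc  proc  defaults                 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | check_mounts
```

- In the sample, /home is correct, /tmp lacks nodev and noexec, and /var lacks both nosuid and nodev. A changed fstab line takes effect on the next mount; "mount -o remount,nosuid,nodev /home" applies it to a live system, and the mount command (or /proc/mounts on Linux) shows what is actually in force, which is what should be checked after any remount or reboot.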
Make use of Tripwire
- After installing the basic operating system on the machine from a trusted source, and before it goes on the network, install Tripwire and take its baseline. This gives a known-good record against which modified, added or removed files can be detected in the event of a break-in. Store the database (and the key used to sign it) where the machine itself cannot rewrite it, such as read-only media or another host; a baseline an intruder can update is worthless. Remember to be proactive about reading the output that Tripwire produces.
- http://www.tripwire.org/ and http://www.tripwire.com/ - Tripwire resources. You should check reports and update the database every two weeks.
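- What Tripwire automates, reduced to its core as an added example (not Tripwire's own code, and not from the original page): take a checksum baseline of every file right after install, keep it off the host, and later diff the live tree against it to list added, removed and changed files. sha256sum stands in for Tripwire's signed database; the directory tree and the intruder's changes are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. A minimal file-integrity
# baseline/check pair in the style of Tripwire; directories are constructed.

# baseline DIR DBFILE -> records the sha256 of every regular file under DIR
baseline() {
  ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# check_integrity DIR DBFILE -> prints "added|removed|changed PATH" lines,
# sorted; returns 0 when the tree matches the baseline, 1 otherwise.
check_integrity() {
  now=$(mktemp) || return 1
  baseline "$1" "$now"
  # Each manifest line is "hash  path"; index both files by path and compare.
  diffs=$(awk '
    NR == FNR { base[$2] = $1; next }                 # first file: stored baseline
    { cur[$2] = $1 }                                  # second file: current state
    END {
      for (p in cur)  if (!(p in base)) print "added " p
      for (p in base) if (!(p in cur))  print "removed " p
      for (p in base) if ((p in cur) && cur[p] != base[p]) print "changed " p
    }' "$2" "$now" | sort)
  rm -f "$now"
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Constructed mini system tree, baselined "right after install".
root=$(mktemp -d)
mkdir -p "$root/bin" "$root/etc"
printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$root/bin/ls"
printf 'root:x:0:0::/root:/bin/sh\n'    > "$root/etc/passwd"
baseline "$root" "$root.db"             # in practice: copy the .db off-host now

# Later, an intruder trojans ls and adds a uid-0 account and a preload file.
printf '#!/bin/sh\nexec /tmp/.x "$@"\n'  > "$root/bin/ls"
printf 'toor:x:0:0::/:/bin/sh\n'         >> "$root/etc/passwd"
: > "$root/etc/ld.so.preload"

check_integrity "$root" "$root.db" || echo "integrity check FAILED"
rm -rf "$root" "$root.db"
```

- The check reports "added ./etc/ld.so.preload", "changed ./bin/ls" and "changed ./etc/passwd". Because a trojaned binary could also trojan sha256sum or find, the real tool and its database should run from trusted media when a break-in is suspected; that is the same reason Tripwire signs its database.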
Make use of Port-Sentry and TCP Wrappers
- Restrict which hosts may talk to which services. TCP Wrappers (tcpd, controlled by /etc/hosts.allow and /etc/hosts.deny) accepts or refuses connections to inetd-launched and libwrap-aware services by client address and logs the refusals; PortSentry watches ports that should have no traffic and reacts to scans.
- ftp://ftp.porcupine.org/pub/security/index.html - tcp_wrapper and other security tools
- Make use of iptables (in lieu of PortSentry and in addition to TCP Wrappers) to disable inappropriate incoming and outgoing network traffic more precisely and thoroughly: a packet filter covers every service, not only wrapped ones, and can also stop an intruder's outbound connections. http://www.cites.uiuc.edu/wsg/talks/iptables/
Subscribe to vendor security lists
- Subscribe to security announcement lists from the vendor of your operating system. Subscribe to well known security lists such as Bugtraq. This will help you to keep up with current vulnerabilities and issues that your UNIX system could be susceptible to.
- http://www.securityfocus.com/ - Home of Bugtraq and its archives.
Use the force and read the source
- When possible, install applications from source code releases, and verify the downloaded release against the checksum or signature the project publishes before building it. Read over the source code to gain an understanding of how it does what it does, and of what it touches on the system.
Apply patches immediately when they become available
- For the operating system, apply patches as soon as they are released. Once a vulnerability is disclosed, it isn't long before exploits for it start making their way around. When possible, first test patches on a non-production (backup) system to check compatibility, and ensure that the applications on the box continue to function once the patches are applied.
Additional services running on your system may require special attention. If you have questions or concerns about specific security issues, contact isam@missouri.edu for assistance.