Five minutes to a secure Linux system

by on October 18, 2005 · 4 comments· LAST UPDATED September 3, 2008

You must be thinking that I'm kidding. Nope, I'm not. Let me explain. After installing Linux, the first thing you should do is turn off all services and deny all incoming traffic until you have configured the box securely.

But why...?
A default installation can run many nonessential services, and each of these services can turn into a security risk. Do not set yourself up for embarrassment: it would be a shame if a cracker used your server before you or your customer/client did :P The best defense is to turn off all unwanted services until you have applied all patches and set up firewall rules :).

Rule # 1, Stop unwanted services as soon as you boot the server
For example, stop the inetd or xinetd service:

# /etc/init.d/inetd stop
# /etc/init.d/xinetd stop

Or, Red Hat Linux users can try the service command:

# service xinetd stop

Rule # 2, Stop ALL unwanted runlevel services which start automatically when Linux boots
Use a tool such as chkconfig under Red Hat / Fedora Linux:

a) List all services

# chkconfig --list | less

b) Remove/Delete service:

# chkconfig --del {service-name}

To disable/remove xinetd at startup, use the command as follows:

# chkconfig --del xinetd

Tip: You can also use the menu-based ntsysv utility.
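
An added example (not from the original article): a small audit that reads chkconfig --list output and prints every service still enabled for a runlevel that is not on an approved list, so you can see what is left to disable. The function name, the allowlist contents and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list boot-time services that are not on an approved list.
# Input is `chkconfig --list` output on stdin. The function name and the
# allowlist contents are assumptions made for this example.

# audit_chkconfig RUNLEVEL "svc1 svc2 ..."
# Prints one name per line for every service that is "on" in RUNLEVEL and not
# allowlisted. xinetd-managed services that are "on" are always printed, as
# xinetd/<name>, because they go live whenever xinetd itself is started.
audit_chkconfig() {
    awk -v rl="$1" -v allow="$2" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Second section of the listing: "<name>: on|off", no runlevels.
        /^xinetd based services:/ { xin = 1; next }
        xin && NF == 2 {
            key = $1; sub(/:$/, "", key); key = "xinetd/" key
            if ($2 == "on" && !(key in ok)) print key
            next
        }
        # SysV section: "<name> 0:off 1:off 2:on 3:on 4:on 5:on 6:off".
        !xin && NF == 8 {
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on") && !($1 in ok)) print $1
        }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen:        off
        echo:           on
        time:           off
EOF
}

# On a real host: chkconfig --list | audit_chkconfig 3 "crond network"
sample_listing | audit_chkconfig 3 "crond network"
```

Each name it prints is a candidate for the service stop and chkconfig --del commands shown above.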

Debian Linux users can try the update-rc.d script. For example, to stop the xinetd service you can type the command as follows:

# update-rc.d -f xinetd remove

You can also manage the removal of unwanted services via the /etc/rc?.d symlinks. If you are new, use the above tools. Also look at the several easy-to-use utilities that facilitate the management of System V initialization scripts in our article Removing Unwanted Startup Debian Files or Services.

Step #3, Enable firewall
Set up iptables to deny all incoming traffic but allow outgoing traffic (so that you can download all the patches). Here is a sample iptables script:

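#!/bin/sh
# IP address of this server (not referenced by the rules below)
SERVER_IP="202.54.1.25"
# Flush all rules and delete user-defined chains
iptables -F
iptables -X
# Set the default filter policy: drop inbound and forwarded traffic, allow outbound
# Note: new inbound connections, including SSH, are dropped; run this from the console
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept inbound packets only for connections this host initiated, e.g. replies to DNS queries
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Make sure nothing else comes in (explicit catch-all; same effect as the INPUT policy)
iptables -A INPUT -j DROP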

Save the script and execute it.

Step #4, You are done. What next?
The 3 steps above take less than 5 minutes and give you a more secure box. The following are the general steps you should perform next. Now, even if they take 4 hours, you don't have to worry about crackers :D

  • Add all security-related patches (use up2date, i.e. RHN, or the apt-get update command)
  • Remove unwanted software (rpm -e or apt-get remove command)
  • Configure server software such as Apache, FTP, and mail services
  • Create firewall rules according to your company's security policy
  • Create users and groups
  • Set up all permissions
  • Document what has been done and what is running inside the box
  • Finally, send an email notification to your IT team or customer/client that he/she can use the server.

Please note that OpenBSD and some Linux distros follow a secure-by-default design. OpenBSD in particular does not run unneeded services out of the box. Linux by default tries to be a little bit user friendly, and hence many distributions maximize the services running out of the box.

4 comments

1 Joe October 18, 2005 at 9:40 pm

“Debian Linux user can try out update-rc.d script. For example to stop xinetd service you can type command as follows:
# update-rc.d -f sshd remove”

I think that should be

update-rc.d -f xinetd remove

2 cyberciti October 18, 2005 at 10:26 pm

Thanks Joe :), it is corrected.

3 Anonymous October 19, 2005 at 2:34 am

Sure, both Suse/Redhat Linux run lots of unneeded stuff, and removing them is more than hours of work. Your little guide and script make more sense, and it is quite useful too.. good work

4 marco September 3, 2008 at 3:41 am

you have a little typo: apahce
