Official website for Linux User & Developer
Dec 1

Security in Linux

by Swayam Prakasha

Over the last few years, system security has gained a lot of momentum and software professionals are focusing heavily on this aspect. Linux is often treated as a highly secure operating system. However, the reality is that Linux too has its own share of security flaws…

File permissions
Make sure that system files are not open to casual editing by users and groups that have no business changing them. Linux access control distinguishes three classes of principal for every file: the owner, the owning group and everyone else ('other'). Access is governed by permission bits, the familiar 'rwx' triplet for each class, where 'r' grants read, 'w' grants write and 'x' grants execute (or, on a directory, the right to traverse it). These bits can be set or cleared according to the kind of access you intend to give. Three further bits matter for security: setuid and setgid on an executable make it run with the privileges of the file's owner or group rather than the caller's, and the sticky bit on a shared directory such as /tmp stops users deleting each other's files. Note that all of these are discretionary access control: root is not bound by them, so they are a basic first line of defence against unauthorised access, not a substitute for keeping privileged accounts locked down.
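
As an added example (not code from the original article), here is a small Python auditor that applies the checks above to a directory tree: it reports world-writable files, world-writable directories lacking the sticky bit, and setuid/setgid executables, and shows the usual fix of clearing the 'other' write bit. The sample tree it builds under a temporary directory is constructed for the demonstration; on a real host you would pass /etc, /bin or /var/log to audit_tree instead.

```python
import os
import stat
import tempfile


def permission_issues(mode: int) -> list:
    """Classify one st_mode value the way a hardening review would."""
    issues = []
    is_dir = stat.S_ISDIR(mode)
    if mode & stat.S_IWOTH:
        if is_dir and not mode & stat.S_ISVTX:
            issues.append("world-writable directory without sticky bit")
        elif not is_dir:
            issues.append("world-writable file")
    if mode & stat.S_ISUID:
        issues.append("setuid")
    if mode & stat.S_ISGID and not is_dir:
        issues.append("setgid")
    return issues


def audit_tree(root: str) -> dict:
    """Walk root and map each offending path (relative to root) to its issues.

    Symlinks are examined with lstat and not followed, so a link into a
    world-writable directory cannot drag unrelated paths into the report.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            issues = permission_issues(st.st_mode)
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def remove_world_write(path: str) -> str:
    """Clear the 'other' write bit and return the new ls-style mode string."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IWOTH)
    return stat.filemode(os.lstat(path).st_mode)


def build_demo_tree() -> str:
    """Constructed sample tree (not a real system) exercising each check."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    layout = {
        "etc/good.conf": (False, 0o644),   # nothing to report
        "etc/bad.conf": (False, 0o666),    # world-writable file
        "bin/suidtool": (False, 0o4755),   # setuid executable
        "tmp": (True, 0o1777),             # world-writable but sticky: fine
        "shared": (True, 0o777),           # world-writable, no sticky bit
    }
    for rel, (is_dir, mode) in layout.items():
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.chmod(path, mode)   # explicit mode, independent of the umask
    return root


def run_demo() -> tuple:
    """Build the sample tree, audit it, fix one finding and audit again."""
    root = build_demo_tree()
    before = audit_tree(root)
    fixed_mode = remove_world_write(os.path.join(root, "etc", "bad.conf"))
    after = audit_tree(root)
    return before, fixed_mode, after


if __name__ == "__main__":
    before, fixed_mode, after = run_demo()
    for path, issues in sorted(before.items()):
        print(f"{path}: {', '.join(issues)}")
    print("etc/bad.conf after fix:", fixed_mode, "remaining:", sorted(after))
```

The setuid hit is reported rather than fixed because some setuid binaries (passwd, for instance) are legitimate; the point of the audit is to make you look at each one, not to strip the bit blindly.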

Integrity checking
A very good mechanism for detecting that an attacker has tampered with your system is 'integrity checking'. Tripwire, AIDE and Osiris are some of the popular integrity checkers. They compute cryptographic checksums of all important binaries and configuration files (and usually record ownership, permissions and size as well), then compare them against a database of previously recorded, known-good values. Any change to a monitored file is flagged, and the system administrator can decide whether it was a legitimate update or evidence of compromise, and restore the file so that the integrity of important files is maintained. The baseline database must itself be trustworthy: keep it on read-only or offline media, because an intruder who has gained root can otherwise simply regenerate it to hide the changes.
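
To show the mechanism concretely, the following is an added example written for this page, not the code of Tripwire, AIDE or Osiris: a minimal checker that records a SHA-256 digest plus ownership, mode and size for every file, stores that as a JSON baseline, and reports added, removed and changed files, naming which attribute changed. The directory tree and the 'intrusion' it stages are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """What a tripwire-style checker stores per file: a SHA-256 of the
    contents plus the metadata an attacker is likely to touch."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'changed' maps a path to the fields that differ,
    so a permission change is distinguishable from a content change."""
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            diffs = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
            if diffs:
                report["changed"][path] = diffs
    return report


def save_baseline(baseline: dict, db_path: str) -> None:
    """Write the database. In real use put it on read-only or offline media,
    otherwise an intruder with root will simply regenerate it."""
    with open(db_path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(db_path: str) -> dict:
    with open(db_path) as fh:
        return json.load(fh)


def run_demo() -> dict:
    """Constructed sample tree standing in for /etc and /bin."""
    root = tempfile.mkdtemp(prefix="integrity-")
    for rel, body in {"etc/sshd_config": "PermitRootLogin no\n",
                      "etc/hosts": "127.0.0.1 localhost\n",
                      "bin/ls": "original binary\n",
                      "bin/ps": "original binary\n"}.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    db_path = os.path.join(tempfile.mkdtemp(prefix="integrity-db-"), "baseline.json")
    save_baseline(build_baseline(root), db_path)

    # Stage an intrusion: a trojaned binary of identical size, a loosened
    # permission, a dropped-in file and a deleted one.
    with open(os.path.join(root, "bin", "ls"), "w") as fh:
        fh.write("trojaned binary\n")   # same length, so size alone would miss it
    os.chmod(os.path.join(root, "etc", "sshd_config"), 0o666)
    with open(os.path.join(root, "bin", "backdoor"), "w") as fh:
        fh.write("new\n")
    os.remove(os.path.join(root, "bin", "ps"))

    return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

A real deployment also excludes paths that change legitimately (logs, spool directories) and protects the checker binary itself, since a trojaned checker reports whatever the intruder likes.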

Password security

Most Linux distributions ship a 'passwd' program that refuses passwords that are easy to guess, usually by way of a PAM password-quality module, so make sure that your passwd program is up to date. Passwords are never stored in the clear. The traditional Unix scheme, which early Linux systems also used, ran the password through a one-way function based on DES (Data Encryption Standard) and kept the result in /etc/passwd; modern distributions use salted, iterated hashes such as SHA-512 or yescrypt through the crypt(3) interface. Either way the stored value cannot be turned back into the password. When you try to log in, the password you type is put through the same function and the result is compared with the stored entry. A match means you have entered the same password and you are given access to the system.
Shadow passwords are a means of keeping the password hashes secret from ordinary users. Because /etc/passwd must stay world-readable (many programs look up user names and home directories in it), any hash kept there is available for offline guessing. Recent versions of both Red Hat and Debian Linux use shadow passwords by default: the hashes are saved in /etc/shadow, which can be read only by privileged users, and the password field of /etc/passwd holds just a placeholder 'x'.
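
An added example (not from the original article) that audits a /etc/shadow-style file: it recognises the hash scheme from the crypt(3) prefix, flags accounts with no password, legacy DES or MD5 hashes, or an unrecognised format, and flags active accounts whose maximum password age is unset or too long. The shadow lines are constructed, with filler hash bodies; only the scheme prefix and the ageing fields matter to the audit. The 365-day limit is an assumption of the example, not a system default.

```python
import re

# Identifiers crypt(3) puts in front of a hash (see crypt(5)).
ALGORITHMS = {
    "$1$": "md5",
    "$2b$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK_SCHEMES = {"des", "md5"}
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional 13-character crypt
MAX_DAYS_ALLOWED = 365   # assumption of this example, not a system default


def classify_hash(field: str) -> str:
    """Name the scheme behind the password field of a shadow entry."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in ALGORITHMS.items():
        if field.startswith(prefix):
            return name
    if DES_HASH.match(field):
        return "des"
    return "unknown"


def parse_shadow(text: str) -> list:
    """Split shadow lines into the fields this audit needs.

    Field order is name:hash:lastchg:min:max:warn:inactive:expire:reserved.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append({
            "name": fields[0],
            "hash": fields[1],
            "max_days": int(fields[4]) if fields[4] else None,
        })
    return entries


def audit_shadow(text: str) -> dict:
    """Map each account with a problem to the list of problems found."""
    findings = {}
    for entry in parse_shadow(text):
        issues = []
        scheme = classify_hash(entry["hash"])
        if scheme == "empty":
            issues.append("no password set")
        elif scheme in WEAK_SCHEMES:
            issues.append(f"weak hash scheme: {scheme}")
        elif scheme == "unknown":
            issues.append("unrecognised hash format")
        active = scheme not in ("locked", "empty")
        too_long = entry["max_days"] is None or entry["max_days"] > MAX_DAYS_ALLOWED
        if active and too_long:
            issues.append("password max age exceeds limit")
        if issues:
            findings[entry["name"]] = issues
    return findings


# Constructed sample, not taken from a real system. Hash bodies are filler;
# the audit only looks at the scheme prefix and the ageing fields.
SAMPLE_SHADOW = """\
root:$6$Q9f1Zk3L$sha512hashbodyfillersha512hashbodyfillersha512hashbody:19700:0:90:7:::
alice:$y$j9T$Fz7p2KLw$yescrypthashbodyfilleryescrypthashbodyfiller:19700:0:90:7:::
bob:$1$ab12cd34$md5hashbodyfiller:19700:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
guest::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
svc:!$6$Q9f1Zk3L$sha512hashbodyfiller:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for name, issues in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run it as root against the real file with audit_shadow(open("/etc/shadow").read()); the 'legacy' style entry is exactly what an old DES-era account looks like after a distribution upgrade, and such accounts keep their weak hash until the password is next changed.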

Kernel security
As the kernel controls your machine's networking, it is essential to keep it secure. Let's look at some kernel configuration options that relate to security.
IP forwarding: If you enable IP forwarding, your Linux box passes packets between its interfaces, in other words it becomes a router. On a workstation it should normally be off. You can enable or disable IP forwarding at runtime with these commands (the setting is lost at reboot unless it is also placed in the sysctl configuration):
root# echo 1 > /proc/sys/net/ipv4/ip_forward   # enable
root# echo 0 > /proc/sys/net/ipv4/ip_forward   # disable

IP firewalling: This option builds the kernel's packet filter (netfilter, configured from user space with iptables or nftables), which decides what each interface will accept. It is what you need to protect, say, a dial-up workstation from someone entering via its PPP interface, or any host with an interface on an untrusted network.
IP firewall packet logging: This option records information about the packets the firewall matches, so that blocked connection attempts show up in the system log instead of being dropped silently.

Other security implementations
The one to consider here is the Linux implementation of IPsec. IPsec is a mechanism for creating cryptographically secure communications at the IP network level, below the applications, so every protocol carried over it benefits without change. The main idea is to provide authentication of the peer, integrity and confidentiality for your traffic, and, through its security policy, a form of access control over which hosts may exchange which traffic.

Security guidelines

Among all the concerns surrounding the writing of good code, security must come near the top. Security problems come both from people actively trying to break in and from mundane causes such as a user feeding a program unexpected input or running the wrong command. Granting more access than a task needs means that users, even those with legitimate access, can cause trouble, either accidentally or on purpose; that is the case for giving each account and program the least privilege it needs.

Security best practices
Let us say that you have tested your system, made it as secure as you can, and it is ready to go online. Follow these guidelines so that you can minimise the impact if an intruder does attack your system:
•    Make sure that your entire system is backed up.
•    Choose a good back-up schedule.
•    Make sure you test your backups to ensure they’re working as you expect.
•    Apply all new system updates quickly so that everything is up to date.
•    Keep the system accounting and log data. Make sure that the files in /var/log are readable and writable only by a limited set of users, since an intruder who can edit the logs can erase the trail you will later need.

Why should I use security event logs?
Hopefully you keep your computers patched and updated and your network is secure. However, it is fairly inevitable that you will at some point be hit by malicious activity: a virus, worm, Trojan horse, hack attack or otherwise. When that happens, if you have done the right things before the attack, you will make the job of determining when and how the attack succeeded that much easier.
Some systems have various auditing and logging functions built in. You can also install additional software to monitor and log various actions on the computer (see ‘Security monitoring’ box below). If it’s possible to use a dedicated hard drive and/or hard drive controller, you will have less performance impact because the log files can be written to the disk without having to fight with the applications you’re trying to run for access to the drive. If you can direct the log files to a separate computer – possibly dedicated to storing log files and with completely different security settings – you might be able to block an intruder’s ability to alter or delete the log files as well.
A final note: do not wait until it is too late, with the system already crashed or compromised, before looking at the logs. Review them periodically so that you learn what is normal and establish a baseline. Then, when anomalous entries do appear, you will recognise them as such and can take proactive steps to harden your system, rather than doing the forensic investigation after the fact.
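
An added example, not from the original article, of the baseline idea applied to sshd entries in an auth log: a known-quiet period defines which user/source pairs normally log in, and a later period is reviewed for bursts of failures, successes from unfamiliar pairs, root logging in with a password, and a success that follows a failure burst from the same source. Both logs are constructed samples, and the failure threshold of five is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sshd lines in classic syslog format; not from a real host.
BASELINE_LOG = """\
Nov 30 08:01:10 web1 sshd[1901]: Accepted publickey for deploy from 10.0.0.5 port 51020 ssh2
Nov 30 09:12:44 web1 sshd[1955]: Failed password for alice from 10.0.0.7 port 50200 ssh2
Nov 30 09:12:58 web1 sshd[1955]: Accepted password for alice from 10.0.0.7 port 50200 ssh2
"""
TODAY_LOG = """\
Dec  1 08:02:11 web1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 52110 ssh2
Dec  1 08:15:52 web1 sshd[2264]: Accepted password for alice from 10.0.0.7 port 50322 ssh2
Dec  1 09:40:01 web1 sshd[2390]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Dec  1 09:40:03 web1 sshd[2391]: Failed password for invalid user oracle from 203.0.113.9 port 41004 ssh2
Dec  1 09:40:05 web1 sshd[2392]: Failed password for root from 203.0.113.9 port 41006 ssh2
Dec  1 09:40:07 web1 sshd[2393]: Failed password for invalid user test from 203.0.113.9 port 41008 ssh2
Dec  1 09:40:09 web1 sshd[2394]: Failed password for invalid user ubuntu from 203.0.113.9 port 41010 ssh2
Dec  1 09:41:30 web1 sshd[2401]: Accepted password for root from 203.0.113.9 port 41012 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text: str) -> list:
    """Turn matching sshd lines into dicts; lines of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events: list) -> set:
    """The (user, source) pairs that logged in successfully during a period
    you have reviewed and believe to be normal."""
    return {(e["user"], e["ip"]) for e in events if e["result"] == "Accepted"}


def review(events: list, baseline: set, fail_threshold: int = 5) -> dict:
    """Report what deviates from the baseline in a later period."""
    fails = Counter(e["ip"] for e in events if e["result"] == "Failed")
    report = {
        "brute_force": [(ip, n) for ip, n in fails.items() if n >= fail_threshold],
        "new_login_pair": [],
        "root_password_login": [],
        "success_after_failures": [],
    }
    for e in events:
        if e["result"] != "Accepted":
            continue
        pair = (e["user"], e["ip"])
        if pair not in baseline:
            report["new_login_pair"].append(pair)
        if e["user"] == "root" and e["method"] == "password":
            report["root_password_login"].append(e["ip"])
        if fails[e["ip"]] >= fail_threshold:
            report["success_after_failures"].append(pair)
    return report


def run_demo() -> dict:
    baseline = build_baseline(parse_auth_log(BASELINE_LOG))
    return review(parse_auth_log(TODAY_LOG), baseline)


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(f"{kind}: {hits}")
```

The single failed attempt by alice in the baseline period is the kind of entry you learn to ignore by reading logs regularly; the burst from 203.0.113.9 followed by a root login is the pattern that should make you reach for the backups.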

This article originally appeared in issue 80 of Linux User & Developer and was written by Swayam Prakasha


    3 Comments »

    • Kum said:

      Nice article with useful suggestions
