GnuGroup India

GNU/Linux Security

People consider the GNU or free software and open source software to be unsafe and are supposed to easily compromised because their source code are readily available,which isn't correct.This article is specifically related for the security of the GNU Linux Operating system and will help the person for enabling the security parameters for added safety.

First step in this is to have a Security as a Policy - A Security Policy. With out this you are not having clear definition to what you want to protect and what to do when you find any violations.I would suggest to have a look at Site "Security Handbook" an RFC 2196.

A GNU/Linux distributions has lots of softwares coming along with it as its installation part,so a GNU/Linux user needs to be aware of what packages he should install on the server systems which he is going to use in production environment.

Choosing a right password for an account. Always this is the point which gets stressed by the Security experts,and this is where maximum people override choosing the right password for there account and some or the other day compromise occurs. Passwords chosen for the systems should be of alphanumeric kind and every 3 months they should be changed and as far as possible use impersonal passwords i.e passwords should not be based on date of birth, children names etc. Length of the passwords are to be of minimum six characters.And should be revoked after some number of failed attempts.

The Account which makes you Powerful - "root". Knowing the root password is privilege and at the same time is of great responsibility. you become the GOD of the systems you can do whatever you want with the system - its under your control. The "root" account has no security restrictions imposed upon it.

For security reasons, never login on your server as "root" unless it is absolutely necessary an instance that necessitates root access. Disable the remote logins directly for the root account,to become root login with normal user account and then "su" to become root.

Set the login time out for the root account. Add to your /etc/profile TMOUT=1800. This means if a user leaves a console/terminal without logging out then shell after time specified by above parameter will logout the user. Enable the command history in /etc/profile by adding to your /etc/profile HISTSIZE=10 or some figure you would like to keep. Zeroing the .bash_history file so that when user logout the history file get deleted. HISTFILESIZE=0.

Single user login mode of GNU/Linux Passing these parameters to the Linux kernel will make land you up in a single user mode where usually administrators are supposed to do system maintenance activities after a crash. By default it does not ask for user password. so edit the /etc/inittab file and the following contents

  id:3:initdefault:
~~:S:wait:/sbin/sulogin

Be sure to backup the inittab file in case you make mistake. after adding the contents execute

#/sbin/init q

which rereads the inittab contents and loads the new configuration.

Editing the /etc/lilo.conf file

timeout=00

This gives lilo wait for 0 seconds and interval for user to put in parameters on lilo boot prompt. You should do this unless your are dual booting some other Operating system like windows. You should also provide a password for lilo. Basically this option specifies that for any parameters passed to boot prompt of lilo will be asking you to supply a password enabled by password parameter option.

password=

This option basically protect the Linux image from booting without specifying a password. But this can be problem if you reboot the systems remotely,it will always wait for the user to type in the required password.

So after adding these changes /etc/lilo.conf file should look like this.

timeout=50 Change this line to 00

Remove the line if your are not passing any command line parameters.

Add this line to enable linux image protection

restricted

Add this line to enable password and put your password.

password=

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message Remove the above line line if you do not want to get welcome message

lba32

image=/boot/vmlinuz-2.4.18-3bigmem
label=linux
initrd=/boot/initrd-2.4.18-3bigmem.img
read-only
root=/dev/hda7

image=/boot/vmlinuz-2.4.18-3smp
label=linux-smp
initrd=/boot/initrd-2.4.18-3smp.img
read-only
root=/dev/hda7

image=/boot/vmlinuz-2.4.18-3
label=linux-up
initrd=/boot/initrd-2.4.18-3.img
read-only
root=/dev/hda7