Secure Computing: Best Practices for Unix
Securing a UNIX desktop
There are a variety of UNIX operating systems running on the Stanford network. Sun Solaris is the predominant commercial version. SULinux is RedHat Linux customized for the Stanford environment, hardened and integrated into our Kerberos and AFS infrastructure.
This document provides generic instructions for building a secure UNIX host for the Stanford environment. It's focused on Solaris and SULinux (with notes on its RedHat lineage).
No matter what operating system you're using, the basic steps for securing an operating system are the same:
- Install all operating system patches.
- Verify user account security.
- Eliminate unnecessary applications and network services.
- Install and configure necessary applications and network services.
- Configure system logging to record significant events.
- Keep applications and operating system patches up to date.
Install the latest patches
It's imperative that you connect to the network and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Unpatched machines are frequently exploited within minutes of being attached to an open network like Stanford's.
- For SULinux 7.2 and above, administrators can
&& apt-get dist-upgrade
to get the latest updates and operating systems patches. For the most part, these are based on RedHat security patches and bug fixes.
- Sun offers easy "bundle" patch kits. Go to: http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access and choose the patch cluster for your system type. After installing the patches, you should reboot your system to make sure all changes have
More Information and Help on Patching Solaris
Verify user account security
- Enforce the use of strong passwords on all accounts. There are a variety of dictionary-based password cracking programs out there -- crack is one -- which can be used to identify poorly-chosen passwords on your UNIX system.
- Eliminate inactive and unused accounts.
- Minimize the number of people with root access. Use sudo if possible to manage access to administrative privileges. Verify that only the root user has UID 0 (a hacked system will frequently have UID 0 accounts with other names, especially names that look like system accounts, like http or cgi).
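The UID 0 check above is easy to automate. The following script is an added example and is not part of the Stanford page: it parses passwd-format text and reports every non-root account with UID 0, plus any account whose password field is empty (no password needed at all). The passwd content embedded in it is constructed for illustration; the hidden "http" and "cgi" entries are the kind of thing the checklist says to look for.

```python
# Added example, not from the Stanford page: audit an /etc/passwd-style file
# for the account problems the checklist warns about (non-root UID 0 accounts
# and accounts with no password at all). The passwd content below is
# constructed for illustration; pass a real file path on the command line to
# audit a live system.
import sys

PASSWD_SAMPLE = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
http:x:0:0:Web Server:/var/www:/bin/sh
cgi::0:0:CGI:/var/www/cgi-bin:/bin/sh
alice:x:1001:10:Alice:/home/alice:/bin/ksh
bob:x:1002:10:Bob:/home/bob:/bin/ksh
"""


def parse_passwd(text):
    """Yield (name, password_field, uid) for each entry in passwd-format text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 colon-separated fields" % lineno)
        name, password, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            raise ValueError("line %d: UID %r is not numeric" % (lineno, uid))
        yield name, password, int(uid)


def find_extra_uid0(text):
    """Names of accounts that have UID 0 but are not root."""
    return [name for name, _, uid in parse_passwd(text) if uid == 0 and name != "root"]


def find_passwordless(text):
    """Names of accounts whose password field is empty. 'x' or '*' means the
    hash lives in the shadow file or the account is locked; '' means no
    password is required to log in."""
    return [name for name, password, _ in parse_passwd(text) if password == ""]


def audit_passwd(text):
    """Collect both findings into one report dictionary."""
    return {"extra_uid0": find_extra_uid0(text), "no_password": find_passwordless(text)}


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else PASSWD_SAMPLE
    for problem, names in audit_passwd(source).items():
        print("%s: %s" % (problem, ", ".join(names) or "none"))
```

Run it against the sample and it reports http and cgi as extra UID 0 accounts and cgi as having no password; run it as `python audit.py /etc/passwd` on a real host to check the live file.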
More information on UNIX account security
Eliminate unnecessary services from /etc/inetd.conf
inetd is the master controller daemon for network-based applications on a UNIX system. This sample inetd.conf file limits connections to those required for Kerberos integration, and for Kerberized telnet from PC-Leland and Mac-Leland clients, so it's appropriate for a server being used for local computation:
# Kerberos services
eklogin stream tcp nowait root /etc/leland/tcpd /etc/leland/klogind -ke
kshell stream tcp nowait root /etc/leland/tcpd /etc/leland/kshd -k
kftgt stream tcp nowait root /etc/leland/tcpd /etc/leland/kftgtd
telnet stream tcp nowait root /etc/leland/tcpd /etc/leland/telnetd -a user
ident stream tcp nowait root /etc/leland/tcpd /etc/leland/sidentd
Remember: If you modify /etc/inetd.conf, you must send the inetd process a HUP signal so that it re-reads the file and your changes take effect:
# kill -HUP (inetd pid)
Install required applications: AFS
Although AFS isn't essential for secure computing at Stanford, it provides an easy mechanism for integrating users across the various machines at Stanford. It's used to distribute trusted binaries and precompiled versions of various security packages. Lastly, it provides a strongly-authenticated mechanism for transferring files between Leland Systems hosts.
- SULinux includes support for AFS.
- A Solaris version of AFS is available via WebAuth at: http://www.stanford.edu/services/afs/sysadmin/install/. After downloading, follow these instructions to install the client: http://www.stanford.edu/services/afs/sysadmin/install/.
Install required services: have a good time
Many of Stanford's infrastructure systems are dependent on time synchronization between clients and servers. To verify that your machine has the correct time, run the command
If your system's clock tends to drift, run this command periodically -- the Leland Systems group recommends running it once a day from cron.
Install required services: Kerberos
- SULinux includes support for Kerberos.
- On Solaris, once AFS is installed, all you have to do to install Kerberos is to run:
- Mail email@example.com for a srvtab, an identifier for your host. Instructions on how to run leland_srvtab, which installs your srvtab, will be sent back in response to the mail to srvtab-request.
Note: This is still a manual process, so it may take a few days to receive your srvtab.
Note: If you want to run the Kerberos popper server, you will need another srvtab specifically for that service in order for certain mail readers to work. Please contact firstname.lastname@example.org for the srvtab.pop srvtab.
If you have decided not to install AFS, please see Kerberos without AFS.
Install required services: host-based firewalls
For SULinux: The SULinux configuration program automatically asks users to enable a default ruleset for use on campus that allows network connections from stanford.edu machines to any service on your network, but blocks all inbound traffic to your system except for SSH (a secure remote access protocol) from outside Stanford's network.
For Solaris: TCPwrappers is a UNIX application that allows you to control and record all network connections to a computer, in other words a host-based firewall application. We recommend only allowing connections from Stanford computer systems, and blocking all others. To do this, copy tcpd from pubsw/sbin to the appropriate directory on your new machine. Add ".stanford.edu" to your /etc/hosts.allow file. It should look like:
ALL: LOCAL, .stanford.edu
Your /etc/hosts.deny file should disallow anything not explicitly included in /etc/hosts.allow, i.e.:
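To see why both files matter, here is a small model of the decision tcpd makes. It is an added example, not code from the Stanford page or from the TCP wrappers package: it evaluates the page's hosts.allow rule together with a hosts.deny entry, and it assumes the classic "ALL: ALL" deny-everything line for hosts.deny (the page calls for such a catch-all without printing it). The daemon names, hostnames and addresses used are constructed.

```python
# Added example, not from the Stanford page: a small model of the decision
# tcpd makes from /etc/hosts.allow and /etc/hosts.deny, using the page's
# hosts.allow rule. The hosts.deny content is an assumption: the page says it
# should refuse everything not listed in hosts.allow, which the classic
# "ALL: ALL" entry does. Daemon names, hostnames and addresses are constructed.
HOSTS_ALLOW = "ALL: LOCAL, .stanford.edu\n"
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from a wrappers file.
    A third colon-separated field (shell command) is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern. host is the reverse-DNS name, or None when
    the lookup failed. Only the pattern forms this page needs are handled."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any name without a dot (same domain)
        return host is not None and "." not in host
    if pattern == "KNOWN":
        return host is not None
    if pattern == "UNKNOWN":
        return host is None
    if pattern.startswith("."):       # domain suffix, e.g. .stanford.edu
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    return pattern == host or pattern == addr


def rule_matches(rule, daemon, host, addr):
    """A rule fires when both its daemon list and its client list match."""
    daemons, clients = rule
    return any(d == "ALL" or d == daemon for d in daemons) and \
        any(client_matches(c, host, addr) for c in clients)


def allowed(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as tcpd does: a match in hosts.allow grants access, otherwise a
    match in hosts.deny refuses it, otherwise access is granted. That final
    default is why an empty hosts.deny leaves every unlisted host welcome."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for daemon, host, addr in [("telnetd", "oak.stanford.edu", "192.0.2.10"),
                               ("telnetd", "box.example.net", "198.51.100.7"),
                               ("telnetd", None, "198.51.100.8")]:
        verdict = "allow" if allowed(daemon, host, addr) else "deny"
        print("%s from %s (%s): %s" % (daemon, host, addr, verdict))
```

Note that the suffix pattern only works when the reverse DNS lookup returns a name, so a client with no reverse mapping is refused by the deny rule; and passing an empty hosts.deny to `allowed` shows the outside host getting in, which is the failure the page's "disallow anything not explicitly included" instruction prevents.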
Configure Logging Appropriately
- The SULinux/RedHat logging configuration is pretty reasonable for most users
- For Solaris, this /etc/syslog.conf file is a more useful configuration:
Remember that the left-hand and right-hand columns in syslog.conf must be separated by tabs; if you use blank spaces, syslog will die a silent and horrible death. If the destination files mentioned in syslog.conf don't exist, use the touch command to create them:
to keep track of all failed login attempts.
Easy Installation: Download this Solaris syslog.conf file and copy it to /etc.
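The two mistakes described above (spaces instead of a tab, and a destination file that has not been touched yet) can be caught before restarting syslogd. The checker below is an added example, not the page's downloadable syslog.conf nor part of Solaris; the configuration text it contains and the set of files it treats as already existing are constructed, and the selector/facility names in it are just plausible Solaris-style entries.

```python
# Added example, not from the Stanford page: check a Solaris-style syslog.conf
# for the two problems described above (spaces instead of a tab between the
# selector and the action, and destination files that do not exist yet). The
# configuration text and the set of "existing" files are constructed.
import os
import re
import sys

SYSLOG_CONF_SAMPLE = (
    "# constructed sample, not the page's downloadable file\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "auth.info   /var/adm/authlog\n"        # spaces, not a tab: syslogd ignores it
    "*.alert\troot\n"
    "mail.debug\t/var/log/syslog\n"
)


def parse_entries(text):
    """Yield (lineno, selector, action, tab_ok) for every non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" in line:
            selector, action = line.split("\t", 1)
            tab_ok = True
        else:                          # fall back so the target can still be reported
            parts = re.split(r"\s+", line.strip(), 1)
            selector = parts[0]
            action = parts[1] if len(parts) == 2 else ""
            tab_ok = False
        yield lineno, selector.strip(), action.strip(), tab_ok


def find_space_separated(text):
    """Line numbers of entries whose columns are not separated by a tab."""
    return [lineno for lineno, _, _, ok in parse_entries(text) if not ok]


def find_missing_files(text, existing_files):
    """Destination files (not devices, not user names) absent from existing_files."""
    missing = []
    for _, _, action, _ in parse_entries(text):
        is_file = action.startswith("/") and not action.startswith("/dev/")
        if is_file and action not in existing_files:
            missing.append(action)
    return missing


def touch_commands(text, existing_files):
    """The touch commands to run before syslogd can write to the missing files."""
    return ["touch %s" % path for path in find_missing_files(text, existing_files)]


if __name__ == "__main__":
    if len(sys.argv) > 1:              # check a real file against the real filesystem
        text = open(sys.argv[1]).read()
        existing = {a for _, _, a, _ in parse_entries(text) if os.path.exists(a)}
    else:
        text, existing = SYSLOG_CONF_SAMPLE, {"/var/adm/messages"}
    for lineno in find_space_separated(text):
        print("line %d: selector and action are not separated by a tab" % lineno)
    for cmd in touch_commands(text, existing):
        print(cmd)
```

With the built-in sample it flags line 4 and prints touch commands for /var/adm/authlog and /var/log/syslog; given a path it checks that file against what actually exists on disk.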
Solaris only: Run the "fixperms" script
The fixperms script, available at /usr/pubsw/sbin/fixperms, will fix the file permissions on your system with security in mind.
Solaris only: Install ifstatus
ifstatus will report when an ethernet card is in promiscuous mode. Since it only generates output when a card is in promiscuous mode, it is ideal for running out of crontab, say every hour. Simply add this line to your crontab:
30 * * * * /usr/pubsw/sbin/ifstatus
to run ifstatus at half past every hour.
More information and download links for ifstatus are available at http://www.stanford.edu/services/pubsw/package/security/ifstatus.html
Note: This is the only way we have found to detect Ethernet cards in promiscuous mode on Solaris systems.
Extra Security Measures
If you run a mission critical host, or a host that stores highly sensitive information (like student records or medical information), there are several other measures you may want to take. See the section on additional security measures available for Solaris.
Additional Links for UNIX Security
- Sun Security Center
- RedHat Security Resource Center
- The Solaris Security FAQ
- A generic introduction to securing Solaris tipsheet from the Unofficial Solaris Page. This is a pretty good resource if you have to run NIS+/NIS/NFS type services.
- Bastille Linux is an assessment and hardening tool for several Linux distributions, HP-UX, and MacOS X.