STANFORD UNIVERSITY

SECURE COMPUTING

Secure Computing: Best Practices for Unix

Securing a UNIX desktop

There are a variety of UNIX operating systems running on the Stanford network. Sun Solaris is the predominant commercial version. SULinux is RedHat Linux customized for the Stanford environment, hardened and integrated into our Kerberos and AFS infrastructure.

This document provides generic instructions for building a secure UNIX host for the Stanford environment. It's focused on Solaris and SULinux (with notes on its RedHat lineage).

No matter what operating system you're using, the basic steps for securing an operating system are the same:

  • Install all operating system patches.
  • Verify user account security.
  • Eliminate unnecessary applications and network services.
  • Install and configure necessary applications and network services.
  • Configure system logging to record significant events.
  • Keep applications and operating system patches up to date.

Install the latest patches

It's imperative that you connect to the network and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Unpatched machines are frequently exploited within minutes of being attached to an open network like Stanford's.

Verify user account security

  • Enforce the use of strong passwords on all accounts. There are a variety of dictionary-based password cracking programs out there -- crack is one -- which can be used to identify poorly-chosen passwords on your UNIX system.
  • Eliminate inactive and unused accounts.
  • Minimize the number of people with root access. Use sudo if possible to manage access to administrative privileges. Verify that only the root user has UID 0 (a hacked system will frequently have UID 0 accounts with other names, especially names that look like system accounts, like http or cgi).

    More information on UNIX account security

Eliminate unnecessary services from /etc/inetd.conf

inetd is the master controller daemon for network-based applications on a UNIX system. This sample inetd.conf file limits connections to those required for Kerberos integration, and for Kerberized telnet from PC-Leland and Mac-Leland clients, so it's appropriate for a server being used for local computation:

#
# Kerberos services
#
eklogin stream tcp nowait root /etc/leland/tcpd /etc/leland/klogind -ke
kshell stream tcp nowait root /etc/leland/tcpd /etc/leland/kshd -k
kftgt stream tcp nowait root /etc/leland/tcpd /etc/leland/kftgtd
telnet stream tcp nowait root /etc/leland/tcpd /etc/leland/telnetd -a user
ident stream tcp nowait root /etc/leland/tcpd /etc/leland/sidentd

Remember: If you modify /etc/inetd.conf, you must send the inetd process a HUP signal so it re-reads the file and takes effect:

# kill -HUP (inetd pid)

More Information and Help on inetd

Install required applications: AFS

Although AFS isn't essential for secure computing at Stanford, it provides an easy mechanism for integrating users across the various machines at Stanford. It's used to distribute trusted binaries and precompiled versions of various security packages. Lastly, it provides a strongly-authenticated mechanism for transferring files between Leland Systems hosts.

Install required services: have a good time

Many of Stanford's infrastructure systems are dependent on time synchronization between clients and servers. To verify that your machine has the correct time, run the command

/usr/pubsw/sbin/ntpdate time.stanford.edu

If your system's clock tends to drift, run this command periodically -- the Leland Systems group recommends running it once a day from cron.

Install required services: Kerberos

  • SULinux includes support for Kerberos.
  • On Solaris, once AFS is installed, all you have to do to install Kerberos is to run: 
    /usr/pubsw/bin/bundle kerberos
  • Mail srvtab-request@leland.stanford.edu for a srvtab, an identifier for your host. Instructions on how to run leland_srvtab, which installs your srvtab, will be sent back in response to the mail to srvtab-request.

Note: This is still a manual process, so it may take a few days to receive your srvtab.

Note: If you want to run the Kerberos popper server, you will need another srvtab specifically for that service in order for certain mail readers to work. Please contact srvtab-request@leland.stanford.edufor the srvtab.pop srvtab.

If you have decided not to install AFS, please see Kerberos without AFS.

More Information and Help on Kerberos

Install required services: host-based firewalls

For SULinux: The SULinux configuration program automatically asks users to enable a default ruleset for use on campus that allows network connections from stanford.edu machines to any service on your network, but blocks all inbound traffic to your system except for SSH (a secure remote access protocol) from outside Stanford's network.

For Solaris: TCPwrappers is a UNIX application that allows you to control and record all network connections to a computer--a host-based firewall application. We recommend only allowing connections from Stanford computer systems, and blocking all others. To do this, copy tcpd from pubsw/sbin to the appropriate directory on your new machine. Add ".stanford.edu" to your /etc/hosts.allow file. It should look like:

sendmail: ALL
ALL: LOCAL, .stanford.edu

Your /etc/hosts.deny file should disallow anything not explicitly included in /etc/hosts.allow, i.e.:

ALL: ALL

Or just download these hosts.allow and hosts.deny files and copy them to /etc.

More Information on TCP Wrappers

Configure Logging Appropriately

  • The SULinux/RedHat logging configuration is pretty reasonable for most users
  • For Solaris, this /etc/syslog.conf file is a more useful configuration:
mail.debug /var/adm/maillog
auth.notice /var/adm/authlog
lpr.debug /var/adm/lpd-errs
kern.debug /var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages

Remember that it's tabs between the left hand and right hand columns in the syslog.conf file; if you use blank spaces syslog will die a silent and horrible death. If the destination files mentioned in syslog.conf don't exist, use the touch command to create them:

touch /var/adm/maillog

Then,

touch /var/adm/loginlog

to keep track of all failed login attempts.

Easy Installation: Download this Solaris syslog.conf file and copy it to /etc.

More Information and Help on Logging

Solaris only: Run the "fixperms" script

The fixperms script, available at /usr/pubsw/sbin/fixperms, will fix the file permissions on your system with security in mind.

More Information on Solaris Permissions

Solaris only: Install ifstatus

ifstatus will report when an ethernet card is in promiscuous mode. Since it only generates output when a card is in promiscuous mode it is ideal for running out of crontab, say every hour. Simply add this line to your crontab:

30 * * * * /usr/pubsw/sbin/ifstatus

to run ifstatus at half past every hour.

More information and download links for ifstatus are available at http://www.stanford.edu/services/pubsw/package/security/ifstatus.html

Note: This is the only way we have found to detect Ethernet cards in promiscuous mode on Solaris systems.

More Information on Promiscuous Mode

Extra Security Measures

If you run a mission critical host, or a host that stores highly sensitive information (like student records or medical information), there are several other measures you may want to take. See the section on additional security measures available for Solaris.

Additional Links for UNIX Security

Last modified Thursday, 12-Mar-2009 07:01:14 PM PK

Stanford University Home Page