
  Linux Letter 20

The Linux Letter for June 19, 2000

How secure is your system? Not just your Linux system, but any computer that you use? Do you use unique, cryptic passwords when you log into your home network? Do you share your hard drives on your computer that's connected to a cable modem? Are you running the latest version of your network-enabled operating system?

Probably not. All of that stuff is hard to do. And it's not that you don't care about security, right? Anyway, who's interested in breaking into your computer?

You'd be surprised.

Here at the NOSPIN NOC (Network Operations Center), we use Linux on all but one computer (there's a lone system running Windows 2000). Even though all of the systems are freely accessible from the Internet, I know that Linux is a very secure operating system. Secure, that is, as long as I, as a system administrator, install the latest versions of critical programs and keep abreast of security issues.

Well, the systems were not as secure as I thought. How did I know? Because one day, I noticed that Internet bandwidth in the NOC was very low. And it had been low for a few days. So I did some investigating and discovered that people were using one of the computers…on accounts that I didn't create.

My first reaction was to pull the system off the network. Then I looked closely at the computer. I discovered that my "secure" Linux system had been so thoroughly penetrated that over a dozen people had gained access to it…as root!

How did it happen? I wasn't security conscious. The system that was cracked was running an old version of RedHat Linux that hadn't been updated with any security patches. So, somebody discovered that the copy of amd that was running had a vulnerability and exploited it. After gaining root access, the cracker created new accounts and used the system to run scripts that probed even more computers for vulnerabilities.

I also discovered that certain critical programs had been modified. The ps command had been replaced by a script that simply generated a bogus list of processes so that I, as root, could not see what programs the intruder was running. And the shutdown command did nothing but erase all of the log files.

Fortunately, I was able to examine and back up the logs before the data was lost. Unfortunately, the intruder was doing his work from domains outside the US, notably Malaysia and Singapore. Only one ISP was in the US, but that account had been stolen.

So I started doing my homework. I discovered that the default installation of RedHat runs processes and opens ports that just aren't necessary for the normal, day-to-day operation of a computer. The program that caused all the trouble, amd, is used for automounting NFS shares…but none of the systems in the NOC use NFS. I found that several ports were open that didn't need to be. The computer didn't provide ftp or web services, yet ports 21 and 80 were wide open.

So I took a conservative approach to securing the system. I closed every port that wasn't absolutely necessary. I shut down any service that wasn't in use. And I upgraded the operating system to the latest version of RedHat Linux and applied the security patches. I changed passwords to random alphanumeric strings.

Then I did the same thing to every other computer on the network. Does that make the network secure? Well, the best assumption is that no network is completely secure. So, I make backups of all critical data and look at the system logs every day. So far, the network is secure.

Do you need to do the same thing? Maybe not. If your system connects to the Internet with a dialup modem, then you have the safety of a fairly random IP, making it harder for a cracker to break into your system. But if your Internet access is provided by cable or DSL and you have a static IP, then you should consider isolating your computer with a firewall. You can do it with the built-in firewall tools that come with Linux, with a third-party firewall application for Windows, such as WinGate, or for Linux, like NetMax.

If you don't want to use a firewall, then protect your machine by turning off every networking service that you don't absolutely need. Keep your software current. Be aware of what's happening with your computer. If it's running slowly, doing things differently than before, or something doesn't feel right, then look for evidence of tampering. A program like Tripwire is just the thing to help you keep track of any changes to your operating system's files.
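The kind of check Tripwire automates, shown here as an added example that is not part of the original newsletter: record SHA-256 hashes of critical binaries once on a known-good system, then compare later. It assumes sha256sum from GNU coreutils is available; the list of files to watch is supplied by you (a hypothetical file such as /root/critical-files.list, one path per line).

```shell
#!/bin/sh
# Added example, not the author's script: a minimal Tripwire-style
# file-integrity check for the situation described in the article
# (ps replaced by a script, shutdown replaced by a log eraser).
# Baseline format is sha256sum's own "hash  path" lines, so keep the
# baseline somewhere an intruder cannot rewrite (removable media, a
# separate host), otherwise it proves nothing.

# make_baseline LISTFILE BASELINE: hash every existing file named in
# LISTFILE (one path per line) into BASELINE.
make_baseline() {
    listfile=$1; baseline=$2
    : > "$baseline"
    while read -r path; do
        [ -f "$path" ] || continue
        sha256sum "$path" >> "$baseline"
    done < "$listfile"
}

# check_baseline BASELINE: compare the live files against the baseline.
# Prints one line per problem; the return code is the number of
# problems found (0 means clean, values above 255 wrap in sh).
check_baseline() {
    baseline=$1; problems=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"
            problems=$((problems + 1)); continue
        fi
        now=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$hash" ]; then
            # A system binary should never begin with "#!"; the article's
            # fake ps was a script, so call that case out explicitly.
            if [ "$(head -c 2 "$path")" = "#!" ]; then
                echo "MODIFIED  $path (now a script)"
            else
                echo "MODIFIED  $path"
            fi
            problems=$((problems + 1))
        fi
    done < "$baseline"
    return "$problems"
}

# Usage: integrity.sh init LISTFILE BASELINE | integrity.sh check BASELINE
case "${1:-}" in
    init)  make_baseline "$2" "$3" ;;
    check) check_baseline "$2" ;;
esac
```

Run the check from cron daily and read its output along with the logs; a MODIFIED line on ps, shutdown or any other core utility is exactly the evidence of tampering the article describes.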

You can learn plenty about securing your Linux system at the Linux Security web site at http://www.linuxsecurity.com

Remember, if you don't pay attention to security issues, you'll increase your exposure to damage. And, like everything else, cleaning up is harder than being prepared.

WinGate: http://www.wingate.com

NetMax: http://www.netmax.com

Tripwire: http://www.tripwire.com


Hot Tip of the Week

No tips this month...

Happy computing!

Drew Dunn



