// Basic Slackware Security // // by dual_parallel and bland_inquisitor // // http://www.oldskoolphreak.com Welcome to Slackware -------------------- Slackware Linux began in April, 1993. For over ten years, Slackware Linux has focused on "simplicity and stability." Everything just works in Slackware. Slackware is also considered one of the most secure GNU/Linux distributions. That being said, it does not mean that security can be ignored after a friendly Slackware installation. This article is meant to be a crash course in Slackware security. It will detail some basic steps that should be taken before you consider Slackware to be fully installed. Again, these are basic steps - more services will require more configuration. And note that you'll have to be root to perform the configuration tasks in this article. On to the install. Preparing Your Hard Drive ------------------------- The methods and reasons for creating multiple partitions are many and hotly debated. We will offer a secure partitioning scheme, while not sacrificing usability or making things overly complicated. In the end, having these four partitions will go a long way towards creating a more secure working environment. /swap Typically your swap partition is twice the amount of your computer's RAM. /boot Your boot partition is where your kernel(s), and your boot loader will reside. The security advantage of having a small dedicated boot partition is that in the event your box is "0wned," it affords the intruder a smaller space for backdoors. Also, it makes things like the size of System.map and vmlinuz easier to keep an eye on for size changes. Twenty to 50 MB is sufficient for a boot partition. /var The var directory is where system logs are stored. It is possible to deny service to a computer by filling its hard drive via log flooding. If /var is on a separate partition and someone log floods you, they will not be able to deny service to your entire computer. A few gigs will be more than enough for a typical /var partition. / This is the root partition. This is where you will be installing Slackware and all of the other programs you decide to add to your computer. All of the remaining space of your hard drive should be the size of your / partition. Some people advise to have separate partition for /home as well. If you feel comfortable doing this, then it is certainly more secure and organized. It is not necessary to have a dedicated /home partition. The main attraction for having a partition for /home is mainly for multi-user boxes. That way if an attacker is able to log in as a legitimate user, and they attempt to deny service to the entire computer by filling the hard drive, all they will be able to do is fill the /home partition. Unless you are using your Slackware computer to host several users, a /home partition is probably unnecessary. Choosing Your Slackware Installation ------------------------------------ Choosing all packages during installation sure is convenient. It doesn't add to security though. So your first step is to hand-pick packages that you know you'll need or want. Also, and you probably know this, when given the choice to start services at boot, deselect as many as you can. The fewer packages and services available for an attacker to exploit, the better. If you must choose a full install, because you have better things to do with your time than sit there in front of your computer selecting packages, or perhaps you want to make sure all dependencies are met, then do what you must. Take heart in that Slackware has a good package system and that you can always remove extraneous packages later. Passwords --------- Passwords are your first line of defense against attackers, local and remote. We cannot stress enough the importance of having strong passwords. Look at it this way, if something is important enough to protect, it is important enough to protect as strongly as possible. We recommend Sl1pm0de-like passwords, i.e. minimum 10 mixed-case alpha, numeric and special characters. You may think that these passwords would be unwieldy, but you'll be surprised at how fast you can memorize them, even for multiple boxes. A good way to choose a secure password like this is to type it out on your keyboard, without pressing the keys, utilizing motor memory. We don't recommend using password creation utilities due to healthy paranoia. Post-Install Security --------------------- You're booted up. The first thing to do is to configure tcpwrappers by editing /etc/hosts.deny and hosts.allow. Add the following line to hosts.deny to disallow access by any host to your box. ALL: ALL Once this is in place, you can reinforce host denial in hosts.allow with ALL: ALL: DENY or you can poke holes to allow access by certain hosts, or ranges of hosts, to certain services. A common entry would be to allow ssh connections: # ALL: ALL: DENY sshd: ALL: ALLOW Firewalls are not a panacea for security. But they are an imperative beginning step. iptables provides the packet filtering, or firewalling, for the 2.4.x and 2.6.x kernels. And if setting up an iptables firewall is not your first step in securing your Slack box, it better be your second. Below is an example of a basic iptables script. The comments included explain what the rules are doing. Name the script rc.firewall, chmod 755 rc.firewall and mv rc.firewall /etc/rc.d. #!/bin/bash # rc.firewall for # Basic Slackware Security # These two rules set the default policies, i.e. what to do if a # packet doesn't match any other rule, to drop any packet coming # into (INPUT) or routing through (FORWARD) the box. iptables -P INPUT DROP iptables -P FORWARD DROP # These rules are added (-A) to the INPUT chain. They allow packets # from any previously established connections and accept anything # from the loopback interface. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT # This rule added to the INPUT chain accepts any ssh connections. iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT With a basic firewall in place, it's time to edit /etc/inetd.conf to remove unneeded services. Now unless you absolutely know you need a service mentioned in inetd.conf, comment it out with #. You will probably find that, at least initially, you'll comment out the entire file. Here's a Perl script that will do it for you. #!/usr/bin/perl $conf = "/etc/inetd.conf"; system("cp $conf $conf.bak"); open FILE, "$conf" or die "Can't open $conf: $!"; open TEMP, ">temp" or die "Can't create temp file: $!"; while () { s/^/#/ if ($_ !~ /^#/); print TEMP; } close FILE; close TEMP; unlink "$conf"; system("mv temp $conf"); If there's a service that you want shut down that you didn't choose to during the install, stay in /etc and head to rc.d. You can edit rc.M (M for multi-user) and comment out the respective section that starts the daemon, and/or you can chmod 644 rc. to keep it from starting, as rc.M starts a service based on the file test, -x. It's safe to say that the major steps to securing your box are complete. There are many things left to do, including advancing the above topics, that can tighten up security. Configuring individual services should weigh heavily in this advancement. Staying in line with the above examples, we will go through some important settings for sshd. The configuration file for sshd is /etc/ssh/sshd_config. Edit the file and consider making the following changes. # Force the more secure Protocol 2 Protocol 2 # Do not let root login remotely PermitRootLogin no # Watch out for world writables StrictModes yes # Require passwords PasswordAuthentication yes # Don't allow null passwords PermitEmptyPasswords no # What do you need X for anyway? X11Forwarding no # No extraneous info PrintMotd no Now run kill -s 1 `cat /var/run/sshd.pid` to force sshd to reload its configuration. To be sure, there is no security through obscurity. Then again, there's no reason to give an attacker any more information than you have to. Turn off or change any banner or motd, and edit /etc/issue and issue.net to your liking. (bland's is set to "Welcome to Windows Server 2003.") suid, or Set User ID, programs are usually plentiful in any distro and their root interaciton with regular users should be controlled. Going through your suid programs and removing the s bit can significantly reduce vulnerability. A Perl script has been provided that can simplify this process. Save the below Perl script as sup.pl and run it. Then go through the resulting suid.txt text file and comment out, with #, the programs that do not need suid permission. Save it and then run sup.pl with the -u switch. Commented programs will no longer be suid, and you'll have a record of what was done. #!/usr/bin/perl if ($#ARGV < 0) { system("find / -perm +4000 2>/dev/null > suid.txt"); exit; } if ($ARGV[0] =~ /-u/) { open(UPDATE, ") { if (/^#/) { s/#//; system("chmod -s $_"); } } close(UPDATE); } else { print "Usage: perl sup.pl <-u>\n"; exit; } There are a couple of final touches before moving on to third party applications. Edit /etc/securetty, which controls which devices root can login to, and comment out, well, everything for more security. And change your umask to a more restrictive 077. Third-Party Security Software ----------------------------- As you can imagine, there are many third party programs that can aid your efforts to secure your box. Whatever program you use, make sure you verify the MD5 hash of the download. md5sum One of the wonders of Linux is the automatic updating of packages. Automatic updates are a boon to security, as vulnerable (and buggy) packages are fixed with little user intervention. Slackware in particular has a wonderful package manager called swaret (pronounced soiree). Grab the swaret Slack package with wget http://www.swaret.org/files/stable/swaret-1.6.2-noarch-1.tgz and then installpkg swaret-1.6.2-noarch-1.tgz to install it. You can manually update your box with swaret --update && swaret --upgrade -a or better yet, set up a cron job to automate updates at regular intervals. One of the better sources for third party security applications is http://packetstormsecurity.nl. One useful program that you can acquire there is chkrootkit (http://www.chkrootkit.org). chkrootkit is a "shell script that checks system binaries for rootkit modification." It would behoove you to run this at regular intervals, or at least when you think there's been a breach. Instead of thinking that there's been a breach, know if there's been a breach by using an Intrusion Detection System (IDS). Dicussing Intrusion Detection Systems could take an entire article if not a book. One of the more popular IDSs, which you can get books for, is snort (http://www.snort.org). Installing and using snort with its default configuration is relatively simple. Unfortunately, you will get so many false positives with the default configuration that snort out of the box is of litte value. Further Consideration and Configuration --------------------------------------- As the title states, this is only a basic tutorial on how to secure your Slackware Linux installation. If you are so inclined, there are many more challenges in Linux security to conquer. Configuring snort and writing rules tailored to your network may be a good start. Writing a more elaborate iptables script may be in your future. Log watchers, file system integrity checkers, port knocking - the list goes on. If you have done everything detailed here, then you can securely pursue your studies in Linux security. And you will have done it with one the most versatile, stable, and now secure, GNU/Linux distributions available, Slackware. Appendix -------- Here's a script that can give you a little peace of mind. We call it quicksec, and after it's made executable and placed in root's path (echo $PATH), you can put the line "quicksec" in root's .bashrc. Then when you su -, you can get a small picture of what's going on on your box. #!/bin/bash echo echo "Last snort alert" echo "----------------" tail -n 8 /var/log/snort/alert echo echo "Login info" echo "----------" last -10 echo echo "Security log" echo "------------" tail /var/log/secure echo If you are using the Fluxbox window manager, which comes with a full Slackware install, there is a handy program you should try. root-tail (http://themes.freshmeat.net/projects/root-tail/) allows you to print information directly to your root window. The commands bland has in his ~/.fluxbox/apps file are: [startup] {last -3 > /home/bland/.last.txt} [startup] {root-tail -g 220x10+20+50 /var/log/secure,red,'ALERT' \ /home/bland/.last.txt,green,'LAST'} It's a very cool little app that will keep you well-informed. You can find a screenshot of bland's Slackware box running root-tail at http://www.oldskoolphreak.com/tfiles/figures/tail_screen.jpg.