Introduction:
Now that you have a working DHCP connection for your Linux box, it's
important that you take some simple security measures to protect both yourself
and the rest of the campus network. An unsecured Linux box on a campus
network is a prime target for crackers. If it's currently live, someone
will probably port scan you in the time it takes you to read this document.
If your box is compromised, you can land yourself in a heap of trouble.
For instance, if a malicious cracker breaks into your machine and then
uses it to wreak havoc on someone else's network, *you* might end up with
a UNC security team at your door, and international authorities tracking
you down. So, save both us and yourself a whole lot of headaches,
and secure your box. Linux is a powerful operating system,
and you should be prepared to accept the responsibility that comes with
using it.
So, where do I start?
1. Learn as much about your system as you can. If you're new to Linux and Unix in general, this means you should read lots of books, lots of man pages, but more importantly, learn things from just using your new system. Figure out what all those config files in /etc do. Figure out what services are started when your system boots up. Determine which services you need, and those you can do without. Learn where your system logs are stored, and how to make sense out of the information therein. Your logs are an invaluable resource when you're trying to track down a cracker, and also just to see who's trying to crack your box.
2. Now that you know what your system is doing, disable *all* services that you do not absolutely need. Comment them out of your startup scripts, usually in /etc/rc.d. Edit your /etc/inetd.conf file, and comment out all network services that you can live without. That usually means everything but telnet, ftp, and auth. And, you probably should install ssh and sftp, and then comment out telnet and ftp as well: both send your password across the network in the clear, where anyone sniffing the segment can read it. Recompile your kernel to the latest stable version, and only compile in code that you need and use (for example, if you don't use NFS, leave it off.) Use tcp_wrappers, and set up a hosts.allow and hosts.deny file to limit who can connect to your machine; the safe pattern is to deny everything in hosts.deny and list only the specific services and networks you trust in hosts.allow.
3. Get all the latest patches and bug fixes!! This cannot be stressed enough. When security holes are identified, they are published. This is a good thing, in that it allows a conscientious user to take appropriate measures as soon as possible. However, the bad guys hear about these security holes too, and will try their hardest to exploit them on systems with not-so-conscientious admins. If you use RedHat, check their errata page regularly, and subscribe to their security-related mailing lists for all the latest updates. You can also read the BugTraq archives, and read up on all the latest CERT advisories. Doing these things is not only for paranoid admins. These should become normal parts of your Linux routine.
4. Run your programs with what's called least privilege. This means, don't make your games SUID root, and keep the number of SUID root programs on your system to a minimum: every one of them is a place where a single bug hands an attacker root.
5. Stay one step ahead of the crackers. Read their websites, see if any nasty little scripts come out that might be able to compromise your system. Usually, if they have an exploit, they also have a fix.
And, for goodness sake, choose good passwords.
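The following script is an added example, not part of the original page, showing steps 2 and 4 above as something you can actually run: it prunes an inetd.conf down to a whitelist of services, writes a default-deny tcp_wrappers policy, and lists the SUID root binaries on the box so you can save a baseline and spot new ones later. It works only on the files you point it at, the sample inetd.conf inside demo() is constructed for illustration, and 192.0.2.0/255.255.255.0 is a placeholder network, not the real campus range.

```shell
#!/bin/sh
# Added example (not from the original page). All paths are parameters, so
# try it on copies of your config files first. Requires only POSIX sh, awk,
# find and grep.

# disable_inetd_services FILE SERVICE...
# Comment out every active line in FILE whose first field (the service name)
# is not one of the SERVICE arguments. Blank and already-commented lines pass
# through unchanged.
disable_inetd_services() {
    file=$1; shift
    keep=" $* "
    tmp=$file.tmp
    while IFS= read -r line; do
        case $line in
            ''|'#'*) printf '%s\n' "$line" ;;            # nothing to do
            *)
                svc=$(printf '%s\n' "$line" | awk '{print $1}')
                case $keep in
                    *" $svc "*) printf '%s\n' "$line" ;;   # on the keep list
                    *)          printf '#%s\n' "$line" ;;  # everything else: off
                esac ;;
        esac
    done <"$file" >"$tmp" && mv "$tmp" "$file"
}

# active_services FILE: names of the services still enabled in an inetd.conf.
active_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# write_wrappers_policy DIR NETWORK
# Default-deny tcp_wrappers policy: hosts.deny refuses everyone, hosts.allow
# lets only NETWORK reach sshd. (sshd honours these files only if it was built
# with libwrap support; the inetd services above go through tcpd and always do.)
write_wrappers_policy() {
    printf 'sshd: %s\n' "$2" >"$1/hosts.allow"
    printf 'ALL: ALL\n' >"$1/hosts.deny"
}

# list_suid_root ROOT [OWNER]: every regular file under ROOT that is setuid
# and owned by OWNER (default root), sorted so the output can be saved as a
# baseline right after installation.
list_suid_root() {
    find "$1" -type f -user "${2:-root}" -perm -4000 2>/dev/null | sort
}

# new_suid_root ROOT BASELINE [OWNER]: setuid files under ROOT that do not
# appear in the saved BASELINE. Anything printed here needs an explanation.
new_suid_root() {
    list_suid_root "$1" "$3" | grep -vxF -f "$2"
}

demo() {
    d=$(mktemp -d)
    cat >"$d/inetd.conf" <<'EOF'
# constructed sample inetd.conf for the demo, not from a real system
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
EOF
    disable_inetd_services "$d/inetd.conf" auth
    echo "still enabled after pruning: $(active_services "$d/inetd.conf")"
    write_wrappers_policy "$d" 192.0.2.0/255.255.255.0   # placeholder network
    cat "$d/hosts.allow" "$d/hosts.deny"
    # Baseline demo on a constructed tree, owned by whoever runs the script.
    mkdir "$d/bin"; : >"$d/bin/safe"; : >"$d/bin/risky"; chmod u+s "$d/bin/risky"
    list_suid_root "$d/bin" "$(id -un)" >"$d/baseline"
    echo "baseline: $(cat "$d/baseline")"
    rm -rf "$d"
}
demo
```

On a real box, run list_suid_root / as root right after installing and save the output; rerun new_suid_root / saved-baseline after every package install and whenever you suspect a break-in. Remember that inetd only rereads its config after a SIGHUP, so comment out the services and then kill -HUP the inetd process (or reboot).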
Umm....
Chances are if you're totally new to your role as a sysadmin, a lot
of the preceding might sound a little strange. If there are things
mentioned above that you don't understand, do what real admins do--read,
read, read. You've got the whole Internet to explain it to you, right?
Ok, ok.. Here are some good websites to start from:
But this won't happen to *me*!
Ah.. I once thought the same thing. But within about a week of connecting my Linux box to ResNet back when Ehringhaus first went live, my box was cracked, and badly. Some kid was using my machine to launch a DoS attack against the Brazilian government, all without my knowledge, and for a number of days before it was noticed. It's amazing how many people will port scan your box on any given day. And if they find a hole, then... You're probably in for a lot of trouble and headache. So take these suggestions seriously. Most of them take very little time to implement--a lot less time than trying to pick up the pieces after a major attack.