This is a small assignment we had to do in my ethical hacking class. We were asked to describe steps we could take to harden the security of our own current operating system.
These are the steps I took:
Ensure your operating system is updated and current.
Disable everything you don't currently need.
Configuring Firewalls and access policies.
IDS & IPS
Physical access & other
1. Ensure your operating system is updated and current.
The first step I took was to make sure I was subscribed to the Debian security-announce mailing list at http://lists.debian.org/debian-security-announce/. To receive the latest security updates it was required to add deb http://security.debian.org/ squeeze/updates main contrib non-free to my /etc/apt/sources.list file. I then executed an apt-get update and an apt-get upgrade to download and apply the pending updates.
2. Disable everything you don't currently need.
It is important to be able to check what services you are currently running, as any one of them may lead to your PC being compromised. To do this I used the command sudo netstat -tap | grep LISTEN. What this does is provide a list of all currently running servers/services on your computer. When I ran it I got this:
tcp 0 0 *:www *:* LISTEN 2267/apache2
tcp 0 0 *:9876 *:* LISTEN 2267/apache2
tcp 0 0 localhost.localdoma:ipp *:* LISTEN 1010/cupsd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 2119/master
tcp 0 0 localhost.localdom:9050 *:* LISTEN 2133/tor
tcp 0 0 localhost.localdom:8123 *:* LISTEN 2021/polipo
I then used sudo kill [pid] or sudo pkill -x [program-name] to kill any unnecessary services. These could also be configured to not run on boot. To check what services run on boot, use ls -l /etc/init.d/ | less
Using a program called sysv-rc-conf I was able to configure which services run and at which run levels. It has a nice GUI and is easy to use. Another way of checking the run levels and what is configured to run at each is chkconfig --list. It is important to make sure you know what a service does before removing it! Neither of these tools is installed on a default Ubuntu installation, so it may be necessary to install them. To stop a service running on boot, use chkconfig [service-name] off or update-rc.d -f [service-name] remove.
Do not allow remote root logins. This may be controlled by a configuration file such as /etc/securetty. Remove any lines that begin with "pts". This is one big security hole.
Important things to ensure aren't running on your computer are any Network File Systems, remote procedure calls (rpc.* services), printer services, remote shell services, telnet servers, ftp servers, BIND (named) or any other DNS server package, and mail transport agents (sendmail, exim, postfix). It is important not to have these running unless you intend to actively monitor or handle them directly. If a service or port is unfamiliar to you, investigate it further. Your /etc/services file may give a brief explanation of what a service/port is used for.
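As an added example (not part of the original assignment), here is a small script that sorts a netstat -tap listing like the one above by exposure: wildcard binds are reachable from the network, loopback binds are not. The sample input is the listing from this post, and the awk column positions assume netstat's default output layout.

```shell
#!/bin/sh
# Added example (not from the original post): sort the listeners that
# `netstat -tap` reports by how reachable they are. A socket bound to a
# wildcard address (*:port, 0.0.0.0:port or :::port) is open to the network
# and needs a reason to exist; one bound to localhost is far less exposed.
# SAMPLE is the listing from the post above, reused as constructed input.
SAMPLE='tcp 0 0 *:www *:* LISTEN 2267/apache2
tcp 0 0 *:9876 *:* LISTEN 2267/apache2
tcp 0 0 localhost.localdoma:ipp *:* LISTEN 1010/cupsd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 2119/master
tcp 0 0 localhost.localdom:9050 *:* LISTEN 2133/tor
tcp 0 0 localhost.localdom:8123 *:* LISTEN 2021/polipo'

# Read netstat lines on stdin; print "CLASS port program" for each LISTEN
# line, where CLASS is NETWORK (wildcard bind), LOCAL (loopback) or OTHER.
classify_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]; host = a[1]
        if ($4 ~ /^:::/) host = "::"                 # IPv6 wildcard splits to empty fields
        m = split($7, p, "/"); prog = (m > 1) ? p[2] : "?"   # "?" when not run as root
        if (host == "*" || host == "0.0.0.0" || host == "::") cls = "NETWORK"
        else if (host ~ /^(localhost|127\.|ip6-localhost)/ || host == "::1") cls = "LOCAL"
        else cls = "OTHER"
        print cls, port, prog
    }'
}

# Only the programs reachable from the network, deduplicated.
network_exposed() {
    classify_listeners | awk '$1 == "NETWORK" { print $3 }' | sort -u
}

# Against a live system: sudo netstat -tap | network_exposed
echo "$SAMPLE" | classify_listeners
```

On the post's own listing only apache2 is reported as network-reachable; everything else is bound to localhost.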
3. Configuring Firewalls and Access policies.
The plan here is to restrict connections to only what is minimally necessary for your current situation. In some cases we want to block all new connection attempts. For example, say we want to ssh into our system from outside, but we only ever do this from our college. So we'll limit connections to the college address range. To do this, we will use a packet filter such as iptables. The whole idea here is that the more you restrict, the better. Iptables has connection tracking, or stateful inspection, which means it can analyse a packet closely and check whether it is related to an existing connection.
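Here is an added example of the iptables approach just described; it is not from the original post. It assumes SSH on port 22, the loopback interface lo, and a placeholder trusted range of 203.0.113.0/24 where your own college block would go.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny INPUT chain that
# keeps existing connections alive and admits *new* SSH connections only from
# one trusted range. TRUSTED_NET is a placeholder (documentation range); put
# your own college/office block there. Rules are generated as text first so
# they can be reviewed before being handed to iptables.
TRUSTED_NET="${TRUSTED_NET:-203.0.113.0/24}"

# Emit the iptables commands for a given source range, one per line.
gen_rules() {
    net="$1"
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
# stateful part: anything belonging to a connection we already allowed
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH sessions only from the trusted range; log the rest (rate-limited)
iptables -A INPUT -p tcp --dport 22 -s $net -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "ssh-blocked: "
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# default deny is set last, after the accept rules exist, so a live SSH session is not cut
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Reject anything that is not a dotted-quad IPv4 CIDR before it reaches a rule.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; bits="${1#*/}"
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Validate, then run the generated rules (needs root).
apply_rules() {
    valid_cidr "$1" || { echo "bad CIDR: $1" >&2; return 1; }
    gen_rules "$1" | sh -e
}

gen_rules "$TRUSTED_NET"    # show the ruleset; apply_rules "$TRUSTED_NET" to enforce it
```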
Tcpwrappers (libwrap) provides much the same desired result as iptables, though it works quite differently. There are two files, /etc/hosts.allow and /etc/hosts.deny. Tcpwrappers first looks to see if access is permitted in /etc/hosts.allow, and if so, access is granted. If not in /etc/hosts.allow, the file /etc/hosts.deny is then checked to see if access is denied. If so, access is denied. Else, access is granted. For this reason, /etc/hosts.deny should contain only one uncommented line, and that is: ALL: ALL. Access should then be permitted through entries in /etc/hosts.allow, where specific services are listed. You can check your current tcpwrappers configuration with the command tcpdchk.
Portsentry works quite differently from the other tools I have discussed so far. Portsentry does what its name implies -- it guards ports. Portsentry is configured with the /etc/portsentry/portsentry.conf file. Unlike the other applications discussed above, it does this by actually becoming the listening server on those ports. Kind of like baiting a trap. Running netstat -taup as root while portsentry is running will show portsentry as the LISTENER on whatever ports it is configured for. If portsentry senses a connection attempt, it blocks it completely, and then goes a step further and blocks the route to that host to stop all further traffic. Alternatively, iptables can be used to block the host completely. So it makes an excellent tool to stop port scanning of a range of ports.
The best bet here is to not rely on any single mechanism to provide a security blanket. Layers of protection always seem the best option.
4. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
Intrusion Detection Systems are designed to catch what might have gotten past the firewall. They can either be designed to catch an active break-in attempt in progress, or to detect a successful break-in after the fact. In the latter case, it is too late to prevent any damage, but at least we have early awareness of a problem. There are two basic types of IDS: those protecting networks, and those protecting individual hosts.
Using debsums -s > /root/system.checked it is possible to check whether any files installed by packages have changed recently. Not all Debian packages provide md5sums for the files they install, since it is not (currently) mandated by policy. You can, however, generate the md5sums for all packages with debsums once you have finished the system installation: debsums --generate=missing,keep
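As an added example (not part of the original post, and not debsums itself), here is a shell version of the same idea for any directory tree, so that locally edited files no package owns are covered too; it assumes GNU coreutils (sha256sum, sort -z, join) and file paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): a debsums-style integrity check
# for any directory, so files no package owns (local config under /etc,
# scripts in /usr/local) are covered as well. Assumes paths without
# whitespace. Keep the baseline where the machine cannot rewrite it
# (removable media, another host): a baseline an intruder can update
# proves nothing.

# Record "sha256  ./path" for every regular file below $1 into the file $2.
make_baseline() {
    (cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum) > "$2"
}

# Compare an old baseline ($1) with a new one ($2); print one line per
# added, removed or modified path. Returns 1 if anything changed, else 0.
compare_baselines() {
    old=$(mktemp); new=$(mktemp)
    awk '{ print $2, $1 }' "$1" | LC_ALL=C sort > "$old"    # "path hash", sorted for join
    awk '{ print $2, $1 }' "$2" | LC_ALL=C sort > "$new"
    changes=$(LC_ALL=C join -a1 -a2 -e MISSING -o '0,1.2,2.2' "$old" "$new" | awk '
        $2 == "MISSING" { print "added: " $1; next }      # only in the new baseline
        $3 == "MISSING" { print "removed: " $1; next }    # only in the old baseline
        $2 != $3        { print "modified: " $1 }')        # in both, hash differs
    rm -f "$old" "$new"
    [ -z "$changes" ] && return 0
    echo "$changes"
    return 1
}

# Usage: integrity.sh <dir> <baseline>  (first run records, later runs compare)
if [ $# -eq 2 ]; then
    if [ -f "$2" ]; then
        cur=$(mktemp); make_baseline "$1" "$cur"
        compare_baselines "$2" "$cur" && echo "no changes under $1"
        rm -f "$cur"
    else
        make_baseline "$1" "$2" && echo "baseline written to $2"
    fi
fi
```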
There are plenty of software options for this, such as the Linux Intrusion Detection System (LIDS), http://www.lids.org/. I also found a guide at http://www.lids.org/lids-howto/lids-hacking-howto.html. The target of LIDS is to enhance the current Linux kernel to make it more solid and secure. Installing network and host intrusion measures like snort and logcheck would also be very useful. Snort can also monitor and detect suspicious ARP traffic.
5. Physical access and other.
It was possible to execute a root shell by editing my GRUB boot options. So it is essential to set a GRUB password in /boot/grub/menu.lst, and also to check that the GRUB configuration file is read-protected.
I also didn't have a password set in my BIOS, so someone could have selected "boot from CD" and directly mounted my drive with a live CD, having access to all of my files.
I also tightened up my log file permissions.
I didn't go through with it but it's possible to create encrypted file partitions that you could use to store sensitive data. https://help.ubuntu.com/community/EncryptedFilesystemHowto
Many features of the kernel can be modified while running by echoing something into the /proc file system or by using sysctl. By entering sysctl -A you can see what you can configure and what the options are, and a setting can be changed at runtime with sysctl -w variable=value. If you want to prevent your system from answering ICMP echo requests, just enable this configuration option: net/ipv4/icmp_echo_ignore_all = 1. To log packets with impossible addresses (due to wrong routes) on your network use: /proc/sys/net/ipv4/conf/all/log_martians = 1. All the options are described thoroughly in http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt.
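An added example, not from the original post: a short script that declares the sysctl settings above (plus a few related keys from the same ip-sysctl.txt document, my choice) and reports which ones the running kernel does not actually hold, since a value set with sysctl -w is gone after a reboot. The sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): declare the wanted kernel
# network settings once, persist them via sysctl.d, and report any the
# running kernel does not actually hold. Includes the two keys the post
# names plus a few neighbours from the same ip-sysctl.txt document.
DESIRED='
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
'

# For each key=value in $1, compare with the live value from `sysctl -n`.
# Prints one "key expected=.. actual=.." line per mismatch; returns 1 if any.
audit_sysctl() {
    rc=0
    for kv in $1; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(sysctl -n "$key" 2>/dev/null) || have='?'   # '?' = key unknown/unreadable
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
            rc=1
        fi
    done
    return $rc
}

# Write the settings to a sysctl.d file (applied at every boot) and load it now.
apply_sysctl() {
    f=${2:-/etc/sysctl.d/60-hardening.conf}     # file name is an assumption
    printf '%s\n' $1 > "$f"     # unquoted on purpose: one key=value per word
    sysctl -p "$f" >/dev/null
}

# Typical use as root:  audit_sysctl "$DESIRED" || apply_sysctl "$DESIRED"
audit_sysctl "$DESIRED" && echo "all settings in place"
```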
As you can see there are many methods at many different levels to ensure a hardened OS. I hope you enjoyed reading this short, quick guide. There are hundreds of documents on hardening your Ubuntu OS. Here are a few useful links:
http://www.debian.org/doc/manuals/securing-debian-howto/
There is more information on some of the security features Ubuntu already implements at https://wiki.ubuntu.com/Security/Features.