Linux security basics

How to achieve the goal of every system admin: boring, predictable computers

There seem to be two kinds of people in the world: those who think computer security is fun and exciting, and those who think it is arcane and scary. Professional system administrators who read their logs will tell you computer security is actually long periods of boredom punctuated by intervals of sleeplessness, panic, and frantic activity.

For months, you read logs that basically consist of the same sequence of messages. Then one morning, you see a different message. Your first thought tends to be "I've been hit!" You want to determine whether the attack was successful. You comb through logs and examine files on your systems, looking for signs of abnormal behavior. There are none; maybe the attack has failed. But perhaps the attacker was smarter than you. For days or weeks you remain unsure if your system's defenses were penetrated. Eventually, you forget about it and move on to a new crisis.

I think driving is an excellent metaphor for computer security, on a number of levels: Some people think driving is enjoyable and exciting, but some think it is dangerous and scary. I insure my vehicle, follow the rules of the road, wear my seatbelt, stay out of harm's way, keep my eyes on the road, and perform regular maintenance. Let's take a look at how each of those steps applies to computer security.

First, a warning: most of computer security is nontechnical, just as most driving doesn't require a detailed understanding of internal combustion engines. Good driving also means boring and predictable driving, which may not be much fun. Computer security requires lots of plodding, methodical examination of details that will hopefully result in boring and predictable computers. Neither safe driving nor safe computing taxes your technical abilities; their goal is to keep you out of harm's way in the first place. Think of this article as a defensive driving course for the information superhighway.

Insurance

Most states won't even let you get on the road without insurance, which is a very old method of distributing and managing risk. By climbing into an automobile, you increase your risk of death or serious injury, but most people still drive to work. Likewise, connecting a computer to a network puts you at risk for theft or loss of data, but most people are loath to permanently disconnect their systems from the Internet. As a Linux system administrator, I work not to eliminate risk, but to manage it.

I need to know the nature of a risk before I can manage it. Car insurance typically covers medical bills, damage to your car, accident-related lawsuits, and theft. When you put a computer on the Internet, what do you put at risk?

Computer security professionals say users and administrators should develop a threat model, which states what you're trying to protect from whom. Do you want to protect your ability to access the network, to print, or to store files? Are you worried about the confidentiality of certain files on your system? Are you worried that people might alter or destroy data? Do you want to keep hackers from defacing your Website and damaging your corporate image?

Implementing security measures requires at least an implicit understanding of your threat model, but simply understanding the risks is not the same as insurance.

A more direct form of insurance is backups. Depending on your threat model and system configuration, you may want to emphasize different portions of the backup procedure. If your system is a standard off-the-CD Linux install with little customization of your configuration files, you may only need a zip disk to back up the files in your home directory. If you've customized your system extensively, you might wish to back up your /etc and /usr/local directories as well. If you don't think restoring those files with a fresh install will accurately reflect your current system, you may want to regularly perform full backups of your system.
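The backup routine the paragraph describes, as an added example that is not part of the original article: it archives the directories named above relative to a root you choose, reads the archive back to prove it is intact, and performs a one-file restore drill. The directory tree, file contents and paths under the temporary directory are constructed for the demo; on a real host you would archive /etc, /usr/local and /home to a destination that is not on the same disk.

```shell
#!/bin/sh
# Added example, not from the original article: a small backup-and-verify routine
# for the directories the text names. The sample tree and its file contents are
# constructed here so the script runs offline; on a real host you would point it
# at / and at a destination that is not on the same disk.
set -eu

# make_backup DEST ROOT DIR...  ->  archive DIR... (relative to ROOT) into DEST
# and prove the archive can be read back. A backup you cannot list is not a backup.
make_backup() {
    dest=$1; src_root=$2; shift 2
    tar -C "$src_root" -czf "$dest" "$@"
    members=$(tar -tzf "$dest" | wc -l | tr -d ' ')
    echo "wrote $dest ($members entries)"
}

# archive_has ARCHIVE MEMBER  ->  exit 0 if MEMBER (e.g. etc/sshd_config) is in ARCHIVE
archive_has() {
    tar -tzf "$1" | grep -qx "$2"
}

# restore_member ARCHIVE DIR MEMBER  ->  extract one file under DIR (a restore drill;
# a backup you have never restored from is only a hope)
restore_member() {
    tar -C "$2" -xzf "$1" "$3"
}

# make_sample_tree  ->  prints the path of a throwaway directory that mimics the
# layout discussed above (etc, usr/local, home). Constructed test data only.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/local/bin" "$root/home/jon"
    printf 'PermitRootLogin no\n'      > "$root/etc/sshd_config"
    printf '#!/bin/sh\necho hello\n'   > "$root/usr/local/bin/hello"
    printf 'renew cert before June\n'  > "$root/home/jon/todo.txt"
    echo "$root"
}

demo() {
    root=$(make_sample_tree)
    make_backup "$root/backup.tgz" "$root" etc usr/local home
    archive_has "$root/backup.tgz" etc/sshd_config && echo "etc/sshd_config is in the archive"
    scratch=$(mktemp -d)
    restore_member "$root/backup.tgz" "$scratch" etc/sshd_config
    cmp "$root/etc/sshd_config" "$scratch/etc/sshd_config" && echo "restore drill: file matches"
    rm -rf "$root" "$scratch"
}

demo
```

The restore drill is the part people skip: an archive that lists cleanly can still be useless if the paths inside it are not what your restore procedure expects, so extract a file you know and compare it against the live copy before you trust the backup.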

Rules of the road

Almost every local government in the world requires you to possess a license in order to drive. Before getting even a learner's permit, you must pass a test that proves you understand the rules of the road. (I've often wished for an Internet Driver's License that indicates an understanding of netiquette, but that's a different article altogether.) As a network user, your driver's handbook is your ISP's Terms of Service agreement; if you use computers at work, you must also abide by corporate guidelines or policies.

Terms of service may include limitations on network monitoring and running services, along with strong language about respecting intellectual property. Corporate policies also typically cover strong passwords, the use of systems for non-work-related activities, confidentiality agreements, and so on.

As a system administrator, I've defined a number of policies, including our organization's password policy and several policies that authorize me to decode network traffic and scan our computer systems for security holes. If you think that doesn't matter, read about the Randal Schwartz case and about the CIA agents recently disciplined for running an unauthorized chat server. (See Resources for links.) If you don't have policies, you should develop them.

Wear your seatbelt

The best advice is also the most pedestrian (no pun intended). Most security violations are not perpetrated by hackers, competitors after your corporate secrets, or nefarious government agencies -- they are caused by (often well-meaning) employees who simply don't follow the rules. They pick bad passwords, take secure laptops and put them on insecure networks at home and at conferences, and so on. Make sure that all staff members understand your policies and the risks associated with violating them. Even when no harm directly results from a violation, it still increases risk, which is the exact opposite of what we're trying to do.

Wearing a seatbelt also implies a certain balancing of risks: friends constantly tell me about some person who would certainly have been killed if he or she had been wearing a seatbelt, but was instead thrown to safety. While at least some of those stories are undoubtedly true, they are the exception, not the rule; the prudent driver or passenger knows that, at the end of the day, seatbelts save lives. Similarly, implementing some computer security may make you a more challenging or juicier target for hackers in some other respect. The question is always, "Overall, does this measure increase or decrease my security?"

Stay out of harm's way

A good automobile is designed to eliminate as much wind resistance as possible. The equivalent of wind resistance on the Internet is the constant stream of low-level scans and probes that hackers use to find systems to break into. The best way to avoid harm is to keep a low profile. Most Linux distributions turn on many more services than are necessary on the average workstation. I've seen dozens of machines hacked through outdated copies of BIND installed on systems where local name service wasn't even being used. If named hadn't been running, the systems would have been safe. Turn off any services you don't need, and remove the software entirely if possible.

Many risky programs run from inetd; you can turn them off by commenting out the relevant lines in /etc/inetd.conf. Some systems, such as Red Hat 7.0, use xinetd as a replacement. xinetd keeps one file per service under /etc/xinetd.d, and setting "disable = yes" in that file turns the service off. Other risky services run from startup scripts in (depending on your distribution) /etc/rc[1-5].d, /etc/init.d/rc[1-5].d, or /sbin/rc[1-5].d (see Resources for a link); whatever your distribution's layout, limit what those scripts start at boot to the bare minimum.
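The inetd and xinetd edits described above, as an added example that is not part of the original article: the script comments out a service in an inetd.conf, forces "disable = yes" in an xinetd per-service file, lists what remains enabled, and then shows what is actually listening. The configuration files are constructed samples written to a temporary directory; their format is the standard one, but the entries are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: turning off inetd and xinetd
# services from a script, then listing what is still enabled. The configuration
# files below are constructed samples written to a temporary directory; the
# format is the standard one, but the entries are made up for this demo.
set -eu

write_sample_inetd_conf() {   # FILE
    cat > "$1" <<'EOF'
# constructed sample of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
EOF
}

write_sample_xinetd_entry() {   # FILE SERVICE
    cat > "$1" <<EOF
service $2
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.${2}d
        disable         = no
}
EOF
}

# enabled_services INETD_CONF  ->  one active service name per line
enabled_services() {
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# disable_inetd_service INETD_CONF NAME  ->  comment out every active line for NAME
disable_inetd_service() {
    awk -v svc="$2" '$1 == svc && $0 !~ /^[[:space:]]*#/ { print "#" $0; next } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# disable_xinetd_service XINETD_DIR NAME  ->  force "disable = yes" in XINETD_DIR/NAME,
# inserting the line before the closing brace if the file has none
disable_xinetd_service() {
    f="$1/$2"
    awk 'BEGIN { seen = 0 }
         /^[[:space:]]*disable[[:space:]]*=/ { print "        disable         = yes"; seen = 1; next }
         /^[[:space:]]*}/ && !seen          { print "        disable         = yes"; seen = 1 }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# listening_tcp  ->  what is accepting TCP connections right now; run it after
# editing and signalling inetd/xinetd (kill -HUP) to confirm the port is really gone
listening_tcp() {
    if command -v ss >/dev/null 2>&1; then ss -ltn
    elif command -v netstat >/dev/null 2>&1; then netstat -ltn
    else echo "no ss or netstat available" >&2; return 1
    fi
}

demo() {
    d=$(mktemp -d)
    write_sample_inetd_conf "$d/inetd.conf"
    mkdir "$d/xinetd.d"
    write_sample_xinetd_entry "$d/xinetd.d/telnet" telnet
    echo "== enabled before:"; enabled_services "$d/inetd.conf"
    disable_inetd_service "$d/inetd.conf" telnet
    disable_inetd_service "$d/inetd.conf" finger
    disable_xinetd_service "$d/xinetd.d" telnet
    echo "== enabled after:";  enabled_services "$d/inetd.conf"
    echo "== xinetd entry after:"; cat "$d/xinetd.d/telnet"
    rm -rf "$d"
}

demo
```

Editing the file is only half the job: inetd and xinetd keep serving from the configuration they read at startup until you send them a HUP, and the rc-started daemons the paragraph mentions are not touched by either file at all. That is why the listening check is the last step, not the first.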

Finally, protect your data as it travels over the network. Programs like Telnet and FTP transmit all passwords and data over the network in cleartext, which can be read by anyone with a network sniffer. Try replacing those packages with OpenSSH (see Resources for a link) and other software that protects your data using cryptography.

Keep your eyes on the road

Drivers do a better job when they keep an eye out for obstacles, and know what threats to expect and how to respond to them. Mailing lists are essential to doing this. CIAC and CERT run low-volume mailing lists with information about security threats, as do many Linux vendors such as Red Hat, SuSE, Debian, and Mandrake. (See Resources for those vendors' security sites, which have links to their security mailing lists.) If you want a closer look at day-to-day happenings, BugTraq is the mailing list where many security issues first surface.

To keep an eye on where you're going, read your log files. That is the first thing I do at work every morning, after reading my email. If you run an intrusion detection system such as Snort, you should read those logs too. The SANS Institute's GIAC (Global Incident Analysis Center) program lets you find out what other people's intrusion detection systems are uncovering; reading other admins' logs is an excellent way to learn the lay of the land.
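The morning log review described above, as an added example that is not part of the original article: it counts failed logins per source address, flags sources above a threshold, and, closest to the "different message one morning" experience the article opens with, reports message shapes that never appeared in a baseline log. The auth-log lines are constructed to look like OpenSSH and su entries in syslog format; the hostname, users and addresses are made up (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).

```shell
#!/bin/sh
# Added example, not from the original article: three checks for a morning log
# review. The log lines below are constructed to look like OpenSSH and su entries
# in syslog format; hostname, users and addresses are made up.
set -eu

# write_sample_log FILE  ->  "this morning's" constructed auth log
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 06:12:01 web1 sshd[1234]: Accepted password for jon from 192.0.2.10 port 51234 ssh2
Mar  3 06:12:31 web1 sshd[1240]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 06:12:33 web1 sshd[1241]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 06:12:35 web1 sshd[1242]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar  3 06:13:00 web1 sshd[1250]: Failed password for jon from 192.0.2.10 port 51240 ssh2
Mar  3 06:13:05 web1 sshd[1251]: Accepted publickey for jon from 192.0.2.10 port 51241 ssh2
Mar  3 06:20:00 web1 su: pam_unix(su:session): session opened for user root by jon(uid=1000)
EOF
}

# write_baseline_log FILE  ->  what "the same sequence of messages" looked like last week
write_baseline_log() {
    cat > "$1" <<'EOF'
Feb 24 06:10:11 web1 sshd[980]: Accepted password for jon from 192.0.2.10 port 50001 ssh2
Feb 25 06:11:40 web1 sshd[1011]: Failed password for jon from 192.0.2.10 port 50002 ssh2
Feb 25 06:11:45 web1 sshd[1012]: Accepted password for jon from 192.0.2.10 port 50003 ssh2
EOF
}

# failed_by_source LOG  ->  "COUNT IP" per source address, most failures first
failed_by_source() {
    grep 'Failed password' "$1" |
      awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
      sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_sources LOG THRESHOLD  ->  addresses with at least THRESHOLD failures
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# normalize LOG  ->  message "shapes": timestamp dropped, every number replaced by N,
# so that PIDs, ports and times do not make routine lines look new
normalize() {
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} //; s/[0-9]+/N/g' "$1" | sort -u
}

# novel_lines LOG BASELINE  ->  message shapes in LOG that never occur in BASELINE
novel_lines() {
    tmp=$(mktemp -d)
    normalize "$2" > "$tmp/base"
    normalize "$1" > "$tmp/today"
    comm -13 "$tmp/base" "$tmp/today"
    rm -rf "$tmp"
}

demo() {
    d=$(mktemp -d)
    write_sample_log "$d/auth.log"
    write_baseline_log "$d/baseline.log"
    echo "== failed logins by source";                  failed_by_source "$d/auth.log"
    echo "== sources at or above 3 failures";           flag_sources "$d/auth.log" 3
    echo "== message shapes not seen in the baseline";  novel_lines "$d/auth.log" "$d/baseline.log"
    rm -rf "$d"
}

demo
```

The counting checks catch the noisy attacker; the baseline diff catches the quiet one, because a single "session opened for user root" from an account that has never used su before is exactly the kind of message that counting by volume will bury. Keep the baseline from a period you have already reviewed, and re-baseline deliberately rather than by letting today's log become tomorrow's baseline.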

Perform regular maintenance

Even the safest automobile must undergo regular inspections and maintenance to remain in good working order. Computers also need to be maintained. For Linux systems, that means regular updates to software. Red Hat Linux, for example, issues security updates frequently: one or more updates in a week is fairly common.

While it can be challenging to keep all your systems' software up-to-date, it is necessary. Almost all systems are broken into by script kiddies who exploit well-known holes in out-of-date software. You can think of it as a race: will they find the holes in your system before you patch them? Many Linux distributions now have tools that update your software almost automatically. Debian and its derivatives use apt-get (apt-get update to refresh the package index, then apt-get upgrade to install the new versions), Mandrake has MandrakeUpdate, and Red Hat has up2date. Using those tools, or otherwise keeping all software on your system current, is essential to winning the race against the script kiddies.

Like driving, computer security can be awfully boring. To stay safe, you must abide by these simple principles:

  • Back up your system as an insurance policy
  • Know what you're trying to protect
  • Follow all relevant policies -- write your own if necessary
  • Know how to measure your exposure, then limit it
  • Keep an eye out for likely threats
  • Keep your software up to date

Keeping secure systems requires perseverance, consistency, and eternal vigilance.

More Stories By Jon Lasser

Jon Lasser is senior system administrator at SkyNetWEB, a columnist for 'Web Hosting Magazine', lead coordinator for the Bastille Linux project, and the author of 'Think Unix', an introduction to Unix and Linux for power users.
