Linux security basics

How to achieve the goal of every system admin: boring, predictable computers

There seem to be two kinds of people in the world: those who think computer security is fun and exciting, and those who think it is arcane and scary. Professional system administrators who read their logs will tell you computer security is actually long periods of boredom punctuated by intervals of sleeplessness, panic, and frantic activity.

For months, you read logs that basically consist of the same sequence of messages. Then one morning, you see a different message. Your first thought tends to be "I've been hit!" You want to determine whether the attack was successful. You comb through logs and examine files on your systems, looking for signs of abnormal behavior. There are none; maybe the attack has failed. But perhaps the attacker was smarter than you. For days or weeks you remain unsure if your system's defenses were penetrated. Eventually, you forget about it and move on to a new crisis.

I think driving is an excellent metaphor for computer security, on a number of levels: Some people think driving is enjoyable and exciting, but some think it is dangerous and scary. I insure my vehicle, follow the rules of the road, wear my seatbelt, stay out of harm's way, keep my eyes on the road, and perform regular maintenance. Let's take a look at how each of those steps applies to computer security.

First, a warning: most of computer security is nontechnical, just as most driving doesn't require a detailed understanding of internal combustion engines. Good driving also means boring and predictable driving, which may not be much fun. Computer security requires lots of plodding, methodical examination of details that will hopefully result in boring and predictable computers. Neither safe driving nor safe computing taxes your technical abilities; the goal of both is to keep you out of harm's way in the first place. Think of this article as a defensive driving course for the information superhighway.

Insurance

Most states won't even let you get on the road without insurance, which is a very old method of distributing and managing risk. By climbing into an automobile, you increase your risk of death or serious injury, but most people still drive to work. Likewise, connecting a computer to a network puts you at risk for theft or loss of data, but most people are loath to permanently disconnect their systems from the Internet. As a Linux system administrator, I work not to eliminate risk, but to manage it.

I need to know the nature of a risk before I can manage it. Car insurance typically covers medical bills, damage to your car, accident-related lawsuits, and theft. When you put a computer on the Internet, what do you put at risk?

Computer security professionals say users and administrators should develop a threat model, which states what you're trying to protect from whom. Do you want to protect your ability to access the network, to print, or to store files? Are you worried about the confidentiality of certain files on your system? Are you worried that people might alter or destroy data? Do you want to keep hackers from defacing your Website and damaging your corporate image?

Implementing security measures requires at least an implicit understanding of your threat model, but simply understanding the risks is not the same as insurance.

A more direct form of insurance is backups. Depending on your threat model and system configuration, you may want to emphasize different portions of the backup procedure. If your system is a standard off-the-CD Linux install with little customization of your configuration files, you may only need a zip disk to back up the files in your home directory. If you've customized your system extensively, you might wish to back up your /etc and /usr/local directories as well. If you don't think restoring those files with a fresh install will accurately reflect your current system, you may want to regularly perform full backups of your system.
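The backup regimen described above (the /etc and /usr/local directories plus home directories of a customized install) as a shell script. This is an added example, not code from the article; it assumes GNU or BSD tar and the POSIX cksum utility, and the directory tree it backs up in the demo is constructed so the script runs anywhere without touching the real /etc.

```shell
#!/bin/sh
# Added example, not from the article: archive the directories a customized
# Linux install depends on (/etc, /usr/local, home directories) into a dated,
# compressed tar file, record a checksum, and verify the archive before
# treating it as insurance.

# backup_dirs DEST_DIR DIR [DIR...]  -> prints the path of the archive written
backup_dirs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    # Store members relative to / (leading slash stripped), so a restore onto a
    # fresh install is simply:  tar -xzf ARCHIVE -C /
    set -- $(for d in "$@"; do printf '%s\n' "${d#/}"; done)   # assumes no spaces in paths
    tar -czf "$archive" -C / "$@" || return 1
    # Checksum recorded beside the archive; verify_backup compares against it.
    cksum < "$archive" > "$archive.cksum"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the archive lists cleanly and matches its checksum
verify_backup() {
    tar -tzf "$1" > /dev/null || return 1      # a backup you cannot read is no insurance
    [ "$(cksum < "$1")" = "$(cat "$1.cksum")" ]
}

# archive_contains ARCHIVE MEMBER -> 0 if MEMBER (path relative to /) is in the archive
archive_contains() {
    tar -tzf "$1" | grep -qx "$2"
}

# Demo on a constructed tree (stands in for /etc and /usr/local).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/usr/local/bin"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo_root/etc/passwd"
printf '#!/bin/sh\necho hello\n' > "$demo_root/usr/local/bin/hello"
demo_archive=$(backup_dirs "$demo_root/backups" "$demo_root/etc" "$demo_root/usr/local")
if verify_backup "$demo_archive"; then
    echo "backup verified: $demo_archive"
    tar -tzf "$demo_archive"
fi
```

On a real system the call would be something like `backup_dirs /mnt/backup /etc /usr/local /home`; the verify step matters because the failure you discover at restore time is the one you cannot recover from.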

Rules of the road

Almost every local government in the world requires you to possess a license in order to drive. Before getting even a learner's permit, you must pass a test that proves you understand the rules of the road. (I've often wished for an Internet Driver's License that indicates an understanding of netiquette, but that's a different article altogether.) As a network user, your driver's handbook is your ISP's Terms of Service agreement; if you use computers at work, you must also abide by corporate guidelines or policies.

Terms of service may include limitations on network monitoring and running services, along with strong language about respecting intellectual property. Corporate policies also typically cover strong passwords, the use of systems for non-work-related activities, confidentiality agreements, and so on.

As a system administrator, I've defined a number of policies, including our organization's password policy and several policies that authorize me to decode network traffic and scan our computer systems for security holes. If you think that doesn't matter, read about the Randal Schwartz case and about the CIA agents recently disciplined for running an unauthorized chat server. (See Resources for links.) If you don't have policies, you should develop them.

Wear your seatbelt

The best advice is also the most pedestrian (no pun intended). Most security violations are not perpetrated by hackers, competitors after your corporate secrets, or nefarious government agencies -- they are caused by (often well-meaning) employees who simply don't follow the rules. They pick bad passwords, take secure laptops and put them on insecure networks at home and at conferences, and so on. Make sure that all staff members understand your policies and the risks associated with violating them. Even when no harm directly results from a violation, it still increases risk, which is the exact opposite of what we're trying to do.

Wearing a seatbelt also implies a certain balancing of risks: friends constantly tell me about some person who would certainly have been killed if he or she had been wearing a seatbelt, but was instead thrown to safety. While at least some of those stories are undoubtedly true, they are the exception, not the rule; the prudent driver or passenger knows that, at the end of the day, seatbelts save lives. Similarly, implementing some computer security may make you a more challenging or juicier target for hackers in some other respect. The question is always, "Overall, does this measure increase or decrease my security?"

Stay out of harm's way

A good automobile is designed to eliminate as much wind resistance as possible. The equivalent of wind resistance on the Internet is the constant stream of low-level scans and probes that hackers use to find systems to break into. The best way to avoid harm is to keep a low profile. Most Linux distributions turn on many more services than are necessary on the average workstation. I've seen dozens of machines hacked through outdated copies of BIND installed on systems where local name service wasn't even being used. If named hadn't been running, the systems would have been safe. Turn off any services you don't need, and remove the software entirely if possible.

Many risky programs run from inetd; you can turn them off by commenting out the relevant lines in /etc/inetd.conf. Some systems, such as Red Hat 7.0, use xinetd as a replacement; xinetd's configuration files are fairly easy to work with, and turning off services there should be just as easy. Other risky services run from startup scripts in (depending on your distribution) /etc/rc[1-5].d, /etc/init.d/rc[1-5].d, or /sbin/rc[1-5].d (see Resources for a link). Whichever mechanism starts them, it's best to limit what those scripts run to the bare minimum.

Finally, protect your data as it travels over the network. Programs like Telnet and FTP transmit all passwords and data over the network in cleartext, which can be read by anyone with a network sniffer. Try replacing those packages with OpenSSH (see Resources for a link) and other software that protects your data using cryptography.
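The inetd clean-up from the two paragraphs above as a script: list what /etc/inetd.conf still enables, then comment out the cleartext services (telnet, ftp) and finger. This is an added example, not code from the article; the inetd.conf contents are a constructed sample, and on a real system you would point the functions at /etc/inetd.conf and then send inetd a HUP signal so it rereads the file.

```shell
#!/bin/sh
# Added example, not from the article: audit /etc/inetd.conf for services that
# are still enabled and comment out the ones you do not need, keeping a backup
# of the original file for rollback.

# list_inetd_services FILE -> one enabled service name per line
list_inetd_services() {
    # Active lines begin with the service name; blank lines and comments are skipped.
    awk 'NF > 0 && substr($1, 1, 1) != "#" { print $1 }' "$1"
}

# service_enabled FILE NAME -> 0 if NAME is still active in FILE
service_enabled() {
    list_inetd_services "$1" | grep -qx "$2"
}

# disable_inetd_service FILE NAME -> comments out every active line for NAME
disable_inetd_service() {
    conf=$1; svc=$2
    cp -p "$conf" "$conf.bak" || return 1     # keep the original for rollback
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf.bak" > "$conf"
}

# Demo on a constructed inetd.conf (not a real system's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp   nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp   nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp   nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp   nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
echo "enabled before: $(list_inetd_services "$demo_conf" | tr '\n' ' ')"
# telnet and ftp carry passwords in cleartext; finger hands out account names.
for svc in telnet ftp finger; do
    disable_inetd_service "$demo_conf" "$svc"
done
echo "enabled after:  $(list_inetd_services "$demo_conf" | tr '\n' ' ')"
```

After editing the real file, inetd must be told to reread it (send it SIGHUP); until then the old services keep listening. Removing the packages afterwards, as the article recommends, means a later configuration mistake cannot bring them back.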

Keep your eyes on the road

Drivers do a better job when they keep an eye out for obstacles, and know what threats to expect and how to respond to them. Mailing lists are essential to doing this. CIAC and CERT run low-volume mailing lists with information about security threats, as do many Linux vendors such as Red Hat, SuSE, Debian, and Mandrake. (See Resources for those vendors' security sites, which have links to their security mailing lists.) If you want a closer look at day-to-day happenings, BugTraq is the mailing list where many security issues first surface.

To keep an eye on where you're going, read your log files. That is the first thing I do at work every morning, after reading my email. If you run an intrusion detection system such as Snort, you should read those logs too. The SANS Institute's GIAC (Global Incident Analysis Center) program lets you find out what other people's intrusion detection systems are uncovering; reading other admins' logs is an excellent way to learn the lay of the land.
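The morning log review described above, and the "same sequence of messages, then one different message" pattern from the opening of the article, as a script: a baseline of regular expressions filters out the messages you see every day, and a second pass counts failed ssh logins per source address. This is an added example, not code from the article; the syslog-style lines and the baseline patterns are constructed samples, and the awk field parsing assumes the standard OpenSSH "Failed password ... from HOST" wording.

```shell
#!/bin/sh
# Added example, not from the article: a two-step daily log review.
# novel_lines leaves only messages that match none of the baseline patterns;
# failed_logins_by_host counts failed ssh logins per source host.

# novel_lines BASELINE_FILE LOG_FILE -> log lines matching none of the baseline patterns
novel_lines() {
    grep -v -E -f "$1" "$2" || true      # grep exits 1 when nothing is left; that is fine
}

# failed_logins_by_host LOG_FILE -> "<count> <host>" per source host, most failures first
failed_logins_by_host() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") hosts[$(i + 1)]++
         }
         END { for (h in hosts) print hosts[h], h }' "$1" | sort -rn
}

# hosts_over_threshold LOG_FILE N -> hosts with at least N failed logins
hosts_over_threshold() {
    failed_logins_by_host "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample log (syslog format); not from a real system.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 04:12:01 web1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jun  3 04:12:17 web1 sshd[2201]: Accepted publickey for jon from 10.0.0.5 port 51512 ssh2
Jun  3 04:13:02 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun  3 04:13:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jun  3 04:13:09 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Jun  3 04:20:44 web1 sshd[2230]: Failed password for jon from 198.51.100.4 port 33010 ssh2
Jun  3 04:21:00 web1 su[2240]: FAILED SU (to root) jon on pts/1
EOF

# Constructed baseline: the messages this host produces every day.
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.
sshd\[[0-9]+\]: Accepted publickey for jon from 10\.0\.0\.
EOF

echo "== messages not in the baseline =="
novel_lines "$BASELINE" "$SAMPLE_LOG"
echo "== failed ssh logins by source =="
failed_logins_by_host "$SAMPLE_LOG"
echo "== hosts with 3 or more failures =="
hosts_over_threshold "$SAMPLE_LOG" 3
```

The baseline grows over time as you decide which new messages are harmless; anything it does not cover is exactly the "different message" that deserves a closer look, and a host that fails many logins in a short span is the first candidate for that look.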

Perform regular maintenance

Even the safest automobile must undergo regular inspections and maintenance to remain in good working order. Computers also need to be maintained. For Linux systems, that means regular updates to software. Red Hat Linux, for example, issues security updates frequently: one or more updates in a week is fairly common.

While it can be challenging to keep all your systems' software up-to-date, it is necessary. Almost all systems are broken into by script kiddies who exploit well-known holes in out-of-date software. You can think of it as a race: will they find the holes in your system before you patch them? Many Linux distributions now have tools that update your software almost automatically. Debian and its derivatives support the apt-get update command, Mandrake has MandrakeUpdate, and Red Hat has up2date. Using those tools, or otherwise keeping all software on your system current, is essential to winning the race against the script kiddies.

Like driving, computer security can be awfully boring. To stay safe, you must abide by these simple principles:

  • Back up your system as an insurance policy
  • Know what you're trying to protect
  • Follow all relevant policies -- write your own if necessary
  • Know how to measure your exposure, then limit it
  • Keep an eye out for likely threats
  • Keep your software up to date

Keeping secure systems requires perseverance, consistency, and eternal vigilance.

About the author

Jon Lasser is senior system administrator at SkyNetWEB, a columnist for 'Web Hosting Magazine', lead coordinator for the Bastille Linux project, and the author of 'Think Unix', an introduction to Unix and Linux for power users.
