Linux Security (random notes)
From TheBeard Science Project Wiki
tools:
shred - securely delete files by overwriting them in place (not effective on journaling or copy-on-write filesystems that write new data elsewhere)
srm - securely delete files (part of package "secure-delete")
sfill - securely overwrite empty space. Use tune2fs first to release the filesystem's reserved blocks, otherwise they are not reached. (part of package "secure-delete")
sswap - securely overwrite swap partition (part of package "secure-delete")
sdmem - securely overwrite free ram (part of package "secure-delete")
method of overwriting free space (the small file is created first and deleted first, so the system gets some free space back as soon as random.file has filled the filesystem):
dd if=/dev/urandom of=random.small.file bs=1024 count=102400
dd if=/dev/urandom of=random.file bs=1024   # no count given: runs until the filesystem is full
sync ; sleep 60 ; sync
rm random.small.file
rm random.file
sometimes data is stored in the filesystem's reserved blocks (ext2/3/4 set aside a percentage of the disk for root by default), which the fill above cannot reach. To manage this:
sudo tune2fs -m 0 <device> - sets the reserved-block percentage to 0 so that space can be overwritten too; set it back afterwards with tune2fs -m 5 <device>
Edit /etc/sysctl.conf to reflect the following changes:
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Save changes to /etc/sysctl.conf and perform the following functions:
[root] # chown root:root /etc/sysctl.conf
[root] # chmod 0600 /etc/sysctl.conf
[root] # /etc/rc.d/init.d/network restart
Brief examples of the changes made are outlined below. The appendix contains URLs that can be used to gain a further understanding of these defined parameters.
net.ipv4.ip_forward = 0 – This parameter disables IP Forwarding. NOTE: IP Forwarding should be enabled (net.ipv4.ip_forward = 1) if the server will be acting as a gateway or router.
net.ipv4.conf.all.accept_source_route = 0 – This parameter disables IP Source Routing.
net.ipv4.tcp_max_syn_backlog = 4096 – This parameter raises the queue of half-open connections to 4096 entries, giving the server more headroom during a SYN flood.
net.ipv4.conf.all.rp_filter = 1 – This parameter enables IP Spoofing protection.
net.ipv4.tcp_syncookies = 1 – This parameter enables TCP SYN Flood protection.
net.ipv4.conf.all.send_redirects = 0 – This parameter disables the ability to send ICMP Redirects.
net.ipv4.conf.all.accept_redirects = 0 – This parameter disables ICMP Redirect acceptance.
net.ipv4.conf.default.accept_redirects = 0 – This parameter also disables ICMP Redirect acceptance; the default.* setting is inherited by interfaces created later, while all.* covers the interfaces that already exist.
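As an added example (not from the original wiki page), a POSIX shell function that checks the running kernel, or a saved `sysctl -a` dump, against the exact baseline listed above and reports every key that deviates or is missing; the names `audit_sysctl` and `SYSCTL_BASELINE` are chosen here.

```shell
#!/bin/sh
# Added example: audit the sysctl hardening baseline from this page against
# the running kernel, or against a saved "key = value" dump such as the output
# of `sysctl -a`. Names (audit_sysctl, SYSCTL_BASELINE) are chosen here.

# The exact keys and values the page puts in /etc/sysctl.conf.
SYSCTL_BASELINE='net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0'

# audit_sysctl [DUMP]
#   DUMP: file of "key = value" lines; omitted -> query the live kernel.
# Prints "key current expected" for each deviation (current is MISSING when
# the key is absent) and returns the number of deviations, 0 when compliant.
audit_sysctl() {
    if [ "$#" -gt 0 ]; then
        dump=$(cat "$1")
    else
        dump=$(sysctl -a 2>/dev/null)
    fi
    deviations=0
    for entry in $SYSCTL_BASELINE; do
        key=${entry%%=*}
        expected=${entry#*=}
        # Strip blanks, match the exact key (prefix followed by "="), and
        # take everything after the "=" as the current value.
        current=$(printf '%s\n' "$dump" | awk -v k="$key" '
            { gsub(/[ \t]/, "") }
            index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1; exit }
            END { if (!found) print "MISSING" }')
        if [ "$current" != "$expected" ]; then
            printf '%s %s %s\n' "$key" "$current" "$expected"
            deviations=$((deviations + 1))
        fi
    done
    return "$deviations"
}
```

Call `audit_sysctl` with no argument on the host after loading the file (`sysctl -p /etc/sysctl.conf` applies it to the running kernel without a service restart), or pass a saved dump to review a host offline.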
commands which may be security risks (they reveal who is logged in, from where, and what they are running):
finger
w
intruders may try to use a buffer overrun to create binaries owned by root with the SUID bit set
use 'find / -type f -perm -4000' to search for files with SUID (older GNU find accepted '-perm +4000', which current versions reject)
compare the list with the same command's output on a known-good system to find suspicious files
intruders might create a ~/.forward containing an email address, so that the user's mail is forwarded to that address.
eliminate this by creating an empty ~/.forward file owned by root with no read/write permissions (chmod 000). Note that a user who owns the home directory can still unlink and recreate the file, so this only guards against the user's own processes quietly editing it.