Linux Security

Once you connect your spanking new Linux workstation to your ISP, you may be in for a bit of a shock as to how easy it might be for someone to log onto your workstation, gain root access, and change your system around, then disappear without a trace (if they're good). These people have been called uebercrackers, but more than anything else, they're a pain in the butt. Still, protecting your system from their inroads is great training for you.

You must remember, now that you are a Linux system administrator, that when you connect your workstation to your ISP, even through a dynamic IP address, all your Linux resources can possibly be accessed from the Internet just as though you were on a local network. If your machine is misconfigured, the wily cracker can telnet in (or use some similar method of access) and even gain ``root,'' which is complete system access.

I recently read a post to a mailing list from a new Linux user who caught a hacker logged into his machine within 5 minutes of his logging into his ISP. He saw unusual hard drive activity and ran a who command, which lists all users currently logged into your workstation. He discovered a root shell in use that was not his own. He initiated a ``talk'' session with the cracker, who confessed that he had gained root by exploiting a well-known bug in one of his programs. In the time it took to chat with this cracker, the new Linux user watched the cracker launch a script that would have altered his log files, erasing any trace of his presence. The new Linux user turned off his modem and issued a kill -9 command against the script's process. But the cracker had still deleted the /etc/passwd file, which contains all the passwords for all users on the system.

This sort of thing happens rarely, and the new Linux user's ISP was, it turned out, a popular hangout for cracker-types. He recovered his system after some trouble, but this is a very hard way to learn about system security. He is now a very sincere student of system security.

Fortunately, the Linux community is often both knowledgeable and helpful about plugging up security holes. Red Hat Linux, for instance, maintains an up-to-date ftp site for fixes against their recent distribution releases. If you keep up with installing these latest fixes as they become available, you eliminate almost all of the common security weaknesses. Other Linux distributors have similar resources.

Security weaknesses happen through misconfiguring your system or through bugs in important system programs. If you don't have your permissions properly set up on important files, programs, or other resources, someone may log in and start a privileged process that can alter your system in a bad way. You must ensure that all system resources are locked down with proper permissions.

Most significant system weaknesses happen because of bugs in important system software or processes. For example, sendmail is a mail transport agent that runs as a process on many Unix machines. Unfortunately, its code base has many flaws, and new patches and fixes must be issued against it regularly. This one piece of software is so full of security holes that you can visit ``underground'' web pages that categorize exploits according to the version of sendmail.

Once a program has been shown to have a dangerous bug, a security alert is issued by someone, oftentimes CERT (The Computer Emergency Response Team). Unfortunately, crackers also read security alerts, and unless you upgrade your flawed software, you might possibly be the next statistic for the exploit covered in that alert.

The basic rule of thumb is to not run more daemons (background system processes) than necessary, and not to install non-essential services. For example, if, when you install Linux, you also install the telnetd daemon and the httpd daemon, then these programs can allow others to access your machine. In effect, your machine is a telnet and http server connected to the Internet. Once you get your system installed, prune non-essential processes and services.
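As an added illustration of the two checks just described (locking down permissions and pruning listening daemons), here is a small audit script; it is not part of the original article, and it assumes a Linux /proc filesystem plus a POSIX sh with find and sort available:

```shell
#!/bin/sh
# Added audit helpers illustrating the advice above (not from the original
# article).  Assumptions: Linux /proc, a POSIX sh, find and sort.

# list_listeners [FILE]
#   Print every TCP port in LISTEN state (state 0A) from a /proc/net/tcp
#   style table (default: the live /proc/net/tcp).  Every port listed is a
#   daemon reachable from the Internet, so each one should be a service you
#   deliberately chose to run.
list_listeners() {
    file="${1:-/proc/net/tcp}"
    # skip the header; field 2 is HEXIP:HEXPORT, field 4 is the socket state
    tail -n +2 "$file" | while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue
        echo $((0x${laddr##*:}))
    done | sort -n | uniq
}

# find_world_writable DIR
#   Regular files under DIR that any user may modify (others have write).
#   A world-writable configuration file or script is the "permissions not
#   properly set up" case: anyone with a login can change what root runs.
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# find_setuid DIR
#   Regular files under DIR with the setuid or setgid bit.  Each runs with
#   its owner's (usually root's) privileges, so a bug in one of them is a
#   path to root; keep this list short and keep every entry patched.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_report
#   Whole-system report; run as root so that find can read every directory.
audit_report() {
    echo "== TCP ports in LISTEN state =="
    list_listeners
    echo "== world-writable files under /etc =="
    find_world_writable /etc
    echo "== setuid/setgid programs under /bin /sbin /usr =="
    for d in /bin /sbin /usr; do
        [ -d "$d" ] && find_setuid "$d"
    done
}
```

Source the file and run audit_report as root; any port, writable file or setuid program you cannot account for is where to start pruning or patching.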

I'm afraid there is no royal road to complete security in Linux or any Unix. If you'd like an introduction to some security concepts in Unix, check out underground web pages. You can also look at underground e-zines such as ``Phrack'' and ``2600.'' You can learn a lot about cracker tactics there.

The best way is to start with the basics geared to new users of your Linux distribution. Pay attention to all the security-related information. Graduate through the books and HOWTOs and FAQs in the Linux Documentation Project. Ask questions on the mailing lists and newsgroups. When you are comfortable with Linux and basic Unix concepts, you can dig into important security books like Practical Unix & Internet Security by Garfinkel and Spafford. This is a must for Linux users concerned about security. But it goes into a lot of detail and is intended for experienced system administrators. However, paying attention to system security and keeping your system lean and tight will give you that experience.

© David S. Jackson, 1997.

David S. Jackson
Wed Mar 19 22:48:00 PST 1997