Simple security precautions for a Fedora GNU/Linux system

Last modified 28 Jun 2005.

A checklist of straightforward Linux security precautions.

  1. Migrate to ssh from telnet/ftp
  2. Disable remote root login
  3. Install and configure a firewall
  1. Migrate to ssh from telnet/ftp

    Abandon telnet and ftp. They are insecure because the traffic they carry is not encrypted, so passwords and other vital data can be read by anyone who can see the traffic. Instead, use the secure shell ("ssh") family of commands. The relevant RPM files are part of the Fedora Linux distribution. The commands are easy to use. To log in to a remote machine:
    > ssh username@remote.machine.edu
    
    To make a secure ftp connection:
    > sftp username@remote.machine.edu
    
    To copy one file to/from the current directory:
    > scp username@remote.machine.edu:tex/paper.tex  papier.tex
    > scp papel.tex   username@remote.machine.edu:tex/paper.tex
    
    ssh is available for Windows machines as "PuTTY", and can be freely downloaded from this website. So you can connect securely from a remote Windows machine to your office Linux machine. No more telnet or ftp.
  2. Disable remote root login

    Even with ssh, you don't want to risk the possibility that a hacker might find out your root password and use it to break into your system. Edit /etc/ssh/sshd_config and change the "PermitRootLogin" line to read:
     PermitRootLogin no
     
    You can still log in remotely as a user and then use "su -" to become root.
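
A check for the setting above, as an added example that is not part of the original page: it reports the PermitRootLogin value from the global section of an sshd_config-style file, following sshd's rules that keywords are case-insensitive and the first value found wins. The function names and the sample file are constructed for illustration.

```shell
# Added example (not from the original page). Reports the PermitRootLogin
# value in the global section of an sshd_config-style file.
# sshd keywords are case-insensitive and the first value found wins.
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^#/ || /^$/ { next }                           # comments, blanks
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }            # conditional blocks: not global
        key == "permitrootlogin" { val = tolower(f[2]); exit }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Returns 0 only when remote root login is explicitly disabled.
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample config for a stand-alone run: the commented-out line
# and the later duplicate are both ignored, so the effective value is "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
EOF
if root_login_disabled "$sample"; then
    echo "root login disabled"
else
    echo "root login NOT disabled: $(effective_root_login "$sample")"
fi
rm -f "$sample"
```

sshd reads this file at startup, so an edit takes effect only after the service is restarted or reloaded. A "Match" block later in the file can still set a different value for specific users or hosts, which this check does not examine.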
  3. Install and configure a firewall

    If your computer is connected to the internet then it must be protected from break-in attempts.
    1. Install Firestarter, a user-friendly graphical interface to the Linux kernel's built-in packet filtering utility (iptables). You can download the RPM file from the firestarter website.
    2. Start the firewall. You can use the graphical interface, which you run by typing "firestarter" as root. Then just click on Firewall -> Run Wizard and follow the instructions. You probably don't need to change the defaults: basically, don't check any of the boxes.
    3. Configure the firewall. By default, all external connections are blocked. If you want to use this computer for everyday purposes, you will probably want to set the "Inbound traffic policy" to allow certain vital trusted connections from the outside. You can do this graphically via the "firestarter" command. If you prefer to edit the configuration files directly, that is easy too: they are in /etc/firestarter/inbound. Here is how mine look:

      File /etc/firestarter/inbound/allow-from:
      ----
      red.wustl.edu,
      imagen.wustl.edu,
      lw5.wustl.edu,
      acadinfo.wustl.edu,
      ----
      
      The first three lines are for printers: I had problems printing unless I allowed the printers to talk back to my computer. The last line is for the University database system.

      File /etc/firestarter/inbound/allow-service:
      ----
      SSH, 22, everyone,
      NTP, 123, navobs1.wustl.edu,
      Unknown, 113, wugate.wustl.edu,
      ----
      
      The first line allows incoming ssh so you can log in from home, for example. The second line is for the network time server: it allows a trusted external site to keep your system clock on time (run "system-config-time" to set this up). The final line is for the mail gateway that I use for sending mail.
    4. Which services to allow? I proceeded by trial and error. I kept the firestarter window open with the "Events" tab selected, while I used my computer in the normal way. Sometimes, I found that something that used to work before installing the firewall had now stopped working. I could then see in the "Events" window what external connections had been blocked. If you right-click on a given event, you get the option to change the rules so as to allow that connection. This can either be done by allowing all connections from that external machine ("Allow connections from source"), which adds entries to the /etc/firestarter/inbound/allow-from file, or by only allowing connections from that machine that are directed to a specific port ("Allow inbound service for source"), which adds entries to the /etc/firestarter/inbound/allow-service file.
    5. Persistence of the firewall. If you installed firestarter from an RPM file then it is now a system service, and runs automatically at startup. Note that firestarter is just a friendly interface that makes it easy to configure the Linux kernel's built-in iptables packet filtering system. So after it has run it disappears from the list of running processes, but the packet filtering continues. Similarly, when you close the firestarter window you are not stopping the packet filtering.

      It is straightforward to check that packet filtering is occurring.
      1. Type
          > /etc/init.d/firestarter status
        If it says "Firestarter is running..." then this is a good sign.
      2. Look at the log file /var/log/messages:
          > tail -f /var/log/messages
        If you see lines like
          Jun 28 17:31:34 mybox kernel: Inbound IN=eth0 OUT= MAC=00:0d... SRC=207.33.111.35 DST=128.252.125.81 ...
        then the kernel filtered a packet at the specified time, so there is some firewalling going on.
      3. Get an external report from a port scan. There are sites that will do this for free; see the firestarter FAQ for links.
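
Steps 4 and 5 both rely on reading the kernel's "Inbound" log lines. The following added example (not part of the original page) counts them per source, protocol and destination port, which helps decide between an allow-from entry and a narrower allow-service entry. The log lines are constructed, and the PROTO= and DPT= fields are assumed from the standard iptables LOG format because the page's sample line is truncated.

```shell
# Added example (not from the original page): count filtered inbound packets
# per source, protocol and destination port from a syslog-style file.
blocked_summary() {
    awk '
        / kernel: Inbound / {
            src = proto = dpt = "-"      # "-" when a field is absent (ICMP has no DPT)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample log (documentation addresses) for a stand-alone run.
log=$(mktemp)
cat > "$log" <<'EOF'
Jun 28 17:31:34 mybox kernel: Inbound IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=631
Jun 28 17:31:40 mybox kernel: Inbound IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=631
Jun 28 17:32:02 mybox sshd[2211]: Accepted password for user from 198.51.100.20
Jun 28 17:32:10 mybox kernel: Inbound IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=123
EOF
blocked_summary "$log"    # one line per source/protocol/port, busiest first
rm -f "$log"
```

A source that only ever appears for one port is a candidate for an allow-service entry rather than allow-from.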

Mark Alford's home page

alford(at)wuphys.wustl.edu
