Don Marti

Sun 17 Apr 2005 08:33:52 PM PDT

Done installing, now what? (version 2.1)

Here is the start of a list of security precautions for setting up a new GNU/Linux system before putting it on the net.

(update 7 Feb 2005: physical security)

If it's the first install of a new distribution, make sure you are subscribed to the security mailing list for that distribution.

Forward root's mail to your real address (the root: entry in /etc/aliases, then run newaliases), so that cron output and other system mail actually gets read.

Set up /etc/apt/sources.list — remove "non-free" and "contrib" entries, and CDROMs.

Get vim, sudo, and screen:

apt-get install vim sudo screen
apt-get --purge remove nano nvi

Remove unused software, especially daemons. Your firewall or external server doesn't need portmap!

Add yourself to groups adm and sudo.

Set up sudo. This line lets members of the sudo group run any command as root without being asked for a password. Convenient, but it also means that anyone who gets a shell as one of those users has root with no further check; leave off NOPASSWD: if you want the password prompt:

%sudo ALL=NOPASSWD: ALL

Replace exim with postfix:

apt-get --purge install postfix

Set the default umask to 002 in /etc/profile and /etc/login.defs. (Debian gives each user a private group, so umask 002 only opens new files to that private group; combined with a setgid project directory owned by the project group, it makes shared /home/project directories work.)

Unless this is a mail server, configure the mailer daemon to only listen on the loopback interface, or not to listen at all.

Remove X.

sudo apt-get --purge remove x11-common

Remove extra services unless you need them.

sudo apt-get --purge remove cupsys lpr telnetd \
ftpd fingerd nfs-common nfs-server pidentd portmap

Set up debconf to use readline instead of a full-screen menu, and to ask the appropriate level of questions:

sudo dpkg-reconfigure debconf

Comment out unneeded services in /etc/inetd.conf.

Put every possible service on the loopback interface only. Example: if you need portmap locally, do this:

sudo dpkg-reconfigure portmap

and answer this question:

**Should portmap be bound to the loopback address?** y

Apply any security updates to the remaining software on your system.

Set up ntpd and ntpdate, so that times in the logs will be correct.

Copy your ssh public keys into .ssh/authorized_keys in your home directory on the new server, so that you never need to send your password over the net, even encrypted. Configure sshd to refuse password and root logins, and to accept only protocol version 2.

Put your new server's ssh host key in /etc/ssh/ssh_known_hosts on your other systems, so that a changed key is a hard failure rather than an unfamiliar prompt to click through. Check the fingerprint against the one on the server's console before you trust it.

Unless this is a public shell box where anyone with a user account can log in, set up AllowUsers in /etc/ssh/sshd_config to allow ssh logins only from yourself and other authorized users.

If this host will be accepting tunneled connections, set up a tunnel-only account whose login shell is /bin/false, so that it can forward ports but never run a command. (Users should use -N or equivalent to tunnel in.)
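The ssh steps above (key-only logins, no root or password logins, AllowUsers, a tunnel-only account) as one script. This is an added example, not part of the original post: the user names, the `tunnel` account, the key strings and the forwarding destinations are assumptions, and the set_directive helper is ours, not an OpenSSH tool.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd hardening
# described above. Names, paths and keys are illustrative assumptions.

# set_directive CONFIG KEYWORD VALUE
# sshd uses the FIRST value it sees for a keyword, including values pulled
# in by an Include line near the top of newer default configs. So drop every
# existing line for KEYWORD (commented or not) and put ours at the very top.
set_directive() {
    file=$1; key=$2; value=$3
    new="$file.new.$$"
    {
        printf '%s %s\n' "$key" "$value"
        grep -Ev "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" || true
    } >"$new" && mv "$new" "$file"
}

# harden_sshd_config CONFIG "user1 user2 ..."
harden_sshd_config() {
    conf=$1; users=$2
    set_directive "$conf" Protocol 2              # refuse protocol 1; modern OpenSSH only speaks v2 and just logs this line as deprecated
    set_directive "$conf" PermitRootLogin no      # come in as yourself, then sudo
    set_directive "$conf" PubkeyAuthentication yes
    set_directive "$conf" PasswordAuthentication no
    set_directive "$conf" ChallengeResponseAuthentication no   # PAM keyboard-interactive is a password login too
    set_directive "$conf" X11Forwarding no        # X was removed anyway
    set_directive "$conf" AllowUsers "$users"     # everyone else is refused before authentication
}

# tunnel_key_line "PUBKEY" [HOST:PORT ...]
# authorized_keys entry for the tunnel-only account: no pty, no agent or X11
# forwarding, and -L forwards only to the listed destinations. With /bin/false
# as the login shell, a client that forgets -N is simply disconnected.
tunnel_key_line() {
    pubkey=$1; shift
    opts="no-pty,no-agent-forwarding,no-X11-forwarding"
    for dest; do
        opts="$opts,permitopen=\"$dest\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# Typical use on the new server, as root (assumed names):
#   harden_sshd_config /etc/ssh/sshd_config "don alice"
#   sshd -t && /etc/init.d/ssh restart        # -t: syntax check before you lock yourself out
#   adduser --disabled-password --shell /bin/false tunnel
#   tunnel_key_line "$(cat tunnel.pub)" 127.0.0.1:5432 >> /home/tunnel/.ssh/authorized_keys
# Keep the current session open and test a fresh login from another window
# before closing it. On your other machines, take /etc/ssh/ssh_host_*_key.pub
# from the server's console, prepend the host name, and append the result to
# /etc/ssh/ssh_known_hosts rather than trusting the first answer off the wire.
```

set_directive prepends rather than edits in place because sshd's first-match rule makes a stale duplicate further down, or in an included file, silently win over a value appended at the end.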

Run netstat and nmap to make sure that no unnecessary services are running. If you have services that are supposed to run on one interface but not another, nmap from both sides to check your configuration.

If nmap reveals a service you don't want or didn't configure, go back and remove it. Be ruthless in removing software. Software is nothing but trouble.
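A quick inside view of the check above: everything that is listening and is not bound to loopback. This is an added example, not from the original post; the netstat and ss output it parses is constructed sample data, and it complements rather than replaces the nmap scan from outside, which is what proves the firewall agrees.

```shell
#!/bin/sh
# Added example (not from the original post): list listening sockets that
# are NOT bound to loopback, from "netstat -tuln" or "ss -tuln" output.

# exposed_listeners: reads netstat/ss output on stdin, prints "proto local"
# for every TCP listener or UDP socket whose bind address is not 127.x or ::1.
exposed_listeners() {
    awk '
        # Data lines start with tcp/tcp6/udp/udp6; header lines do not.
        # TCP must be in LISTEN; UDP has no state (netstat) or UNCONN (ss).
        $1 ~ /^(tcp|udp)/ && ($1 ~ /^udp/ || /LISTEN/) {
            laddr = ""
            for (i = 2; i <= NF; i++)               # first addr:port field is the local one
                if ($i ~ /:[0-9]+$/) { laddr = $i; break }
            if (laddr == "") next
            host = laddr; sub(/:[0-9]+$/, "", host) # strip the port; what is left is the bind address
            # loopback forms: 127.x.x.x, ::1 (netstat), [::1] (ss). Everything
            # else, including 0.0.0.0, :: and [::], is reachable from the wire.
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            print $1, laddr
        }'
}

# check_local_host: run it against this machine (tries ss first, then netstat).
check_local_host() {
    { ss -tuln 2>/dev/null || netstat -tuln; } | exposed_listeners
}

# Constructed sample (not real output from any host): a box with the mailer
# on loopback as described above, but portmap still exposed on both stacks.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
EOF
}

# The same machine as ss(8) prints it (also constructed).
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128         127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128           0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128              [::]:111          [::]:*
udp   UNCONN 0      0             0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0               [::1]:323         [::]:*
EOF
}
```

On the sample, sshd on 0.0.0.0:22 is expected; portmap on :::111 and 0.0.0.0:111 is the kind of thing this list exists to catch. Run check_local_host after every package install and again after the reboot.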

In /etc/environment, put this:

LESS="-X"

Reboot and check that you didn't start anything you don't need, and that you can still log in.

Put in local firewall rules. Yes, you have a locked-down system behind a firewall. Yes, you're adding local firewall rules as an extra third layer of security goodness between the first two.

Put rules on OUTPUT. One important thing local rules can do is to prevent and flag outgoing connections that shouldn't be happening. If a desktop machine or web server is talking on port 25 to anything other than your mail server, something is horribly wrong and you need to know about it.

Pure social engineering worms can't get root on a correctly configured system. But non-root users can make arbitrary outgoing connections, for example to other people's SMTP servers, so a social engineering worm could spread without ever getting root.
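The port 25 case above as iptables OUTPUT rules. This is an added example, not from the original post: the relay address is an assumption (a documentation-range address), and the IPT variable is our dry-run hook, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original post): OUTPUT rules for the port 25
# case above. Only the one relay we expect may be spoken to on SMTP; anything
# else is logged, then rejected. MAIL_SERVER is an assumed address in the
# RFC 5737 documentation range. Set IPT="echo iptables" to preview the rules.
MAIL_SERVER=${MAIL_SERVER:-192.0.2.25}
IPT=${IPT:-iptables}

smtp_egress_rules() {
    # Order matters: the first matching rule wins, so the allow comes first.
    $IPT -A OUTPUT -o lo -j ACCEPT                                   # the loopback-bound local mailer
    $IPT -A OUTPUT -p tcp --dport 25 -d "$MAIL_SERVER" -j ACCEPT     # our relay, and nothing else
    $IPT -A OUTPUT -p tcp --dport 25 -m limit --limit 5/min \
        -j LOG --log-prefix "smtp-egress: "                          # flag it; rate-limited so a worm cannot fill the log
    $IPT -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset  # and stop it; RST fails fast instead of hanging the sender
}

# Usage, as root:
#   smtp_egress_rules
#   iptables -L OUTPUT -n -v --line-numbers   # packet counters on the LOG/REJECT rules are your alarm
# Watch for "smtp-egress:" in the kernel log. A nonzero count on a web
# server or desktop means a local user or process is trying to send mail
# directly, which is exactly the non-root worm case described above.
```

REJECT with a TCP reset rather than DROP is deliberate: a legitimate misconfiguration fails immediately with a clear error instead of hanging for minutes, and a worm gets no more information either way.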

Install the server with the same level of physical security that you would apply to paper copies of the same information. Usually this means a locked server room or cabinet. Just disabling booting from CDROM and applying a BIOS password is not enough, since most computer cases are easy to get into.

(Additions welcome.)