# RootPrompt.org   Nothing but Unix.[Home] [Features] [Programming] [Mac OS X] [Search]


 Feature: Securing Linux Mandrake

As Linux Mandrake works it's way away from it's Red Hat roots, they've added a number of features "out of the box" that make it easier to use as a server. However, there are still a number of things that I do before considering a new install "ready" to be configured for offering any services. I recently had to put together a list of things that I normally do after installation for my employer, and I figured I would pass this information along to RootPrompt in the hopes that it will help someone else. Despite the fact that this is geared towards Mandrake, most of this should apply with very few changes to almost any distribution.

 (Submitted by Ranger Rick Mon Aug 21, 2000 )

  One of the nicest things about the newest Mandrake releases is a better emphasis on security. One thing I really like that isn't present in RedHat is the 'secure' versions of the kernel, which includes some of the optional third-party patches for locking down Linux, the most notable being the 'OpenWall' patches, that help prevent buffer overflows and /tmp race-condition hacks, as well as restricting access to fifos and the /proc filesystem. For a complete rundown of what it does, see the README.

While it's not really security-related, another nice thing that Mandrake supports out of the box, is the new ReiserFS filesystem. It offers journaling, and a btree-based structure that promises to speed things up as well as use less space.

After Installation

The first thing you should do after installing is to download any official security patches and updates. The updates are available on most Mandrake mirrors, in the updates/[version]/RPMS/ directory (or updates/[version]/[arch]/RPMS/ for non-x86 distributions). For the most part, you can just grab anything that's on your system, and then do an 'rpm -U *.rpm' and you're all set. (as I understand it, Mandrake has a tool for downloading updates now, I've never used it, I rarely boot into X :) Keep in mind, however, that you should *NOT* do an 'rpm -U' on kernel updates. For the full scoop, read the documentation on performing kernel upgrades, but the short version is to do an 'rpm -i' (install instead of upgrade) so you can keep your old version around in case something goes wrong. You can set up LILO to have a menu option for both your old and new kernels. If you're using reiserfs, you may have to make an initial ramdisk image (initrd) as well. There's a very good writeup on how to upgrade your kernel at mandrakeuser.org to get you started.

Perform Some Basic Lockdown Procedures

It used to be that you had to do a lot of this manually, but now there is a great tool called 'Bastille'. Originally, it was going to be a full distribution based on Red Hat, but instead they ended up creating a script that would change the few things that would need to be done to a default Red Hat installation. The plus side of this is that as of version 1.1, Bastille supports other distributions besides Red Hat (including Mandrake). You can get it at SourceForge.

Bastille will ask you a series of questions, with full, verbose explanations of why the changes should be made. Even if you never plan on setting up a server, running through the questions is a good way of learning some of the basic things you have to look out for, security-wise.

To run Bastille, untar it in root's home directory (for some reason, it's currently hardcoded to run from there), then run the 'InteractiveBastille.pl' script. You can run this as often as you want without messing with your setup, it won't do anything until you run the 'BackEnd.pl' script to actually make the changes, so don't worry if you make a mistake.

Set Up Your Firewall Rules

Bastille can actually create a basic set of firewalling rules for you, but I personally find PMFirewall to be a bit easier to work with. To download PMFirewall, go to pointman.org.

Like Bastille, PMFirewall will walk you through some basic questions on what services (FTP, telnet, etc.) you will be running on your firewall. Keep in mind, the questions are regarding the services you want people on the net to have access to, it does not affect your ability to access these services from your local network. PMFirewall will also set up your server to do NAT Masquerading, if you so desire.

Install OpenSSH

OpenSSH is a secure alternative to telnet and FTP (more specifically, a secure alternative to the rsh/rcp/rexec/etc. suite of tools). If at all possible disable telnet on your server. Yes, it's convenient, yes it's everywhere, and yes, it's totally insecure. OpenSSH can do everything telnet can, and can do it over an encrypted connection. There are pre-compiled RPMs on the site, for both OpenSSH and OpenSSL (which OpenSSH depends on). I cannot stress enough how important this is if you are going to allow command-prompt access to your server from the net. If you want to be a bit more careful, you can even up the default number of bits in the /etc/ssh/sshd_config used for the server encryption key from the default of 768 to 1024, or even 2048 for the paranoid. :)

As a side note, if you are forced to access your systems from Windows, there are a number of SSH clients available, both free and commercial. On the commercial side, there is a very nice all-around terminal program that supports both the SSH 1 and 2 protocols, called SecureCRT. If you want to go the free route (and who doesn't, given a choice? :) there is a fairly good SSH 1 terminal program called PuTTY. So, accessing your servers from Windows is not an excuse for leaving telnet around. :)

Install 'stunnel' For Mail Hosts

If you are going to be allowing POP or IMAP connections to your host, install stunnel. stunnel is a program that can take any connection on a port and turn it into an encrypted SSL connection. Some e-mail clients (Outlook, Outlook Express, and Netscape Mail, for example) support connecting to an SSL POP or IMAP connection out of the box, and any mail program that doesn't support it directly can be configured to use stunnel on the client side as well to make it work. You can get stunnel at stunnel.org. There are numerous examples on their site for ways to wrap common services with SSL, but it is a necessity for POP and IMAP mail, both of which send passwords in cleartext.

Uninstall Any Unnecessary Packages

Instead of selecting packages individually at install, I find it easier to remove the stuff I don't need afterwards. What I will usually do is an 'rpm -qa' to list every package on my system, and then go through and remove anything I don't need. This way, if there's something I'm unsure of, it's easy to go to another window and do an 'rpm -qi [package]' and find out what it does. Even if you do selectively install things, it's not a bad idea to go through all of the packages on your system and find out what they do. It's hard to tell if something went wrong if you don't know how your system was supposed to be in the first place.

That's It!

These are some very simple things you can do to make your system more secure, no matter what you're going to be doing with it. Once you've done this a few times, excluding actual download time, you can get a nice basic server configured and ready to go in just a few hours. This is the first time I've written an article like this, so if you have any comments, I would greatly appreciate your feedback.


Our content can be syndicated: Main page Mac Page

Copyright 1999-2005 Noel Davis. Noel also runs web sites about sailing and kayaking.
All trademarks are the property of their owners.
All articles are owned by their author