Saturday, July 11, 2015

Five Security Tips for New Linux Admins

It’s generally fairly easy for new Linux administrators to get up and running with the basics of installing, configuring and managing Linux systems at a basic level. Truthfully, though, it takes years to get the in-depth knowledge required in many server environments today. One thing I really recommend learning early on — i.e. from the beginning — is security.
Monitor padlockI participate in a group of professional penetration testers (the nice folks who help you test your security as if they were the bad guys) called Charlotte Hackers Anonymous. I asked the group what they thought were the most important tips for new system administrators, and below are their tips, along with my thoughts on each.
Remember, these are the basics. But you should sear them into your brain. Pray and meditate on them, if that helps. Or, if you’re an old Marine like myself, drop and do 50 for Chesty Puller (a great hero among Marines) when you forget one of these. Whatever you do, learn these rules.
  1. Don’t run as root. There are some tasks you must do as the root user. However, make sure you always type “exit” when you are done — or take advantage of sudo, which will automatically require you to re-authenticate as root after a timeout period. Do any and all of your normal tasks as a normal, nonadministrative user. If you don’t already have a regular user account (which should be nearly impossible with most distributions), stop whatever you are doing — RIGHT NOW — and create a regular user account, and then login to that account to do your work.
  2. Keep your system patched. The only program that never needs patched is the one that hasn’t been written yet. Pretty much every piece of software ever written has bugs, aka vulnerabilities, in it somewhere. I have seen with my own eyes how easy it is to “pwn” unpatched operating systems. The bottom line here is — keep your system patched! openSUSE’s package management utility, Zypper, let’s you check for patches. Usually, just running the updates does what you need, but sometimes you may feel better going to the patch level.
  3. Review services and disable any unnecessary ones. I can’t tell you how many times I have seen this advice. It’s good, rock solid advice. Go through your packages and see what is installed on the system. Run netstat. Do you see any services you don’t need? Is Telnet running? You don’t need that (except for rare test cases). Shut it down. Shut it down NOW. That goes for any service you don’t need. If you really need the service, great — run it. You can find out how to secure that service. But anything else, shut it down. Uninstall it, even. Seriously, if you don’t need it, get rid of it.
  4. Test Open Ports. Learn Nmap and related tools. Learn some other port and vulnerability scanners. Use them. Also learn your distribution’s commands and utilities for managing ports. Shut down any open, unused ports. One company I know has only two, at most three, ports open on the external network. That makes them a very hard target indeed. The bad guys may find and attack those ports. Then again, they may just go looking for easier targets.
  5. Learn to use SELinux — don’t disable it. SELinux is a policy-based Mandatory Access Control utility. Basically, it gives you fine-grained control over users and how they interact with files and programs. Some distributions (notably, Red Hat & Fedora) come with SELinux installed by default. Others use it as an add-on option. At the recent SELF conference, one guy said he took a class on SELinux, and found out how to use permissive mode as something of a way to test policy changes. You can learn more about SELinux on the SELinux Project Wiki.
  6. Bonus Tip: Backups! Make regular backups and keep them secure. With advances in ransomware (in one case, a company’s backups were held ransom), I recommend finding a way to get those backups off your network as soon as they run. Okay, if you haven’t made a backup lately — you know the drill — stop right now and do so. Then drop and do 100 pushups for Chesty. What’s that? You thought I said 50 pushups earlier? You’re the one who should have been making backups all along. So now you owe double.
Maybe you think the Marine routine is a bit harsh. It probably is. But as my senior drill instructor used to say, “you can be smart, or you can be strong.” Smart admins prefer to learn the security ropes. The strong admins will later realize — typically under not-so-pleasant circumstances — why they should have been smart to begin with.

No comments:

Post a Comment