Unix Network Security
Once you put a computer on a network, you allow many more people potential access to the machine. Without
networks, often a machine is not useful.
The key to network security is to allow only those functions that the users actually need. Make those services
as secure as possible. By disabling non-used functions, you have much less monitoring/securing.
Think of filtering as a way to prevent unwanted access. If on the internet or large network, you will want a
firewall machine or router with firewalling capabilities for maximum protection. Hosts themselves can limit the
services provided and what hosts can access them.
A firewall machine is a machine between the internet and your network. It provides a point of resistance. It
protects your inside systems from external users. A firewall machine can filter your packets and/or be a proxy
server. Firewalls can be either software or hardware. When using software, I recommend having a machine
dedicated to the purpose of being the firewall (unless you only have one machine). Remember that just because
you are using NAT-ed IPs, doesn't mean you have a firewall. I have seen small companies be compromised due to
By filtering out services you do not use, at the router level (or firewall machine), potential infiltraters
are stopped very early on. Unless you use NFS between networks, turn off all RPC ports on the router. Better
yet, only enable specific ports that you use, adding new ones as needed. The next steps are on the host
Create access control lists /var/adm/inetd.sec to say what hosts can connect to your machine. This limits
access even further. In addition, do not enable services you are not using by turning them off in
TCP wrappers for logging incoming requests allows for easier tracing and protection.
One can imitate another host on a network by using the same host name. To prevent this from happening
outside your network, you need to make modifications to your router and your hosts system files.
Turn off source routing on your router. Once this is turned off, apply a filter that guarantees that packets
coming in from the outside network do not have a source IP address that matches the inside network. This
prevents another machine from pretending it is a trusted host.
On your system side, only use qualified hostnames only in any system file (NFS, hosts.equiv, ...). If
possible, do not allow hosts.equiv or .rhosts. Having a cron job remove non-agreed upon ones is great. Verify
that all .rhost and .netrc files (if allowed) permissions are 600. Having the cron job automatically fix this
is great too.
Convince your users to use SSH (secure shell). SSH provides encrypted traffic to prevent snooping. If you
MUST use telnet, at least close down which IPs you accept telnet from and turn off root login (except console
-- see Account Security section).
As with other services, if you do not need this functionality, turn it off. You can turn off incoming FTP or
simply certain users. If you need full FTP functionality, be certain to enable logging and monitor syslog. If
possible, use secure ftp (comes with ssh). Standard FTP is known to be a security hazard as it sends passwords
in clear text.
Since you only want valid users using FTP, make sure you have /etc/ftpusers include all system accounts
(uucp, bin, daemon, sys, adm, lp, root, ...). If there are other users who do not need FTP, also place them in
this file. Only allow the users that actually need them. Give them the least amount of access possible. Do not
allow writable directories unless absolutely necessary. If writable directories are needed, sometimes write
only directories can be utilized.
Having modems hooked up to one central point makes security easier. All modems should have additional
dial-up password for additional security. To do this, setup /etc/d_passwd (see d_passwd man page). Once you are
finished, verify that passwords are not guessable by using CRACK. As usual, use one password per user. Be
certain to disable the account when the user no longer needs access. All dial-up modems should log users out
upon disconnect (hupcl in /etc/gettydefs)
Use SATAN to make sure you haven't missed any obvious holes. Add all your networking patches. Try to break
into your site.
- Monitor to see if you are being attacked
Snort is a nice free IDS (intrusion detection system). Decide what
attacks you care about (ie. code red doesn't affect Unix) and configure. If you haven't configured an IDS
before, it will be a bit of work -- but well worth the effort.