I had to put a Linux server out all alone in the big, bad world today. Before I turned it loose, I did a few things to give it a fighting chance out there.
The biggest thing I did was make the machine volunteer as little information as possible. Here’s how.
Most Linux distros out of the box proudly wave the penguin banner. When security’s your main priority though, you don’t want to do that. So the first thing to do is load up /etc/issue into a text editor. You’ll undoubtedly see something referring to Linux, and some control characters that tell you what version of the kernel you’re running and maybe some other stuff. That’s too much information. I thought about lying, maybe making the banner say Digital UNIX, but I’m an honest guy, and so’s our main Unix admin, and he was uneasy about it too. So instead I gave it a nice, warm, fuzzy, friendly greeting: Unauthorized use is prohibited.
Not bad, eh? It volunteers no information and tells the l337 h4xx0r to get lost. None of this welcome stuff. Never print that at logon. I’ve read cases where lawyers argued that since the system said welcome after someone hacked in, they were authorized.
Next, do the same thing to /etc/issue.net, since that’s the message the intruder is actually going to see, unless he’s physically standing at the keyboard.
Linux also has a Message of the Day it prints at login. Sometimes this just prints weird quotes, sometimes it prints system information. This is a utilitarian server that no one has any business logging into, so I edited /etc/motd to give a nice, warm welcome: Unauthorized use is prohibited. You know, just in case the kid forgot. You know kids today and their short attention spans.
And then, to suppress all other login messages, I created a file called .hmslogin in both users’ home directories.
Of course, those messages don’t give any information that anyone who knows any Unix at all couldn’t get and more at that point, but I’m assuming that not everyone who would break into a system knows anything.
Of course I did a few other things. Telnet went bye-bye in favor of OpenSSH. I broke Exim so I couldn’t accidentally be running an open relay. (Just look in /etc/exim.conf; you’ll find a line to uncomment so it only listens on 127.0.0.1. Do that and no one can use the box to send mail.) Any other programs that aren’t essential to operation get jettisoned.
This machine’s behind a firewall and can’t get in to a production network, so extreme measures aren’t necessary. For something that absolutely had to be secure, I’d remove all package management software and I’d be tempted to remove the bash shell and replace it with something minimalist like ash to reduce one’s ability to do the shell script thang. I’d also be highly tempted to compile my own distribution from scratch rather than using an off-the-shelf one. (And I wouldn’t necessarily use standard packages–security through obscurity, y’know.) Of course bosses frown on things like that, wondering who’ll stand behind it.
I tried the machine out when I got home. It was still out there. Fast and dutiful.
Of course I did the same thing to my boxes at home when I got here too. Just to keep Steve wondering if I haven’t maybe been sampling some of the neighborhood’s other wares when I walk down Jefferson and Cherokee on my way to the corner of Lemp and Arsenal for pretzels.
Anyone else have any tips for hardening a Linux box, or reducing the amount of information it reveals about itself?
Good stuff. I was wondering where those files where that held the greeting message and system type. Now I’m magically running Digital UNIX…