
ITS UNIX Systems

UNIX/Linux Security Best Practices

You can take steps to protect yourself from intruders who attempt to break into your UNIX or Linux system. Here are some things to do to make intrusion more difficult.

Turn off unused services

Services which you don't enable can't be attacked from the outside. If you don't provide access to a service, it doesn't matter if there are any vulnerabilities in the daemon which would provide that service. So disable anything you don't need to use.

Some daemons are started when the system boots, and remain active as long as the system remains up. For these persistent daemons, you need to look at the initialization scripts or programs used to start services when the system boots. Other services are not started at boot time, but instead are managed by either inetd or xinetd.

If your system is configured with inetd, look at /etc/inetd.conf, and remove, or simply prefix with a "#" character to make it a comment, any entry providing a service you don't need. For example, if you aren't delivering mail on your Linux workstation, you don't need to have pop and imap daemons accepting connections—disable them with the "#" prefix:

#pop  stream  tcp  nowait  root  /etc/uva/tcp_wrapper/tcpd /usr/local/etc/popper popper
#imap  stream  tcp  nowait  root  /etc/uva/tcp_wrapper/tcpd /usr/local/etc/imapd4 imapd

If you are using xinetd, its configuration will be in the directory /etc/xinetd.d. Each file in the directory defines a service, and you should add disable = yes to any that you want to disable. For example, to turn off the finger service, the configuration would look like this:

service finger
{
  socket_type     = stream
  wait            = no
  user            = nobody
  server          = /usr/sbin/in.fingerd
  disable         = yes
}

After editing either inetd.conf or the files in /etc/xinetd.d, be sure to send a HUP signal to the inetd or xinetd process.

Also look at the persistent daemons which are running outside of inetd's control, and consider whether your server really needs to run these. For instance, if you have an nfsd process running, consider whether you need to share your filesystems with other hosts. If not, remove the /etc/exports file and disable the start of the NFS daemons.

UNIX servers use one of two methods to start persistent daemons at boot time. If your system uses /etc/inittab to control which scripts are run, you'll have to modify those scripts to take out any daemons you don't want started. If your system uses the scripts in /etc/init.d, with links to them in directories named for the run level, such as /etc/rc3.d, you disable a service by removing the link(s) in the /etc/rc[0-6].d directories, or by renaming them so that they begin with a lowercase letter (e.g., mv S76snmpdx s76snmpdx), which the rc scripts skip.
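The three edits described above (commenting out an inetd.conf entry, setting disable = yes in an xinetd.d file, and renaming the S-links under /etc/rc[0-6].d) as one script. This is an added example, not a script from ITS or from this page; the sample inetd.conf, xinetd.d files and rc links it creates under a scratch directory are constructed, and ROOT=/ is the assumed way to point the same functions at a live system.

```shell
#!/bin/sh
# Added example (not from the ITS page): disable a service in each of the three
# places the text describes. All paths are relative to $ROOT so the functions can
# be tried on a constructed scratch tree; set ROOT=/ and run as root to act on a
# real system (and then call reload_superserver so inetd/xinetd re-reads its config).

# Comment out every inetd.conf line that starts with service name $1.
disable_inetd_service() {
    svc="$1"; conf="$ROOT/etc/inetd.conf"
    [ -f "$conf" ] || return 1
    sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Set "disable = yes" in /etc/xinetd.d/$1, replacing an existing disable line or
# inserting one before the closing brace of the service block.
disable_xinetd_service() {
    svc="$1"; f="$ROOT/etc/xinetd.d/$svc"
    [ -f "$f" ] || return 1
    awk '/^[ \t]*disable[ \t]*=/ { print "  disable         = yes"; seen = 1; next }
         /^}/ && !seen           { print "  disable         = yes" }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Rename every SNNname start link for service $1 to sNNname (S76snmpdx becomes
# s76snmpdx) in all run-level directories; succeeds only if a link was found.
disable_rc_service() {
    svc="$1"; n=0
    for link in "$ROOT"/etc/rc[0-6].d/S[0-9][0-9]"$svc"; do
        [ -e "$link" ] || continue
        dir=$(dirname "$link"); name=$(basename "$link")
        mv "$link" "$dir/s${name#S}"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Send HUP to a running xinetd or inetd so it re-reads its configuration.
reload_superserver() {
    for d in xinetd inetd; do
        pids=$(pgrep -x "$d") && kill -HUP $pids && return 0
    done
    return 1
}

# Constructed scratch tree standing in for a real system (used when ROOT is unset).
make_sample_tree() {
    mkdir -p "$ROOT/etc/xinetd.d" "$ROOT/etc/rc2.d" "$ROOT/etc/rc3.d"
    printf '%s\n' \
        'ftp   stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd' \
        'pop   stream  tcp  nowait  root  /usr/sbin/tcpd  popper' \
        'imap  stream  tcp  nowait  root  /usr/sbin/tcpd  imapd' > "$ROOT/etc/inetd.conf"
    printf '%s\n' 'service finger' '{' '  socket_type     = stream' '  wait            = no' \
        '  user            = nobody' '  server          = /usr/sbin/in.fingerd' '}' \
        > "$ROOT/etc/xinetd.d/finger"
    printf '%s\n' 'service telnet' '{' '  server          = /usr/sbin/in.telnetd' \
        '  disable         = no' '}' > "$ROOT/etc/xinetd.d/telnet"
    touch "$ROOT/etc/rc2.d/S76snmpdx" "$ROOT/etc/rc3.d/S76snmpdx" "$ROOT/etc/rc3.d/S99local"
}

if [ -z "${ROOT:-}" ]; then
    ROOT=$(mktemp -d)
    make_sample_tree
fi

disable_inetd_service pop
disable_inetd_service imap
disable_xinetd_service finger      # no disable line yet: one is inserted
disable_xinetd_service telnet      # "disable = no" is rewritten to yes
disable_rc_service snmpdx
grep -n '^#' "$ROOT/etc/inetd.conf"        # the two commented-out entries
grep -n disable "$ROOT/etc/xinetd.d"/*     # disable = yes in both files
ls "$ROOT"/etc/rc[0-6].d                   # s76snmpdx in rc2.d and rc3.d, S99local untouched
```

The sed pattern requires whitespace after the service name, so disabling pop does not touch a pop3 entry, and the rc rename is applied in every run-level directory because a service is commonly linked from more than one.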

Where available, install IP filter or firewall rules

Note that while restricting network access helps, it is no guarantee that you won't be attacked. If you allow virginia.edu, you can be attacked from another virginia.edu system. But restricting access to a smaller group of systems will reduce the number of attempts you see made against you.

Linux

Configure iptables or ipchains. You can use either of these to define which IP addresses you will accept or reject, and the rules can be different for incoming and outgoing packets. We have model configurations and scripts which can be installed on a Linux system to define the rules such that only packets originating inside the virginia.edu domain are accepted.
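An iptables rule set of the kind described above, accepting new connections only from one address block while still admitting replies to connections the host itself opened. This is an added example, not the ITS model script; the 192.0.2.0/24 block is a constructed TEST-NET placeholder standing in for your own network, and the `apply` argument is an assumed convention for switching from the dry run to a real run.

```shell
#!/bin/sh
# Added example (not the ITS model script): an INPUT policy that accepts new
# connections only from TRUSTED_NET, logs and drops everything else, and leaves
# outgoing traffic unrestricted. Run as root with the argument "apply" to load
# it; without that argument the script only prints the commands it would run.

IPTABLES="${IPTABLES:-iptables}"
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # constructed placeholder, not a real campus block

build_input_rules() {
    net="$1"
    $IPTABLES -F INPUT                                                 # start from an empty chain
    $IPTABLES -A INPUT -i lo -j ACCEPT                                 # loopback is always fine
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to our own traffic
    $IPTABLES -A INPUT -s "$net" -m state --state NEW -j ACCEPT        # new sessions: trusted block only
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "  # record refusals
    $IPTABLES -P INPUT DROP      # default drop, set last so an existing ssh session is never cut off
    $IPTABLES -P OUTPUT ACCEPT   # outgoing packets are not restricted by this rule set
}

# Dry run unless explicitly asked to apply, so the rule set can be reviewed first.
[ "${1:-}" = apply ] || IPTABLES=echo
build_input_rules "$TRUSTED_NET"
```

The ESTABLISHED,RELATED rule is what keeps the host usable once the policy is DROP: without it, replies to connections the host initiates would be dropped along with everything else. Anything refused shows up in the kernel log with the "INPUT drop:" prefix, rate-limited so a scan cannot fill the log.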

AIX

Add filter rules for IP Security. AIX 4.3.x and AIX 5.x include the ability to filter packets as part of IBM's IP Security implementation. Setting up the rules can be a little tricky, and it's best to get advice from someone who's done it before. ITS can help.


Install ssh and tcpd

SSH (Secure SHell)

SSH is a protocol which supports logging into a remote system or executing commands on a remote system, using an encrypted communication between the two systems. Session encryption protects you from unscrupulous packet sniffers who may have access to one of the networks through which the packets between the two hosts may have to travel.

The tcp wrapper daemon, tcpd, comes as a part of recent Linux installations, but you still have to add it for AIX installations.

SSH on Linux

Visit our page on installing SSH Clients for Red Hat Linux.

Configure hosts.allow and hosts.deny files for tcpd and sshd

Both ssh and the tcp wrapper tcpd use a pair of configuration files to define what hosts are allowed to make connections to specific TCP services on your machine. Use these to limit access to those services and prevent unwanted intrusion attempts.
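To see what a given hosts.allow/hosts.deny pair will actually do before depending on it, the following script re-implements the hosts_access(5) decision order (hosts.allow is consulted first, then hosts.deny, and a client matched by neither is admitted) and runs a few probes against a constructed pair of files. This is an added example, not code from the page, from ITS or from the tcp_wrappers package; it supports only the common patterns (ALL, LOCAL, a ".domain" suffix, a "net." prefix and exact names), not EXCEPT lists, and the 192.0.2. prefix is a constructed placeholder network.

```shell
#!/bin/sh
# Added example (not from the ITS page or tcp_wrappers): a minimal model of the
# hosts_access(5) decision order, for checking a hosts.allow/hosts.deny pair.

# Does client name or address $2 match one access-list pattern $1?
client_matches() {
    pat="$1"; c="$2"
    case "$pat" in
        ALL)   return 0 ;;
        LOCAL) case "$c" in *.*) ;; *) return 0 ;; esac ;;   # names without a dot
        .*)    case "$c" in *"$pat") return 0 ;; esac ;;    # ".virginia.edu" matches any host in it
        *.)    case "$c" in "$pat"*) return 0 ;; esac ;;    # "192.0.2." matches that address block
        *)     [ "$c" = "$pat" ] && return 0 ;;             # exact host name or address
    esac
    return 1
}

daemon_matches() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

# Apply matcher $3 to every comma- or space-separated item of list $1 against $2.
list_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        "$3" "$item" "$2" && return 0
    done
    return 1
}

# Return 0 if some line of file $1 matches daemon $2 for client $3.
file_matches() {
    file="$1"; daemon="$2"; client="$3"
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                       # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons="${line%%:*}"; rest="${line#*:}"
        clients="${rest%%:*}"                    # ignore an optional third ": command" field
        if list_matches "$daemons" "$daemon" daemon_matches &&
           list_matches "$clients" "$client" client_matches; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access order: hosts.allow first, then hosts.deny, otherwise access is granted.
decide() {   # decide daemon client allow_file deny_file
    if   file_matches "$3" "$1" "$2"; then echo ALLOW
    elif file_matches "$4" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

DIR=$(mktemp -d)
cat > "$DIR/hosts.allow" <<'EOF'
# constructed sample: ssh from campus names or the 192.0.2.0/24 block, finger from local names only
sshd: .virginia.edu, 192.0.2.
in.fingerd: LOCAL
EOF
printf 'ALL: ALL\n' > "$DIR/hosts.deny"     # everything not listed in hosts.allow is refused

for probe in "sshd host.virginia.edu" "sshd 192.0.2.17" "sshd scanner.example.com" \
             "in.ftpd host.virginia.edu" "in.fingerd workstation"; do
    set -- $probe
    printf '%-12s %-22s %s\n' "$1" "$2" "$(decide "$1" "$2" "$DIR/hosts.allow" "$DIR/hosts.deny")"
done
# With no hosts.deny at all, anything that hosts.allow does not mention is let through:
printf '%-12s %-22s %s (no hosts.deny)\n' in.ftpd scanner.example.com \
    "$(decide in.ftpd scanner.example.com "$DIR/hosts.allow" "$DIR/missing")"
```

The last probe shows the point that is easiest to get wrong: hosts.allow by itself restricts nothing, because the default when neither file matches is to grant access. The "ALL: ALL" line in hosts.deny is what turns hosts.allow into the list of the only hosts admitted.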

Configure inetd to use the tcp wrapper

The tcpd installation for AIX and Irix doesn't modify your inetd.conf or syslog.conf files; you have to do that yourself.

Install the latest patches from your vendor

UNIX and Linux exploits are discovered from time to time, and if you don't keep your configuration updated, you'll potentially leave yourself exposed to attacks that try newly discovered vulnerabilities. Get the latest patches for your version of the OS.

Linux Systems

ITS has updates on linuxload.itc.virginia.edu for Fedora Linux; contact us to find out how to get the updates. If you run something other than Fedora Linux, be sure to check the advisories for your version of Linux periodically to see if you need to apply any recent updates.

AIX

ITS can give you advice on updating AIX. Contact us for more information.

UNIX File Sharing

Permissions

You may want to give others access to your directory or files in one of your directories. As an individual user, you can control who has access to the files which you own, by setting UNIX file permissions. Ample information about UNIX filesystem permissions can be found by searching the Web.

Network File System (NFS)

NFS is the most frequently used method of sharing access to a filesystem (or a directory in a filesystem) between UNIX systems. System administrators need to be careful how they implement NFS, and be aware of the vulnerabilities associated with the various daemons which collectively make up the NFS service, including nfsd, mountd, statd, and lockd. Before you configure your machine to provide NFS service, be sure to update these daemons with the latest patched versions to close any known vulnerabilities.

If you are supporting an NFS service, pay close attention to how you set up /etc/exports. The syntax of the entry can lead to some confusion, and if you get it wrong, you might end up giving away access to systems that you really didn't intend to allow access to your files. You also need to pay attention to the user ids assigned to accounts on both the client and server systems. If you don't understand these, read an explanation of /etc/exports syntax and UID assignment.
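A small checker for the /etc/exports mistakes the paragraph above warns about, in the Linux exports(5) syntax: a client spec separated from its options by a space (which applies those options to every host), a wildcard client, an export with no client list at all, and no_root_squash (the UID point: root on the client keeps uid 0 on the server). This is an added example, not code from the page or from ITS; the sample exports file is constructed and 192.0.2.0/24 is a placeholder network.

```shell
#!/bin/sh
# Added example (not from the ITS page): flag risky lines in a Linux-style
# /etc/exports before running exportfs. AIX uses a different exports syntax.

# Print one finding per line for exports file $1; exit status 0 means none found.
lint_exports() {
    file="$1"; lineno=0; findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry="${line%%#*}"                                    # strip trailing comments
        [ -n "$(printf '%s' "$entry" | tr -d '[:space:]')" ] || continue
        set -f; set -- $entry; set +f                          # split fields without globbing
        path="$1"; shift
        if [ $# -eq 0 ]; then
            echo "$file:$lineno: $path has no client list, so every host may mount it"
            findings=$((findings + 1))
        fi
        for spec in "$@"; do
            case "$spec" in
                \(*\)) echo "$file:$lineno: '$spec' is separated from its host by a space; those options apply to every host for $path"
                       findings=$((findings + 1)) ;;
                \**)   echo "$file:$lineno: wildcard client '$spec' exports $path to every host"
                       findings=$((findings + 1)) ;;
            esac
            case "$spec" in
                *no_root_squash*) echo "$file:$lineno: remote root keeps uid 0 on $path ($spec)"
                                  findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    [ "$findings" -eq 0 ]
}

EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
# constructed sample /etc/exports
/home          192.0.2.0/24(rw,sync)             # intended: one subnet, read-write
/export/data   nfsclient.virginia.edu (rw,sync)  # the space gives rw to everyone
/export/tools  *(ro)                             # any host may mount it
/export/build  192.0.2.10(rw,no_root_squash)     # root on the client is root here
/export/scratch                                  # no client list at all
EOF
lint_exports "$EXPORTS" || echo "review the lines above before running exportfs"
```

The second line is the classic trap: "host (rw,sync)" looks like it grants read-write to one host, but the host gets the default options and the parenthesised options go to a wildcard client. The checker reports four findings for the sample file and exits 0 only for a file where none of these patterns appears.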

Desktop Screensaver

If you use a Unix or Linux computer, you should never walk away from your keyboard and leave your desktop windows open for anyone to use. The safest thing to do when you leave your workstation is to log out. In your office or research lab, however, you may choose instead to lock your desktop using a password-protected screensaver. Doing so requires you to use your login password to get the desktop display back.

A variety of screensavers are available to lock your screen. In the MIT X11 environment, you may use xlock. In the Common Desktop Environment (CDE), you may use dtscreen. For Linux X11, Gnome or KDE environments, you may use xscreensaver. Man pages are available to describe the options for each of these.

  Page Updated: Tuesday 2013-01-08 16:04:18 EST