Security Tools in Linux Distributions, Part I

With so many security tools available, it can be hard to know what to use. Many users do not want to be bothered with downloading, learning and configuring security software when so many other things need to be done. The good news is that the tools system administrators would otherwise install by hand, and the checks they would script as part of a security audit, are available out of the box in Linux distributions.

People rarely notice the security enhancements until they start receiving security reports or until they have been hacked. Most of the time, security features are the last bullets on the marketing material and glossed over in product reviews. Although many reviews of each distribution appear with each new release, none seem to focus much on the security tools.

This article, presented in two parts, is an overview of the security enhancements of two Linux distributions, Red Hat 7.3 and SuSE 8.0, and of how to maximize security simply by selecting and using the software provided in the distribution. It should be noted at the start that security is an ongoing process, and no one program can keep a system completely secure. But you can get a head start by starting with a secure distribution and using good tools that are readily available.

The article discusses two Linux distributions, Red Hat, the best known, and SuSE, the most technologically advanced. But many of the same tools are available in other distributions, such as Mandrake, Debian and Turbolinux. The article starts with selecting security tools during the installation, and then shows how to use the tools to harden the operating system and monitor for intrusions.

This is not an attempt to rate the security of the distributions, because many other issues come into play, such as total number of packages in the distribution, number of security alerts, timeliness of patches and number of releases. To limit the scope of the discussion, this article focuses on hardening and monitoring tools that come on the distribution media. The article also does not address the issues of on-line updates, securing and maintaining applications or firewalls, due to space limitations.

Red Hat Installation

The security software in Red Hat 7.3 is spread across several software package groups of the installation. Starting with the default workstation installation as a reference point, Red Hat's installation menu shows the security applications in various package groups, some in applications/system, some in applications/internet and others in system environment/dæmons, depending on their usage. This is not surprising, because many general-purpose utilities double as security tools, including top, ps and tcpdump. Rather than search through all the software groups individually, we can select the security applications from the flat file view that lists every package.

Some notable security applications selected by default include Logwatch, Nmap, tcp_wrappers and Xinetd. Programs that were available, but not selected, are Arpwatch, Ethereal, Ethereal Gnome (Ethereal's GUI), Iptraf and Tripwire. Using the default workstation installation, we added Tripwire, Iptraf, Arpwatch, Ethereal and Ethereal Gnome as optional tools to the installation.

Table 1. Tools Table

Tool                   Red Hat 7.3    SuSE 8.0
aide                   A
arpwatch               A              A
ethereal               A              X
hardening program                     Harden_Suse (A)
Iptraf                 A              X
Logdigest                             A
logwatch               X
nessus                                A
nmap                   X              A
saint                                 A
scanlogd                              A
security_scripts                      seccheck (A)
snort                                 A
tcp_wrappers (tcpd)    X              X
tripwire               A              A

X = installed by default
A = available as option
blank = not available

Comments

Re: Security Tools in Linux Distributions, Part I

How can people write articles about Linux when they don't even know the difference between a "Hacker" and a "Cracker"?

Does anybody proofread these articles?

Get with the program people!

Re: Security Tools in Linux Distributions, Part I

Main Entry: hack

Re: Merriam-Webster

Idiot, so you trust "Merriam-Webster" for definitions like these???

Look up the definitions of "loser" and "lamer" and "idiot" then.

Especially dubious is the 4th definition of "hacker" - that belongs under "cracker".

Re: Merriam-Webster

Look dude, I know where you are coming from, but your 'criticism' has more to do with folklore than what can be considered to be clairvoyant for the general public.

Re: Security Tools in Linux Distributions, Part I

Regarding Red Hat 7.x and xinetd: in Red Hat 7.2 xinetd is compiled with the "libwrap" library. So xinetd in RH 7.2 is using tcp_wrappers although it is not as obvious as with inetd. It was much more obvious with inetd where the tcpd was explicitly invoked in the /etc/inetd.conf file.

In addition to tcp_wrappers, the service specific control files found in /etc/xinetd.d have "only_from" and "no_access" options to allow you to control access to that application. I don't know, without going back to look, whether these comments are true for RH 7.0 and RH 7.1, but I have used tcp_wrappers in xinetd on 7.2.

--- Kelwin Wylie

Re: Security Tools in Linux Distributions, Part I

Thanks for clarifying that. You're right, the Red Hat 7.2 guide does allude to using libwrap with xinetd. It's not clear in the earlier documentation. Xinetd can be compiled with libwrap, or configured to use tcpd in the service configuration file. Red Hat 7.2, and presumably 7.3, has the TCP wrapper functions compiled into xinetd.

- Bobby Wen
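The two access-control layers discussed in the exchange above, as an added example that is not part of the original article or its comments: a Python simulation of the tcp_wrappers hosts_access decision order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) and of xinetd's only_from/no_access rule (the more specific address match wins). The sample hosts.allow and hosts.deny contents, the telnet service fragment, the 192.168.1.0/24 LAN, the daemon names and all function names are constructed for the illustration. The client matcher is simplified: it handles ALL, LOCAL, leading-dot and trailing-dot patterns, net/mask and CIDR ranges and literal names, but not EXCEPT or continuation lines, and the xinetd side takes only numeric addresses and CIDR ranges.

```python
"""Simulate the two access checks a libwrap-enabled xinetd performs.
Constructed example; not code from the article, tcp_wrappers or xinetd."""
import ipaddress


# --- tcp_wrappers: /etc/hosts.allow and /etc/hosts.deny ---------------------

def _match_client(pattern, host, addr):
    """hosts_access(5) client patterns (subset): ALL, LOCAL, .suffix, prefix.,
    n.n.n.n/m.m.m.m (or CIDR), or a literal hostname/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host                 # a hostname with no dot in it
    if pattern.startswith("."):
        return host.endswith(pattern)          # domain suffix
    if pattern.endswith("."):
        return addr.startswith(pattern)        # address prefix
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern in (host, addr)


def _parse_rules(text):
    """Yield (daemon_list, client_list) per rule line; '#' comments and blank
    lines are skipped, a third field (shell command) is ignored.
    EXCEPT and backslash continuation lines are not handled (assumption)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        yield (fields[0].replace(",", " ").split(),
               fields[1].replace(",", " ").split())


def _rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    if not any(d in ("ALL", daemon) for d in daemons):
        return False
    return any(_match_client(c, host, addr) for c in clients)


def hosts_access(hosts_allow, hosts_deny, daemon, host, addr):
    """True if tcp_wrappers would admit (daemon, client).
    Order: a match in hosts.allow grants; else a match in hosts.deny refuses;
    else access is granted.  An empty hosts.deny therefore protects nothing."""
    if any(_rule_matches(r, daemon, host, addr) for r in _parse_rules(hosts_allow)):
        return True
    if any(_rule_matches(r, daemon, host, addr) for r in _parse_rules(hosts_deny)):
        return False
    return True


# --- xinetd: only_from / no_access in /etc/xinetd.d/<service> ----------------

def _specificity(entry, addr):
    """Prefix length of an xinetd address entry that matches addr, else -1.
    Entries are numeric addresses or a.b.c.d/n ranges (simplified)."""
    network = ipaddress.ip_network(entry, strict=False)
    return network.prefixlen if ipaddress.ip_address(addr) in network else -1


def xinetd_access(only_from, no_access, addr):
    """xinetd.conf(5): neither list -> everyone; only_from alone -> must match;
    no_access alone -> must not match; both -> the more specific match wins
    (a tie is treated as a refusal here; assumption)."""
    allow = max((_specificity(e, addr) for e in only_from), default=-1)
    deny = max((_specificity(e, addr) for e in no_access), default=-1)
    if not only_from and not no_access:
        return True
    if not no_access:
        return allow >= 0
    if not only_from:
        return deny < 0
    return allow > deny


# Constructed sample policy: telnet and FTP only from the 192.168.1.0/24 LAN,
# ssh from anywhere, everything else refused.
HOSTS_ALLOW = """\
# /etc/hosts.allow -- grants are consulted first
in.telnetd, in.ftpd: 192.168.1.0/255.255.255.0
sshd: ALL
"""
HOSTS_DENY = """\
# /etc/hosts.deny -- default deny for anything not granted above
ALL: ALL
"""

# The same LAN restriction inside /etc/xinetd.d/telnet would read:
#   service telnet
#   {
#       only_from = 192.168.1.0/24
#       no_access = 192.168.1.250     # one host on the LAN that is still barred
#   }
TELNET_ONLY_FROM = ["192.168.1.0/24"]
TELNET_NO_ACCESS = ["192.168.1.250"]


def check_tcp_wrappers(daemon, host, addr):
    return hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, host, addr)


def check_xinetd_telnet(addr):
    return xinetd_access(TELNET_ONLY_FROM, TELNET_NO_ACCESS, addr)


if __name__ == "__main__":
    for d, h, a in [("in.telnetd", "ws1.lan", "192.168.1.20"),
                    ("in.telnetd", "host.example.com", "203.0.113.9"),
                    ("sshd", "host.example.com", "203.0.113.9")]:
        print(d, a, "allowed" if check_tcp_wrappers(d, h, a) else "refused")
    for a in ("192.168.1.20", "192.168.1.250", "10.0.0.1"):
        print("telnet via xinetd", a, "allowed" if check_xinetd_telnet(a) else "refused")
```

Two points the simulation makes visible: with no matching line in either file, tcp_wrappers grants access, so the `ALL: ALL` line in hosts.deny is what turns the policy into default-deny; and in xinetd a host inside an only_from range can still be excluded by a more specific no_access entry. Both files are only consulted by daemons that actually link against libwrap, which is why the question of whether xinetd was built with it matters; running ldd on the xinetd binary and looking for libwrap answers it for a given build.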

Re: Security Tools in Linux Distributions, Part I

I would recommend the author to come up with a third part of this article after d/l MDK Linux 9 and going over its security features. MDK Linux is oriented toward new/desktop users who are less inclined to play with Nessus, Nmap, Tripwire and the like but need help in this area. I feel Mandrake has done a decent job in this respect and your readership, particularly the less expert, would benefit from your comments.

Re: Security Tools in Linux Distributions, Part I

Thanks. The original article I submitted was a little long. The LJ editors broke it into two parts to make it more readable. I have Mandrake 8 loaded, and will consider including Mandrake in future articles.

-Bobby Wen.
