Linux Security and Troubleshooting

Security

One should develop a security policy with the management team to protect the the company and yourself. Typically, the misbelief is that "security through obscurity" is acceptable.

File Protections and Trojan Horses (setuid or setgid programs)
find / -type f $ -perm -04000 -o -perm -02000 $: locate all the setuid and setgid programs which may be security holes.
find /doc -name "*.html" -exec grep Linux {} /dev/null \; locate
sum and strings: print checksum for a file and find printable strings in an object or binary file. Using sum command is a reliable way to ensure that two programs are identical.
md5sum: many software vendors published md5sum for a module to be downloaded from the net. To ensure the software is not tammpered, one should run md5sum to compare vendors' md5sum. For rpm package, run: rpm --checksig --nogpg SomeModule.rpm
cops, tiger, crack: security watchers for identifying security risks such as empty passwords in /etc/passwd, world-writable files, and cracking passwords.
tripwire: monitor system binary files changes
sudo: assigned super user's privilege based upon /etc/sudoers configuration file. So you don't have to give away super user password nor writing suid and sgid programs.
Host_Alias REMOTE=moon,sun
User_Alias SUPER=you,me
Cmnd_Alias SHUTDOWN=/sbin/halt,/sbin/shutdown

# User privilege specification
root ALL=(ALL) ALL
#
SUPER REMOTE=SHUTDOWN
Services
Disable services you don't need or use. (such as tftp and finger)
Never service as root if possible such as Apache which also provides .htaccess for access control
Open SSL is tool kit that implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide; which can be download from the net.
ssh (secure shell - RSA/DSA) and stelnet (secure telnet - SSL)
SATAN: collect network information as well as potential security flaws.
tcp wrapper: control access to various network services (such as telnet) through the use of access control list.
Firewall: for protecting a network from unwanted networking activities. TIS is a free IP-based filters type of firewall tool kit. Phoenix Adaptive Firewall is also free for personal usage. You may also configure your Linux using filtering setup tool: ipchains.
/sbin/ipchains -A my-chains -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT Refer to this compressed configuration files for a complete example setting up a firewall with two interface cards: eth0 and eth1.
IP Security Protocol (IPSEC) - network layer security. Mandatory for IPV6
Authentication
Encryption: Triple DES
Network scanners: strobe
Intrusion scanners: netssus
Network based attack dectection: NFR
Packet sniffers: tcpdump, snifft

Important configuration files:
hosts.equiv & $HOME/.rhosts - specify hosts allowed by BSD r commands
hosts.deny, hosts.allow - specify services allowed and deny by domaiISn
telnetd, ftpd: ALL # deny all
telnetd, ftpd: LOCAL, .origin.com # allow local and all the hosts in tacpa.org

ftpusers - specify users not allowed to login via ftp
securetty - specify which tty devices root is allowed to login on.

Troubleshooting
One cannot become an excellent troubleshooter overnight, but with persistence and good motivation along with good backup procedures, one can be indispensable in an organization. Most of all, Unix guys/gulls ought to share resources (such as IPO stocks :-) and knowledge with others.
There are many handy Linux documentations, as well as a good search engine on the web. To find out which commands to use based upon a keyWord, one can enter "man -k keyWord". In addition, many Unix commands provide on-line help. To get a brief description of command usage and available options, enter "command anyInvalidString".

System

Bootable Floppy or Rescue Kit and Win95 Emergency Disk: make a bootable floppy as soon as possible. Refers to Upgrade Kernel in session one. When systems hang during boot time, you may boot Linux in single user mode (see session4.html) and find out which daemon (started by a script under /etc/rc.d/init.d) is causing problem. Under single user mode, you may mount all the file sytems for troubleshoot. For redHat Linux, you may press I to enter interactive startup and answer no to those daemons that failed to start up. You should also create an older version of "Bootable Installation Floppy" such as Opelinux 1.3. It also allows you to boot from the floppy and mount the file system on of hard drive to recover damaged files or modify root password. e.g.:

To mount root file system as /mnt: (use umount to un-mount a file system)

mount /dev/hda2 /mnt

cp /mnt/etc/old/passwd /mnt/etc # be sure you know the old passwords

< ctl > < alt > < del >

chkconfig # display, activate, or de-activate init processes (redHat)
hdparm -d1 /dev/hda
printer
parPort device: e.g. printer is a parPort device.
cat /proc/dma
cat /proc/interrupts
cat /proc/tty/driver/serial
cat /proc/ioports

Network
Besides the Ethernet interface card, your kernel should contain a network driver that matches with your adaptor. Without recompiling a new kernel, you have to load the driver modules with "insmod". (see sessioin1.html for more info.) Multi-card also work on Linux. Pcmcia driver is required for laptops.
Available tools:
dmesg | grep eth0
nslookup and dig # for DNS table lookup
tcpdchk and tcpdmatch # chek TCP setup
ping # send ICMP ECHO_REQUEST packets to network hosts
ifconifg -a # checking interface configuration
arp localhost # address resolution
rpcinfo -p hostname # remote procedure call information such as nfsd
telnet $HOST $PORT # testing a particular service availability
traceroute # trace remote host routing path
netstat -nr # checking routing table
Kernel IP routing table : U - up; H - host; G - gateway. Destination Gateway Genmask Flags MSS Window irtt Iface 204.146.56.17 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 204.146.56.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 204.146.56.254 0.0.0.0 UG 0 0 0 eth0

miscellaneous Network monitoring tools

X

XF86Config
startx >& /tmp/x.out
DISPLAY environment variable
/usr/X11R6/lib/X11/doc/VideoModes.doc
xauth and xhost
xauth extract - $DISPLAY | rsh herHost xauth merge -
xhost +

$HOME/.Xsecurity
/usr/X11R6/lib/X11/xdm/{xdm-config,xdm-error.log}
Note: the location of xdm-error.log is specified in xdm-config

References:
Linux Administrators Security Guide
Basic Linux Network Security
Linux Search
CERT
Security Software
Intrusion Detection Tools
Spoofing
Intrusion Detection
IPSec
Beyond Security
Linux's Tell-Tale Heart
Router Appliance
Linux in VPN
Firewall
FAQ
SecurityPortal
LogCheck
Firewall in Kernel 2.4
IPTables
OpenWall
Networking Security
SecurityArea
Security
Intrusion Detection
LinuxSecurity.com
IPtables Tutorial
NetFilter
ISP
Virus Writing