Securing a Linux Installation
Installing Linux for securing your server depends upon how to install Linux on desktop or server. Installing Linux from untrusted source would not help in potentially securing your server and overcome on other security issues. You should install those packages only which you are in need because there is always a chance that someone could break into your server if security tasks would not be accomplished during installation and troubleshooting them.
Verify Packages and Files on Linux CDs
Sources of installation packages should be reliable and safer than others. While buying Linux CD from some vendors like Red Hat is safer than downloading Linux using ftp server. If you want to download Linux from Internet then you are advised to download it form reliable sources. While if you are installing Linux via ftp connection from remote server allow intruders or attackers to replace original packages with other packages which could create problems and may affect valuable data.
Public key is used by most of vendors to verify packages and you may verify signatures using public key. Public keys are available to download on Internet and these are also attached with CDs provided by vendors and you may find vendor key names, ID's and fingerprints on internet
You should download PGP or GnuPGkey from Red Hat just like. CS20 8686 2BD6 9DVC 55F6REGC4 2191 70CD DB42 A60E
Vendor keys can be downloaded from their official websites or it could be found on Linux CD provided be them. You can use sample scripts to automate tasks.
[user@server RPMS]# for a in *.rpm > do > rpm -K $a >> ~/sign-log > done sing-log files should contain the following. ElectricFence-2.2.2-5.i386.rpm: md5 gpg OK ImageMagick-5.2.2-5.i386.rpm: md5 gpg OK ImageMagick-devel-5.2.2-5.i386.rpm: md5 gpg OK Inti-0.5preview-1.i386.rpm: md5 gpg OK
Attackers or intruders compromise installation media sometimes before you have installed fresh copy of Linux operating system and if they have done so you can not manage to secure installation. To protect yourself from this you need to verify packages and installation files stored on installation media which could be achieved be verifying GnuPG signatures on RPM. Once you have verified the installation media the next step is to secure system by providing the files and paths between the system and installation machine on which you are installing Linux packages. If you are installing from CD ROM then it is very easy while doing FTP or NFS installation and verifying media would be complex.
Installing from CD's
It is relatively easy and secure to install Linux form CD's if you have purchased them from vendors and then you need to boot your system from CD ROM and install specific package or software. After installing you can update system easily by inserting CDs again without coming online.
Installing form Hard Drive
Installation using local hard drive is very much secure for installing Linux. You need to partition hard drive first. After partitioning hard drive copy files on specific partition and boot the system. External hard drives can be used in parallel it is comparatively easy to use these hard drives.
Installing From Network (FTP / NFS)
FTP and NFS methods are very much common and you need a floppy disk and server containing files. Make a directory structure for files like /pub/redhar/7.5/en/i386 and make it accessible through FTP or NFS. These files are required to be readable and there is no need to write them. The other installation methods on network can also be used like kickStart or you can install by customizing installation. While installing Linux via NFS/FTP there is not 100% guarantee that server will remain secure. So, you should protect your main network by use of protected subnet.
Automatic installation will prevent you frm problems if you are installing Linux on network and want to use same configuration on all machines. Manual installation can however has more chances that configuration on each device will not remain same.
Red Hat Kickstart:
By using Kickstart method Red Hat Linux provides this facility to automate your Linux installation which could be useful. You need to make a text file simply with some specifications which are required for installation and start installing Linux. This installation method is useful where multiple machines are used and required installation in quick time. More information about Kickstart could be found at http://www.redhat.com/mirrors/LDP/HOWTO/KickStart-HOWTO.html and kickstart installation is also possible by placing configuration file on tftp server and for automating installation you just need to know the MAC address of each client machine on network.
File system layout and structuring
Filesystem layout is very much important in making directory partition structure to protect computer from attacks like file up disk space from junk data. Something running as root could generate log files like goes nuts etc. Disk setup takes benefits and core dumps which are used to create links and file temporarily. Attackers normally link to /tmp/foo to /etc/passwd and create user account and so access the system.
Partitions can mount to read only using mount command which will not allow execution of programs and other tasks to perform. On the other hand, you can feel difficulty in upgrading system components if you have mounted a file read only.
Here is some guideline considering secure Linux installation:
- Different file system should be used for different partitions
- Critical system components and configuration should be placed on separate file systems
- Mount some partitions which are read only like /bin/, /sbin/ and /etc/ and test this before using it.
Noexec, while you have mounted /tmp noexec you need to copy binary files in it and you can use this using ld-linux command and it will show. [linux@stench /tmp]$ ./date bash: ./date: Permission denied [linux@stench /tmp]$ /lib/ld-linux.so.2 ./date Thu Aug 24 21:59:08 MDT 2000 [linux@stench /tmp]$