Linux Security 1

Network Security


# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Disable response to broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable route verification on all interfaces.
net.ipv4.conf.all.rp_filter = 1




NFS Security

Only run NFS as needed, apply latest patches.
When creating your /etc/exports file, be certain to use limited access flags when possible, such as readonly or
nosuid. By using fully qualified hostnames, you are guaranteed that only the intended host can access the
filesystem.

If you are exporting filesystems using NFS, be sure to configure /etc/exports with the most restrictive access
possible. This means not using wildcards, not allowing root write access, and exporting read-only wherever
possible.
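
The checks described above can be automated. This is an added example, not part of the original notes: a shell function that reads an exports file on stdin and flags wildcard clients, read-write exports, unsquashed root, and options that apply to every host. The function name audit_exports, the sample paths and the host names are constructed for illustration, and the parser assumes unquoted paths with one "host(options)" word per client.

```shell
#!/bin/sh
# Added example: audit an exports(5)-style file read from stdin.
# Assumes unquoted export paths and one "host(options)" word per client.
audit_exports() {
    awk '
    function flag(msg) { printf "line %d: %s %s: %s\n", NR, $1, $i, msg; bad = 1 }
    { sub(/#.*/, "") }                              # strip comments
    /\\$/ { sub(/\\$/, " "); buf = buf $0; next }   # join continued lines
    { $0 = buf $0; buf = "" }                       # re-split the joined entry
    {
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            host = p ? substr($i, 1, p - 1) : $i
            opts = p ? ("," substr($i, p + 1, length($i) - p - 1) ",") : ","
            # "host (rw)" with a space leaves "(rw)" with no client name.
            if (host == "")          flag("options apply to every host")
            else if (host ~ /[*?]/)  flag("wildcard client")
            if (opts ~ /,rw,/)       flag("exported read-write")
            if (opts ~ /,no_root_squash,/) flag("client root keeps root access")
        }
    }
    END { exit bad + 0 }                            # status 1 when anything was flagged
    '
}

# Constructed sample input, not taken from the page.
sample_exports() {
    cat <<'EOF'
# constructed sample exports file
/srv/pub      build01.example.com(ro,root_squash)
/srv/home     *.example.com(rw,root_squash)
/srv/backup   backup01.example.com(rw,no_root_squash)
/srv/scratch  lab01.example.com (rw)
/srv/docs     docs01.example.com(ro) \
              docs02.example.com(ro)
EOF
}

# Print the findings for the sample; audit_exports returns 1 when it flags anything.
sample_exports | audit_exports || true
```

To check a real system, run `audit_exports < /etc/exports`; a non-zero exit status means at least one entry was flagged.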




Device Security

Device files /dev/null, /dev/tty & /dev/console should be world writeable but NEVER executable. Most other
device files should be unreadable and unwriteable by regular users.


Script Security

Never write setuid/setgid shell scripts (they can be broken out of). Instead, write a compiled program in a
language like "C". Scripts should ALWAYS have full pathnames.


Program Security

Always get your programs from a known source. Verify via checksum that they haven't been tampered with. If
you are compiling your own program, make sure you know that the compiler hasn't been tampered with as well.


General Security Measures

Create minimal writable filesystems (esp. system files/directories!). Generally, users should only be able
to write in their own directories, and /tmp. In addition, there will be directories for a specific group to
write in. This way you control how each user can access specific areas of the system.


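# Find all setuid and setgid files
root# find / -type f \( -perm -04000 -o -perm -02000 \)

# Find world-writable files and directories (symbolic links excluded)
root# find / -perm -2 ! -type l -ls

# Find files with no valid owner or group
root# find / \( -nouser -o -nogroup \) -print

# Find .rhosts files in home directories
root# find /home -name .rhosts -print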




Set file system limits instead of allowing unlimited use, as is the default. You can control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf. For example, limits for group users might look like this:

@users hard core 0
@users hard nproc 50
@users hard rss 5000


You can also use the /etc/login.defs configuration file to set the same limits.