Securing-Optimizing-RH-Linux-1_2_38
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

Linux General Security Overview

How secure a Linux server is depends on how the administrator sets it up. Once we have eliminated potential security risks by removing unneeded RPM services, we can start to secure the existing services and software on our server. In this chapter we will discuss some of the general base techniques used to secure your system. The following is a list of features that can be used to help prevent attacks from external and internal sources.

1.    BIOS Security, set a boot password

It is recommended to disallow booting from floppy drives and to set passwords to access some BIOS features. You can check your BIOS manual, or look at the BIOS setup the next time you boot your system, to find out how to do this. Disallowing booting from floppy drives and setting a password to access the BIOS features will improve the security of your system. This will block unwanted people from booting your Linux system with a special boot disk, and will protect you from people trying to change BIOS features, such as allowing booting from the floppy drive or booting the server without a password prompt.

2.    Security Policy

It is important to point out that you cannot implement security if you have not decided what needs to be protected and from whom. You need a security policy: a list of what you consider allowable and what you do not consider allowable, upon which to base any decisions regarding security. The policy should also determine your response to security violations. What you should consider when compiling a security policy will depend entirely on your definition of security. The following questions should provide some general guidelines:

· How do you classify confidential or sensitive information?
· Does the system contain confidential or sensitive information?
· Exactly whom do you want to guard against?
· Do remote users really need access to your system?
· Do passwords or encryption provide enough protection?
· Do you need access to the Internet?
· How much access do you want to allow to your system from the Internet?
· What action will you take if you discover a breach in your security?

This list is short, and your policy will probably encompass a lot more before it is completed. Any security policy must be based on some degree of paranoia: deciding how much you trust people, both inside and outside your organization. The policy must, however, provide a balance between allowing your users reasonable access to the information they require to do their jobs and totally disallowing access to your information. The point where this line is drawn will determine your policy.