Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Linux General Security
Overview
How secure a Linux server is depends on how the administrator sets it up. Once we have eliminated
potential security risks by removing unneeded RPM services, we can start to secure the
existing services and software on our server. In this chapter we will discuss some of the general
base techniques used to secure your system. The following is a list of features that can be used
to help prevent attacks from external and internal sources.
1. BIOS Security, set a boot password
It is recommended to disallow booting from floppy drives and to set passwords to access some
BIOS features. You can check your BIOS manual or look at the BIOS the next time you boot up your
system to find out how to do this. Disallowing booting from floppy drives and setting a
password to access the BIOS features will improve the security of your system. This will
block undesired people trying to boot your Linux system with a special boot disk and will protect
you from people trying to change BIOS features, such as allowing booting from the floppy drive or
booting the server without a password prompt.
2. Security Policy
It is important to point out that you cannot implement security if you have not decided what needs
to be protected and from whom. You need a security policy, a list of what you consider allowable
and what you do not consider allowable upon which to base any decisions regarding security.
The policy should also determine your response to security violations. What you should consider
when compiling a security policy will depend entirely on your definition of security. The following
questions should provide some general guidelines:
· How do you classify confidential or sensitive information?
· Does the system contain confidential or sensitive information?
· Exactly whom do you want to guard against?
· Do remote users really need access to your system?
· Do passwords or encryption provide enough protection?
· Do you need access to the Internet?
· How much access do you want to allow to your system from the Internet?
· What action will you take if you discover a breach in your security?
This list is short, and your policy will probably encompass a lot more before it is completed. Any
security policy must be based on some degree of paranoia: deciding how much you trust people,
both inside and outside your organization. The policy must, however, provide a balance between
allowing your users reasonable access to the information they require to do their jobs and totally
disallowing access to your information. The point where this line is drawn will determine your
policy.