Security Is an Attitude

David Bandel

Issue #102, October 2002

Those of you familiar with my column know I'm pretty fanatical about security. In this issue, you're going to read about system and network security, but I want to provide you the gospel according to David. I don't have the luxury of being able to sit in a nice quiet office and contemplate security, I'm just expected to implement something for my customers so they're as protected as they can be without spending a lot of money. My recipe is fairly short and simple, but the bottom line is to make wannabe black hats go where the pickins are easier.

First, shut off all non-essential network services (starting with inetd if nothing started by inetd is required). Verify using netstat -tupan. Make very restrictive /etc/hosts.allow rules (verify using tcpdchk and tcpdmatch), and make judicious use of Netfilter's state table, denying anything not specifically permitted.

Ensure all programs providing network services (Apache, sendmail, wu-ftpd, sshd, etc.), if on, are updated the day the updates are available. And, review log files daily for anomalies (use available programs to cull out routine messages). Logs ideally should be written to a very secure central log server.

Make sure user passwords are secure passwords. Ensure the public is routed through the firewall only to the untrusted LAN, and permit no direct access from the Internet into the trusted LAN. Use VPNs (FreeS/WAN, OpenSSH), and encrypt everything possible that will travel over the wire (FreeS/WAN, OpenSSH, GnuPG).

Never attribute to malice that which can be attributed to ignorance. Your users will never cease to amaze you with how little they know or how much their stumbling around in the dark will look like an attack. It probably isn't.

The above recipe will help, but it does nothing without this final ingredient: security is an attitude, not a set of programs or user restrictions. Set the example, and help users practice good security procedures. They can be your greatest asset or worst nightmare. If you practice the above religiously, you should not be the victim of a break-in. But if that should happen, unplug from the network, determine how the attacker got in (and what the intent was), then reload the system, recheck all patches, close the door so the attacker can't come back (if possible) and get back on-line. Reporting to the authorities is good, but not a priority unless the powers that be decide to pursue to prosecute and are willing to pay.

ProBIND probind.sourceforge.net

I'm always looking for better ways to handle DNS administration, and ProBIND does a good job, although the security area is lacking if you have multiple users updating only their DNS servers. It works extremely well if either the users are all trusted or only one person is updating many zones. (Or perhaps I missed something.) Another drawback is the requirement to have the PHP CGI module (the standalone interpreter). But if you have a lot of DNS zones to handle, I'd look closely at this application. Requires: MySQL, PHP with MySQL (both as a module and as a standalone interpreter), Apache, Perl, Perl module Net::DNS, OpenSSH (optional).

Tux Paint www.newbreedsoftware.com/tuxpaint

My kids love to play with the computers in the house. At four years old, both my daughters were logging in, playing games, even surfing the Web (barbie.com and cartoonnetwork.com have some great kids games). But they love to be creative and that means painting programs. When I want to see how good a program of this type is, I show my kids and let them go at it. If they're asking for it the next time they log in, I've got a winner. Requires: libSDL, libpthread, libSDL_image, libSDL_ttf, libSDL_mixer, libm, libesd (optional), libdl, libartsc, libX11, libXext, libjpeg, libpng, libz, libtiff, libfreetype, libvorbisfile, libvorbis, libogg, libsmpeg, glibc.

Tux Paint

hdup www.miek.nl/projects/hdup/hdup.shtml

Need to make some nonproprietary backups of your system on a regular basis? How about copying that backup to another system? And perhaps encrypting the backup as well? Easily done. Define the particular backup type in a config file, then call it as a monthly, weekly or daily (full or incremental) job. Requires: glibc, bash, openssh, mcrypt (optional).

Nebula Cards nebulacards.sourceforge.net

Anyone for a game of Spades? Play against humans and fill in the open seats with computer players. Other four-player games should be implemented easily (Hearts, Bridge, etc.). You even can provide a web interface via an applet. Requires: Java.

User-Friendly IPTables Firewall lug.mfh-iserlohn.de/uif

If you have problems creating iptables rules, you might want to check out UIF. Although UIF doesn't actually create rules for you, it can help you create your own. The configuration file of UIF is less complicated than the iptables rules, so you create the configuration file, and then UIF builds rules according to its slightly more understandable syntax. Let UIF remember whether a chain or target is capitalized. This program also handles stateful connections. Requires: Perl, Perl modules NetAddr::IP, Net::LDAP and, of course, iptables.

Linux Monitor sourceforge.net/projects/linux-mon

This utility is a good way to keep an eye on critical parts of a system. If it finds that a disk partition is too full or a service isn't running, it will make an entry in the syslog. Linux Monitor also can run a program; you set the time interval, and linux_mon watches. This program can be particularly effective for a large number of systems reporting to a central logger. Requires: libcrypto, libdl, glibc.

Downloader for X www.krasu.ru/soft/chuchelo

This month's pick from three years ago wasn't easy. It had to come from entries such as Geneweb and PortSentry, all of which I still use. I finally chose Downloader for X, which allows you to schedule downloads to start at a later time. You also can limit download speeds dynamically. These small features make this utility an excellent one, particularly if you have limited bandwidth. You also can download FTP or HTTP sites or files. Its one limitation is that it only runs in X (though few users would consider that a limitation). Requires: libpthread, libglib, libgtk, libgdk, libgmodule, libdl, libXext, libX11, libgdk_pixbuf, libstdc++, libm, glibc. Until next month.

David A. Bandel (david@pananix.com) is a Linux/UNIX consultant currently living in the Republic of Panama. He is coauthor of Que Special Edition: Using Caldera OpenLinux.