Chapter 12. Strategies for Keeping a Secure Server

Linux can certainly be considered to be as secure -- or more secure -- than operating systems from other vendors. Admittedly, with Linux becoming more and more popular, it is becoming a very attractive target for crackers to concentrate their break-in efforts on. There are exploits that are discovered from time to time, however the open nature of Linux usually means that such exploits are patched quickly, and security announcements are disseminated widely, containing either temporary workarounds or pointers to updated software.

I won't pretend to be an expert on security issues, however I am at least aware of these issues, which I believe to be a large part of the battle towards making one's systems as secure as possible. Although being aware and diligent in keeping up with security updates will in no way guarantee that a system's security measures won't be circumvented, the likelihood of a break-in is greatly reduced.

Although there have been security exploits found in external services which could have been used by crackers to break into a system (for example, the IMAP daemon exploit), I believe that it is far more likely that a determined cracker will penetrate the system from within. Compared to the handful of services communicating with the outside world, there are thousands of commands and utilities available from the shell, one or more of which may contain bugs which can be exploited to penetrate security (that being said, I must admit to recently discovering one of the servers I maintain had been compromised through an external service).

For this reason, I recommend avoiding giving out shell accounts to users unless they are absolutely necessary. Even if you consider your users completely trustworthy and have no qualms in providing them with access to the shell, all it takes is just one of these users to have a weak password. An outside cracker, finding its way into your system by exploiting this weak password, will then be able to work at his or her leisure internally, looking for further weaknesses.

There are, fortunately, things you can do to greatly increase the security of your Linux system. While a detailed discussion of security issues is beyond the scope of this document, the following checklist provides some of the most important things you should do to enhance security:

For more information on security-related issues, an excellent resource entitled, “Securing RedHat 5.x” document is available at http://redhat-security.ens.utulsa.edu/. An excellent resource for Linux crypto and related software is at http://replay.com/redhat/.