Originally Published: Sunday, 25 June 2000 Author: Jeff White
Published to: featured_articles/Featured Articles

Post Installation


Unfortunately, the most popular Linux distributions are those with insecure out-of-the-box setups. One of the defining features of Linux is its customizability, and that can make it more secure. But, improperly configured, Linux can be notoriously insecure.

Not every Linux user has the time, devotion or patience needed to become an apt, security-minded Linux user. Fortunately there are a few simple steps that, if followed, can increase the integrity and security of a network-connected Linux system.

As for the inetd daemon, the "mother of all processes," you should be aware of what to look for in the inetd.conf file. Daemons that are not commented out (lines that do not start with a #) will run in the background waiting for incoming connections. [Correction: The daemons will not be running in the background. Inetd will listen for incoming connections at their specified ports and activate the services when needed. --Ed.] A quick and simple way to see which daemons will start is to type in the following command:

grep -v "^#" /etc/inetd.conf

If any of the daemons in the output do not need to be running, edit the /etc/inetd.conf file and place a hash (#) at the beginning of the corresponding line to comment it out. Once you are satisfied with the daemons that will run from inetd, issue the following command so that inetd accepts the changes:

killall -HUP inetd
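
An added example, not part of the original article: the same inetd.conf review as a small shell script that lists the entries inetd will answer for and comments one out, keeping a backup. The function names list_enabled and disable_service and the sample file are constructed for illustration, and the script assumes the standard inetd.conf field layout.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the standard inetd.conf layout:
#   service socket_type protocol wait|nowait user server_program [args...]

# Print each enabled entry as "service/protocol -> program args".
# Unlike grep -v "^#", this also skips blank lines and indented comments.
list_enabled() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        NF < 6 { print "malformed line " NR | "cat 1>&2"; next }
        {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            printf "%s/%s -> %s\n", $1, $3, cmd
        }' "$1"
}

# Comment out the active entries for one service, keeping FILE.bak.
# Returns 1 when the service has no active entry.
disable_service() {
    file=$1; svc=$2
    list_enabled "$file" | grep -q "^$svc/" || return 1
    cp -p "$file" "$file.bak" &&
        awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' \
            "$file.bak" > "$file"
}

# Constructed sample file, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd

   # finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF

echo "Enabled before:"; list_enabled "$sample"
disable_service "$sample" telnet
echo "Enabled after:";  list_enabled "$sample"
# On a real host, edit /etc/inetd.conf and then run: killall -HUP inetd
```

The sample run works on a temporary copy only; nothing under /etc is touched.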

When it comes to kernels, I would highly suggest, at least for multi-user systems, upgrading to the latest Openwall-supported kernel. Now that Bastille Linux supports modified systems, the two solutions combined can create a more security-conscious system.

Follow the instructions in the Openwall source and patch your kernel source. After you have selected the kernel options that you need for your Linux system, compile your kernel and reboot your machine. The following command works quite well to compile your new kernel; be sure to point /etc/lilo.conf to the kernel image that you have just compiled:

make dep clean modules modules_install bzImage

For Red Hat-based systems (including Linux-Mandrake), the command ntsysv will display a list of daemons that will be brought up on the networking runlevel. Use the spacebar to remove the asterisk from the daemons that are not needed.

Below is an excerpt from the list of post-installation steps I always go through when I install a new Linux system:

  1. Check /etc/inetd.conf
  2. ntsysv (take away unnecessary daemons)
  3. Install Secure Shell (ssh) or OpenSSH
  4. Upgrade kernel with the Openwall patch
  5. Bastille Linux installation

The above steps are, most certainly, not the only means of securing an out-of-the-box installation, but they will definitely improve security as opposed to leaving everything as it was installed.

Jeff White is currently visiting Halifax, Nova Scotia, and would like to thank r0b and mitch for making his trip enjoyable. Whichever critic said that Titan A.E was not a good movie must be a Windows user.
