FUN WITH UNIX PART DEUX
Asmodian's Guide to Securing LINUX
By /|smodian

<* Part 1 *> Introduction

Linux is one of the most versatile UNIX-type operating systems available. It's also free, making it the choice of poor micro-sloth hating hackers everywhere. So what's the big deal about securing Linux? Why do I need to worry about some dick reading my mail? Is this really necessary? The answers to all those questions will be covered within this text.

*NOTE: This article already assumes you have user-level knowledge of UNIX/Linux. If not, I suggest you either read some manuals or read the users' guide to LINUX. You can get that from "http://sunsite.unc.edu/LDP". Or if you've got $15 to spare, get the Dummies guide to UNIX.

<* Part 2 *> Installation

Setting up Linux is the trickiest thing you will ever run into. I will not cover how to install Linux, but I will cover what distributions you should consider. There are 3 major distributions that you will encounter, although there are a lot of others: DEBIAN, REDHAT, and SLACKWARE. Of the three, DEBIAN is usually the most stable and SLACKWARE is close after Debian, with REDHAT hauling in dead last. I personally use Slackware v3.4, which contains a bug fix for one of the binaries. For all intents and purposes, all examples will use the Second Extended File System, otherwise known as the EXT2 file system.

I suggest you not use REDHAT because its installation process is somewhat messed up. REDHAT does not support the UMSDOS filesystem for an install, which detracts from its usefulness in other applications. Keep in mind the UMSDOS install is TOO slow for running a full LINUX system, however it is good for a quick and dirty Linux installation.

Here is a small list of things to get and install for your Linux computer:

 o Quota support, and utilities
 o Network support
 o BSD TCPDUMP program, great for WINNUKE detection scripts (see below for the script)
 o programming stuff like GNU C & C++ ..
   perl.. etc
 o agetty
 o Kernel package
 o Sudo

Here's some items that make life easier:

 o The mail reader PINE, which comes with the popular editor PICO.
 o X Windows

<* Part 3 *> Permissions after you install (stuff to run first)

After you install, make sure to log in as root and change root's password. After that, make sure you run sudo and su. You need to do that because it will set up the correct permissions on the log files. NEVER LET A USER RUN THOSE PROGRAMS FIRST, ROOT MUST DO IT! A user can clobber the su and sudo logs if they run the program first. This is because when it makes the log file it will still be owned by root, but if the user has his umask set to 0, the logs will be mode 666 (world writability in logs is NOT K-Rad).

(Device permissions)
If you install sound support into the kernel, any user can record sounds from the microphone. Which is kind of a bummer, because it's not just a data security breach, it's a physical breach too.

(Control access to devices and data with groups)
You can control access to sound or a certain drive or partition by altering the group permissions so that only a certain group can access the desired resource.

(Lock up your DOS and Windows files)
If you want to access your old DOS and Windows files and/or drives, mount the drives (if any) using the UMSDOS file system. It is slow, and it only supports 8-character filenames, but you can control permissions much better.

(X WINDOWS PERMISSIONS PROBLEM)
X Windows will happily cough out root's encrypted password if told to fetch the password list via the "alternate init script switch" feature on startx. Change it so only root or some other protected account can access the startx, xinit and possibly the xdm programs.

<* Part 4 *> Just Say No to ROOT: Using the right users

Your first impulse will be to use the all-powerful root account to do everything. Well, don't... Root is the first thing people go after to compromise your security.
We want to cut root off for people who fish for passwords, whether by telnet or a dial-up that you may have. There's a file called "/etc/login.access"; inside there are some brief instructions on how to restrict certain users and groups from logging in remotely. This will stop most hacks, although users can still get ROOT-like powers from buggy utilities and such. But I won't go into detail about what you should fix. Instead I suggest you get on the bugtraq mailing list. Another good mailing list to be on is the one at . They will email you security bulletins as soon as they are reported, as well as fixes.

<* Part 5 *> INSTALLING SOFTWARE THE RIGHT WAY

One of the main reasons to be root is to install new software. BE CAREFUL: only get software from trusted sources, such as the dealer's own web page. NEVER EVER INSTALL SOFTWARE GIVEN TO YOU BY A USER; find out where to get it, or make sure it has source code and go over it well!!

(All TARed up)
When using tar, be sure to check the permissions on the files as well as the ownership. Change it to be owned by a secure account after you've verified the content of the package. Tar will sometimes allow files that originated on another system to be installed owned by a UID other than your own. This will cause havoc because suddenly some random user has rights to that new widget you just compiled, not to mention the person's quotas will be wrecked.

<* PART 6 *> Control disk usage with quotas

Quotas so far only work with the ext2 file system (which is the most advanced file system available for use with Linux). A person will also want to consult the MINI-HOWTO regarding installation of quotas. Installation requires a kernel with quota support and support for the ext2 file system. All you need to do is read the mini HOWTO. From there on you just need to run "edquota" whenever you want to alter a user's file usage limits.
You can control multiple file systems just by attaching all the file systems to the root directory, or individually, a device at a time, each with its own quota settings. Again, be sure to control access to the quota files and utilities.

One note: some versions of quota will ignore UIDs and, in some cases, login names above 65535. The writer just forgot to make a variable big enough. So users with a high UID or a login name of "65536" or higher can avoid quota control. When making new users, keep that fact in mind.

#!/bin/bash
#NUKE DETECTION SCRIPT
#****************!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#This script works best for a stand alone Linux system
#that IS NOT connected to a WINDOWS 9x computer TCP/IP network.
#You will get a huge log of WIN 95 trafuck. But a PPP connection should
#not have any win crap. Thus whatever win shit you get
#should be a WINNUKE.. complete with return address :>
#
#RETURN TO SENDER BITCH!
#***********************************************************
#Either pipe the output to a terminal, or a file, or use "cut" or "awk" and
#just have it crank out the sender's IP address.
#tcpdump is lowercase; "-l" line-buffers the output so grep sees each packet
#as it arrives instead of waiting for a full buffer; the log goes under
#/var/log (there is no /var/logs).
tcpdump -l | grep "wins" >> /var/log/nuke.log
#
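Part 3's point about su/sudo logs, shown as an added example (not from the article): a log file created under umask 0 comes out mode 666, and the check below finds and locks down any world-writable file. It runs in a temp directory so no root is needed; the file names are constructed.

```shell
#!/bin/sh
# Added example: why root must create the su/sudo logs first (Part 3).
# A file created while umask is 000 gets mode 666 (world-writable).

# Print every regular file under $1 that is writable by "other".
world_writable_logs() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Create an empty log file $1 while the umask is $2, in a subshell so the
# caller's umask is untouched. umask 000 -> mode 666, umask 022 -> 644.
make_log_with_umask() {
    ( umask "$2" && : > "$1" )
}

# Fix: make every world-writable file under $1 owner read/write only.
lock_down_logs() {
    find "$1" -type f -perm -002 -exec chmod 600 {} +
}

demo() {
    d=$(mktemp -d)
    make_log_with_umask "$d/sulog" 000     # a user with umask 0 ran su first
    make_log_with_umask "$d/sudolog" 022   # root ran sudo first
    echo "world-writable before fix:"
    world_writable_logs "$d"
    lock_down_logs "$d"
    echo "world-writable after fix (should be nothing):"
    world_writable_logs "$d"
    rm -rf "$d"
}
demo
```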
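Part 5's tar ownership problem, as an added example that is not the article's own code: list the entries of a tarball that claim a UID other than yours before you extract, and extract with ownership forced to the extracting user. It assumes GNU tar (for --numeric-owner, --no-same-owner and the --owner/--group flags used to build the constructed sample archive).

```shell
#!/bin/sh
# Added example for Part 5: spot foreign UIDs inside a tarball, then extract
# so nothing ends up owned by some random user. Assumes GNU tar.

# Print "uid/gid path" for every entry whose uid differs from $2.
foreign_owned_entries() {   # $1 = tarball, $2 = expected numeric uid
    tar --numeric-owner -tvf "$1" | awk -v me="$2" '
        { split($2, o, "/"); if (o[1] != me) print $2, $NF }'
}

# Extract with every file owned by the extracting user, whatever uid the
# archive claims (--no-same-owner; as root, GNU tar would otherwise keep it).
safe_extract() {            # $1 = tarball, $2 = destination directory
    tar --no-same-owner -xf "$1" -C "$2"
}

# Constructed sample: an archive that says its files belong to uid 65534.
make_sample_tarball() {     # $1 = output tarball path
    d=$(mktemp -d)
    echo 'int main(void) { return 0; }' > "$d/widget.c"
    echo 'all: widget' > "$d/Makefile"
    tar --owner=65534 --group=65534 -cf "$1" -C "$d" widget.c Makefile
    rm -rf "$d"
}

demo() {
    tb=$(mktemp)
    make_sample_tarball "$tb"
    echo "entries not owned by uid $(id -u):"
    foreign_owned_entries "$tb" "$(id -u)"
    out=$(mktemp -d)
    safe_extract "$tb" "$out"
    ls -ln "$out"            # files now belong to the extracting user
    rm -rf "$tb" "$out"
}
demo
```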
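For the Part 6 note about quota ignoring UIDs (and all-digit login names) above 65535, here is an added audit script, not part of the article, that scans a passwd-format file for such accounts. It reads a constructed sample file so it runs anywhere; point it at /etc/passwd on a real box.

```shell
#!/bin/sh
# Added example for Part 6: find accounts a 16-bit quota build would not meter.

# Print "name:uid" for each account in passwd-format file $1 whose uid, or
# whose purely numeric login name, is greater than $2 (default 65535).
quota_blind_accounts() {
    limit=${2:-65535}
    awk -F: -v lim="$limit" '
        /^#/ || NF < 3 { next }                   # skip comments and junk
        ($3 + 0 > lim) || ($1 ~ /^[0-9]+$/ && $1 + 0 > lim) {
            print $1 ":" $3
        }' "$1"
}

# Constructed sample passwd entries (not real accounts).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asmodian:x:1000:100:Asmodian:/home/asmodian:/bin/bash
nobody:x:65534:65534:nobody:/:/bin/false
hugeuid:x:65536:100:Sneaky:/home/hugeuid:/bin/bash
70000:x:1001:100:Numeric login name:/home/70000:/bin/bash
evenbigger:x:100000:100:Also sneaky:/home/evenbigger:/bin/bash
EOF
}

demo() {
    f=$(mktemp)
    write_sample_passwd "$f"
    echo "accounts that slip past a quota limited to 65535:"
    quota_blind_accounts "$f"
    rm -f "$f"
}
demo
```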