Chapter 48. Securing Your Network
48.1. Workstation Security
48.1.1. Evaluating Workstation Security
- BIOS and Boot Loader Security — Can an unauthorized user physically access the machine and boot into single user or rescue mode without a password?
- Password Security — How secure are the user account passwords on the machine?
- Administrative Controls — Who has an account on the system and how much administrative control do they have?
- Available Network Services — What services are listening for requests from the network and should they be running at all?
- Personal Firewalls — What type of firewall, if any, is necessary?
- Security Enhanced Communication Tools — Which tools should be used to communicate between workstations and which should be avoided?
48.1.2. BIOS and Boot Loader Security
48.1.2.1. BIOS Passwords
- Preventing Changes to BIOS Settings — If an intruder has access to the BIOS, they can set it to boot from a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.
- Preventing System Booting — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.
48.1.2.1.1. Securing Non-x86 Platforms
48.1.2.2. Boot Loader Passwords
- Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
- Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the
cat
command. - Preventing Access to Insecure Operating Systems — If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS), which ignores access controls and file permissions.
48.1.2.2.1. Password Protecting GRUB
grub-md5-crypt
/boot/grub/grub.conf
. Open the file and below the timeout
line in the main section of the document, add the following line:
password --md5 <password-hash>
/sbin/grub-md5-crypt
[15].
/boot/grub/grub.conf
file must be edited.
title
line of the operating system that you want to secure, and add a line with the lock
directive immediately beneath it.
title DOS lock
Warning
password
line must be present in the main section of the /boot/grub/grub.conf
file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.
lock
line to the stanza, followed by a password line.
title DOS lock password --md5 <password-hash>
48.1.3. Password Security
/etc/passwd
file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, they can copy the /etc/passwd
file to their own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
/etc/shadow
, which is readable only by the root user.
48.1.3.1. Creating Strong Passwords
- Do Not Use Only Words or Numbers — Never use only numbers or words in a password.Some insecure examples include the following:
- 8675309
- juan
- hackme
- Do Not Use Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels should be avoided, even if they are bookended with numbers.Some insecure examples include the following:
- john1
- DS-9
- mentat123
- Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is not secure.Some insecure examples include the following:
- cheguevara
- bienvenido1
- 1dumbKopf
- Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.Some insecure examples include the following:
- H4X0R
- 1337
- Do Not Use Personal Information — Avoid using any personal information in your passwords. If the attacker knows your identity, the task of deducing your password becomes easier. The following is a list of the types of information to avoid when creating a password:Some insecure examples include the following:
- Your name
- The names of pets
- The names of family members
- Any birth dates
- Your phone number or zip code
- Do Not Invert Recognizable Words — Good password checkers always reverse common words, so inverting a bad password does not make it any more secure.Some insecure examples include the following:
- R0X4H
- nauj
- 9-DS
- Do Not Write Down Your Password — Never store a password on paper. It is much safer to memorize it.
- Do Not Use the Same Password For All Machines — It is important to make separate passwords for each machine. This way if one system is compromised, all of your machines are not immediately at risk.
- Make the Password at Least Eight Characters Long — The longer the password, the better. If using MD5 passwords, it should be 15 characters or longer. With DES passwords, use the maximum length (eight characters).
- Mix Upper and Lower Case Letters — Red Hat Enterprise Linux is case sensitive, so mix cases to enhance the strength of the password.
- Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength.
- Include Non-Alphanumeric Characters — Special characters such as &, $, and > can greatly improve the strength of a password (this is not possible if using DES passwords).
- Pick a Password You Can Remember — The best password in the world does little good if you cannot remember it; use acronyms or other mnemonic devices to aid in memorizing passwords.
48.1.3.1.1. Secure Password Creation Methodology
- Think of an easily-remembered phrase, such as:"over the river and through the woods, to grandmother's house we go."
- Next, turn it into an acronym (including the punctuation).
otrattw,tghwg.
- Add complexity by substituting numbers and symbols for letters in the acronym. For example, substitute
7
fort
and the at symbol (@
) fora
:o7r@77w,7ghwg.
- Add more complexity by capitalizing at least one letter, such as
H
.o7r@77w,7gHwg.
- Finally, do not use the example password above for any systems, ever.
48.1.3.2. Creating User Passwords Within an Organization
48.1.3.2.1. Forcing Strong Passwords
passwd
, which is Pluggable Authentication Manager (PAM) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the pam_cracklib.so
PAM module. Since PAM is customizable, it is possible to add more password integrity checkers, such as pam_passwdqc
(available from http://www.openwall.com/passwdqc/) or to write a new module. For a list of available PAM modules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html. For more information about PAM, refer to Section 48.4, “Pluggable Authentication Modules (PAM)”.
Note
- John The Ripper — A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available online at http://www.openwall.com/john/.
- Crack — Perhaps the most well known password cracking software, Crack is also very fast, though not as easy to use as John The Ripper. It can be found online at http://www.openwall.com/john/.
- Slurpie — Slurpie is similar to John The Ripper and Crack, but it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools online at http://www.ussrback.com/distributed.htm.
Warning
48.1.3.2.2. Password Aging
chage
command or the graphical User Manager (system-config-users
) application.
-M
option of the chage
command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:
chage -M 90 <username>
99999
after the -M
option (this equates to a little over 273 years).
chage
command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode:
chage <username>
~]# chage davido
Changing the aging information for davido
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
~]#
- Click themenu on the Panel, point to and then click to display the User Manager. Alternatively, type the command
system-config-users
at a shell prompt. - Click the Users tab, and select the required user in the list of users.
- Clickon the toolbar to display the User Properties dialog box (or choose on the menu).
- Click the Password Info tab, and select the check box for Enable password expiration.
- Enter the required value in the Days before change required field, and click .

Figure 48.1. Specifying password aging options
48.1.4. Administrative Controls
sudo
or su
. A setuid program is one that operates with the user ID (UID) of the program's owner rather than the user operating the program. Such programs are denoted by an s
in the owner section of a long format listing, as in the following example:
-rwsr-xr-x 1 root root 47324 May 1 08:09 /bin/su
Note
s
may be upper case or lower case. If it appears as upper case, it means that the underlying permission bit has not been set.
pam_console.so
, some activities normally reserved only for the root user, such as rebooting and mounting removable media are allowed for the first user that logs in at the physical console (refer to Section 48.4, “Pluggable Authentication Modules (PAM)” for more information about the pam_console.so
module.) However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users on their network should receive.
48.1.4.1. Allowing Root Access
- Machine Misconfiguration — Users with root access can misconfigure their machines and require assistance to resolve issues. Even worse, they might open up security holes without knowing it.
- Running Insecure Services — Users with root access might run insecure servers on their machine, such as FTP or Telnet, potentially putting usernames and passwords at risk. These services transmit this information over the network in plain text.
- Running Email Attachments As Root — Although rare, email viruses that affect Linux do exist. The only time they are a threat, however, is when they are run by the root user.
48.1.4.2. Disallowing Root Access
- Changing the root shell
- To prevent users from logging in directly as root, the system administrator can set the root account's shell to
/sbin/nologin
in the/etc/passwd
file.Table 48.1. Disabling the Root Shell
Effects Does Not Affect Prevents access to the root shell and logs any such attempts. The following programs are prevented from accessing the root account:login
gdm
kdm
xdm
su
ssh
scp
sftp
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account:sudo
- FTP clients
- Email clients
- Disabling root access via any console device (tty)
- To further limit access to the root account, administrators can disable root logins at the console by editing the
/etc/securetty
file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to their machine as root via Telnet, which transmits the password in plain text over the network.By default, Red Hat Enterprise Linux's/etc/securetty
file only allows the root user to log in at the console physically attached to the machine. To prevent the root user from logging in, remove the contents of this file by typing the following command at a shell prompt as root:echo > /etc/securetty
To enablesecuretty
support in the KDM, GDM, and XDM login managers, add the following line:auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
to the files listed below:/etc/pam.d/gdm
/etc/pam.d/gdm-autologin
/etc/pam.d/gdm-fingerprint
/etc/pam.d/gdm-password
/etc/pam.d/gdm-smartcard
/etc/pam.d/kdm
/etc/pam.d/kdm-np
/etc/pam.d/xdm
Warning
A blank/etc/securetty
file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.Table 48.2. Disabling Root Logins
Effects Does Not Affect Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:login
gdm
kdm
xdm
- Other network services that open a tty
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:su
sudo
ssh
scp
sftp
- Disabling root SSH logins
- To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file,
/etc/ssh/sshd_config
, and change the line that reads:#PermitRootLogin yes
to read as follows:PermitRootLogin no
Table 48.3. Disabling Root SSH Logins
Effects Does Not Affect Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:ssh
scp
sftp
Programs that are not part of the OpenSSH suite of tools. - Using PAM to limit root access to services
- PAM, through the
/lib/security/pam_listfile.so
module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. To limit root access to a system service, edit the file for the target service in the/etc/pam.d/
directory and make sure thepam_listfile.so
module is required for authentication.The following is an example of how the module is used for thevsftpd
FTP server in the/etc/pam.d/vsftpd
PAM configuration file (the\
character at the end of the first line is not necessary if the directive is on a single line):auth required /lib/security/pam_listfile.so item=user \ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
This instructs PAM to consult the/etc/vsftpd.ftpusers
file and deny access to the service for any listed user. The administrator can change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.If the administrator wants to deny access to multiple services, a similar line can be added to the PAM configuration files, such as/etc/pam.d/pop
and/etc/pam.d/imap
for mail clients, or/etc/pam.d/ssh
for SSH clients.For more information about PAM, refer to Section 48.4, “Pluggable Authentication Modules (PAM)”.Table 48.4. Disabling Root Using PAM
Effects Does Not Affect Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:login
gdm
kdm
xdm
ssh
scp
sftp
- FTP clients
- Email clients
- Any PAM aware services
Programs and services that are not PAM aware.
48.1.4.3. Limiting Root Access
su
or sudo
.
48.1.4.3.1. The su
Command
su
command, they are prompted for the root password and, after authentication, is given a root shell prompt.
su
command, the user is the root user and has absolute administrative access to the system[16]. In addition, once a user has become root, it is possible for them to use the su
command to change to any other user on the system without being prompted for a password.
usermod -G wheel <username>
wheel
group.
- Click themenu on the Panel, point to and then click to display the User Manager. Alternatively, type the command
system-config-users
at a shell prompt. - Click the Users tab, and select the required user in the list of users.
- Clickon the toolbar to display the User Properties dialog box (or choose on the menu).
- Click the Groups tab, select the check box for the wheel group, and then click . Refer to Figure 48.2, “Adding users to the "wheel" group.”.
- Open the PAM configuration file for
su
(/etc/pam.d/su
) in a text editor and remove the comment # from the following line:auth required pam_wheel.so use_uid
This change means that only members of the administrative groupwheel
can switch to another user using the su command.

Figure 48.2. Adding users to the "wheel" group.
Note
wheel
group by default.
48.1.4.3.2. The sudo
Command
sudo
command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo
, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
sudo
command is as follows:
sudo <command>
mount
.
Important
sudo
command should take extra care to log out before walking away from their machines since sudoers can use the command again without being asked for a password within a five minute period. This setting can be altered via the configuration file, /etc/sudoers
.
sudo
command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers
configuration file are allowed to use the sudo
command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in Section 48.1.4.2, “Disallowing Root Access”.
sudo
command also provides a comprehensive audit trail. Each successful authentication is logged to the file /var/log/messages
and the command issued along with the issuer's user name is logged to the file /var/log/secure
.
sudo
command is that an administrator can allow different users access to specific commands based on their needs.
sudo
configuration file, /etc/sudoers
, should use the visudo
command.
visudo
and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
juan
, can use sudo
from any host and execute any command.
sudo
:
%users localhost=/sbin/shutdown -h now
/sbin/shutdown -h now
as long as it is issued from the console.
sudoers
has a detailed listing of options for this file.
48.1.5. Available Network Services
48.1.5.1. Risks To Services
- Denial of Service Attacks (DoS) — By flooding a service with requests, a denial of service attack can render a system unusable as it tries to log and answer each request.
- Script Vulnerability Attacks — If a server is using scripts to execute server-side actions, as Web servers commonly do, a cracker can attack improperly written scripts. These script vulnerability attacks can lead to a buffer overflow condition or allow the attacker to alter files on the system.
- Buffer Overflow Attacks — Services that connect to ports numbered 0 through 1023 must run as an administrative user. If the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers use automated tools to identify systems with vulnerabilities, and once they have gained access, they use automated rootkits to maintain their access to the system.
Note
Note
48.1.5.2. Identifying and Configuring Services
cupsd
— The default print server for Red Hat Enterprise Linux.lpd
— An alternative print server.xinetd
— A super server that controls connections to a range of subordinate servers, such asgssftp
andtelnet
.sendmail
— The Sendmail Mail Transport Agent (MTA) is enabled by default, but only listens for connections from the localhost.sshd
— The OpenSSH server, which is a secure replacement for Telnet.
cupsd
running. The same is true for portmap
. If you do not mount NFSv3 volumes or use NIS (the ypbind
service), then portmap
should be disabled.
system-config-services
), ntsysv, and chkconfig
. For information on using these tools, refer to Chapter 18, Controlling Access to Services.

Figure 48.3. Services Configuration Tool
48.1.5.3. Insecure Services
- Transmit Usernames and Passwords Over a Network Unencrypted — Many older protocols, such as Telnet and FTP, do not encrypt the authentication session and should be avoided whenever possible.
- Transmit Sensitive Data Over a Network Unencrypted — Many protocols transmit data over the network unencrypted. These protocols include Telnet, FTP, HTTP, and SMTP. Many network file systems, such as NFS and SMB, also transmit information over the network unencrypted. It is the user's responsibility when using these protocols to limit what type of data is transmitted.Remote memory dump services, like
netdump
, transmit the contents of memory over the network unencrypted. Memory dumps can contain passwords or, even worse, database entries and other sensitive information.Other services likefinger
andrwhod
reveal information about users of the system.
rlogin
, rsh
, telnet
, and vsftpd
.
rlogin
, rsh
, and telnet
) should be avoided in favor of SSH. Refer to Section 48.1.7, “Security Enhanced Communication Tools” for more information about sshd
.
finger
authd
(this was calledidentd
in previous Red Hat Enterprise Linux releases.)netdump
netdump-server
nfs
rwhod
sendmail
smb
(Samba)yppasswdd
ypserv
ypxfrd
48.1.6. Personal Firewalls
Important
system-config-securitylevel
). This tool creates broad iptables
rules for a general-purpose firewall using a control panel interface.
iptables
is probably a better option. Refer to Section 48.8, “Firewalls” for more information. Refer to Section 48.9, “IPTables” for a comprehensive guide to the iptables
command.
48.1.7. Security Enhanced Communication Tools
- OpenSSH — A free implementation of the SSH protocol for encrypting network communication.
- Gnu Privacy Guard (GPG) — A free implementation of the PGP (Pretty Good Privacy) encryption application for encrypting data.
telnet
and rsh
. OpenSSH includes a network service called sshd
and three command line client applications:
ssh
— A secure remote console access client.scp
— A secure remote copy command.sftp
— A secure pseudo-ftp client that allows interactive file transfer sessions.
Important
sshd
service is inherently secure, the service must be kept up-to-date to prevent security threats. Refer to Section 47.5, “Security Updates” for more information.