SecurityBasics

From FedoraProject

Jump to: navigation, search
Warning (medium size).png
This page is a draft only
It is still under construction and content may change. Do not rely on the information on this page.

Contents

DRAFT: Fedora Security Basics

Fedora Security related Features

For a description fedora security related features see Security Features

Understanding Computer Security

Although new viruses and security flaws are announced daily, threats fall into several well-understood categories. The common types of threat to networked computer systems include:

  • Viruses that spread between systems
  • Malicious Software Applications, often designed to modify the system or transmit data to other systems
  • Malicious Servers designed to exploit vulnerabilities in software that accesses them
  • Attacks on Network Services by specialized cracking tools
  • Interception of Information transmitted between networked systems
  • User Behavior includes accidental errors and, more rarely, deliberate attempts to compromise the system

All of these threats have been in existance for many years. Researchers, developers, and security professionals, have developed a wide range of approaches to deal with each type of threat. As a result, it is possible to actively reduce the overall vulnerability of the system to both current and future threats. Applications and network services may be designed to avoid behavior that is known to be potentially unsafe, and specialized countermeasures may be implemented within the operating system itself.

The Red Hat Enterprise Linux Security Guide provides an overview of security issues, and advice on how to configure common software.

Security Measures in Fedora Systems

The security measures in Fedora include:

  • A system firewall
  • Separated user accounts
  • Every system and user file is marked with a set of permissions that specify how it may be used
  • Many network services may only access appropriate parts of the system
  • No access to administrative facilities from standard user accounts without separate authorization
  • Software installation methods that reject software from untrusted sources
  • Utilities to update all of the supplied software on your system with one command
  • Several features that prevent software from modifying other parts of the running system
  • Automated e-mail status reports

By default, the installation process configures all of these features. One of the overall design goals of Fedora is that every system should be secure, without requiring extra efforts by the users. To this end, Fedora developers continue to refine core technologies such as software management, the SELinux access framework, and the GCC software compiler. The recommended applications and network services also have features that address common security issues.

You may modify the configurations of each component to tailor the security of your system to your requirements. The Fedora Project only provides software that is licensed under open source terms, to ensure that you may study and customize the software to any level that you wish. You may also directly help to improve the security of the Fedora distribution by participating in the processes of testing, documentation, and development.

The sections below provide some general advice on particular aspects of system security.

User Accounts and the Root Account

Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.

Warning (medium size).png
Avoid Logging in as root
You do not need to log in with the root account in order to manage your Fedora system.

To perform administrative tasks, log in to your system with a standard user account, and use the su or sudo to run individual commands with the privileges of the root account. This ensures that only the specified commands are run with root access. The supplied configuration tools automatically prompt for the root password, if the user has not specified root access with su or sudo.

Read the info manual on your system for details of the su command:

info su

If you have several administrators for a system, configure sudo to enable each administrator to carry out commands with root access. The sudo facility also enables administrators to grant root access to user accounts for specific applications only.

Note.png
Only One Administrator Needs the root Password
Authorized sudo users use their own password to run root commands with sudo. For this reason, only one administrator needs to know the root password for a server.

Use the visudo command to edit the configuration file for sudo.

Refer to the sudo project Website for more information on sudo:

Ensuring Strong Passwords

Automated password cracking programs include multiple dictionaries for one or more languages, in order to be able to identify any password that is based on a standard word or name. Password cracking programs are also often able to identify a word even if characters are substituted.

To ensure that your passwords may not be easily identified, use a combination of upper case letters, lower case letters, numbers, and punctuation.

Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.

Idea.png
The passwd Utility Tests Password Strength
The passwd utility sets account passwords, and prompts if the password is too easily guessed.

If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.

Important.png
Create Unique Passwords
Do not use the same passwords or key for more than one system.

Understanding Viruses and Spyware

Important.png
Viruses for Microsoft Windows do not affect Linux systems
Software written for Microsoft Windows requires an appropriate system to run.

Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.

Some spyware programs use a feature of Microsoft Internet Explorer to install on Windows systems without the consent of a user. Other spyware products claim to provide features in order to convince users to install them.

Fedora systems do not allow new items of software to be installed or run without the explicit permission of a user:

  • By default, applications such as the OpenOffice.org suite and the Evolution e-mail client do not run programs embedded in e-mails or documents
  • Web browsers require you to approve the installation of plug-ins
  • Fedora supplies software as packages, rather than working programs
  • If you download a working program, it cannot run until you choose to mark the files as executable

The Fedora Project distributes all software as package files, rather than working programs, and encourages other vendors to provide software for Fedora systems in the same format. The supplied utilities use these packages to construct or update working copies of software. Packages that fail integrity or digital signature tests are automatically rejected by the management utilities.

Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer.

Warning (medium size).png
Avoid Copying or Sending Suspicious E-mails and Files
You may pass on files that are infected with viruses designed to affect Microsoft Windows systems.

Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems.

Refer to the ClamAV project Website for more information on the ClamAV software:

For more details on software installation, read the documentation on our Website:

Protecting Network Services from Attack

Every system connected to the Internet is eventually checked by automated cracking programs. Such programs frequently run on systems that have already been compromised by crackers, or infected with a virus. Compromised systems constantly check thousands of Internet addresses for active systems that use specific network services, and attack those that they find. These attacks may be defeated by simple countermeasures.

The default firewall configuration for Fedora systems blocks connections from other systems. Any attempt by a remote system to access a service on a blocked port simply fails. This means that no other system may connect to the SSH remote access service, or any other installed service, unless you specifically choose to unblock the relevant port.

If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access.

Note.png
Remote Access to E-mail and Printers
By default, the e-mail (SMTP) and printing (CUPS) services reject connections from remote systems. You may change the configuration of these services to allow access from other systems.

The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them:

  • FTP: Use SSH or HTTP (with WebDAV for write access) instead
  • NFS: Only use between trusted systems on private networks
  • The "r" suite of utilities (e.g. rexec, rlogin): Superceded by SSH
  • Telnet: Superceded by SSH

If possible, configure each accessible service to only accept connections from specific IP addresses. For information on how to secure a service, refer to the documentation for the product.

In all cases, only allow write access if it is necessary. Certain services, like HTTP file transfer, provide read-only access by default. If you configure a service to allow write access to files or databases, ensure that access is protected by strong passwords.

Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.

Stop (medium size).png
Many Services Transmit Information without Encryption
The SSH service automatically encrypts all of the communications between SSH clients and the server. Many other types of service do not encrypt your password, or any other information, until you configure the options for SSL or SSH support. Configure encryption as described in the product documentation.

Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.

Keeping Your System Updated

Most Fedora installations will have yum as well as PackageKit including one or more of its many GUI frontends installed. Either of this tools can be used, for a more extensive overview see

Either tool can only manage software packages for packages originating from Fedora repositories. You must check and manage downloaded scripts and manually compiled software by yourself.

Yum

Usually doing
yum update
from the command line will do what is necessary.

For more details on software installation and updates with yum, refer to the documentation: http://fedora.redhat.com/docs/yum/

Yum provides also fine grained capabilities to filter and manage security updates:

yum --security update

will install updates marked as security relevant.

yum updateinfo list security

will list security relevant updates.

Some of this functionality was previously provided by the yum-plugin-security plugin which is now integrated into yum.

Automatised updates and automatic checks for updates with yum are described in AutoUpdates.

Subscribing to Security Announcement Services

The Fedora Project has no dedicated security announcements. It is possible to receive security relevant package update announcements by email. Subscribe to https://admin.fedoraproject.org/mailman/listinfo/package-announce and use the freshly emailed password to login at https://admin.fedoraproject.org/mailman/options/package-announce and change the list options to filer for security updates.

Security relevant updates can be also seen in this web interface: https://admin.fedoraproject.org/updates/

The low traffic security mailing list is for general questions regarding security: https://admin.fedoraproject.org/mailman/listinfo/security

To view, or subscribe to, RSS feeds, visit the Fedora Project website http://fedoraproject.org/infofeed/

Enabling Status Reports

Automated processes on your Fedora system use the e-mail service to send reports to the system administrator. The logwatch script sends an overall status report each day at 4am.

Follow the instructions below to configure the e-mail service to deliver these messages to an administrator:

Edit the file /etc/aliases. You must have root access in order to edit this file.

su -c 'gedit /etc/aliases'

Enter the root password when prompted.

Note.png
Alternative Text Editors
If you use an alternative desktop or text editor, replace gedit with your preferred text editor.

Change the line:

root: root

Replace the second root with your e-mail address. For example:

root: me@example.com

Save the file, and close the text editor.

To update the e-mail server configuration with the new alias, run the newaliases command.

su -c 'newaliases'

Enter the root password when prompted.

Security Checklists

Using the System Safely

  • Use strong passwords for your accounts
  • Log in with a standard user account
  • Use su, sudo, or the supplied configuration tools, to perform administrative tasks that require root access
  • Only install software or plug-ins from trusted sources
  • Discard e-mails with attachments if you do not recognise the source
  • Only keep or copy a file if you know the original source of that file

Secure System Configuration

  • Create one system account per active user
  • If a number of users require some form of administrative access, configure sudo rather than distributing the root password
  • Only enable additional network services if they are necessary
  • If possible, configure services to allow connections only from specific IP addresses that you know
  • Only configure a service to allow write access to files if it is necessary
  • If possible, require SSH keys rather than passwords for remote access
  • If you expect to receive infected files, install and configure anti-virus software
  • Enable e-mail reporting by setting an e-mail alias for root

Routine Security Tasks

  • Check the messages from your RSS and e-mail subscriptions for security announcements
  • Update the system regularly
  • If you install anti-virus software, update the virus signature data regularly
  • Make backups of data and configuration files
  • Lock user accounts that are no longer required
  • Deactivate any network services that are no longer required
  • Check the log files for unusual activity

You may wish to automate some of these tasks, so that they are performed automatically.