(Imported from MoinMoin)
m (1 revision(s))
Revision as of 16:36, 24 May 2008
DRAFT: Fedora Security Basics
Understanding Computer Security
Although new viruses and security flaws are announced daily, threats fall into several well-understood categories. The common types of threat to networked computer systems include:
- Viruses that spread between systems
- Malicious Software Applications, often designed to modify the system or transmit data to other systems
- Malicious Servers designed to exploit vulnerabilities in software that accesses them
- Attacks on Network Services by specialized cracking tools
- Interception of Information transmitted between networked systems
- User Behavior includes accidental errors and, more rarely, deliberate attempts to compromise the system
All of these threats have been in existance for many years. Researchers, developers, and security professionals, have developed a wide range of approaches to deal with each type of threat. As a result, it is possible to actively reduce the overall vulnerability of the system to both current and future threats. Applications and network services may be designed to avoid behavior that is known to be potentially unsafe, and specialized countermeasures may be implemented within the operating system itself.
The Red Hat Enterprise Linux Security Guide provides an overview of security issues, and advice on how to configure common software.
Security Measures in Fedora Systems
The security measures in Fedora include:
- A system firewall
- Separated user accounts
- Every system and user file is marked with a set of permissions that specify how it may be used
- Many network services may only access appropriate parts of the system
- No access to administrative facilities from standard user accounts without separate authorization
- Software installation methods that reject software from untrusted sources
- Utilities to update all of the supplied software on your system with one command
- Several features that prevent software from modifying other parts of the running system
- Automated e-mail status reports
By default, the installation process configures all of these features. One of the overall design goals of Fedora is that every system should be secure, without requiring extra efforts by the users. To this end, Fedora developers continue to refine core technologies such as software management, the SELinux access framework, and the GCC software compiler. The recommended applications and network services also have features that address common security issues.
You may modify the configurations of each component to tailor the security of your system to your requirements. The Fedora Project only provides software that is licensed under open source terms, to ensure that you may study and customize the software to any level that you wish. You may also directly help to improve the security of the Fedora distribution by participating in the processes of testing, documentation, and development.
The sections below provide some general advice on particular aspects of system security.
User Accounts and the Root Account
Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.
To perform administrative tasks, log in to your system with a standard user account, and use the
sudo to run individual commands with the privileges of the
root account. This ensures that only the specified commands are run with
root access. The supplied configuration tools automatically prompt for the
root password, if the user has not specified
root access with
info manual on your system for details of the
If you have several administrators for a system, configure
sudo to enable each administrator to carry out commands with
root access. The
sudo facility also enables administrators to grant
root access to user accounts for specific applications only.
Only One Administrator Needs the
root Password Authorized
sudo users use their own password to run
root commands with
sudo. For this reason, only one administrator needs to know the
root password for a server.
visudo command to edit the configuration file for
Refer to the
sudo project Website for more information on
Ensuring Strong Passwords
Automated password cracking programs include multiple dictionaries for one or more languages, in order to be able to identify any password that is based on a standard word or name. Password cracking programs are also often able to identify a word even if characters are substituted.
To ensure that your passwords may not be easily identified, use a combination of upper case letters, lower case letters, numbers, and punctuation.
Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.
If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.
Understanding Viruses and Spyware
Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.
Some spyware programs use a feature of Microsoft Internet Explorer to install on Windows systems without the consent of a user. Other spyware products claim to provide features in order to convince users to install them.
Fedora systems do not allow new items of software to be installed or run without the explicit permission of a user:
- By default, applications such as the Open
Office.org suite and the Evolution e-mail client do not run programs embedded in e-mails or documents
- Web browsers require you to approve the installation of plug-ins
- Fedora supplies software as packages, rather than working programs
- If you download a working program, it cannot run until you choose to mark the files as executable
The Fedora Project distributes all software as package files, rather than working programs, and encourages other vendors to provide software for Fedora systems in the same format. The supplied utilities use these packages to construct or update working copies of software. Packages that fail integrity or digital signature tests are automatically rejected by the management utilities.
Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer.
Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems.
Refer to the ClamAV project Website for more information on the ClamAV software:
For more details on software installation, read the documentation on our Website:
Protecting Network Services from Attack
Every system connected to the Internet is eventually checked by automated cracking programs. Such programs frequently run on systems that have already been compromised by crackers, or infected with a virus. Compromised systems constantly check thousands of Internet addresses for active systems that use specific network services, and attack those that they find. These attacks may be defeated by simple countermeasures.
The default firewall configuration for Fedora systems blocks connections from other systems. Any attempt by a remote system to access a service on a blocked port simply fails. This means that no other system may connect to the SSH remote access service, or any other installed service, unless you specifically choose to unblock the relevant port.
If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access.
Remote Access to E-mail and Printers By default, the e-mail (SMTP) and printing (CUPS) services reject connections from remote systems. You may change the configuration of these services to allow access from other systems.
The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them:
- FTP: Use SSH or HTTP (with WebDAV for write access) instead
- NFS: Only use between trusted systems on private networks
- The "r" suite of utilities (e.g.
rlogin): Superceded by SSH
- Telnet: Superceded by SSH
If possible, configure each accessible service to only accept connections from specific IP addresses. For information on how to secure a service, refer to the documentation for the product.
In all cases, only allow write access if it is necessary. Certain services, like HTTP file transfer, provide read-only access by default. If you configure a service to allow write access to files or databases, ensure that access is protected by strong passwords.
Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.
Many Services Transmit Information without Encryption The SSH service automatically encrypts all of the communications between SSH clients and the server. Many other types of service do not encrypt your password, or any other information, until you configure the options for SSL or SSH support. Configure encryption as described in the product documentation.
Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.
Keeping Your System Updated
To carry out a full system update, follow the instructions in the Fedora documentation:
For more details on software installation and updates with
yum, refer to the documentation:
yum utility may only manage software packages. You must check and manage downloaded scripts and manually compiled software. To ensure that you have the latest versions of manually installed
software, subscribe to e-mail or RSS services that notify you when new versions are released.
Subscribing to Security Announcement Services
The Fedora Project provides both an e-mail announcements service, and RSS information feeds.
To subscribe to e-mail announcements, go to the webpage for the fedora-announce-list
To view, or subscribe to, RSS feeds, visit the Fedora Project website
Enabling Status Reports
Automated processes on your Fedora system use the e-mail service to send reports to the system administrator. The
logwatch script sends an overall status report each day at 4am.
Follow the instructions below to configure the e-mail service to deliver these messages to an administrator:
Edit the file
/etc/aliases. You must have
root access in order to edit this file.
su -c 'gedit /etc/aliases'
root password when prompted.
Change the line:
Replace the second root with your e-mail address. For example:
Save the file, and close the text editor.
To update the e-mail server configuration with the new alias, run the
su -c 'newaliases'
root password when prompted.
Using the System Safely
- Use strong passwords for your accounts
- Log in with a standard user account
sudo, or the supplied configuration tools, to perform administrative tasks that require
- Only install software or plug-ins from trusted sources
- Discard e-mails with attachments if you do not recognise the source
- Only keep or copy a file if you know the original source of that file
Secure System Configuration
- Create one system account per active user
- If a number of users require some form of administrative access, configure
sudorather than distributing the
- Only enable additional network services if they are necessary
- If possible, configure services to allow connections only from specific IP addresses that you know
- Only configure a service to allow write access to files if it is necessary
- If possible, require SSH keys rather than passwords for remote access
- If you expect to receive infected files, install and configure anti-virus software
- Enable e-mail reporting by setting an e-mail alias for
Routine Security Tasks
- Check the messages from your RSS and e-mail subscriptions for security announcements
- Update the system regularly
- If you install anti-virus software, update the virus signature data regularly
- Make backups of data and configuration files
- Lock user accounts that are no longer required
- Deactivate any network services that are no longer required
- Check the log files for unusual activity
You may wish to automate some of these tasks, so that they are performed automatically.