Introduction

You might be tempted to believe that securing your *NIX computer is a waste of your time. After all, a freshly installed Linux or IRIX distribution would surely be fairly safe when you first install it, and the chances of someone finding and attacking your computer in the vast expanse of the Internet would be fairly small anyway, right? No. Please read on.

Insecure out of the box

Most *NIX operating systems are not sufficiently secure after a standard installation from distribution media. Vendors often provide a wide array of services to suit the range of clients who purchase their software, which means that insecure services you don't need could be active on your computer. Also, most vendors provide a range of patches to install after the operating system installation in order to fix possibly serious bugs or vulnerabilities that have been detected after the operating system was written to distribution media; these patches must be applied to improve system security and stability.

Security through obscurity doesn't work

Don't be tempted to believe your computer is unlikely to become the target of a break-in attempt because of the very large number of other hosts on the Internet that hackers have to choose from. If your machine is connected to the Internet it is likely that someone (probably many people) will try to break into it sooner rather than later. The fact that your computer doesn't have DNS entries or sits in an obscure subnet buried amidst many other computers will not stop people from finding and attacking it. Hackers often use subnet or domain name lists to scan many hosts at a time for vulnerabilities that will grant them unauthorised access. This university sees a fair number of sweeping scans every day, and these usually presage more serious attacks against individual machines.

Secure your computer before connecting it to the Internet

When setting up your *NIX computer please leave it physically disconnected from the Internet until you have made at least the inetd changes and set up packet filtering as suggested in this document. This air gap approach is recommended because there have been instances of computers being hacked within one or two hours of initial connection to the Internet, before anyone had a chance to audit operating system security. There is little point trying to secure a computer that has already been broken into and has backdoors and rootkits installed.
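An added example (not part of this document) of the kind of inetd audit the paragraph above refers to: a POSIX shell script that lists the services still enabled in an inetd.conf and comments out one by name. It runs against a constructed sample file rather than the real /etc/inetd.conf, so it is safe to try before any review of the live configuration.

```shell
#!/bin/sh
# Constructed sample inetd.conf for demonstration only (not taken from any real host).
SAMPLE_INETD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# Internet server configuration database (sample)
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd      ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/telnetd   telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/rshd      rshd
#login  stream  tcp     nowait  root    /usr/sbin/rlogind   rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/fingerd   fingerd
#echo   stream  tcp     nowait  root    internal
EOF

# list_enabled_services FILE
# Print the service name of every active line: blank lines (NF == 0) and
# lines whose first field starts with '#' are skipped.
list_enabled_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# count_enabled FILE
# Number of active service lines, with wc's padding stripped.
count_enabled() {
    list_enabled_services "$1" | wc -l | tr -d ' '
}

# disable_service FILE NAME
# Comment out every active line whose service field equals NAME.
# A temporary file is used because 'sed -i' differs between GNU and BSD sed.
disable_service() {
    tmp=$(mktemp)
    awk -v svc="$2" '$1 !~ /^#/ && $1 == svc { print "#" $0; next } { print }' \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demonstration: show what is enabled, disable telnet, show the result.
echo "Enabled before:"; list_enabled_services "$SAMPLE_INETD_CONF"
disable_service "$SAMPLE_INETD_CONF" telnet
echo "Enabled after:";  list_enabled_services "$SAMPLE_INETD_CONF"
```

Anything the script still lists should be either deliberately needed or disabled the same way, after which inetd must be sent SIGHUP (or restarted) to reread the file.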

Install the latest version of the OS

Always install from the latest stable distribution of the operating system. If you have one-year-old media lying about and you are tempted to use it to do a new installation, don't. Using the latest distribution will mean you're less likely to wind up with an operating system featuring nasty security holes that many hackers already know about and are actively trying to exploit. If your operating system provides several types of install strategy such as workstation or server, please be sure to choose a workstation model or similar that provides the lowest functionality with regard to Internet services.

Apply operating system patches

Ensure that the latest patches have been applied to the operating system and applications. Links to security advisory and patch sites can be found in section 3.2.

Physics IT Support 2003-09-16