From Fedora Project Wiki

m (1 revision(s))
m (Fixed templates)
Line 1: Line 1:
{{Draft}}
= DRAFT: Fedora Security Basics =
= DRAFT: Fedora Security Basics =
{{Template:Warning}} '''DRAFT''' Do not rely on this document - it has not yet been audited. Information here may be incomplete or inaccurate.
'''Contents:'''


== Understanding Computer Security ==
== Understanding Computer Security ==
Line 23: Line 18:


* [http://www.redhat.com/docs/manuals/enterprise/]  
* [http://www.redhat.com/docs/manuals/enterprise/]  


== Security Measures in Fedora Systems ==
== Security Measures in Fedora Systems ==
Line 44: Line 38:


The sections below provide some general advice on particular aspects of system security.
The sections below provide some general advice on particular aspects of system security.


== User Accounts and the Root Account ==
== User Accounts and the Root Account ==
Line 50: Line 43:
Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.
Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.


{{Template:Warning}} '''Avoid Logging in as <code>root</code>''' You do not need to log in with the <code>root</code> account in order to manage your Fedora system.
{{Admon/warning | Avoid Logging in as <code>root</code> | You do not need to log in with the <code>root</code> account in order to manage your Fedora system.}}


To perform administrative tasks, log in to your system with a standard user account, and use the <code>su</code> or <code>sudo</code> to run individual commands with the privileges of the <code>root</code> account. This ensures that only the specified commands are run with <code>root</code> access. The supplied configuration tools automatically prompt for the <code>root</code> password, if the user has not specified <code>root</code> access with <code>su</code> or <code>sudo</code>.
To perform administrative tasks, log in to your system with a standard user account, and use the <code>su</code> or <code>sudo</code> to run individual commands with the privileges of the <code>root</code> account. This ensures that only the specified commands are run with <code>root</code> access. The supplied configuration tools automatically prompt for the <code>root</code> password, if the user has not specified <code>root</code> access with <code>su</code> or <code>sudo</code>.
Line 62: Line 55:
If you have several administrators for a system, configure <code>sudo</code> to enable each administrator to carry out commands with <code>root</code> access. The <code>sudo</code> facility also enables administrators to grant <code>root</code> access to user accounts for specific applications only.
If you have several administrators for a system, configure <code>sudo</code> to enable each administrator to carry out commands with <code>root</code> access. The <code>sudo</code> facility also enables administrators to grant <code>root</code> access to user accounts for specific applications only.


{{Template:Note}} '''Only One Administrator Needs the <code>root</code> Password''' Authorized <code>sudo</code> users use their own password to run <code>root</code> commands with <code>sudo</code>. For this reason, only one administrator needs to know the <code>root</code> password for a server.
{{Admon/note | Only One Administrator Needs the <code>root</code> Password | Authorized <code>sudo</code> users use their own password to run <code>root</code> commands with <code>sudo</code>. For this reason, only one administrator needs to know the <code>root</code> password for a server.}}


Use the <code>visudo</code> command to edit the configuration file for <code>sudo</code>.
Use the <code>visudo</code> command to edit the configuration file for <code>sudo</code>.
Line 69: Line 62:


* [http://www.courtesan.com/sudo/]  
* [http://www.courtesan.com/sudo/]  


== Ensuring Strong Passwords ==
== Ensuring Strong Passwords ==
Line 79: Line 71:
Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.
Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.


{{Template:Tip}} '''The <code>passwd</code> Utility Tests Password Strength''' The <code>passwd</code> utility sets account passwords, and prompts if the password is too easily guessed.
{{Admon/tip | The <code>passwd</code> Utility Tests Password Strength | The <code>passwd</code> utility sets account passwords, and prompts if the password is too easily guessed.}}


If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.
If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.


{{Template:Important}} '''Create Unique Passwords''' Do not use the same passwords or key for more than one system.
{{Admon/important | Create Unique Passwords | Do not use the same passwords or key for more than one system.}}
 


== Understanding Viruses and Spyware ==
== Understanding Viruses and Spyware ==


{{Template:Important}} '''Viruses for Microsoft Windows do not affect Linux systems''' Software written for Microsoft Windows requires an appropriate system to run.
{{Admon/important | Viruses for Microsoft Windows do not affect Linux systems | Software written for Microsoft Windows requires an appropriate system to run.}}


Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.
Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.
Line 105: Line 96:
Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer.
Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer.


{{Template:Warning}} '''Avoid Copying or Sending Suspicious E-mails and Files''' You may pass on files that are infected with viruses designed to affect Microsoft Windows systems.
{{Admon/warning | Avoid Copying or Sending Suspicious E-mails and Files | You may pass on files that are infected with viruses designed to affect Microsoft Windows systems.}}


Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems.
Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems.
Line 116: Line 107:


* [http://fedora.redhat.com/docs/yum/]  
* [http://fedora.redhat.com/docs/yum/]  


== Protecting Network Services from Attack ==
== Protecting Network Services from Attack ==
Line 126: Line 116:
If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access.
If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access.


{{Template:Note}} '''Remote Access to E-mail and Printers''' By default, the e-mail (SMTP) and printing (CUPS) services reject connections from remote systems. You may change the configuration of these services to allow access from other systems.
{{Admon/note | Remote Access to E-mail and Printers | By default, the e-mail (SMTP) and printing (CUPS) services reject connections from remote systems. You may change the configuration of these services to allow access from other systems.}}


The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them:
The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them:
Line 141: Line 131:
Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.
Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.


{{Template:Caution}} '''Many Services Transmit Information without Encryption''' The SSH service automatically encrypts all of the communications between SSH clients and the server. Many other types of service do not encrypt your password, or any other information, until you configure the options for SSL or SSH support. Configure encryption as described in the product documentation.
{{Admon/caution | Many Services Transmit Information without Encryption | The SSH service automatically encrypts all of the communications between SSH clients and the server. Many other types of service do not encrypt your password, or any other information, until you configure the options for SSL or SSH support. Configure encryption as described in the product documentation.}}


Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.
Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.


== Keeping Your System Updated ==
== Keeping Your System Updated ==
Line 158: Line 147:
The <code>yum</code> utility may only manage software packages. You must check and manage downloaded scripts and manually compiled software. To ensure that you have the latest versions of manually installed
The <code>yum</code> utility may only manage software packages. You must check and manage downloaded scripts and manually compiled software. To ensure that you have the latest versions of manually installed
software, subscribe to e-mail or RSS services that notify you when new versions are released.
software, subscribe to e-mail or RSS services that notify you when new versions are released.


== Subscribing to Security Announcement Services ==
== Subscribing to Security Announcement Services ==
Line 171: Line 159:


* [http://fedoraproject.org/infofeed/]  
* [http://fedoraproject.org/infofeed/]  


== Enabling Status Reports ==
== Enabling Status Reports ==
Line 210: Line 197:


Enter the <code>root</code> password when prompted.
Enter the <code>root</code> password when prompted.


== Security Checklists ==
== Security Checklists ==

Revision as of 15:14, 2 June 2008

This page is a draft only
It is still under construction and content may change. Do not rely on the information on this page.

DRAFT: Fedora Security Basics

Understanding Computer Security

Although new viruses and security flaws are announced daily, threats fall into several well-understood categories. The common types of threat to networked computer systems include:

  • Viruses that spread between systems
  • Malicious Software Applications, often designed to modify the system or transmit data to other systems
  • Malicious Servers designed to exploit vulnerabilities in software that accesses them
  • Attacks on Network Services by specialized cracking tools
  • Interception of Information transmitted between networked systems
  • User Behavior includes accidental errors and, more rarely, deliberate attempts to compromise the system

All of these threats have been in existance for many years. Researchers, developers, and security professionals, have developed a wide range of approaches to deal with each type of threat. As a result, it is possible to actively reduce the overall vulnerability of the system to both current and future threats. Applications and network services may be designed to avoid behavior that is known to be potentially unsafe, and specialized countermeasures may be implemented within the operating system itself.

The Red Hat Enterprise Linux Security Guide provides an overview of security issues, and advice on how to configure common software.

Security Measures in Fedora Systems

The security measures in Fedora include:

  • A system firewall
  • Separated user accounts
  • Every system and user file is marked with a set of permissions that specify how it may be used
  • Many network services may only access appropriate parts of the system
  • No access to administrative facilities from standard user accounts without separate authorization
  • Software installation methods that reject software from untrusted sources
  • Utilities to update all of the supplied software on your system with one command
  • Several features that prevent software from modifying other parts of the running system
  • Automated e-mail status reports

By default, the installation process configures all of these features. One of the overall design goals of Fedora is that every system should be secure, without requiring extra efforts by the users. To this end, Fedora developers continue to refine core technologies such as software management, the SELinux access framework, and the GCC software compiler. The recommended applications and network services also have features that address common security issues.

You may modify the configurations of each component to tailor the security of your system to your requirements. The Fedora Project only provides software that is licensed under open source terms, to ensure that you may study and customize the software to any level that you wish. You may also directly help to improve the security of the Fedora distribution by participating in the processes of testing, documentation, and development.

The sections below provide some general advice on particular aspects of system security.

User Accounts and the Root Account

Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.

Avoid Logging in as root
You do not need to log in with the root account in order to manage your Fedora system.

To perform administrative tasks, log in to your system with a standard user account, and use the su or sudo to run individual commands with the privileges of the root account. This ensures that only the specified commands are run with root access. The supplied configuration tools automatically prompt for the root password, if the user has not specified root access with su or sudo.

Read the info manual on your system for details of the su command:

info su

If you have several administrators for a system, configure sudo to enable each administrator to carry out commands with root access. The sudo facility also enables administrators to grant root access to user accounts for specific applications only.

Only One Administrator Needs the root Password
Authorized sudo users use their own password to run root commands with sudo. For this reason, only one administrator needs to know the root password for a server.

Use the visudo command to edit the configuration file for sudo.

Refer to the sudo project Website for more information on sudo:

Ensuring Strong Passwords

Automated password cracking programs include multiple dictionaries for one or more languages, in order to be able to identify any password that is based on a standard word or name. Password cracking programs are also often able to identify a word even if characters are substituted.

To ensure that your passwords may not be easily identified, use a combination of upper case letters, lower case letters, numbers, and punctuation.

Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.

The passwd Utility Tests Password Strength
The passwd utility sets account passwords, and prompts if the password is too easily guessed.

If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.

Create Unique Passwords
Do not use the same passwords or key for more than one system.

Understanding Viruses and Spyware

Viruses for Microsoft Windows do not affect Linux systems
Software written for Microsoft Windows requires an appropriate system to run.

Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.

Some spyware programs use a feature of Microsoft Internet Explorer to install on Windows systems without the consent of a user. Other spyware products claim to provide features in order to convince users to install them.

Fedora systems do not allow new items of software to be installed or run without the explicit permission of a user:

  • By default, applications such as the OpenOffice.org suite and the Evolution e-mail client do not run programs embedded in e-mails or documents
  • Web browsers require you to approve the installation of plug-ins
  • Fedora supplies software as packages, rather than working programs
  • If you download a working program, it cannot run until you choose to mark the files as executable

The Fedora Project distributes all software as package files, rather than working programs, and encourages other vendors to provide software for Fedora systems in the same format. The supplied utilities use these packages to construct or update working copies of software. Packages that fail integrity or digital signature tests are automatically rejected by the management utilities.

Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer.

Avoid Copying or Sending Suspicious E-mails and Files
You may pass on files that are infected with viruses designed to affect Microsoft Windows systems.

Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems.

Refer to the ClamAV project Website for more information on the ClamAV software:

For more details on software installation, read the documentation on our Website:

Protecting Network Services from Attack

Every system connected to the Internet is eventually checked by automated cracking programs. Such programs frequently run on systems that have already been compromised by crackers, or infected with a virus. Compromised systems constantly check thousands of Internet addresses for active systems that use specific network services, and attack those that they find. These attacks may be defeated by simple countermeasures.

The default firewall configuration for Fedora systems blocks connections from other systems. Any attempt by a remote system to access a service on a blocked port simply fails. This means that no other system may connect to the SSH remote access service, or any other installed service, unless you specifically choose to unblock the relevant port.

If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access.

Remote Access to E-mail and Printers
By default, the e-mail (SMTP) and printing (CUPS) services reject connections from remote systems. You may change the configuration of these services to allow access from other systems.

The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them:

  • FTP: Use SSH or HTTP (with WebDAV for write access) instead
  • NFS: Only use between trusted systems on private networks
  • The "r" suite of utilities (e.g. rexec, rlogin): Superceded by SSH
  • Telnet: Superceded by SSH

If possible, configure each accessible service to only accept connections from specific IP addresses. For information on how to secure a service, refer to the documentation for the product.

In all cases, only allow write access if it is necessary. Certain services, like HTTP file transfer, provide read-only access by default. If you configure a service to allow write access to files or databases, ensure that access is protected by strong passwords.

Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.

Many Services Transmit Information without Encryption
The SSH service automatically encrypts all of the communications between SSH clients and the server. Many other types of service do not encrypt your password, or any other information, until you configure the options for SSL or SSH support. Configure encryption as described in the product documentation.

Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.

Keeping Your System Updated

To carry out a full system update, follow the instructions in the Fedora documentation:

For more details on software installation and updates with yum, refer to the documentation:

The yum utility may only manage software packages. You must check and manage downloaded scripts and manually compiled software. To ensure that you have the latest versions of manually installed software, subscribe to e-mail or RSS services that notify you when new versions are released.

Subscribing to Security Announcement Services

The Fedora Project provides both an e-mail announcements service, and RSS information feeds.

To subscribe to e-mail announcements, go to the webpage for the fedora-announce-list

To view, or subscribe to, RSS feeds, visit the Fedora Project website

Enabling Status Reports

Automated processes on your Fedora system use the e-mail service to send reports to the system administrator. The logwatch script sends an overall status report each day at 4am.

Follow the instructions below to configure the e-mail service to deliver these messages to an administrator:

Edit the file /etc/aliases. You must have root access in order to edit this file.

su -c 'gedit /etc/aliases'

Enter the root password when prompted.

Alternative Text Editors If you use an alternative desktop or text editor, replace gedit with your preferred text editor.

Change the line:

root: root

Replace the second root with your e-mail address. For example:

root: me@example.com

Save the file, and close the text editor.

To update the e-mail server configuration with the new alias, run the newaliases command.

su -c 'newaliases'

Enter the root password when prompted.

Security Checklists

Using the System Safely

  • Use strong passwords for your accounts
  • Log in with a standard user account
  • Use su, sudo, or the supplied configuration tools, to perform administrative tasks that require root access
  • Only install software or plug-ins from trusted sources
  • Discard e-mails with attachments if you do not recognise the source
  • Only keep or copy a file if you know the original source of that file

Secure System Configuration

  • Create one system account per active user
  • If a number of users require some form of administrative access, configure sudo rather than distributing the root password
  • Only enable additional network services if they are necessary
  • If possible, configure services to allow connections only from specific IP addresses that you know
  • Only configure a service to allow write access to files if it is necessary
  • If possible, require SSH keys rather than passwords for remote access
  • If you expect to receive infected files, install and configure anti-virus software
  • Enable e-mail reporting by setting an e-mail alias for root

Routine Security Tasks

  • Check the messages from your RSS and e-mail subscriptions for security announcements
  • Update the system regularly
  • If you install anti-virus software, update the virus signature data regularly
  • Make backups of data and configuration files
  • Lock user accounts that are no longer required
  • Deactivate any network services that are no longer required
  • Check the log files for unusual activity

You may wish to automate some of these tasks, so that they are performed automatically.