Basic Security Tips For Sysops
Revision 1.0 (May 26, 1998)
By: Lord Somer of The Hackers Layer
http://www.lordsomer.com

This file is intended for system operators who want to take the basic security precautions to stop their systems from being hacked with ease, or from having information seen by someone it wasn't meant for. This guide is as generic as possible; due to the many flavors of unix I cannot give you specific information that would work on all servers. But this will give you a basis for finding the information in a FAQ on your OS or in a mailing list, and will save those resources a lot of time by not having to explain things to you.

###########
# Step 1. #
###########

Do not have an unshadowed /etc/passwd. This is the easiest way to get your server hacked: it allows any user on the server to eventually get every password for the system. Many OSes like BSD automatically shadow the file for you. If you don't know how to shadow your OS's passwd file, please contact the vendor for information on how to do that.

###########
# Step 2. #
###########

Don't use the same group id for all your users; they can use it to snoop around in each other's dirs. If you had a site being hosted by you that logged credit card orders on the web server, you wouldn't want all your users seeing those logs. So in these two examples change the group id (100) to the same number as the user id.

Before:

test:x:2786:100:Test User:/home/test:/bin/bash
test2:x:2787:100:Test User 2:/home/test2:/bin/bash

After:

test:x:2786:2786:Test User:/home/test:/bin/bash
test2:x:2787:2787:Test User 2:/home/test2:/bin/bash

###########
# Step 3. #
###########

Don't give out shell access. In your passwd file you have entries like:

test:x:2786:2786:Test User:/home/test:/bin/bash
test2:x:2787:2787:Test User 2:/home/test2:/bin/bash

This is very, very bad!!! You're basically giving them access to run anything they like on the server.
The /bin/bash is giving them 'shell access', which is what is used to compile exploits that can be used to gain root access to your system. So change these to something more like:

test:x:2786:2786:Test User:/home/test:/bin/ftplogin
test2:x:2787:2787:Test User 2:/home/test2:/bin/ftplogin

Here is a sample file to place on the server as /bin/ftplogin:

----FILE BEGINS HERE----
#!/bin/sh
# Replacement login shell: prints a notice and exits instead of giving a shell.
echo
echo "This account allows FTP access only. You are not allowed"
echo "usage of shell access. If you have a specific need that"
echo "requires shell access please contact us at webmaster@hosting.com"
echo "and please specify what exactly you need to do and we'll"
echo "attempt to accommodate you any way we can."
echo
echo "          Thank you,"
echo "          Your Hosting Services"
----FILE ENDS HERE----

Also add the line /bin/ftplogin to /etc/shells, otherwise your users won't be able to use FTP either (ftpd refuses logins whose shell is not listed there).

###########
# Step 4. #
###########

Disable anonymous FTP access. Just delete the user ftp from /etc/passwd and /etc/shadow. This is a highly recommended thing to do. Anonymous FTP access is mainly used by 'hackers' to store 'pirated software' in your incoming dir if you have one, or to get your passwd file if it isn't shadowed. If you want to keep anonymous FTP access, do not allow dir listing in your incoming dir if you have one; better yet, don't have one!

###########
# Step 5. #
###########

Make ftpd use chroot so that when users log in to their FTP account, their dir appears as / but is actually their home dir. This is extremely recommended if you have an unshadowed passwd file, since it keeps system config files from being viewed.

Just a note: this, along with the group id items, is easily bypassed if you allow users to run CGIs on the web server. It is suggested that you only enable CGI/SSI if your users specifically request access to these services, due to the number of security features these can be used to bypass.

###########
# Step 6. #
###########

Disable remote services like rlogin.
Just put a # in front of the service in /etc/inetd.conf and restart inetd.

If you have done all or most of the above, your system should be safe from basic attacks. It will require a lot more effort on the part of the hacker to 'hack' your server. This is in no way going to guarantee you won't get 'hacked' by someone who is really out to get your server, but it will stop most 'casual' hackers from hacking your server.

Credits for this file:

Thanks to eythan for giving me the idea to write this, and thanks to zula for some ideas on things to add and other bits of info.
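An added audit script for Steps 2 through 4 above (written for this edit, not part of the original file): it checks a passwd-format file for users sharing a group id, users still holding a real shell, and a leftover anonymous ftp account, and checks an /etc/shells-format file for the /bin/ftplogin entry. The sample files are constructed, and the uid >= 100 cutoff for "regular user" is an assumption.

```shell
#!/bin/sh
# Audit helpers for Steps 2-4. Each takes the path of the file to check,
# so they can be pointed at /etc/passwd and /etc/shells on a real box.
# Assumption: accounts with uid >= 100 are regular users.

# Step 2: regular users whose gid differs from their uid (shared group).
shared_gid_users() {
    awk -F: '$3 >= 100 && $3 != $4 { print $1 }' "$1"
}

# Step 3: regular users whose login shell is a real interactive shell.
shell_users() {
    awk -F: '$3 >= 100 && $7 ~ /\/(sh|bash|csh|tcsh|ksh|zsh)$/ { print $1 }' "$1"
}

# Step 4: exit 0 if the anonymous "ftp" account is still present.
anon_ftp_present() {
    grep -q '^ftp:' "$1"
}

# Step 3 footnote: exit 0 if /bin/ftplogin is listed in the shells file.
ftplogin_in_shells() {
    grep -qx '/bin/ftplogin' "$1"
}

# Constructed sample files mirroring the "Before" entries in the text.
PASSWD_SAMPLE=$(mktemp)
SHELLS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHELLS_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ftp:x:14:50:FTP User:/home/ftp:/bin/ftplogin
test:x:2786:100:Test User:/home/test:/bin/bash
test2:x:2787:2787:Test User 2:/home/test2:/bin/ftplogin
EOF
printf '/bin/sh\n/bin/bash\n' > "$SHELLS_SAMPLE"

echo "Users sharing a gid (Step 2):     $(shared_gid_users "$PASSWD_SAMPLE")"
echo "Users with shell access (Step 3): $(shell_users "$PASSWD_SAMPLE")"
anon_ftp_present "$PASSWD_SAMPLE" && echo "Anonymous ftp account present (Step 4)"
ftplogin_in_shells "$SHELLS_SAMPLE" || echo "/bin/ftplogin missing from shells file: ftplogin users cannot FTP"
```

On the sample data the script reports test for both Step 2 and Step 3, the ftp account as present, and /bin/ftplogin as missing from the shells file.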