| Previous | Table of Contents | Next |
by Tim Parker
Covering everything about security would take several volumes of books, so we can only look at the basics in this chapter. We’ll take a quick look at the primary defenses you need in order to protect yourself from unauthorized access through telephone lines (modems), as well as some aspects of network connections. We won’t bother with complex solutions that are difficult to implement because they can require a considerable amount of knowledge and they apply only to specific configurations.
Instead, we can look at the basic methods of buttoning up your Linux system, most of which are downright simple and effective. Many system administrators either don’t know what is necessary to protect a system from unauthorized access, or they have discounted the chances of a break-in happening to them. It happens with alarming frequency, so take the industry’s advice: Don’t take chances. Protect your system.
Believe it or not, the most common access method of breaking into a system through a network, over a modem connection, or sitting in front of a terminal is through weak passwords. Weak (which means easily guessable) passwords are very common. When these are used by system users, even the best security systems can’t protect against intrusion.
If you’re managing a system that has several users, you should implement a policy requiring users to set their passwords at regular intervals (usually every six to eight weeks is a good idea), and to use non-English words. The best passwords are combinations of letters and numbers that are not in the dictionary.
Sometimes, though, having a policy against weak passwords isn’t enough. You may want to consider forcing stronger password usage by using public domain or commercial software that checks potential passwords for susceptibility. These packages are often available in source code, so they can be compiled for Linux without a problem.
Security begins at the file permission level and should be carried out carefully. Whether you want to protect a file from snooping by an unauthorized invader or another user, you should carefully set your umask (file creation mask) to set your files for maximum security.
Of course, this is really only important if you have more than one user on the system or have to consider hiding information from certain users. However, if you are on a system with several users, consider forcing umask settings for everyone and set read-and-write permissions only for the user, and no permissions for everyone else. This is as good as you can get with file security.
For very sensitive files (such as accounting or employee information), consider encrypting them with a simple utility. There are many such programs available. Most require only a password to trigger the encryption or decryption.
For most Linux users, protecting your system from access through an Internet gateway isn’t important because few users have an Internet access machine directly connected to their Linux box. Instead, the concern should be about protecting yourself from break-in through the most accessible method open to system invaders: modems.
Modems are the most commonly used interface into every Linux system (unless you’re running completely standalone or on a closed network). Modems are used for remote user access, as well as for network and Internet access. Securing your system’s modem lines from intrusion is simple and effective enough to stop casual browsers.
The safest technique to prevent unauthorized access through modems is to employ a callback modem. A callback modem lets users connect to the system as usual; it then hangs up and consults a list of valid users and their telephone numbers, before calling the user back to establish the call. Callback modems are quite expensive, so this is not a practical solution for many systems.
Callback modems have some problems, too, especially if users change locations frequently. Also, callback modems are vulnerable to abuse because of call-forwarding features of modern telephone switches.
The typical telephone modem can be a source of problems if it doesn’t hang up the line properly after a user session has finished. Most often, this is a problem with the wiring of the modem or the configuration setup.
Wiring problems may sound trivial, but there are many systems with hand-wired modem cables that don’t properly control all the pins so the system can be left with a modem session not properly closed and a logout not completed. Anyone calling that modem continues where the last user ended.
To prevent this kind of problem, make sure the cables connecting the modem to the Linux machine are complete. Replace hand-wired cables that you are unsure of with properly constructed commercial ones. Also, watch the modem when a few sessions are completed to make sure the line hangs up properly.
Configuration problems can also prevent line hangups. Check the modem documentation to make sure your Linux script can hang up the telephone line when the connection is broken. This is seldom a problem with the most commonly used modems, but off-brand modems that do not have true compatibility with a supported modem can cause problems. Again, watch the modem after a call to make sure it is hanging up properly.
One way to prevent break-ins is to remove the modem from the circuit when it’s not needed. Because access through modems by unwanted intruders is usually attempted after normal business hours, you can control the serial ports that the modems are connected to by using cron to change the status of the ports or disable the ports completely after-hours.
For most systems this is not practical, but for many businesses it is a simple enough solution. If late-night access is required, one or two modem lines out of a pool can be kept active. Some larger systems keep a dedicated number for the after-hours modem line, usually different than the normal modem line numbers.
| Previous | Table of Contents | Next |