UNIX - Good Computer Security Practices

This document will address prevention of the loss or misuse of Unix-based computer equipment or the information they contain. Persons at Virginia Commonwealth University who are setting up Unix-based workstations must insure that their systems are secure once they connect to the University network.

Potential Threats

  • Loss of equipment due to theft, accidental damage, or environmental hazards.
  • Unauthorized copying or data destruction, such as: e-mail, financial, student or medical records, research data, or important system files such as password information.
  • Destruction or copying of applications.
  • Unauthorized use of computer systems.
  • Poorly behaved programs or malicious programs such as computer viruses, macro viruses, and trojan horses.
  • Masquerading as an authorized user to obtain unauthorized access to locally stored data, or as a base to break into other computer systems locally or on the internet.

Also see:
Computer and Network Resources Use Policy

Password Security

Importance. Because most computer security depends upon passwords, implementing good password security procedures is the easiest way to secure all computer systems. Many users believe that information on their accounts is not important, therefore they don't need to be cautious. Unfortunately, many hacks into servers start by a hacker gaining access to an account, then obtaining access to privilege server information from there. Since a poorly guarded account is a "foot in the door" for hackers, it is important for all users to try to keep their accounts secure.

Selection. Although given enough time, passwords can be discovered by a determined hacker, some passwords are much harder to guess than others. Here are some suggestions to prevent discovery:

  • Use 6 or more characters
  • Use at least one character that is not a letter, such as a punctuation mark or a number.
  • Don't use your account name, your name, your spouse's name, your children's name or your pet's names.
  • >Don't use publicly accessible information about yourself, such as SSN, license numbers, birthdays, etc.
  • Don't use a word found in a dictionary.
  • Don't use all numbers.

See also: Selecting Good Passwords.

Updating. You should change your passwords periodically. Because all passwords can be discovered by a determined hacker, given enough time, even a well select password can be guessed by hacker software. By changing your password, you keep a hacker guessing longer.
Also, some hackers gain access to an accounts only to save them to use when they have been blocked on other accounts. One rule of thumb: If you are worried that someone may have obtained your password, it's time to change.

Memorization. There is a substantial loss of security by writing down passwords, instead of memorizing them. Writing passwords onto notes attached to ones computer provides no security at all.

Software that remembers your passwords. Beware of always selecting "Remember Password" features on Networking, Mail or FTP software. If someone gains access to your computer workstation when no one is around, they have instant access to the servers you connect with.

Using the same passwords on different computer systems. Users who access different computer systems increase their security risk by using the same password on the different system. A hacker who cracks the password on one system then has access to others.

Physical Security

Select a location to prevent system failure due to environmental hazards such as overheating from HACV system or sunlight, fire, exposure to moisture, water, chemicals, or dust. Reduce the chance of accidental damage of equipment by food or drink, unhooking of network cables, etc.

Lock the door to your office when you are not there. This also is known to prevent other types of crime such as theft of computers or small but expensive internal computer parts. Computers in public areas should be locked to heavy tables or bolted to walls. Their cases should be secured so that no one can quickly gain access inside the case with a simple screwdriver. Special designed cables or prevent portable computers from being quickly swiped.

System Security

The best way to run a secure system, is to run a properly configured system. Research the security vulnerabilities in your system using resources found on the internet: web sites and newsgroups.

Not all suggestions listed below are appropriate for all systems. Servers need different security approaches than workstations. Proper system security will address the following issues:

User authentication & control. Promote the use of proper passwords. For increased security use shadow passwords. Disable inactive accounts to prevent their misuse. Remote system administration requiring root access should use secure shell protocol (ssh). See http://www.rz.uni-karlsruhe.de/~ig25/ssh-faq/ and http://www.lysator.liu.se/~nisse/lsh/

Limit access & track use of system resources. Checking the security state of the system, starting with routine examination of the log files. These are usually found in /usr/adm or /var/logs Track system load using the program top. When setting up systems, consider using different partitions to separate system files, user accounts, ftp documents, web documents, and log files, to prevent problems in one partition from causing damage to the others. Increase file protection by changing owner and group privileges to limiting access.

Secure client/server services. Look for server daemons running on your system such as web servers (httpd), FTP servers (ftpd), mail servers (sendmail), and file servers ( nfsd or smbd ) These programs are gateways into your system and are frequently targeted for attacks. Disable any that are not needed. Do vulnerability searches for the ones that must be running, and obtain the latest patches. Inform users to of security holes in client software, such as web browsers.

Network access control. Make sure your computer and all the computers it is closely linked to are secure. Inspect hosts files for improper entries. Critical systems or systems with sensitive information should consider implementation of a firewall.

Preserve Data Integrity. Make file backups and verify them with your system. Be prepared in case all your security plans fail.

Intruder Detection. Look for evidence of hacking by reviewing log files. Critical systems should consider using intruder detection software.

Information on Selected Unix Systems

Sun - Solaris: Security White Paper - Networking Security -SunSolve Online Security Info - comp.sys.sun - comp.unix.solaris
Silicon Graphics (SGI) - IRIX: Security - Advisories - Security Patches - Other Patches - comp.sys.sgi
Intel-based PCs - Linux: Security HOWTO

Selected Linux Distributions and Information:
Red Hat: Web Site | Support | Patches
Caldera: Web Site | Support | SuSE: Web Site | Support | TurboLinux: Web Site | Support

For all systems, also see:

Linux Administrators Security Guide:
http://www.seifried.org/lasg/

CERT Command Center:
http://www.cert.org

NIH Computer Security Information:
http://www.alw.nih.gov/Security/security.html

NIH Computer Security Links:
http://www.alw.nih.gov/Security/security-www.html

Freshmeat - Updates on Linux and other Unix software
http://www.freshmeat.net

Slashdot - Technology News:
http://www.slashdot.org

 

701 W. Broad St., Box 843059
Richmond, VA 23284
(804) 828-1177
RSS

 
VCU