Armoring (Grid) Linux systems

This page is intended to system administrators willing to improve the security of their Linux systems in a Grid environment. It contains specific configuration changes aimed at reducing the risk of intrusion and at limiting the impact of potential compromises.

This page only focus on the security of the system level (as opposed to the grid middleware level).

Generic recommendations are available from Site Security Guidelines

Remove useless network services

Unless specifically needed by some application, the following network services should be uninstalled: portmap,nfslock, and xinetd.

# Turning off useless services

/sbin/chkconfig --level 2345 portmap off
/sbin/chkconfig --level 2345 nfslock off
/sbin/chkconfig --level 2345 xinetd off
/etc/init.d/nfslock stop
/etc/init.d/portmap stop
/etc/init.d/xinetd stop 

The list of active network services should be carefully controlled and validated. It is available using:

netstat -tplu

Remove unnecessary applications

It is important to check that every installed application is useful for the service provided by the node. In particular, potentially dangerous applications (such as nmap, tcpdump or ethereal) should be removed.

For instance, the following set of packages should be uninstalled:

rpm -e ethereal tcpdump nmap libpcap redhat-config-rootpassword  cups redhat-lsb cups-libs samba-common 
wireless-tools ftp  dhclient audiofile ppp esound arts libgnome samba-client wvdial  rp-pppoe libgnomeui
 memprof libbonoboui gnome-python2 gnome- python2-bonobo  redhat-config-packages libao-0.8.3-3.1 
libao-devel-0.8.3-3.1 

Configure a secure local firewall

It is highly recommended to configure a local firewall on all the machines. Such a firewall would control the incoming connection to the system. The local firewall is far more effective when the default behavior is to reject the connections, except is it is specifically allowed. A sample iptables configuration:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Maintaining established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# This node accepts SSH connections from the following subnets:
-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.141.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.142.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT

# NTP from cern servers
-A INPUT -s 137.138.17.69  -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 137.138.16.69  -p udp -m udp --sport 123 -j ACCEPT

# Drop invalid packets.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Enable local loop and ICMP-ping
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP

COMMIT

Armoring SSH configuration

Remote root login via SSH should be done using public_key or Kerberos only. By doing so, even if the root password of the node is compromised (sniffed, cracked, guessed), is would still be impossible for the attacker to remotely login as root (physical access to the machine or the su command is necessary to login as root with the root password).

It is assumed that system administrators are knowledgable and will reasonably protect their SSH private key.

It is possible to implement this with:

echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config 

Single user mode

Very often, single-user mode Linux, which can be activated with physical access to the machine, enable the user to login as root without being prompted for a password. It is highly recommended to disable this feature:

echo "# What to do in single-user mode." >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab

-- Romain Wartel - Romain.Wartel@cernNOSPAMPLEASE.ch - 03 Feb 2006

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2006-03-07 - RomainWartel
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback