TechTrax, brought to you by MouseTrax Computing Solutions

(Simply) Securing your Linux and Windows Environment

by Ben Sgro


Skill rating level 9.

Tutorial 1 of 2

Foreword

This tutorial uses tools on both the Linux and Windows platforms and assumes you have experience with both. The tests were conducted on Fedora Core 5 (Linux kernel 2.6) and Windows XP SP2.

It also assumes your development environment is Linux and your desktop is Windows. This is a common setup for those developing LAMP (Linux/Apache/MySQL/PHP) applications.

This tutorial does not pretend to be the be-all and end-all of security documents. It does include a number of basic security procedures and practices that are easy to implement and do not get in the way of your work. Both common and less common ways of practicing security are covered. These methods are meant to supplement your existing security practices; none of them provides adequate security on its own.

This tutorial is being delivered in segments. The first will cover:

  1. Securing your PC

    1.  Process Explorer
    2.  TCPView

  2. Securing your server

    1.  SSH on nonstandard ports
    2.  Setting up SSL (HTTPS)

  3. Remote Access

    1.  Allowing incoming connections through your router

The second tutorial will continue where the first finishes and include:

  1. Securing your PC

    1.  Encrypting your email
    2.  Finding rootkits

  2. Securing your server

    1.  Using PGP to encrypt files
    2.  .htaccess setup for remote authentication

  3. Remote Access

    1.  Using DynDNS to map dynamic IPs to static hostnames
    2.  Wireless encryption (WPA)

Links to utilities and informational resources are included at the end of this tutorial.

Introduction

Security. It is a concern for developers, businesses and consumers ... just about everyone is affected by security and the lack of it. I recently received a letter from my credit union stating sensitive financial data had been stolen, mine possibly included. My question to them is, “Why was this data not encrypted?” There is no excuse for not encrypting data in 2007, when storage costs are at an all-time low and computing power is at an all-time high.

Securing your PC

I don't use anti-virus or anti-spyware programs. Call me crazy, but I don't visit sites or download software that would require them. However, I do check for the existence of such evil programs by running two great utilities developed by Sysinternals prior to their acquisition by Microsoft. One is Process Explorer and the other is TCPView. Download the tools now from the links provided at the end of this tutorial and install them.

Let's take a look at the Process Explorer output:

Figure 1. Process Explorer Output

The screenshot shows the processes running on a Windows XP PC. The real value of this utility lies in knowing what your PC looks like stock, that is, before you installed all sorts of software onto it and connected it to the Internet. Save a listing taken at that point as your baseline, then periodically run Process Explorer and compare: any process that has appeared without your knowledge deserves an explanation.

This utility is much more powerful than Task Manager (CTRL-ALT-DEL -> Task Manager) because it shows every running process as a tree, so you can see which parent process spawned each one. A process you do not recognize is far more suspicious when its parent is your web browser or e-mail client than when it was started by the system at boot.

Another feature lets you right-click a process name and select 'Google'; a web browser is launched with search results for that program name. This is a quick way to get familiar with the utilities on your system and possibly identify unwanted software. Check the image path in the process Properties as well, since malware commonly borrows the name of a legitimate Windows process but lives in a different directory. You can also kill or suspend processes directly from the window.

The second tool, TCPView, lists every TCP connection and every UDP endpoint on the machine (UDP has no connections as such, so for UDP you see the local port a program has opened), together with the process that owns each one. Take a look at the TCPView output below:


Figure 2. TCPView Output.

This screenshot lists the running applications that have network connections, with the local and remote ports and the remote address. You can easily see whether applications are talking over the network without your permission. As with Process Explorer, get familiar with which applications legitimately require network access. That way you can spot surreptitious software quickly and block it at your firewall or remove it altogether.

TCPView also includes a useful option: right-click an application with a remote connection and select 'Whois' to display registration details for the owner of the remote IP address or host name.

Our last simple precaution for securing your PC is to use a browser other than Internet Explorer. Because IE holds over 60% of the browser market (see the Browser Statistics reference at the end), most browser exploits are built to target it; that gives crackers and malware writers a better 'bang for their buck'. Switching browsers reduces your exposure but does not remove it, so whichever browser you use, keep it updated. If you do use IE, make sure you have the latest version and all patches installed, and disable ActiveX controls except for trusted sites.

This tutorial does not suggest removing your anti-virus or anti-spyware software. It does ask you to realize that there are additional avenues you can pursue to protect your PC. Never rely on just one software or hardware solution. You now have two new tools to add to your arsenal against viruses and malware.

Securing your Server

When developing over the LAN, connecting to the Linux server from the Windows desktop can be done securely via SSH. SSH also works well for connecting across the Internet to your home or office. Over the LAN or the Internet, SSH gives you command-line access to the Linux server with all traffic encrypted. PuTTY is an excellent SSH client that can be downloaded for free for Windows. On Linux, the SSH daemon is installed by default on most distributions and can be started with the following command as root:

[root@projectskyline.com] /sbin/service sshd start

SSH listens on port 22 by default. If you are going to allow access from the Internet through your router, move it to a non-standard port. Be clear about what this buys you: it is obscurity, not hardening. A port scan finds the new port in seconds, but the brute-force scripts and worms that hunt specifically for port 22 will pass you by, which keeps your logs readable and removes you from the lowest-effort attacks. It is no substitute for strong passwords (or key-based logins), for refusing direct root logins, or for keeping sshd patched.

To change the port SSH runs on, as root execute the following commands:

[root@projectskyline.com] emacs /etc/ssh/sshd_config

In the sshd_config file, comment out (place a # in front of the line) the 'Port 22' line and add 'Port 8022' on a new line (as detailed below):

#Port 22

Port 8022

Save the file and restart the SSHD process:

[root@projectskyline.com] /sbin/service sshd restart

Your SSH service will now be listening on port 8022; tell PuTTY to use port 8022 instead of 22. Two things to check before you depend on it: Fedora's host firewall allows port 22 but knows nothing about 8022, so open the new port there as well, and keep your existing session open while you confirm that a fresh login on 8022 works, so that a typo in sshd_config cannot lock you out.
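The port change above done as a script, with the safety net the manual edit lacks. This is an added example, not code from the original article: it backs up sshd_config, makes the same edit (comment out the active Port line, append the new one), has sshd validate the file with its -t option, and restarts only if validation passes. The config path and port are parameters; the Fedora Core 5 service command is the only thing taken from the article.

```shell
#!/bin/sh
# Added example, not code from the original article: move sshd to a new port
# the way the article does by hand, but with a backup, a syntax check and a
# rollback. The config path and port are parameters.

# set_sshd_port FILE PORT
# Prepend '#' to every active "Port" line in FILE (the old value stays
# visible, as in the article) and append "Port PORT".
set_sshd_port() {
    cfg="$1"
    port="$2"
    tmp="$cfg.tmp.$$"
    sed 's/^[[:space:]]*Port[[:space:]]/#&/' "$cfg" > "$tmp" || return 1
    mv "$tmp" "$cfg" || return 1
    printf 'Port %s\n' "$port" >> "$cfg"
}

# active_ports FILE
# Print the port numbers sshd would bind according to FILE, one per line,
# ignoring commented lines.
active_ports() {
    awk '$1 == "Port" { print $2 }' "$1"
}

# apply_sshd_port FILE PORT
# Back up FILE, edit it, and let sshd validate the result (sshd -t -f FILE)
# before restarting. If validation fails the backup is restored and sshd is
# left running on its old port, so a typo cannot lock you out.
# Run as root, e.g.: apply_sshd_port /etc/ssh/sshd_config 8022
apply_sshd_port() {
    cfg="$1"
    port="$2"
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_port "$cfg" "$port" || return 1
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "sshd rejected $cfg, restoring $cfg.bak" >&2
        mv "$cfg.bak" "$cfg"
        return 1
    fi
    /sbin/service sshd restart
}
```

After a successful restart, open TCP 8022 in the host firewall (Fedora's default iptables rules only allow 22) and, if SELinux is enforcing and sshd fails to bind the new port, look for the denial in /var/log/audit/audit.log. To have sshd start at boot on Fedora, run /sbin/chkconfig sshd on.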

Securing your Server Continued

Web access is a necessity when developing web-based applications. Over the LAN, plain unencrypted HTTP is usually acceptable, bearing in mind that anyone else on that LAN, wired or wireless, can read it. When remote employees or clients need access to projects across the Internet, encrypting the traffic is essential, because it passes through networks you do not control.

Apache on most Linux distributions is set to listen on both port 80 (HTTP) and port 443 (HTTPS) once its SSL module is installed. On Fedora, installing the mod_ssl package also generates a self-signed certificate for the host, so HTTPS works without further configuration.

To use SSL, just change your URLs from http://target to https://target. You will receive a prompt like the one pictured below:

Figure 3. SSL Certificate Warning

The warning appears because the certificate is self-signed: no authority the browser trusts has vouched for it. Certificates can be purchased from companies such as Verisign, at $399 for the cheapest*. A self-signed certificate encrypts the traffic exactly as well as a purchased one; what the purchase buys is the browser's trust, so visitors no longer see the warning. For a retail website that is worth paying for. For a low-traffic development server it is probably not necessary, but then teach your users what the warning means: they should accept the certificate only after comparing its fingerprint with one you gave them by another channel, since a self-signed certificate they click through blindly could just as easily belong to someone sitting between them and your server.
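Generating your own self-signed certificate and recording its fingerprint, as an added example that is not part of the original article. Fedora's mod_ssl package makes a certificate for you, but one whose Common Name is the name users will type, and whose fingerprint you have written down, is what lets a remote user tell your certificate from an impostor's when the warning appears. The host name, file names and key size below are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the server's
# self-signed certificate and record its fingerprint so that users who see
# the browser warning can check what they are accepting. Host name, file
# names and key size are assumptions.

# make_self_signed HOST KEYFILE CERTFILE
# Create a 2048-bit RSA key (unencrypted, so Apache can start unattended)
# and a one-year self-signed certificate whose Common Name is HOST.
make_self_signed() {
    host="$1"; key="$2"; crt="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -keyout "$key" -out "$crt" 2>/dev/null || return 1
    chmod 600 "$key"    # the private key is the whole secret; keep it private
}

# cert_fingerprint CERTFILE
# Print the SHA-256 fingerprint (AB:CD:...) of CERTFILE. Give this value to
# remote users out of band (phone, signed e-mail); it is what they compare
# with the fingerprint the browser shows in the warning dialog.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# verify_fingerprint CERTFILE EXPECTED
# Succeed (exit 0) only when CERTFILE's fingerprint is exactly EXPECTED.
verify_fingerprint() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Usage on the server, as root (paths are assumptions):
#   make_self_signed dev.example.lan /etc/pki/tls/private/dev.key /etc/pki/tls/certs/dev.crt
#   cert_fingerprint /etc/pki/tls/certs/dev.crt   # record and publish this
```

On Fedora, point SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf at the generated files and restart httpd. Internet Explorer on XP displays the certificate's SHA-1 thumbprint in its details dialog, so give users a -sha1 fingerprint as well if that is what they will be comparing against.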

Allowing Remote Access to your Development Server

Often you will want to give customers a sneak peek at their projects as they are being developed. You may also have satellite offices that need access to the development server. Such needs are addressed easily and securely below.

Now that you have HTTPS and SSH setup on the LAN, configure the router to allow incoming connections from the Internet to the two services offered on the Linux server.

For this tutorial we are using a Linksys wireless router, but the process is similar for most routers. Access the router's web interface and navigate to the port forwarding page, which will look similar to the one detailed below:


Figure 4. Router Configuration

Fill in the values as shown in Figure 4: forward external TCP port 8022 to port 8022 and external TCP port 443 to port 443 on the Linux server, with the 'IP Address' field set to the server's address on your LAN. To find that address, execute:

[ben@projectskyline ~]$ /sbin/ifconfig

eth1      Link encap:Ethernet  HWaddr 00:08:54:B2:73:C8

          inet addr:192.168.1.102

and note the 'inet addr:' value, which is the IP address of your Linux server. If the server gets its address from DHCP, give it a static address or a DHCP reservation in the router; otherwise the port forward silently breaks the next time the lease changes.

Once the values are set above, you can update the router and exit.

You will now be able to reach the Linux server through your router from anywhere on the Internet, on both the SSH port (8022) and the HTTPS port (443). Remember that anyone on the Internet can now reach those two services, so keep sshd and Apache patched, and confirm from outside your network that only those two ports answer.
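Before exposing the server, it is worth knowing exactly what it listens on, the same "know what stock looks like" check the article makes with TCPView on the PC, done on the Linux side with netstat. The following is an added example, not code from the original article: it normalizes netstat's listening-socket output into a baseline file and reports any listener that appears or disappears later. The netstat output embedded below is constructed for the example (a freshly installed server, then the same server after the article's changes plus one listener nobody asked for), and the baseline path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original article: a netstat-based
# baseline of listening sockets on the Linux server. The sample netstat
# output is constructed for the example; the baseline path is an assumption.

# listeners
# Read "netstat -tuln" (or -tulnp) output on stdin and print one
# "proto address:port" line per listening TCP socket or bound UDP socket,
# sorted so the result can be compared with comm(1).
listeners() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ { print $1, $4 }' | sort -u
}

# compare_listeners BASELINE NOW
# Print "+ proto addr" for sockets present in NOW but not in BASELINE and
# "- proto addr" for ones that disappeared. Exit 0 when nothing changed,
# 1 otherwise, so the function can drive a cron job that mails you.
compare_listeners() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ] && [ -z "$removed" ]
}

# Constructed sample: the server as installed (the baseline) ...
SAMPLE_BASELINE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# ... and after the article's changes, plus one listener nobody asked for.
SAMPLE_NOW='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Usage on the real server, as root:
#   netstat -tuln | listeners > /var/lib/listeners.baseline    (once, when clean)
#   netstat -tuln | listeners > /tmp/listeners.now && \
#       compare_listeners /var/lib/listeners.baseline /tmp/listeners.now
```

Run against the samples, the comparison reports "- tcp 0.0.0.0:22", "+ tcp 0.0.0.0:8022" and "+ tcp 0.0.0.0:443", which the article's changes explain, and "+ tcp 0.0.0.0:31337", which nothing does. Services bound to 127.0.0.1, like MySQL here, are unreachable through the router regardless of forwarding; anything on 0.0.0.0 is one port-forward rule away from the Internet.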

The next tutorial will explain how to map your dynamic IP address to a static hostname. This provides a reliable way of accessing your server from anywhere in the world, securely.

If you have any questions or comments please contact me.

References

TCPView:
www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

Process Explorer:
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

SSH:
en.wikipedia.org/wiki/Secure_Shell

PuTTY:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Browser Statistics:
http://www.w3schools.com/browsers/browsers_stats.asp

*As of 3/19/07 from Verisign.com

Ben Sgro is the chief engineer and co-founder of ProjectSkyLine LLC, a full service software company that provides web development, graphic design, application programming, identity standards, Internet marketing and security. ProjectSkyLine has just released their premier product, Project-Contact, a full-featured RSVP management application for web use. If your company needs a custom solution please contact Ben or anyone on the ProjectSkyLine team at http://www.projectskyline.com.
