Front cover - IBM Redbooks

For example, if a system is being used as a file server, there is little benefit in
enabling electronic mail (e-mail) services. E-mail services run as root, and there
is a long history of e-mail-related security breaches. Proper system-hardening
procedures call for these services to be shut down, resulting in a dedicated
system with the fewest opportunities for exploitation.
The process of hardening a UNIX or GNU/Linux server begins at the time of
installation. Thereafter, additional activities are performed, which include:
► Eliminating points of attack by shutting down or reconfiguring services and
ports as well as removing unnecessary libraries
► Adding robustness to the file system by looking at file ownership and
permissions
► Properly setting up user accounts so that privileged accounts are only used
when appropriate (and necessary) and that all accounts have proper,
non-trivial passwords
Some common guidelines for configuring UNIX servers more securely by default
are available from CERT's Web site at the following URL:
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines
9.4.2 Partitioning for protection
Typically, no matter the flavor of UNIX being installed, a number of partitions are
defined, each having a specific purpose, such as SWAP and /tmp. Beyond these
obvious partitions, work should be done to protect against out-of-disk-space
denial-of-service attacks.
Some examples of typical attacks are trying to create an excessive generation of
logging data; or filling the file system of the UNIX server with large files through
FTP, or, if your Domino server isn’t configured properly, by trying to send
inordinately large messages that will make the mail.box file grow accordingly and
allocate the needed space on the hard drive.
The best way to protect against this kind of attack is to segment the file system
hierarchy into separate physical partitions:
► root partition (“/”): This partition can be small because it generally contains
just the kernel, meaning the necessary files, libraries, and configuration for
booting in /bin, /sbin, /etc, and /lib. Access to the attached devices is provided
through the /dev and /devices directories. Many GNU/Linux distributions store
kernels and symbol data in the /boot directory, whereas kernel libraries are
stored under /lib.
► /usr partition: This partition is normally where user-accessible applications
are stored. Normally, /usr does not contain data or configuration files that
Chapter 9. Server hardening 389