
Slackware-13.37-Hacks-Hardening Tips

Posted 02-04-2012 at 09:17 PM by arniekat

These suggestions are based on advice from the SlackWiki Basic Security Fixes, The Center For Internet Security Slackware Benchmarks and on the General Hardening Tips for Red Hat Enterprise Linux. I condensed and categorized as many of the suggestions as I could glean; however, it is your choice as to how many of them apply in your case.


Create a BIOS Password to keep others from changing your BIOS settings. After you have installed Slackware, you can disable booting from CD/DVD and USB so that your computer will be forced to boot from the Hard Drive. You can still use the CD/DVD and USB once the machine is running. Since the BIOS can be reset to its default settings by removing the watch battery on the motherboard, you should consider adding tamper-resistant computer case screws. The two I have seen are the Torx Security Screws, which require a special screwdriver bit to install/remove, and the CPU Security Lock, which replaces one of the computer case screws and uses a special barrel-shaped key to install/remove. Setting a lilo password will keep someone else from booting to single-user mode (runlevel 1) or from changing the settings at boot time.


When you first install Slackware, keep the /home, /tmp, /usr and /var on separate partitions so that you can change mount options in /etc/fstab to limit what files on those partitions can do. If you look at your /etc/fstab file and see the 4th column (mount options) as "defaults", this means that the file system being mounted is using the default values for the file system in question. In the case of ext4 (see man mount) these are: rw, suid, dev, exec, auto, nouser, and async. Here are some suggested defaults from the RHEL Hardening Manual.

/home    defaults,nodev
/tmp     defaults,nodev,nosuid,noexec
/usr     defaults,nodev
/var     defaults,nodev
tmpfs    defaults,nodev,nosuid,noexec
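
The options listed above can be checked mechanically against an fstab file. The following shell function is an added example, not part of the original post; the sample fstab and the OK/WEAK/NOPART labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab-format input against the mount options in this post.

check_fstab() {
    # Reads fstab-format text from file $1 (or stdin); prints one finding per line.
    awk '
    BEGIN {
        # Required options per mount point, from the list above.
        req["/home"] = "nodev"
        req["/tmp"]  = "nodev,nosuid,noexec"
        req["/usr"]  = "nodev"
        req["/var"]  = "nodev"
    }
    /^[ \t]*#/ || NF < 4 { next }       # skip comments and incomplete lines
    {
        mp = $2
        if ($3 == "tmpfs") { want = "nodev,nosuid,noexec" }  # matched by fs type
        else if (mp in req) { want = req[mp] }
        else { next }
        seen[mp] = 1
        split("", set)                   # portable way to empty an array
        n = split($4, have, ",")
        for (i = 1; i <= n; i++) set[have[i]] = 1
        m = split(want, need, ",")
        missing = ""
        for (i = 1; i <= m; i++)
            if (!(need[i] in set)) missing = missing (missing ? "," : "") need[i]
        if (missing != "") { print "WEAK " mp " missing=" missing }
        else { print "OK " mp }
    }
    END {
        # A listed directory with no fstab entry is not on its own partition.
        for (mp in req) if (!(mp in seen)) print "NOPART " mp
    }' "${1:--}" | LC_ALL=C sort
}

# Constructed sample input, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
/dev/sda1  swap      swap   defaults                      0 0
/dev/sda2  /         ext4   defaults                      1 1
/dev/sda3  /home     ext4   defaults                      1 2
/dev/sda5  /tmp      ext4   defaults,nodev,nosuid         1 2
/dev/sda6  /var      ext4   defaults,nodev                1 2
tmpfs      /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0
EOF
}

sample_fstab | check_fstab
```

Run it against the real file with `check_fstab /etc/fstab`; a NOPART line means that directory still lives on the root filesystem, so its options cannot be tightened separately.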


Setting up encryption is fairly easy with Slackware. The README_CRYPT.TXT has all the details on how to do this. You can set up swap space encryption during or after installation, and it uses a random key on every boot. You do not need to enter a password to have swap space encryption. To have /home encryption, you will need to do this when you first install the system. With swap and /home encryption, you only need to remember one password to decrypt. Of course you will also need your login password.


Weak passwords make your system vulnerable. You can use John The Ripper (current version 1.7.9 available from SlackBuilds) to check your /etc/passwd file and see if the application can crack your password. If it can, you might consider strengthening it up a bit by adding capital letters, numbers, characters, etc.


Turning off services not only saves you resources and RAM, it also makes your computer more secure since it is one less application running that can be hacked or compromised. There is a tutorial for turning off services on Linux Questions.


Normally, I do a Full Installation to have all the tools and compilers available to me since I like compiling everything I need and personalizing my system. However, from a security standpoint, the more unused software you remove, the less chance you have of being affected by a vulnerability in any one piece of software. Here are potential candidates for removal:

1. Games (bsd-games)
2. Extra Shells (ksh93, tcsh, zsh)
3. Server Applications (apache, bluetooth, cups, nfs, samba, sendmail)
4. Window Managers (fluxbox, fvwm, windowmaker, xfce)
5. Misc Applications (emacs)
6. Compilers (gcc-gnat, gcc-objc, others from the "D" Series)

With regard to the Compilers and Developer Tools, the reasoning is that if someone were to break in to your machine, they would try to compile/install a rootkit with kernel modules. If the tools to compile are not there, then you are making it harder for someone to root your box. If you compile your packages on another machine and use the patches provided by Slackware, then you don't need to compile software on your box.


You can go to the Slackware website and download the patches to your machine, then use the command "upgradepkg" to install the patches. The automated way to do updates is by using the slackpkg tool included with the Full Installation of Slackware. This will check the packages and perform the update using an ncurses menu. There is a tutorial for installing/configuring slackpkg on Linux Questions.


Aide - Available from SlackBuilds. Aide monitors for file system changes. It does this by creating a database with MD5 and SHA1 checksums of your files and binaries. When you run aide later on, if the checksums don't match, it will let you know. It may mean you have upgraded a package or it could mean you have been hacked.

Chkrootkit - Available from SlackBuilds. Chkrootkit checks your system for known rootkits.

FireHOL - Available from SlackBuilds. FireHOL is a tool for configuring a firewall. There is a tutorial for installing/configuring FireHOL on Linux Questions.

UFW - Available from SlackBuilds. UFW is a tool for configuring a firewall. It is called the Uncomplicated Firewall and comes from the Ubuntu Project. There is a tutorial for installing/configuring UFW on Linux Questions.


If you choose to have automatic login, anyone can turn on your machine and get to your files, etc. Configure the Login Manager (KDM, GDM, XDM, SLiM) so that the Login Name is BLANK. If you let the Login Manager display the Login Name, you have just given away half of the information required to log in to your machine. Increasing the login delay to 10 seconds after a wrong password is entered forces a cracker to spend more time on each guess at the login password.


This will restrict who is able to su to root and use sudo so that if you have multiple users on the computer, they will not be able to do too much damage to the box. Hopefully.