LinuxQuestions.org
Slackware-13.37-Hacks-Hardening Tips

Posted 02-04-2012 at 10:17 PM by arniekat

These suggestions are based on advice from the SlackWiki Basic Security Fixes, The Center For Internet Security Slackware Benchmarks and on the General Hardening Tips for Red Hat Enterprise Linux. I condensed and categorized as many of the suggestions as I could glean, however, it is your choice as to how many of them apply in your case.

PHYSICAL SECURITY

Set a BIOS password so nobody else can change your BIOS settings. After you have installed Slackware, disable booting from CD/DVD and USB so that the machine is forced to boot from the hard drive; you can still use the CD/DVD drive and the USB ports once the system is running. Since the BIOS can be reset to its defaults by pulling the CMOS (watch) battery or moving a jumper on the motherboard, consider tamper-resistant case screws. The two I have seen are Torx security screws, which need a special screwdriver bit to install or remove, and the CPU Security Lock, which replaces one of the case screws and uses a barrel-shaped key. Setting a LILO password (a password= line together with the restricted keyword in /etc/lilo.conf, then re-running /sbin/lilo so the boot sector is rewritten) keeps someone at the console from booting to single-user mode (runlevel 1) or from passing kernel parameters such as init=/bin/sh at the boot prompt. LILO stores that password in clear text, so make /etc/lilo.conf readable by root only (chmod 600); lilo itself warns when it is not. None of this stops someone who simply removes the drive and reads it on another machine; that is what the encryption section below is for.
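A quick audit of the LILO hardening described above, as an added example that is not part of the original post or of LILO itself. It checks that a password is set, that restricted is present, and that the file is readable by root only. The two sample configurations it writes are constructed for the demo; the CHANGEME passphrase is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit a lilo.conf for the
# boot-password hardening.  "restricted" matters because without it LILO
# demands the password on every boot, which is how the password usually
# ends up being removed again.  Prints each finding and returns 1 if any.

check_lilo_conf() {
    conf=$1
    rc=0
    # Drop comments first so a commented-out "password=" does not count.
    stripped=$(sed 's/#.*//' "$conf")
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo "$conf: no password= line; anyone at the console can boot with init=/bin/sh"
        rc=1
    fi
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$'; then
        echo "$conf: no 'restricted' keyword; the password is demanded on every boot"
        rc=1
    fi
    # Group and other permission bits are characters 5-10 of the ls -l mode string.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: readable by group/other; the password is stored in clear text, chmod 600 it"
        rc=1
    fi
    return $rc
}

# Constructed sample: a typical stock lilo.conf with no password at all.
write_weak_lilo_conf() {
    cat >"$1" <<'EOF'
boot = /dev/sda
prompt
timeout = 50
image = /boot/vmlinuz
  root = /dev/sda1
  label = Linux
  read-only
EOF
}

# Constructed sample: the same file with a global password and "restricted".
# On a real system, re-run /sbin/lilo after editing /etc/lilo.conf.
write_hardened_lilo_conf() {
    cat >"$1" <<'EOF'
boot = /dev/sda
prompt
timeout = 50
password = CHANGEME-use-a-real-passphrase
restricted
image = /boot/vmlinuz
  root = /dev/sda1
  label = Linux
  read-only
EOF
    chmod 600 "$1"
}

# Stand-alone use: sh check_lilo.sh /etc/lilo.conf
if [ $# -gt 0 ]; then
    check_lilo_conf "$1"
fi
```

The check reads the file only; it never edits it, because the edit has to be followed by running lilo and that is a step you want to do deliberately.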

SEPARATE PARTITIONS

When you first install Slackware, put /home, /tmp, /usr and /var on separate partitions so that you can set mount options for them in /etc/fstab that limit what the files on those partitions can do. If the fourth column (mount options) of a line in /etc/fstab says "defaults", the file system is mounted with the default options; for ext4 (see man mount) those are rw, suid, dev, exec, auto, nouser and async. nodev stops device nodes on that file system from being honoured, nosuid ignores set-uid and set-gid bits, and noexec refuses to run binaries from it. Here are the options suggested by the RHEL hardening guide:

/home   defaults,nodev
/tmp    defaults,nodev,nosuid,noexec
/usr    defaults,nodev
/var    defaults,nodev
tmpfs   defaults,nodev,nosuid,noexec   (/dev/shm)

A caveat for Slackware in particular: SlackBuild scripts compile in /tmp by default (TMP=/tmp/SBo for SlackBuilds.org scripts), and some build steps run the binaries they have just produced, so noexec on /tmp can make builds fail. Either build somewhere else by setting TMP, or remount /tmp with exec for the duration of a build (mount -o remount,exec /tmp) and put it back afterwards. Changes to /etc/fstab take effect at the next mount; use mount -o remount with the new options to apply them immediately, and check mount's output rather than the file to see what is actually in force.
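A script that checks an fstab against the option list above, as an added example that is not part of the original post. It is POSIX sh plus awk, so it runs on a stock Slackware box. The policy table inside it is the post's list; the sample fstab it writes is constructed for the demo and does not describe a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: report every hardening mount
# option missing from an fstab.  Usage: check_fstab /etc/fstab
# Prints one line per missing option and returns 1 if anything is missing.

# Policy table: mount point (or fs type, for tmpfs) and the options it must
# carry.  This is the list from the post; adjust it to your own layout.
policy() {
    cat <<'EOF'
/home nodev
/tmp nodev,nosuid,noexec
/usr nodev
/var nodev
tmpfs nodev,nosuid,noexec
EOF
}

check_fstab() {
    fstab=$1
    report=$(policy | while read -r target want; do
        # fstab columns: device, mount point, fs type, options.  Match the
        # mount point for directories and the fs type for tmpfs, skip
        # comment lines, and take the first hit only.
        have=$(awk -v t="$target" \
            '$1 !~ /^#/ && ($2 == t || $3 == t) { print $4; exit }' "$fstab")
        [ -z "$have" ] && continue      # not a separate file system here: nothing to enforce
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;          # option present
                *) printf '%s: missing %s (options: %s)\n' "$target" "$opt" "$have" ;;
            esac
        done
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample fstab for the demo: /home has no nodev, /tmp lacks
# noexec, there is no separate /usr, and /var and /dev/shm are as recommended.
write_sample_fstab() {
    cat >"$1" <<'EOF'
# device      mount point   type   options                         dump pass
/dev/sda1     /             ext4   defaults                        1 1
/dev/sda2     /home         ext4   defaults                        1 2
/dev/sda3     /tmp          ext4   defaults,nodev,nosuid           1 2
/dev/sda4     /var          ext4   defaults,nodev                  1 2
/dev/sda5     swap          swap   defaults                        0 0
tmpfs         /dev/shm      tmpfs  defaults,nodev,nosuid,noexec    0 0
EOF
}

# Stand-alone use against a real file: sh check_fstab.sh /etc/fstab
if [ $# -gt 0 ]; then
    check_fstab "$1"
fi
```

Run on the sample it reports "/home: missing nodev" and "/tmp: missing noexec" and exits non-zero; /usr is silently skipped because it is not a separate partition there. Feed it the output of mount (columns differ, so adjust the awk) if you want to verify what is mounted rather than what is configured.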

ENCRYPTION

Setting up encryption is fairly easy with Slackware; README_CRYPT.TXT (on the install media and on the mirrors) has all the details. Swap encryption can be set up during or after installation and uses a random key generated on every boot, so you do not need to enter a password for it; the trade-off is that suspend-to-disk (hibernation) cannot resume, because the key that wrote the swap image is gone after a reboot. Encrypting /home is easiest when you first install the system, since the partition has to be set up as a LUKS volume before the file system is created on it. With swap and /home encrypted you only need to remember one passphrase to unlock the volume, plus your normal login password. Keep in mind that this protects the data only while the machine is powered off or the volume is locked; once /home is mounted, anyone who gets into the running system sees the files in the clear.

USE STRONG PASSWORDS

Weak passwords make your system vulnerable. You can use John the Ripper (version 1.7.9 at the time of writing, available from SlackBuilds) to see whether it can crack your own passwords. The hashes are not in /etc/passwd but in /etc/shadow, which only root can read, so combine the two files with the unshadow tool that ships with John and run john on the result (as root, and delete the combined file afterwards, since it contains every hash on the box). If John cracks a password, strengthen it: length matters more than sprinkling in capital letters, digits and punctuation, so a long passphrase beats a short "clever" password.

TURN OFF SERVICES

Turning off services not only saves resources and RAM, it also makes your computer more secure: it is one less listening program that can be attacked or compromised. On Slackware a service starts at boot only if its script in /etc/rc.d (rc.sshd, rc.httpd, rc.cups, rc.samba and so on) is executable, so to disable one you remove the execute bit with chmod -x and stop the running instance with the script's stop argument. A few services are started from /etc/rc.d/rc.inet2 or from /etc/inetd.conf rather than from their own rc script, so check those files as well, and confirm with netstat -tulpn that nothing unexpected is still listening. There is a tutorial for turning off services on LinuxQuestions.
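Two small helpers for the rc.d mechanism described above, as an added example that is not part of the original post. They list which rc scripts are enabled and disable one by name; the demo runs them against a scratch directory of stub scripts constructed here, and you would point them at /etc/rc.d (as root) on a real machine.

```shell
#!/bin/sh
# Added example, not from the original post.  Slackware starts a service at
# boot only if /etc/rc.d/rc.<name> is executable, so "turning a service off"
# is chmod -x on that script; the file stays in place for later.

# Print the names (without the rc. prefix) of every executable rc.* script.
list_enabled_services() {
    for f in "$1"/rc.*; do
        [ -f "$f" ] && [ -x "$f" ] && printf '%s\n' "${f##*/rc.}"
    done
    return 0
}

# Clear the execute bits so the script is skipped at the next boot.  The
# service keeps running until you stop it: /etc/rc.d/rc.<name> stop
disable_service() {
    chmod a-x "$1/rc.$2"
}

# Constructed scratch copy of an rc.d directory (stub scripts, not the real
# ones): sshd and httpd enabled, cups disabled.  syslog is included as a
# reminder that not every enabled rc script is a network service you can
# switch off; read the list before acting on it.
make_sample_rcdir() {
    for s in sshd httpd cups syslog; do
        printf '#!/bin/sh\n# stub %s\n' "$s" >"$1/rc.$s"
    done
    chmod +x "$1/rc.sshd" "$1/rc.httpd" "$1/rc.syslog"
    chmod -x "$1/rc.cups"
}

# Stand-alone use: sh services.sh /etc/rc.d
if [ $# -gt 0 ]; then
    list_enabled_services "$1"
fi
```

Before disabling anything, compare the list with netstat -tulpn: an rc script that is enabled but has no listening socket (rc.syslog, rc.udev) is not the kind of service this section is about.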

REMOVE UNUSED SOFTWARE

Normally, I do a Full Installation to have all the tools and compilers available to me, since I like compiling everything I need and personalizing my system. From a security standpoint, however, the more unused software you remove, the smaller the chance that a vulnerability in any one piece of software affects you. Potential candidates for removal (with removepkg):

1. Games (bsd-games)
2. Extra shells (ksh93, tcsh, zsh)
3. Server applications (apache, bluetooth, cups, nfs, samba, sendmail)
4. Window managers (fluxbox, fvwm, windowmaker, xfce)
5. Misc applications (emacs)
6. Compilers (gcc-gnat, gcc-objc, others from the "D" series)

The reasoning behind removing compilers and developer tools is that someone who breaks into your machine may try to compile and install a rootkit with kernel modules, and without a toolchain that is harder. Treat this as a speed bump rather than a control: an attacker can just as easily upload a pre-built static binary, so it mainly gets in the way of unskilled use of someone else's exploit source. If you compile your packages on another machine and use the patches provided by Slackware, you do not need a compiler on this box.

KEEP YOUR SYSTEM UPDATED

You can go to the Slackware website and download the patches (the patches/packages directory for your release on any mirror) to your machine, then install them with upgradepkg. The automated way is slackpkg, included with a Full Installation: uncomment one mirror for your release in /etc/slackpkg/mirrors, run slackpkg update gpg once to import Slackware's signing key, then slackpkg update followed by slackpkg upgrade-all, which shows an ncurses menu of the packages to be upgraded and verifies each package's GPG signature before installing it. Subscribe to the slackware-security mailing list so you know when a patch is out rather than relying on remembering to check. There is a tutorial for installing and configuring slackpkg on LinuxQuestions.

USE SECURITY-ENHANCING SOFTWARE AND TOOLS

Aide - Available from SlackBuilds. AIDE (Advanced Intrusion Detection Environment) monitors for file system changes. It builds a database of checksums (MD5, SHA1, SHA256 and others, selected in aide.conf) together with permissions, ownership and timestamps for your files and binaries, and when you run it again it reports every file whose attributes no longer match. A difference may mean you upgraded a package, or it may mean you have been hacked, so initialise the database (aide --init) right after a clean install, check regularly (aide --check), and rebuild it (aide --update) only after upgrades you made yourself. Keep a copy of the database and of the aide binary on read-only or offline media: an intruder with root can simply regenerate a database that lives on the same disk.
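The workflow AIDE automates, done by hand with sha256sum so that the baseline, check and update steps are visible, as an added example that is not part of the original post and not AIDE's own code. The demo tree it builds is constructed here; paths containing whitespace are out of scope for this simplified version.

```shell
#!/bin/sh
# Added example, not from the original post or from AIDE: a file-integrity
# baseline with sha256sum.  make_baseline records a hash for every file under
# a directory; verify_baseline recomputes them and reports ADDED, CHANGED and
# REMOVED paths, returning 1 if anything differs.  Store the baseline where
# the running system cannot rewrite it (read-only media, another host).

make_baseline() {          # make_baseline DIR OUTFILE
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) >"$2"
}

verify_baseline() {        # verify_baseline DIR BASELINE
    current=$(mktemp)
    make_baseline "$1" "$current"
    # awk reads the baseline first (NR==FNR), then the fresh listing, and
    # classifies every path that appears in either.
    report=$(awk '
        NR == FNR { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur) {
                if (!(p in base)) print "ADDED   " p; else if (cur[p] != base[p]) print "CHANGED " p
            }
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo tree (not real system files): two files are recorded,
# then one is modified, one deleted and one added before the check runs.
demo() {
    dir=$(mktemp -d); base=$(mktemp)
    printf 'original\n' >"$dir/a"
    printf 'keep me\n'  >"$dir/b"
    make_baseline "$dir" "$base"
    printf 'tampered\n' >"$dir/a"      # an intruder edits a file
    rm "$dir/b"                         # removes another
    printf 'backdoor\n' >"$dir/c"       # and drops a new one
    if verify_baseline "$dir" "$base"; then status=0; else status=1; fi
    rm -rf "$dir" "$base"
    return $status
}

# Stand-alone use: sh integrity.sh /usr/bin baseline.txt  (later: verify)
if [ $# -eq 2 ]; then
    make_baseline "$1" "$2"
elif [ $# -eq 3 ]; then
    verify_baseline "$1" "$2"
else
    demo
fi
```

The demo prints ADDED ./c, CHANGED ./a and REMOVED ./b and exits non-zero. AIDE adds what this lacks: ownership, mode and timestamp checks, per-directory rules for files that are expected to change (logs), and a signed, compressed database; the operational rule is the same, rebuild the baseline only after changes you made yourself.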

Chkrootkit - Available from SlackBuilds. Chkrootkit checks your system for known rootkits. It relies on the system's own tools (ps, netstat, ls and so on), so a rootkit that has replaced those can hide from it; for a trustworthy result, boot from known-good media and point chkrootkit at the mounted disk with its -r option.

FireHOL - Available from SlackBuilds. FireHOL is a tool for configuring a firewall. There is a tutorial for installing/configuring FireHOL on Linux Questions.

UFW - Available from SlackBuilds. UFW, the Uncomplicated Firewall from the Ubuntu project, is a tool for configuring a firewall. Both FireHOL and UFW generate iptables rules, so pick one; running both gives you two tools fighting over the same rule set. There is a tutorial for installing/configuring UFW on Linux Questions.

LOGIN HARDENING

If you use automatic login, anyone who turns on your machine gets your files. Configure the login manager (KDM, GDM, XDM, SLiM) so that the login name field is blank and no user list is shown; a displayed user name hands over half of what is needed to log in (a small gain, since user names are rarely secret, but it costs nothing). Add a delay after a failed login so that guessing is slow: for console logins set FAIL_DELAY in /etc/login.defs (10 seconds is reasonable); display managers have their own equivalent settings. A 10-second delay caps an attacker at six guesses a minute per session, but it does nothing against someone who has a copy of the hashes, which is why the password itself still has to be strong.

CONFIGURE SU/SUDO

Restrict who can become root so that, on a machine with several users, a compromised ordinary account cannot do too much damage. Slackware 13.37 does not use PAM, so the controls are those of the shadow suite: set SU_WHEEL_ONLY to yes in /etc/login.defs, which limits su to uid 0 to members of the gid 0 group (root) in /etc/group (see login.defs(5)), or write finer-grained rules in /etc/suauth (see suauth(5)). For sudo, edit /etc/sudoers with visudo only and grant the minimum: a line such as %wheel ALL=(ALL) ALL for a trusted admin group, with your own account in that group, rather than per-user root equivalence. Then check the result: su as a user outside the group should be refused, and sudo -l as each user shows exactly what they may run.