I am a total newbie and have probably done a silly thing. A couple of weeks ago I got my new dedicated server - planning to learn as I go. However I timed out before doing all the things I should have done - then went on holiday.
So, I would much appreciate it if someone could show me step by step how to make my server as secure as possible while I gradually learn about it and install a firewall, etc.
In particular I think I need to shut down all external services (except ssh) just to make it secure for the time being; how do I do this?
Also, is there some way I can check that my machine has not been compromised whilst I left it in its insecure state?
First, I might recommend using ntsysv. This utility can be run from the command line. Uncheck or 'unstar' the services you do not want to run. Definitely turn off sendmail and telnet. Telnet may be called telnetd. Ntsysv is located in:
You need to be root to run it.
Also, you can use lokkit to help set up a decent firewall until you feel ready to tackle iptables. Lokkit is in /usr/sbin/lokkit and you need to be root to run it. For very basic services like ssh and telnet, you can just check or uncheck the boxes. You can add other ports on the text line below the checkboxes in the format of port:service. For example to allow Samba, you need to let the following ports through:
You would put these on the 'other ports' line in lokkit with a space between each. Strangely enough, when installing RH9, you can also set up these 'extra ports' during one of the setup screens in the same manner but must separate each value with a comma.
You will want to make sure the internet server configuration does not start up programs by checking the configuration file of each service in "/etc/xinetd.d". The internet server listens for connections on the ports of these services in this file. To disable an individual service, you can open the file in pico or nano or vi and add or edit the "disable = " line to say "disable = yes".
For example here is a copy of my /etc/xinetd.d/rshd file. I want it turned off for good. I added the line disable = yes as the first configuration line inside the brackets.
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
#	consequently, for the rsh(1) program. The server provides \
#	remote execution facilities with authentication based on \
#	privileged port numbers from trusted hosts.
service shell
{
	disable		= yes
	socket_type	= stream
	wait		= no
	user		= root
	log_on_success	+= USERID
	log_on_failure	+= USERID
	server		= /usr/sbin/in.rshd
}
Use ntsysv to kill:
telnet (for sure!)
rhnsd (maybe - check with someone else to confirm this)
Use an editor to change those /etc/xinetd.d configurations then
you can restart the xinetd with:
This is only a small start. I recommend 'Maximum Linux Security' as a readable primer for newbies (like me).
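As an added example (not code from this thread), a small POSIX shell script that does the /etc/xinetd.d check described above: it lists which services would still start because their file lacks "disable = yes", and it can add that line the way the rshd file above has it. The directory and service files it is tried on are constructed; the real path is /etc/xinetd.d.

```sh
#!/bin/sh
# Added example, not from the thread: audit an xinetd.d directory for services
# that are still enabled and switch selected ones off with "disable = yes".
# Assumes the Red Hat 9 layout discussed above: one file per service under
# /etc/xinetd.d, each holding a "service NAME { ... }" stanza.

# Print "NAME enabled|disabled" for every service file in the directory.
xinetd_audit() {
    dir="${1:-/etc/xinetd.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Service name from the "service NAME" line; fall back to the file name.
        name=$(awk '$1 == "service" { print $2; exit }' "$f")
        [ -n "$name" ] || name=$(basename "$f")
        # xinetd starts a service unless its stanza says "disable = yes";
        # the "# default: on" comment at the top is only a hint for tools.
        if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            echo "$name disabled"
        else
            echo "$name enabled"
        fi
    done
}

# Print only the names of services that would still start.
xinetd_enabled() {
    xinetd_audit "$1" | awk '$2 == "enabled" { print $1 }'
}

# Set "disable = yes" in one service file: rewrite an existing disable line,
# or insert one right after the opening brace, as the rshd example above does.
xinetd_disable() {
    f="$1"; tmp="$f.tmp.$$"
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        sed 's/^\([[:space:]]*disable[[:space:]]*=\).*/\1 yes/' "$f" > "$tmp"
    else
        awk '{ print } /^[[:space:]]*[{]/ && !ins { print "\tdisable\t= yes"; ins = 1 }' "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
}

# Typical use on the box itself (as root): show what is still on, turn off the
# remote-login services, then restart xinetd so it rereads the files.
#   xinetd_enabled /etc/xinetd.d
#   for s in rsh rlogin telnet; do [ -f /etc/xinetd.d/$s ] && xinetd_disable /etc/xinetd.d/$s; done
#   /sbin/service xinetd restart
```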
JD - I have killed telnet, but none of the other services in your list appear to be present when I do chkconfig --list - though there are many other ones - how would I go about working out which ones I need and at what level?
Also, when I ran lokkit it appeared to be already set at high - so I assume I am reasonably safe for the time being while I gradually work out what I need to run my site.
I've got RedHat 9, and I assume my provider (Rackshack) has defaulted to a reasonably safe default installation (or am I now being unduly optimistic?).
Is there a checklist of logs I should check now and periodically to ensure my machine is not compromised?
>>>>how would I go about working out which ones I need and at what level?
Unfortunately, you have to go to the web and research (Google) what each service does and make that determination yourself. In general, the services in /etc/xinetd.d that start with the letter 'r' are used to provide 'r'emote services, but not all. For example:
I pulled this off Google about rhnsd:
rhnsd is a daemon process that runs in the background and periodically polls the Red Hat Network to see if there are any queued actions available. If any are queued, it runs them.
Based on this, you may want to run this to keep your OS up to date, but I don't think you need it because I think you can run Up2Date from the main console to do the same thing. So you must research each daemon/service.
>>>>Also, when I ran lokkit it appeared to be already set at high - so I assume I am reasonably safe for the time being while I gradually work out what I need to run my site.
Here is the official explanation of the settings (Google again):
High Security — This option disables almost all network connects except DNS replies and DHCP so that network interfaces can be activated. IRC, ICQ, and other instant messaging services as well as RealAudio™ will not work without a proxy.
Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.
Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the Section called Activating the iptables Service. The security of your system will not be changed.
As you can see, high prevents ssh from running. Click high in lokkit, then go to customize, and reallow ssh port (22:tcp).
>>>>I've got RedHat 9, and I assume my provider (Rackshack) has defaulted to a reasonably safe default installation (or am I now being unduly optimistic?).
If you're not in charge, assume the worst.
>>>>Is there a checklist of logs I should check now and periodically to ensure my machine is not compromised?
Yes. But I do not know what they are. I would love to have a complete list of logs, what they mean, what to look for, etc. I asked for this in a previous post, but received the less than 'thorough' answers you get sometimes.
Could someone point us to this? There must be a website somewhere?
Ok, thanks again - I think I'm on the right path now - I have used lokkit on high just to keep me safe for the time being while I work out how to get a bit more sophisticated.
As a matter of interest, after looking at other posts I realise that a number of people have had problems with lokkit in the same way that I have (I am talking about the non-GUI version). Every time you go into it, it displays 'high', and you assume this is what your settings are, whereas I don't think it is showing you what your current settings are at all - the display just defaults to this. If you then OK rather than cancel you will change your setting to high (with no 'customisation'). The result for me was that this then locked me out of the machine.
I have seen some posts where obviously experienced people have said that it is broken - I doubt it is broken, this is just the way it works. When you know this it works fine. I have set mine to high for the time being and 'customised' SSH and HTTP to work, which suits me until I get a firewall properly sorted.
Hope this may help others (but if I've got it wrong someone please let me know).
This might help. Lokkit is a tool used to write the iptables files for you. When you start up lokkit, you are preparing to write a new file, you are not viewing the contents of the current iptables file. The current file is just sitting at:
When you are done setting up lokkit (i.e. putting in the ports you want to 'pinhole', checking off the default offerings, etc.), and click the final 'OK', then and only then does lokkit "rewrite" the
file overtop the old file. I think you are comparing it to a "real-time" utility that would list the current setup while you are making changes, but that is not how it works. lokkit is basically a script generator.
Iptables is a well accepted (must be, it comes with the kernel) and popular firewall that is a nice supplement to your hardware firewall (i.e. Linksys Router, 3COM appliance, whatever). Iptables is well documented and "relatively" easy to configure. For these reasons I would learn as much as you can about it before moving on to another firewall system. Of course if you have sensitive or mission critical information on this computer, I have no opinion whatsoever. In my case, my computer is just a toy/distraction/learning experience, and if I were hacked, the information on the computer would not be damaging. By the way, the last time my Linux box got hit, it was through the windows boxes on the network! Apparently even having a windows box is dangerous [lol].
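As an added illustration of what lokkit is generating (written here by hand, not lokkit's own output), this is an /etc/sysconfig/iptables file in iptables-restore format that expresses the quoted High policy plus the one 22:tcp pinhole recommended earlier in the thread; the interface name eth0 is an assumption.

```iptables
# Added example, not lokkit's own output: a hand-written /etc/sysconfig/iptables
# matching the "High Security" description above (nothing inbound except DNS
# replies and DHCP) plus the "customize" pinhole for SSH, 22:tcp.
# eth0 is an assumed interface name.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host started; DNS answers to our own queries arrive this way
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP, so the interface can be activated
-A INPUT -i eth0 -p udp --sport 67:68 --dport 67:68 -j ACCEPT
# the single pinhole: new SSH connections
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# everything else is refused outright
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

On RH9 the file is loaded by `service iptables restart` (or `iptables-restore < /etc/sysconfig/iptables`), and `iptables -L -n` shows what is actually in effect. Apply it from a session that is already open and confirm a second ssh login still works before you log out, since a wrong rule here reproduces the lockout described earlier in the thread.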