LinuxQuestions.org - Linux - Newbie
Slackware install, no Firewall out of the box? Suggestions on what to do? (http://www.linuxquestions.org/questions/linux-newbie-8/slackware-install-no-firewall-out-of-the-box-suggestions-on-what-to-do-685881/)

bapigoo9 11-24-2008 10:21 PM

Slackware install, no Firewall out of the box? Suggestions on what to do?
 
With all of the distro frenzy out there, I thought that I would try an installation of Slackware while I had the entire weekend to sit and tinker with it....without the kids! It was an easy install. Ran like clockwork. I had so much time left over that I decided to see about the Firewall.

Then, I noted that there was no default Firewall for it. Does Slackware not have a Firewall built in to it, or did I just miss something?

Any suggestions on what to use with Slackware or what features I would enable to get a basic Firewall out of the box? And, does Slackware have built in the ability to run the browser in a contained play space? Then I can turn the kids loose on it and not worry about them tearing up the fresh install?

SqdnGuns 11-24-2008 10:29 PM

Basic Slackware Security by Chess Griffin

http://chessgriffin.com/files/docs/slack_sec.txt

Code:

Post-Install Security
---------------------
You're booted up.  The first thing to do is to configure tcpwrappers by
editing /etc/hosts.deny and hosts.allow.  Add the following line to
hosts.deny to disallow access by any host to your box.

        ALL: ALL

Once this is in place, you can reinforce host denial in hosts.allow with

        ALL: ALL: DENY

or you can poke holes to allow access by certain hosts, or ranges of hosts,
to certain services.  A common entry would be to allow ssh connections:

        # ALL: ALL: DENY
        sshd: ALL: ALLOW

Firewalls are not a panacea for security.  But they are an imperative
beginning step.  iptables provides the packet filtering, or firewalling, for
the 2.4.x and 2.6.x kernels.  And if setting up an iptables firewall is not
your first step in securing your Slack box, it better be your second.

Below is an example of a basic iptables script.  The comments included
explain what the rules are doing.  Name the script rc.firewall, chmod 755
rc.firewall and mv rc.firewall /etc/rc.d.

        #!/bin/bash

        # rc.firewall for
        # Basic Slackware Security

        # These two rules set the default policies, i.e. what to do if a
        # packet doesn't match any other rule, to drop any packet coming
        # into (INPUT) or routing through (FORWARD) the box.
        iptables -P INPUT DROP
        iptables -P FORWARD DROP

        # These rules are added (-A) to the INPUT chain.  They allow packets
        # from any previously established connections and accept anything
        # from the loopback interface.
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT

        # This rule added to the INPUT chain accepts any ssh connections.
        iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT

With a basic firewall in place, it's time to edit /etc/inetd.conf to remove
unneeded services.  Now unless you absolutely know you need a service
mentioned in inetd.conf, comment it out with #.  You will probably find
that, at least initially, you'll comment out the entire file.  Here's a
Perl script that will do it for you.

        #!/usr/bin/perl
        # Comment out every active entry in /etc/inetd.conf, keeping a backup
        # copy as /etc/inetd.conf.bak.

        $conf = "/etc/inetd.conf";

        system("cp $conf $conf.bak");

        open FILE, "$conf" or die "Can't open $conf: $!";
        open TEMP, ">temp" or die "Can't create temp file: $!";

        while (<FILE>) {
                # Prefix any line that is not already a comment with #
                s/^/#/ if ($_ !~ /^#/);
                print TEMP;
        }

        close FILE;
        close TEMP;

        # Replace the original with the fully commented copy
        unlink "$conf";
        system("mv temp $conf");

If there's a service that you want shut down that you didn't choose to
during the install, stay in /etc and head to rc.d.  You can edit rc.M (M
for multi-user) and comment out the respective section that starts the
daemon, and/or you can chmod 644 rc.<service> to keep it from starting, as
rc.M starts a service based on the file test, -x.

It's safe to say that the major steps to securing your box are complete.
There are many things left to do, including advancing the above topics,
that can tighten up security.  Configuring individual services should weigh
heavily in this advancement.  Staying in line with the above examples, we
will go through some important settings for sshd.

The configuration file for sshd is /etc/ssh/sshd_config.  Edit the file and
consider making the following changes.

        # Force the more secure Protocol 2
        Protocol 2

        # Do not let root login remotely
        PermitRootLogin no

        # Watch out for world writables
        StrictModes yes

        # Require passwords
        PasswordAuthentication yes

        # Don't allow null passwords
        PermitEmptyPasswords no

        # What do you need X for anyway?
        X11Forwarding no

        # No extraneous info
        PrintMotd no

Now run kill -s 1 `cat /var/run/sshd.pid` to force sshd to reload its
configuration.

To be sure, there is no security through obscurity.  Then again, there's no
reason to give an attacker any more information than you have to.  Turn off
or change any banner or motd, and edit /etc/issue and issue.net to your
liking.  (bland's is set to "Welcome to Windows Server 2003.")

suid, or Set User ID, programs are usually plentiful in any distro and their
root interaction with regular users should be controlled.  Going through
your suid programs and removing the s bit can significantly reduce
vulnerability.  A Perl script has been provided that can simplify this
process.

Save the below Perl script as sup.pl and run it.  Then go through the
resulting suid.txt text file and comment out, with #, the programs that
do not need suid permission.  Save it and then run sup.pl with the -u
switch.  Commented programs will no longer be suid, and you'll have a
record of what was done.

        #!/usr/bin/perl
        # sup.pl: with no argument, write every setuid file on the system to
        # suid.txt; with -u, strip the suid/sgid bit from each file whose line
        # in suid.txt has been commented out with #.

        if ($#ARGV < 0) {
                # -perm -4000 matches files with the setuid bit set (the older
                # +4000 spelling is no longer accepted by current GNU find)
                system("find / -perm -4000 2>/dev/null > suid.txt");
                exit;
        }

        if ($ARGV[0] =~ /-u/) {
                open(UPDATE, "<suid.txt") or die "Can't read file: $!";

                while (<UPDATE>) {
                        chomp;
                        if (/^#/) {
                                s/^#//;
                                # list form of system() avoids passing the path through the shell
                                system("chmod", "-s", $_);
                        }
                }
                close(UPDATE);
        }
        else {
                print "Usage: perl sup.pl <-u>\n";
                exit;
        }

There are a couple of final touches before moving on to third party
applications.  Edit /etc/securetty, which controls which devices root can
login to, and comment out, well, everything for more security.  And change
your umask to a more restrictive 077.
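Worked example, added here and not part of the thread or Chess Griffin's document: a small Python model of how tcpwrappers evaluates the hosts.allow and hosts.deny entries quoted above (hosts.allow is consulted first, the first matching rule wins, then hosts.deny, and access is granted if nothing matches). It supports only ALL, exact daemon/host names and trailing-dot network prefixes; the sample files are constructed from the quoted entries, including the case where the `ALL: ALL: DENY` line is left uncommented.

```python
# Added example, not from the thread or Chess Griffin's document: a model of
# hosts_access(5) evaluation for the tcpwrappers entries quoted above.
# Supported patterns: ALL, exact daemon/host names, and "n.n.n." prefixes.

# Constructed sample files built from the entries in the quoted document.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "# ALL: ALL: DENY\nsshd: ALL: ALLOW\n"
# Same file with the DENY line left uncommented: first match wins, so it
# shadows the sshd rule below it and locks every client out.
HOSTS_ALLOW_LOCKOUT = "ALL: ALL: DENY\nsshd: ALL: ALLOW\n"


def parse_rules(text):
    """Return (daemons, clients, option) per active line; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                       # malformed line: ignored by this model
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def matches(patterns, value):
    for p in patterns:
        if p == "ALL" or p == value:
            return True
        if p.endswith(".") and value.startswith(p):   # e.g. "192.168.1." prefix
            return True
    return False


def hosts_access(daemon, client, allow_text, deny_text):
    """True if access is granted: hosts.allow first, then hosts.deny, else allow."""
    for daemons, clients, option in parse_rules(allow_text):
        if matches(daemons, daemon) and matches(clients, client):
            return option != "DENY"        # explicit DENY overrides the file default
    for daemons, clients, option in parse_rules(deny_text):
        if matches(daemons, daemon) and matches(clients, client):
            return option == "ALLOW"       # explicit ALLOW overrides the file default
    return True                            # no match anywhere: access granted


if __name__ == "__main__":
    for svc in ("sshd", "in.telnetd"):
        print(svc, hosts_access(svc, "10.0.0.5", HOSTS_ALLOW, HOSTS_DENY))
```

The tcpdmatch(8) utility shipped with tcp_wrappers performs the same kind of check against the live files on the box.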


bapigoo9 11-24-2008 10:44 PM

Quote:

Basic Slackware Security by Chess Griffin
Thanks for the link!

Hangdog42 11-25-2008 07:16 AM

Quote:

And, does Slackware have built in the ability to run the browser in a contained play space? Then I can turn the kids loose on it and not worry about them tearing up the fresh install?
If you give your kids their own accounts, they shouldn't be able to damage anything.

H_TeXMeX_H 11-25-2008 07:18 AM

There's also Alien Bob's firewall generator, just copy the result into '/etc/rc.d/rc.firewall', make it executable and it will run on every boot.
http://www.slackware.com/~alien/efg/

bapigoo9 11-29-2008 07:16 PM

Quote:

There's also Alien Bob's firewall generator
Thanks for the tip.

Edit: Bob's firewall has several modprobe commands in it to load a lot of modules for iptables. Some are commented out. Are these modules for older kernels, such as 2.4.x kernels? Slack 12 has a 2.6.24.x kernel?

These are the modules: ip_tables, ip_conntrack, iptable_filter, iptable_nat, iptable_mangle, ipt_LOG, ipt_limit, ipt_MASQUERADE, multiport, ipt_state, ipt_unclean, ...

Several modules I can not find in my installation, such as: multiport, ipt_unclean, ...
