LinuxQuestions.org
Old 11-24-2008, 11:21 PM   #1
bapigoo9
Member
 
Registered: Aug 2008
Posts: 107

Rep: Reputation: 16
Slackware install, no Firewall out of the box? Suggestions on what to do?


With all of the distro frenzy out there, I thought that I would try an installation of Slackware while I had the entire weekend to sit and tinker with it....without the kids! It was an easy install. Ran like clockwork. I had so much time left over that I decided to see about the Firewall.

Then, I noted that there was no default Firewall for it. Does Slackware not have a Firewall built in to it, or did I just miss something?

Any suggestions on what to use with Slackware or what features I would enable to get a basic Firewall out of the box? And, does Slackware have built in the ability to run the browser in a contained play space? Then I can turn the kids loose on it and not worry about them tearing up the fresh install?
 
Old 11-24-2008, 11:29 PM   #2
SqdnGuns
Member
 
Registered: Aug 2005
Location: Fountain Valley, CA / Thailand
Distribution: Slackware64® 14.0
Posts: 981

Rep: Reputation: 88
Basic Slackware Security by Chess Griffin

http://chessgriffin.com/files/docs/slack_sec.txt

Code:
Post-Install Security
---------------------
You're booted up.  The first thing to do is to configure tcpwrappers by
editing /etc/hosts.deny and hosts.allow.  Add the following line to
hosts.deny to disallow access by any host to your box.

	ALL: ALL

Once this is in place, you can reinforce host denial in hosts.allow with

	ALL: ALL: DENY

or you can poke holes to allow access by certain hosts, or ranges of hosts,
to certain services.  A common entry would be to allow ssh connections:

	# ALL: ALL: DENY
	sshd: ALL: ALLOW

Firewalls are not a panacea for security.  But they are an imperative
beginning step.  iptables provides the packet filtering, or firewalling, for
the 2.4.x and 2.6.x kernels.  And if setting up an iptables firewall is not
your first step in securing your Slack box, it better be your second.

Below is an example of a basic iptables script.  The comments included
explain what the rules are doing.  Name the script rc.firewall, chmod 755
rc.firewall and mv rc.firewall /etc/rc.d.

	#!/bin/bash

	# rc.firewall for
	# Basic Slackware Security

	# These two rules set the default policies, i.e. what to do if a
	# packet doesn't match any other rule, to drop any packet coming
	# into (INPUT) or routing through (FORWARD) the box.
	iptables -P INPUT DROP
	iptables -P FORWARD DROP

	# These rules are added (-A) to the INPUT chain.  They allow packets
	# from any previously established connections and accept anything
	# from the loopback interface.
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT

	# This rule added to the INPUT chain accepts any ssh connections.
	iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT

With a basic firewall in place, it's time to edit /etc/inetd.conf to remove
unneeded services.  Now unless you absolutely know you need a service
mentioned in inetd.conf, comment it out with #.  You will probably find
that, at least initially,  you'll comment out the entire file.  Here's a
Perl script that will do it for you.

	#!/usr/bin/perl

	$conf = "/etc/inetd.conf";

	system("cp $conf $conf.bak");

	open FILE, "$conf" or die "Can't open $conf: $!";
	open TEMP, ">temp" or die "Can't create temp file: $!";

	while (<FILE>) {
		s/^/#/ if ($_ !~ /^#/);
		print TEMP;
	}

	close FILE;
	close TEMP;

	unlink "$conf";
	system("mv temp $conf");

If there's a service that you want shut down that you didn't choose to
during the install, stay in /etc and head to rc.d.  You can edit rc.M (M
for multi-user) and comment out the respective section that starts the
daemon, and/or you can chmod 644 rc.<service> to keep it from starting, as
rc.M starts a service based on the file test, -x.

It's safe to say that the major steps to securing your box are complete.
There are many things left to do, including advancing the above topics,
that can tighten up security.  Configuring individual services should weigh
heavily in this advancement.  Staying in line with the above examples, we
will go through some important settings for sshd.

The configuration file for sshd is /etc/ssh/sshd_config.  Edit the file and
consider making the following changes.

	# Force the more secure Protocol 2
	Protocol 2

	# Do not let root login remotely
	PermitRootLogin no

	# Watch out for world writables
	StrictModes yes

	# Require passwords
	PasswordAuthentication yes

	# Don't allow null passwords
	PermitEmptyPasswords no

	# What do you need X for anyway?
	X11Forwarding no

	# No extraneous info
	PrintMotd no

Now run kill -s 1 `cat /var/run/sshd.pid` to force sshd to reload its
configuration.

To be sure, there is no security through obscurity.  Then again, there's no
reason to give an attacker any more information than you have to.  Turn off
or change any banner or motd, and edit /etc/issue and issue.net to your
liking.  (bland's is set to "Welcome to Windows Server 2003.")

suid, or Set User ID, programs are usually plentiful in any distro and their
root interaction with regular users should be controlled.  Going through
your suid programs and removing the s bit can significantly reduce
vulnerability.  A Perl script has been provided that can simplify this
process.

Save the below Perl script as sup.pl and run it.  Then go through the
resulting suid.txt text file and comment out, with #, the programs that
do not need suid permission.  Save it and then run sup.pl with the -u
switch.  Commented programs will no longer be suid, and you'll have a
record of what was done.

	#!/usr/bin/perl
	use strict;
	use warnings;

	# No argument: record every setuid file on the system in suid.txt.
	# (-perm -4000 is accepted by both old and current versions of find.)
	if ($#ARGV < 0) {
		system("find / -perm -4000 2>/dev/null > suid.txt");
		exit;
	}

	# -u: strip the setuid bit from every path that was commented out in suid.txt.
	if ($ARGV[0] =~ /^-u$/) {
		open(UPDATE, "<", "suid.txt") or die "Can't read file: $!";

		while (<UPDATE>) {
			chomp;                          # drop the newline so it is not handed to chmod
			if (s/^#\s*//) {                # only lines the admin marked with a leading #
				system("chmod", "-s", $_);  # list form: the path never goes through a shell
			}
		}
		close(UPDATE);
	}
	else {
		print "Usage: perl sup.pl <-u>\n";
		exit;
	}

There are a couple of final touches before moving on to third party
applications.  Edit /etc/securetty, which controls which devices root can
login to, and comment out, well, everything for more security.  And change
your umask to a more restrictive 077.

Last edited by SqdnGuns; 11-24-2008 at 11:30 PM.
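An added re-check for the sshd_config and tcpwrappers steps in the document quoted above; this is example code written for this thread, not part of Chess Griffin's text. It reads the config files the way sshd and tcpwrappers do (first keyword wins, case-insensitive, comments ignored) and counts how many of the recommended settings are still missing; the default paths are an assumption and other paths can be passed to audit copies.

```shell
#!/bin/sh
# Added audit helper (not from Chess Griffin's document): re-checks the
# sshd_config keywords and the hosts.deny "ALL: ALL" line recommended above.
# The default paths are assumed; pass other paths to audit copies instead.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"

# Print the effective value of one sshd_config keyword: sshd honours the
# first occurrence, matches keywords case-insensitively and skips comments.
sshd_option() {   # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare a keyword with the recommended value; returns 1 on a deviation
# (an unset keyword counts too, since the built-in default may be the weak choice).
check_sshd() {    # $1 = config file, $2 = keyword, $3 = wanted value
    got=$(sshd_option "$1" "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$got" = "$3" ]; then
        echo "ok   $2 $got"
    else
        echo "FIX  $2 is '${got:-unset}', want '$3'"
        return 1
    fi
}

# hosts.deny needs an uncommented "ALL: ALL" line for the deny-by-default stance.
check_hosts_deny() {   # $1 = hosts.deny path
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1" 2>/dev/null; then
        echo "ok   hosts.deny has ALL: ALL"
    else
        echo "FIX  hosts.deny lacks an 'ALL: ALL' line"
        return 1
    fi
}

# Run every check and return the number of deviations found (0 = all good).
audit() {   # $1 = sshd_config path, $2 = hosts.deny path
    bad=0
    check_sshd "$1" Protocol 2              || bad=$((bad + 1))
    check_sshd "$1" PermitRootLogin no      || bad=$((bad + 1))
    check_sshd "$1" StrictModes yes         || bad=$((bad + 1))
    check_sshd "$1" PermitEmptyPasswords no || bad=$((bad + 1))
    check_sshd "$1" X11Forwarding no        || bad=$((bad + 1))
    check_hosts_deny "$2"                   || bad=$((bad + 1))
    return "$bad"
}

# "sh audit.sh run" checks the live files; without "run" it only defines the functions.
[ "${1:-}" = run ] && audit "$SSHD_CONFIG" "$HOSTS_DENY"
```

Run it as root after the sshd reload so the exit status reflects the configuration sshd actually loaded.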
 
Old 11-24-2008, 11:44 PM   #3
bapigoo9
Member
 
Registered: Aug 2008
Posts: 107

Original Poster
Rep: Reputation: 16
Quote:
Basic Slackware Security by Chess Griffin
Thanks for the link!
 
Old 11-25-2008, 08:16 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
Quote:
And, does Slackware have built in the ability to run the browser in a contained play space? Then I can turn the kids loose on it and not worry about them tearing up the fresh install?
If you give your kids their own accounts, they shouldn't be able to damage anything.
 
Old 11-25-2008, 08:18 AM   #5
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
There's also Alien Bob's firewall generator, just copy the result into '/etc/rc.d/rc.firewall', make it executable and it will run on every boot.
http://www.slackware.com/~alien/efg/
 
Old 11-29-2008, 08:16 PM   #6
bapigoo9
Member
 
Registered: Aug 2008
Posts: 107

Original Poster
Rep: Reputation: 16
Quote:
There's also Alien Bob's firewall generator
thanks for the tip.

Edit: Bob's firewall has several modprobe commands in it to load a lot of modules for iptables. Some are commented out. Are these modules for older kernels, such as 2.4.x kernels? Slack 12 has a 2.6.24.x kernel?

These are the modules: ip_tables, ip_conntrack, iptable_filter, iptable_nat, iptable_mangle, ipt_LOG, ipt_limit, ipt_MASQUERADE, multiport, ipt_state, ipt_unclean, ...

Several modules I can not find in my installation, such as: multiport, ipt_unclean, ...

Last edited by bapigoo9; 12-01-2008 at 01:05 AM. Reason: read link to Bob's Firewall