LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Basics of Linux Security (https://www.linuxquestions.org/questions/linux-security-4/basics-of-linux-security-205987/)

jrdioko 07-16-2004 04:45 PM

Basics of Linux Security
 
I'm aware that this question has been asked in the past, but searches in the forum and online have led to information that was simply too overwhelming and confusing. I have set up my laptop with Slack 9.1. Local security is already taken care of and no one but me is going to be physically using the machine. However, I want to know what I can practically do to secure this box from outside attacks. Lists of hundreds of security-related pages won't help, since I simply can't understand what is required, what isn't, and what changes affect what. I have followed the suggestions of this site (http://www.oldskoolphreak.com/tfiles/hack/slack_sec.txt), probably closing down more than I need to (but I really don't know). Is this enough? Did that site leave anything important out? I won't be constantly connected on a static IP, which probably means I don't need to go to many extreme measures, but I will be using a dynamic IP on a college campus on both wired and wireless networks on a regular basis. The information that's out there is so overwhelming since so much is available. I'd like to read a nice "newbie tutorial" as is being discussed in a News: thread on this forum, but, until that exists, can anyone give me specific points about what needs to be done besides those things listed at the site above? Thanks in advance.

EDIT:
One more thing... after the above is taken care of, what command can I run/steps can I follow to see what is currently connected to my machine from outside, to check for anything abnormal (and how do I tell if it is abnormal?). Thanks again.

vectordrake 07-16-2004 05:22 PM

For your uses, you're probably locked down more than necessary. The only suggestion I'd give to you as far as going any further, is to use complex passwords for your root and user accounts and change them with a reasonable frequency. As a general rule, especially where your network access is DHCP, you're not going to be sitting on any IP for long enough to hack. If you change the passwords (especially root) then the bad guys will have even less chance to get in.

But, honestly, if you have data that you consider important, offload it to a password-protected and encrypted cd (or usb key) and stop worrying :D. If you leave your puter connected for days and give an opportunity to be hacked, then there'd be nothing for anyone to get. That is, if anyone'd have a chance. Sounds like you're locked down.

jrdioko 07-16-2004 07:22 PM

Well I really don't have any extremely important information in the first place, but I'm not aware of what programs store unencrypted passwords or how easy it would be to crack the encrypted ones.

It sounded like that site locked everything down probably too much (I'll probably have to start opening things up to get certain things to work), but I wanted to make sure. Now I'd still just like to know how I can check open ports/connections on eth0 and wlan0 to confirm that nothing is there that shouldn't be. Thanks!

Capt_Caveman 07-16-2004 08:19 PM

That's actually a rather concise and effective tutorial. One thing I'd add, though, is to install a file integrity IDS like tripwire, samhain, aide, etc. after you install and configure the machine to your liking. Then make sure to keep the db updated and view logs of recent checks.

Cracking /etc/passwd hashes is relatively trivial (just takes time and enough CPU cycles). The key is to really protect them, by perimeter hardening and limiting the effect of local exploitation (kernel/stack hardening).

Off Topic, in regards to your sig, I just attended a lecture by one of the guys who won a recent Nobel Prize (for co-inventing NMR/MRI) and his advice for being successful was to find something that a Nobel Prize winner said was impossible/absurd and then proceed to go out and do it.

jrdioko 07-16-2004 09:59 PM

Interesting... I remember a year or so ago hearing of someone who helped invent the MRI giving a lecture in town, but I don't remember his name.

Back on topic, that all sounds well and good but it all flew over my head I'm afraid :). Could you elaborate a bit on what you're talking about and what it involves? Thanks!

Capt_Caveman 07-16-2004 10:19 PM

> Interesting... I remember a year or so ago hearing of someone who helped invent the MRI giving a lecture in town, but I don't remember his name.

Paul Lauterbur?

> Back on topic, that all sounds well and good but it all flew over my head I'm afraid :). Could you elaborate a bit on what you're talking about and what it involves? Thanks!

Sure, which part?

jrdioko 07-16-2004 10:21 PM

I'm afraid I wouldn't remember the name even if I heard it.

Well, for starters, I don't know what a file integrity IDS is or how I'd go about picking one :).

Capt_Caveman 07-16-2004 10:58 PM

A file integrity IDS is an application which basically takes a "snapshot" of the files on your system at a given point and then runs a check at certain intervals looking for alterations to those files or creation/deletion of files in critical directories. Someone attempting to gain local or root access to a system will often leave telltale files or attempt to hide files by altering system files. One common example would be replacing the ps binary, which would normally list currently running processes, with a modified version of ps that lists all processes _except_ those executed by a certain user (the evil_hacker). Unless you commonly look at the contents of binaries or peruse /proc, you'd be unaware of the change. Having something like tripwire, which functions by calculating a cryptographic checksum of all critical files, allows you to quickly check the integrity of the files on your system by comparing their current checksums to those taken when the IDS was installed.

Tripwire is one of the more common file integrity scanners, but there are a number of relatively good ones that have more or less features. Take a look at the security references thread (see my sig for link) where there are a number of them available. Which one you install really depends on the features you would like (but they all do more or less the same thing).
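To make the snapshot/compare idea concrete, here is a toy file-integrity checker written for this thread; it is an added example, not code from tripwire, samhain or aide. It hashes every regular file under a directory with SHA-256, stores the result as a baseline database, and on a later run reports files that were modified, added or deleted. The `demo()` function builds a constructed fake `bin/` directory in a temp folder, then simulates exactly the scenario described above (a replaced `ps`, a dropped hidden file, a deleted binary) so you can see what a check would flag. Paths, file contents and the database name are all made up for the example.

```python
"""Minimal file-integrity checker in the spirit of tripwire/aide (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree can't be used to
    smuggle arbitrary content into (or out of) the baseline.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            result[str(p.relative_to(root))] = hash_file(p)
    return result


def save_baseline(snap, db_path):
    """Write the baseline database as JSON (tripwire signs its db; this toy does not)."""
    Path(db_path).write_text(json.dumps(snap, sort_keys=True, indent=2))


def load_baseline(db_path):
    return json.loads(Path(db_path).read_text())


def compare(baseline, current):
    """Diff two snapshots; each list is sorted so output is stable for logging."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "deleted": deleted}


def demo():
    """Constructed scenario: baseline a fake bin/, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        # Constructed stand-ins for real binaries; contents are arbitrary bytes.
        (root / "ps").write_bytes(b"original ps binary\n")
        (root / "ls").write_bytes(b"original ls binary\n")
        (root / "netstat").write_bytes(b"original netstat binary\n")

        db = Path(tmp) / "integrity.db"      # hypothetical database location
        save_baseline(snapshot(root), db)

        # Simulate the tampering described in the thread.
        (root / "ps").write_bytes(b"modified ps that hides processes\n")
        (root / ".hidden").write_bytes(b"dropped file\n")
        (root / "netstat").unlink()

        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the real tools address and this toy does not: the baseline database has to be protected as carefully as the files it describes (tripwire signs it; keeping a copy on read-only or offline media is the usual advice), otherwise whoever replaced ps can simply rebuild the db afterwards; and any checker that runs on the host trusts the kernel and the libraries it links against, so a kernel-level rootkit can lie to it, which is why Capt_Caveman pairs file integrity checking with perimeter and kernel hardening rather than relying on it alone.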

jrdioko 07-16-2004 11:40 PM

Interesting... I took a quick look at a few of those links and that does sound like something good to have (better to have too much than too little). I'm looking into getting snort and tripwire now. I appreciate the help.

jrdioko 07-17-2004 12:58 AM

I downloaded tripwire from the sourceforge site, but the INSTALL file wasn't complete and a "make release" in the src/ directory returned a whole list of errors. I can't find an md5 for it to check if it was complete, but it seems it wasn't. I tried redownloading it, but got the same error. Can anyone verify if the INSTALL file in the latest release from the sourceforge site is complete (has a section #3)? That way I'll know if the problem is on my end or not. Thanks!

