LinuxQuestions.org
Old 12-18-2003, 07:17 PM   #1
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Rep: Reputation: 15
Beginners Steps to Security in RH9


I am pretty new to security and like the feeling of having a secure system. From what I hear, Linux is supposed to have one of the most secure systems. Although, in the past I have heard that Linux is the most common system used for hacking. I think this is because Linux is used in large corporations. Well, I'm no large corporation. But I would like my system protected. Currently I am running RH9 on Fluxbox with a cable modem. I have been using Firestarter to build a firewall as people portscan me. I feel like there are a lot of people hitting my connection. I must have woken up this morning with nearly 20 items in the Firestarter application that I added to block host and block port. Is this a good security method? I am not big on networking and security terms. I recently switched to Linux. Please use layman's terms for me here. Things I am concerned about:

1)Port Scans
2)File Access
3)Viruses
4)Trojans
5)Spyware
6)Password Security
7)Remote Access

Seems a little paranoid but I'd rather be safe than sorry. I had programs for this stuff in Windows. I realize there are fewer viruses and such in Linux, but I feel there should be measures taken against this stuff. What do you suggest I do to start securing my box?

Probably what I need is:

Firewall setup (should I add certain ports?)
Virus program
Services turned off (I want the bare minimum with access to the internet)
Password super encryption or something
Spyware and trojan scanner
Program that checks if there has been remote access without having to look through long logs


Sorry for the long request but I am sure this will be useful for many new linux users...
 
Old 12-18-2003, 08:07 PM   #2
2damncommon
Senior Member
 
Registered: Feb 2003
Location: Calif, USA
Distribution: PCLINUXOS
Posts: 2,918

Rep: Reputation: 103
With Firestarter, when it asks what "services" you want to run, only check the ones you are running as a server on your own PC. Often this would be none. That should firewall off any traffic that may attempt to connect to those servers on your PC. (Shut down unneeded services if you know how to in your distro.)
Follow security updates for your distro.
 
Old 12-18-2003, 08:16 PM   #3
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
I'm not sure how to turn off other services. I know there is a GUI to be able to do this in RH9. I switched to Fluxbox though. I will need to find the command to switch them off. When I initially set up Firestarter I opted for all services to be turned off.
 
Old 12-18-2003, 08:30 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
In redhat you want to use the chkconfig utility:

To see the current config:
chkconfig --list

To see what's on:
chkconfig --list | grep ':on'

To keep services from turning on at boot:
chkconfig --level 345 servicename off

To turn something off temporarily (will get turned back on with a reboot):
service servicename stop

You have to be root in order to execute all those commands.

Things you definitely don't want on:
portmap
nfs
nfslock
netfs
named

There are a lot of things you can turn off (and should turn off) if you aren't planning on using them:
autofs
rawdevices
isdn
irda
lpd
etc...

A couple things can cause problems if you do turn them off:
random
apmd, pcmcia (if you have a laptop)
network
kudzu
crond

If you don't know what something is either google or ask here and you can usually find out if you need it or not.
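The check described in the post above, as an added example that is not part of the original thread: it reads `chkconfig --list` output, reports which of the "definitely don't want on" services are enabled in runlevels 3, 4 or 5, and prints the matching `chkconfig --level ... off` commands. The sample listing is constructed so the script runs on any machine; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit `chkconfig --list` output for
# the services the post says should never be on.
RISKY="portmap nfs nfslock netfs named"

# Constructed sample of `chkconfig --list` output, not taken from a real host.
sample_chkconfig() {
    cat <<'EOF'
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:off   4:off   5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
}

# Reads `chkconfig --list` output on stdin and prints "service runlevels"
# for every risky service that is on in runlevel 3, 4 or 5.
audit_services() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        ($1 in bad) {
            levels = ""
            for (f = 2; f <= NF; f++)
                if ($f ~ /^[345]:on$/) levels = levels substr($f, 1, 1)
            if (levels != "") print $1, levels
        }'
}

# Turns the audit result into the chkconfig commands from the post.
# The commands are only printed, so they can be reviewed before running.
fix_commands() {
    audit_services | while read -r svc levels; do
        echo "chkconfig --level $levels $svc off"
    done
}

# Demo on the constructed sample. On a real Red Hat host, as root:
#   chkconfig --list | fix_commands
sample_chkconfig | fix_commands
```

Matching on the service name and the `N:on` fields avoids false hits on names that merely contain the letters "on", such as crond.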
 
Old 12-22-2003, 03:30 AM   #5
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
Thanks for your help. I will check these services out tomorrow. Is it possible to create a partition so that it does not have any remote-access?
 
Old 12-22-2003, 11:54 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
You can encrypt part or all of a filesystem if you want to, but what you really should focus on is limiting access and reducing the number of publicly available services to the minimum you need. Turn off a lot of the extra services you don't need, then with the services you have to run, limit who can access them. For example if you need to have something like windows-file sharing with samba on your LAN, don't run it open to the public; use tcpwrappers and iptables to only allow LAN computers to connect.

Then make sure to install a file integrity checker like tripwire or aide. That way if someone actually does access your system and change something, you'll know about it. Similarly a network intrusion detection system (NIDS) like Snort will give you an idea about what's going on with the "barbarians at the gate".
 
Old 12-25-2003, 02:56 AM   #7
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
I installed snort but have no idea what to do with it. Some of the other stuff you were mentioning sounds like a good idea and I will have to definitely check it out.
 
Old 01-04-2004, 02:45 AM   #8
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
Finally removed unneeded services. I think I stripped it down to the bare minimum that I could. I hope my next system restart all goes well. Can someone give some help on how to run snort. I think this is an important utility. I am concerned with port scanners on the computer. I have also heard that Linux is commonly port scanned a lot. I also get a lot of hits on the Firestarter. I block the port and host. Am I doing good precautions for setting up the firewall or should I do more than just using the Firestarter?
 
Old 01-04-2004, 09:31 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: "Can someone give some help on how to run snort."
Download the tarball from snort.org (latest is 2.1.0) and pcre from www.pcre.org.
Install pcre, then run "rpmbuild -ta (name of tarball)" and install.
Check out the Snort docs before you configure Snort, make sure you only load the rules you need and also pay attention to how you log. Logging in unified binary format is faster, but then you need to install "Barnyard" from snort.org/contrib.
*I just installed a static Snort-2.1.0 binary with pcre-3.4 using a customized spec file, if anyone is interested I'll post the diff.


Quote: "I am concerned with port scanners on the computer. I have also heard that linux is commonly port scanned a lot."
"Common" portscanning should not be a "problem". Best is to ignore them script kiddies unless the scanning becomes excessive or if it's followed by an attack. Also read up on current scanning and worm behaviour so you don't go berserk with each alert for IIS and Nachi scans.


Quote: "I also get a lot of hits on the firestarter. I block the port and host. Am I doing good precautions for setting up the firewall or should I do more than just using the firestarter?"
Setting your default policy to DROP would be a good start wrt the firewall.
Wrt a firewall being enough I'd say this is a rather broad topic and that overlaps your other question in this forum. Best not to have ppl duplicate their efforts helping you.
 
Old 02-02-2004, 11:21 PM   #10
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
How am I able to set a drop policy on the firewall?
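One way to set the default DROP policy suggested in post #9, combined with the LAN-only Samba access described in post #6, as an added example that is not part of the original thread. It uses iptables only (no tcpwrappers); the function name `gen_ruleset` and the subnet 192.168.1.0/24 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset
# with a default-DROP INPUT policy.

# gen_ruleset [LAN_CIDR]
# With a LAN_CIDR, the Samba ports are reachable from that subnet only.
# Without one, no inbound service is reachable at all.
gen_ruleset() {
    lan="$1"
    # Refuse anything that is not plain dotted-quad/CIDR text, so a bad
    # argument can never end up inside a firewall rule.
    case "$lan" in *[!0-9./]*) echo "bad subnet: $lan" >&2; return 1 ;; esac
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ -n "$lan" ]; then
        # NetBIOS name/datagram services (UDP) and SMB sessions (TCP).
        for p in 137 138; do echo "-A INPUT -s $lan -p udp --dport $p -j ACCEPT"; done
        for p in 139 445; do echo "-A INPUT -s $lan -p tcp --dport $p -j ACCEPT"; done
    fi
    echo "COMMIT"
}

# Print the ruleset for review. 192.168.1.0/24 is an assumed home LAN.
gen_ruleset 192.168.1.0/24

# To load it, as root:   gen_ruleset 192.168.1.0/24 | iptables-restore
# To keep it across reboots on Red Hat:   service iptables save
```

Loading a ruleset with iptables-restore replaces the rules currently in the filter table, including any that Firestarter installed. With the policy set to DROP, port scans are discarded without adding a block entry for each host.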
 
  

