best way to secure the system
Dear sir, can you tell me the best way to secure the Linux system?
The #nmap command shows the open ports. The unwanted services and ports can be blocked by the firewall. But which are the services that can be a potential danger to the system? Like telnet, ssh, etc.? I am using Fedora Core 6.
regards, kanishk |
There is a book on Securing and Optimizing Linux on the www.tldp.org website. There are many things to do, and a lot depends on whether you are talking about a workstation or a server on the internet. For example, for a server, you wouldn't just not run telnet, you would remove it and all unnecessary software. You would search for suid binaries and see what you can do without. If this isn't a personal computer with one user, you need to set up limits, so a single user can't exhaust the resources. For both, you need to secure ssh if you need to use it, only allowing connections from authorized users. If it is a server with mysql, the mysql manual has a chapter on securing the server. Lest I forget, Fedora Core uses SELinux as well.
I would suggest going to a book store and finding a book on securing linux. Fedora Core also comes with a lot of documentation, as well as documentation on the website. |
The best way to secure the system. I mean, really the best one, is to let it off :p
|
Any and all open ports can be and are vulnerable. Remember a vulnerability is already exploited before it is announced. I could be looking at your /etc/shadow file right now, and if I discovered a vulnerability/hole, no one will know about it unless someone using that technique screws up and doesn't cover their tracks. Or an ethical hacker finds it also.
- The best way to secure your system first of all is to use passwords.
- The next best way I can think of is to be behind a router.
- Close or turn off services you don't want running. If you want to use it, you can always enable it by hand later.
- Check the log files.
- Someone the other day recommended a security program called tripwire.
- Enter this on the command line:
  ifconfig -a | grep PROMISC
  If the return value is not empty, an interface is running in promiscuous mode. It would be a good idea to put this in a cron job that runs every few hours or whatever to alert you if one is found.
- Try to stay up to date with versions of important software/services.
- Check recently published vulnerabilities found here:
  Common Vulnerabilities and Exposures: cve.mitre.org/cve
  CERT/CC Vulnerability Notes Database: http://www.kb.cert.org/vuls
  NIST ICAT Metabase: icat.nist.gov/icat.cfm
And many other things. Basically if you want to be safe from your enemies, you must know your enemy. Study and learn about hackers and their mannerisms. There is no such thing as security. All you can really do is limit the choices a hacker has. Maintaining security is a perpetual thing. |
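The cron check suggested in the post above, as an added example that is not part of the original thread: instead of grepping ifconfig output, it reads each interface's flags word under /sys/class/net and tests the IFF_PROMISC bit (0x100). The function names, the --check argument and the script path in the crontab comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): report interfaces in promiscuous mode.
# Linux exposes each interface's flags as hex in /sys/class/net/<if>/flags;
# bit 0x100 is IFF_PROMISC, the flag ifconfig prints as PROMISC.

# Print the name of every interface under $1 (default /sys/class/net)
# whose flags word has IFF_PROMISC set.
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for dir in "$root"/*; do
        [ -r "$dir/flags" ] || continue
        flags=$(cat "$dir/flags")
        # Accept only a plain hex word such as 0x1103; skip anything else.
        case $flags in
            0x*[!0-9a-fA-F]*|0x) continue ;;
            0x*) ;;
            *) continue ;;
        esac
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            echo "${dir##*/}"
        fi
    done
}

# Return 1 and print one alert line if anything is promiscuous. cron mails
# any output to the job's owner, so silence means nothing was found.
check_promisc() {
    found=$(promisc_ifaces "$@" | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "ALERT: promiscuous interface(s): $found"
        return 1
    fi
    return 0
}

# Hypothetical crontab entry (the script path is an assumption):
#   0 */3 * * * /usr/local/sbin/promisc-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_promisc
fi
```

Interfaces you deliberately run a sniffer on will be reported too, so expect an alert while such a capture is active.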
Oh I forgot a really important one. Open up a bash window or whatever terminal program you want to use. I use bash.
Go to the /home directory:
Code:
cd /home
Code:
ls -l
Code:
drwx------
Code:
chmod 700 yourhomedirectoryname
Buy a Linux book or 2 or 3. Buy security books, and it can't hurt to buy books on networking and hacking. Also it may sound funny, but go to textfiles.com and read their files on hacking. A lot of the stuff mentioned there still applies today, as far as basic Linux/UNIX security and tricks. Hope my advice helped point you in the right direction.
otacon :) |
One of *the* best measures you can take is to keep your system updated with security patches. So make sure that automatic updates are enabled. See the Security References thread for more Security guides and HOWTOs |
And I consider being behind a hardware firewall to be a must as well. I am behind two, one a "smoothwall," (very highly recommended: www.smoothwall.org) and the second a Mandriva machine doing connection sharing. Requires a bit more hardware, but the main target, my primary machine right here under my fingers, has never been touched from the outside. My LAN is dead silent except for my traffic. Routers are OK, but they are more easily hacked, and not as secure by design. NAT is not a security feature, it's merely a way to share one valid IP. I tell everyone I can lay hands on they NEED a smoothwall. Security just doesn't get much better than that without shelling out money.
cat |
If you need ssh, I advise setting the AllowUsers option in the config file /etc/ssh/sshd_config, which lists the users who are allowed to login via ssh. You should probably also install something such as DenyHosts to prevent brute force attacks. I'm pretty sure that there will be a Fedora package for it available via yum.
|
I agree, though, that you should run a hardware firewall such as smoothwall or pf or IpCop, and "personal" firewalls on the systems within your network...especially on a Windows dominant network. This way, if one jerk downloads a virus or whatnot, you don't have quite as much to worry about =) If you're overly paranoid about security, then building a dual homed bastion host firewall system with two OpenBSD machines sandwiching whatever proxy server system you're comfortable with is a must. |
Hey, rocket...
I have every reason to be "overly paranoid" by most people's standards. I call it "being smart." I even had a smoothwall hacked on me once... good thing all it could do is portscan the second HWFW, which triggered an alert. OpenBSD does look like the way to go, ultimately. |
what is the tproxy
What is the tproxy service which uses the 8081 port?
Is it potentially dangerous to the system? And what port is used for VPN?
regards, kanishk |
http://www.openbsd.org/faq/pf/ But, if you can find an e-book called "Building secure firewalls with OpenBSD and pf" (or similar, can't recall the exact name off the top of my head), that might be a more "hands-on" or "step-by-step" approach compared to a manual that's designed to show off pf's capabilities. The book, mind you, is a bit dated, so you might read it to get a good grasp of the overall concept, then read the link above to see what's changed and what's been added. |
Please have a look at "CIS-Tool" to check how secure your system is:
http://www.cisecurity.org/ This tool will check your system, will show you the insecure files and will score your box. |