LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 01-28-2004, 11:08 PM   #1
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
General steps for securely installing an OS


Given the recent "this OS vs. that OS" banter going on, I thought I would repost this general information. It's a loose guide to follow for installing ANY OS (although the references are mostly to UNIX-like services).

No matter what OS you have, you should always follow these general rules after installing:
1.) Keep the box unplug from the Internet if at all possible (install from CD-ROM), if you must have an Internet connection to install packages, then make sure it's behind a firewall and nothing can make inbound connections to it, yet.
2.) Remove all packages and users that are not needed
3.) Shutdown and disable any services that remain, but aren't required, and make sure that any services that you leave running are doing so with the least privilages, i.e. only bound to loopback if they don't need to be accessible from outside.
4.) Substitute secure services and daemons in the place of insecure ones, such as SSH instead of telnet, sftp instead of ftp (if possible), Postfix instead of Sendmail, vsftp or Pure-ftpd instead of wu-ftpd, etc
5.) Install a Host Intrusion Detection System (HIDS) and have it take a snapshot of your system. It should be configured to generate a warning if any files change. Regenerate your checksums after each step that involves changing files (adding, removing, or editing)
6.) Install a host firewall and configure it (this should deny all inbound connections at the very least, and possibly deny outbound connections except for those needed to function)
7.) Install a Network IDS (NIDS) and configure it to watch traffic to your host
8.) Install a log monitoring program to do some of the dirty work of going through logs for you. Make sure it generates a periodic report and sends it to you some how, such as by e-mail (and remember to check the reports every day!)
9.) Download and install all security updates from your OS and software application vendors. Preferably, this should be done off-line (have the updates on a different host and either connect via the LAN or burn a CD with them). You're still not safe to plug into the Internet since you are probably running some vulnerable software by default.
10.) Recheck all your configurations to make sure none of them have been modified by updates or other packages. Remember to re-run the checksum generator on your HIDS.

You're still not done! Security is an every day process, not a patch-and-forget-it deal. Keep monitoring your reports and logs every day for suspicious activity and make sure to check with your vendors regularly for security updates.
 
Old 01-30-2004, 10:27 AM   #2
enigmasoldier
Member
 
Registered: Jul 2003
Location: Florence, Ky
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213

Rep: Reputation: 30
OpenNA's book is AMAZING for anyone wanting to learn how to secure a linux box. They have some pretty good howtos online also. TrinityOS is also a very detailed document on securing any linux system.

Links:
http://www.openna.com/documentations/docs.php
http://www.ecst.csuchico.edu/~dranch...html#trinityos
 
Old 01-31-2004, 11:01 AM   #3
mysterio
Member
 
Registered: Sep 2003
Location: Springfield Ma.
Distribution: Mandrake 9.2,Knoppix 3.7,Slackware 10.0, FreeBSD. 5.3, OpenBSD 3.6, NetBSD 2.0, Debian
Posts: 275

Rep: Reputation: 30
Hey Chort, nice little tut there. It's something I myself do religiously, but unfortunately not everybody else does.
 
Old 01-31-2004, 11:23 PM   #4
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 262

Rep: Reputation: 32


DJ Bernstein DNS

http://cr.yp.to/djbdns.html

http://cr.yp.to/djbdns/install.html

DJBDNS

is supposedly way, way, way superior to BIND

BIND reputedly is a piece of crap by comparison


Last edited by studpenguin; 01-31-2004 at 11:25 PM.
 
Old 01-31-2004, 11:27 PM   #5
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 262

Rep: Reputation: 32
I don't know MUCH ABOUT what they are refering to, but here's why:

http://cr.yp.to/djbdns/blurb/easeofuse.html

Last edited by studpenguin; 02-01-2004 at 02:43 AM.
 
Old 02-01-2004, 12:53 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Original Poster
Rep: Reputation: 69
studpenguin

a) What does the above have to do with installing an OS?
b) If you don't know the pros and cons of a software package, don't preach about it (hint: there are several reasons why BIND is superior to DJBDNS).
 
Old 02-01-2004, 02:41 AM   #7
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 262

Rep: Reputation: 32
Well I at least know that several reputable trustworthy people I've come across have recommended djbdns over BIND.

If you think you know of sucha a good bunch of general steps for securally installing an OS, a lot of people like to know why yours doesn't involve djbdns..

And if anyone else, such as you, can disagree, well there's a link to the evidence.

Go ahead challenge it.

There's a $500 reward. http://cr.yp.to/djbdns/guarantee.html

We'd sure like to hear you refute this.

What are you waiting for?


Last edited by studpenguin; 02-01-2004 at 02:56 AM.
 
Old 02-01-2004, 02:50 AM   #8
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 262

Rep: Reputation: 32
//moderator.note: removed OT remarks. See note.

Last edited by unSpawn; 02-02-2004 at 03:13 AM.
 
Old 02-01-2004, 04:00 AM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Original Poster
Rep: Reputation: 69
Why are you trying to turn this thread into a flamefest, especially considering you're not the expert and you're just parrotting what your friends say?

I sure don't see any vulnerabilities listed for BIND 9.2.3, which is what I use. I also don't see you saying anything about IPv6, which is going to be a requirement going forward (FreeBSD and OpenBSD already use it by default).

As to why I don't recommend using a BIND replacement, a) when run chroot'd with privsep, there really isn't much difference as far as security and b) there are a lot more abundent examples for configuring BIND, since it's been around a lot longer. Now if BIND was as difficult to configure as Sendmail, I would say the usability of DJBDNS would be a factor, but since BIND is not brain surgery, I see no reason to switch.

By the way, I really don't appreciate your attempt at flaming in a serious discussion. Hopefully the moderators will take the approriate action.

Last edited by chort; 02-01-2004 at 04:01 AM.
 
Old 02-01-2004, 07:11 AM   #10
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
I suggest you stay away from DJBDNS if you want to have a dns server which is compatible to the standards. Bernstain has clearly stated that he will only implement the parts of the dns stuff that HE LIKES, which is breaking standards. PowerDNS is nice and also superior in security, flexibility than BIND if you want an auth only nameserver.
 
Old 02-01-2004, 09:33 PM   #11
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 262

Rep: Reputation: 32
//moderator.note: removed OT remark. See note.

Quote:
As to why I don't recommend using a BIND replacement, a) when run chroot'd with privsep, there really isn't much difference as far as security and b) there are a lot more abundent examples for configuring BIND, since it's been around a lot longer. Now if BIND was as difficult to configure as Sendmail, I would say the usability of DJBDNS would be a factor, but since BIND is not brain surgery, I see no reason to switch.

By the way, I really don't appreciate your attempt at flaming in a serious discussion. Hopefully the moderators will take the approriate action. [/B]
Feel flamed all you want, be faint of heart, it wasn't meant to be personal attack on you. I'm just a curious novice trying to learn. I learn best when I'm having fun and being entertained rather than wasting money on insane tuition rates sittling in a lecture hall desperately trying to force myself to listen attentively to some old, (and sometimes even young) dork ramble on and on and on.

Dan Bernstein's seems like a pretty entertaining combative show off to me and as such I enjoy and learn best seeing an opposing camp in action.

The clash of differing opinions was what I had hoped to incite --- NOT a flamefest.

Though I suppose, if I ever met Dan in person or attended one of his classes knowing nothing of his brilliant software, I'd lump him into that category of being one of the biggest old arrogant dorks I've ever met -- but hey no one can judge a book by its cover? --- Right?

//moderator.note: removed OT remark. See note.

Last edited by studpenguin; 02-03-2004 at 12:05 AM.
 
Old 02-02-2004, 03:17 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Rep: Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972Reputation: 2972
//moderator.note: Studpenguin, right now you're trying to hijack up Chort's discussion for your own "BIND vs DJBDNS" means. While such a discussion is a Good Thing, hijacking threads the way you did isn't. That is not what we like to see at LQ, and especially not at the Linux - Security forum.
- Please do not to be offending or rude towards your fellow LQ members, and
- DO back up claims you make: if you can't, then don't.
- If someone replies stating facts, then doing it off with like "eyes can be deceiving" isn't showing respect towards fellow LQ members: there is no shame in (admitting) having to learn stuff.
- If you have remarks that will not be constructive to this thread or off topic: please set up your own thread to discuss pro's and con's of them if your remarks won't fit in in the current discussion. If you want sensation, R&R or fuel heated debates: please check out the General forum. The Linux - Security forum should be used for discussing security in an factual, openminded, constructive manner.
- If OTOH you're interested in discussing DNS implementations as a part of what Chort is trying to do, try to compare ISC's BIND and DJBDNS on facts, qualities: using DJB's challenge is not an argument that will get you far to discuss ISC BIND security, DJBDNS compatibility or licensing etc, etc.

As moderator I have taken the liberty to remove some of your replies that are off topic or questionable. Please do edit your posts in this thread yourself and
- remove claims you cannot back up (or properly rephrase them),
- remove or rewrite OT responses.

Please think before you post, mind your fellow LQ members, the LQ rules and general netiquette. Please understand I'm not here to limit you in how you want to express yourself or deprive you of necessary discussion, but consider yourself warned continuing on this path will force me to talk to you differently the next time.

Please note my actions are subject to the moderators rules of conduct. If you want to dispute this or any other (of my) moderation actions you're always invited to take it up with me by email. If after discussing you feel your case has not been handled to your satisfaction, then you're invited to take it up with the site owner, Jeremy.


Chort, thanks for posting your steps but *please* do not "threathen" fellow members with moderators to take action before mods reach a decision. If we don't (or disagree on action to take) it'll look bad for all of us.
 
Old 02-02-2004, 12:20 PM   #13
studpenguin
Member
 
Registered: Nov 2003
Location: Pacific Northwest United States
Posts: 262

Rep: Reputation: 32
I had thought I wrote that IPv6 would involve

340,282,856,360,466,376,620,684,388,469,930,214,496 different numbers

which could cause a lot of complications.

IPv4 would only involves only 4,294,967,296 and could be further expanded to meet the needs of growing numbers of computers and servers with CIDR notation Classless addresses.

Is that a fact or not?





Last edited by studpenguin; 02-02-2004 at 12:34 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Final steps for installing Gaim with ssl support dev8080 Slackware 37 07-21-2007 01:35 PM
What steps might I have missed while installing Intel 537EP modem kit on Mandrake 10. Junior Hacker Mandriva 0 01-15-2005 05:12 PM
Steps before installing Geforce driver? colly Linux - Newbie 1 02-13-2004 01:06 AM
general instalation steps of slackware on raid/raid0 comp_ Slackware - Installation 1 02-07-2004 12:02 PM
Steps installing Tar.gz ody1 Linux - Software 3 12-03-2002 02:40 PM


All times are GMT -5. The time now is 07:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration