I installed FC-6 and set up firestarter for a firewall. I was wondering, is there a program that will harden FC-6? I had a RH7.3 OS hardened by Bastille and no one ever cracked it! I tried Bastille on FC-6; it let me install it, then when I tried to configure it, it said FC-6 was not supported ... any help here?
FC6 ships with SELinux, if that's the kind of thing you are after.
I'm no expert on this kind of thing, but one of the first things you should also do is to disable unused services from starting up.
I'm not in front of an FC6 box at the moment, but if you navigate to the System menu, you will find a service manager. There are actually quite a few things you can disable (if you don't need them), like Avahi, Bluetooth, RCP, NFS, Samba, and a couple of others.
The SELinux suggestion is definitely one to give lots of consideration to if you're looking to harden the installation. Or when you said you "did that" did you mean you already have SELinux going? I think the fact Fedora comes with SELinux out-of-the-box is a great advantage to Fedora users. I remember reading somewhere that the newest Fedora version tries to make SELinux a lot more friendly than it has been in previous versions. Anyhow, another project you might wanna check out is grsecurity, but I'm not sure if you're into the whole kernel patch/recompile thing or not. What kinda security measures do you have on the box currently? Is it just the Firestarter?
Originally Posted by tied2
I was looking for some way to set it so you cannot log in as root ... you can only su
Even better yet, why not set up sudo? You can then, for example, set which user(s) can execute commands as root (via sudo) by simply adding them to the admin group. No one will be able to log in as root if you have root's password field in /etc/shadow replaced with an exclamation mark. From man shadow on my Ubuntu 7.04 box:
If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7).
This is what my root account line looks like in my /etc/shadow:
This is what my /etc/sudoers looks like:
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
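The two settings described in the post above can be checked with a short script. This is an added example, not part of the original thread: the function names `password_state` and `full_root_groups` are hypothetical, the shadow and sudoers samples are constructed, and the sudoers matching is deliberately simplified.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# password_state FILE USER: classify a shadow(5) password field.
password_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"   # no password needed at all
            else if ($2 ~ /^[!*]/) print "locked"  # cannot be a crypt(3) result
            else                   print "set"     # a hash is present
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# full_root_groups FILE: list %groups granted "ALL=(ALL) ALL".
# Simplified: ignores aliases, tags such as NOPASSWD and included files.
full_root_groups() {
    awk '$1 ~ /^%/ && $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $3 == "ALL" && NF == 3 {
        print substr($1, 2)
    }' "$1"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Constructed shadow entries; the hash is a placeholder, not a real one.
cat > "$demo/shadow" <<'EOF'
root:!:13650:0:99999:7:::
alice:$1$constructed$placeholderhashvalue00:13650:0:99999:7:::
guest::13650:0:99999:7:::
EOF

# Constructed sudoers sample; the %backup line is an assumed extra rule.
cat > "$demo/sudoers" <<'EOF'
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%backup ALL=(ALL) /usr/bin/rsync
EOF

for user in root alice guest; do
    printf '%s: %s\n' "$user" "$(password_state "$demo/shadow" "$user")"
done
printf 'full-root groups: %s\n' "$(full_root_groups "$demo/sudoers")"
```

An "empty" result is the one to look for first, since that account needs no password at all, and reading the real /etc/shadow requires root.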
I looked through the package Mgr. I see SELinux, what file is it that I need??? There's like 5 of them... Is SELinux an add-on like Bastille? Recompiling a kernel is over my head. Editing files ... I have done it but mostly I screw it up lol. It's been like 4 years since I had a Linux box lol so I'm rusty!! Yes, I shut down all the things I didn't need in run level 5 and installed firestarter... I've been trying to update packages, there are like 238 updates and it locks up ... some error, sqlcashe needs updated... I have a post in the Fedora forum but no answers on that. Is there an rpm I can download and just install it the old-fashioned way? rpm -ivh ?
You really should read up on SELinux before you attempt to use it. It's no cakewalk from what I understand. I can't really help you with it, as I have no experience with it at all, but of course someone else can. I would strongly recommend upgrading to the latest version of Fedora (7 at the time of this post) if possible if you do decide to go with SELinux right now.
That said, I honestly think you should start out with setting up sudo (which is super simple) and other minor security enhancements (such as a file integrity checker, for example) before embarking on something as major as SELinux, wouldn't you agree?
Of course, if my understanding (or possible delusion) about the Fedora Project's attempt of making SELinux unbelievably simple in version 7 is correct, then perhaps you can have a working SELinux setup in no time (or possibly even out-of-the-box) simply by upgrading.