LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-25-2007, 07:24 PM   #1
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Rep: Reputation: 30
Hardening FC-6


I installed FC-6 and setup firestarter for a firewall. I was wondering is there a program that will harden FC-6? I had a RH7.3 OS hardened by Bastille and no one ever cracked it! I tried Bastille on FC-6 it let me install it then when I tried to configure it ..it said FC-6 was not supported ... any help here?
 
Old 06-25-2007, 08:00 PM   #2
easuter
Member
 
Registered: Dec 2005
Location: Portugal
Distribution: Slackware64 13.0, Slackware64 13.1
Posts: 538

Rep: Reputation: 62
FC6 ships with SELinux, if thats the kind of thing you are after.

I'm no expert on this kind of thing, but one of the first things you should also do is to disable unused services from starting up.
I'm not in front of an FC6 box at the moment, but if you navigate to the System menu, you will find a service manager. There are actually quite a few things you can disable (if you don't need them), like Avahi, Bluetooth, RCP, NFS, Samba, and a couple of others.
 
Old 06-25-2007, 08:36 PM   #3
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
I did that....thanks I was looking to someway to set it so you can not login as root ...you can only su
 
Old 06-25-2007, 09:00 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
The SELinux suggestion is definitely one to give lots of consideration to if you're looking to harden the installation. Or when you said you "did that" did you mean you already have SELinux going? I think the fact Fedora comes with SELinux out-of-the-box is a great advantage to Fedora users. I remember reading somewhere that the newest Fedora version tries to make SELinux a lot more friendly than it has been in previous versions. Anyhow, another project you might wanna check-out is grsecurity, but I'm not sure if you're into the whole kernel patch/recompile thing or not. What kinda security measures do you have on the box currently? Is it just the Firestarter?

Quote:
Originally Posted by tied2
I was looking to someway to set it so you can not login as root ...you can only su
Even better yet, why not setup sudo? You can then, for example, set which user(s) can execute commands as root (via sudo) by simply adding them to the admin group. No one will be able to login as root if you have root's password field in /etc/shadow replaced with an exclamation mark. From man shadow on my Ubuntu 7.04 box:
Quote:
If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7).
This is what my root account line looks like in my /etc/shadow:
Code:
root:!:13626:0:99999:7:::
This is what my /etc/sudoers looks like:
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults

Defaults        !lecture,tty_tickets,!fqdn

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
Just my

Last edited by win32sux; 06-25-2007 at 09:16 PM.
 
Old 06-25-2007, 10:12 PM   #5
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
I looked through the package Mgr. I see SElinux what file is it that I need??? there's like 5 of them... is SElinux a add on like Bastille? recompileing a kernal is over my head. editing file ... I have done it but mostly I screw it up lol it's been like 4 years since I had a linux box lol so I'm rusty!! yes I shut down all the thinks I didn't need in run level 5 and installed firestarter... I been tring to upate packages there like 238 updates and it locks up ... some error sqlcashe needs updated... I have a post in the Fedors forum but no answers on that. it ther a rpm I can download and just install it the old fassion way? rpm -ivh ?
 
Old 06-25-2007, 10:32 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
You really should read-up on SELinux before you attempt to use it. It's no cakewalk from what I understand. I can't really help you with it, as I have no experience with it at all, but of course someone else can. I would strongly recommend upgrading to the latest version of Fedora (7 at the time of this post) if possible if you do decide to go with SELinux right now.

That said, I honestly think you should start out with setting-up sudo (which is super simple) and other minor security enhancements (such as a file integrity checker, for example) before embarking on something as major as SELinux, wouldn't you agree?

Of course, if my understanding (or possible delusion) about the Fedora Project's attempt of making SELinux unbelievably simple in version 7 is correct, then perhaps you can have a working SELinux setup in no time (or possibly even out-of-the-box) simply by upgrading.

Last edited by win32sux; 06-25-2007 at 10:36 PM.
 
Old 06-25-2007, 10:48 PM   #7
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
Is tripwire still the way to go for a file checker?
 
Old 06-26-2007, 09:07 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by tied2
Is tripwire still the way to go for a file checker?
Yeah, pretty much. Lots of people like AIDE also.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
hardening Fedora GraemeK Linux - Security 2 05-17-2005 08:38 AM
Hardening Apache XaViaR Linux - Security 2 05-14-2005 06:25 PM
I need some ideas for hardening Bill Johns Linux - Security 2 05-01-2005 03:11 PM
Hardening Slackware AhYup Slackware 8 03-07-2005 06:35 PM
Hardening RH 9 velan Red Hat 4 06-16-2004 07:40 AM


All times are GMT -5. The time now is 10:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration