LinuxQuestions.org > Linux - Security > making, checking secure linux box
(https://www.linuxquestions.org/questions/linux-security-4/making-checking-secure-linux-box-179580/)

archish 05-09-2004 08:35 AM

making, checking secure linux box
 
I have Slackware 9.1 and the computer is connected to the internet about 10 hrs daily.
Now I want to make it secure from outsiders and also want to check and see if it's secure.
What do I need to make it secure, and are there any online sites that check if the computer is secure when connected to the internet?

chort 05-09-2004 01:11 PM

This is a job for... TADA, the Security forum!!!

You'll get lots of good answers here.

iainr 05-09-2004 01:30 PM

Assuming you are a normal home user:
- Use a firewall and close every port. Ask someone else to run a portscanner such as nmap to check that all ports are closed.
- Run a rootkit checker such as rkhunter (www.rootkit.nl) from crontab to check your system.

Note : there is a lot more that you can do; but if you are a normal home user with no open ports exposed to the internet, you are in a low risk category so you will have to be pretty unlucky to be hacked (some people get unlucky - you need to make up your mind as to how much effort you want to put into protecting yourself).
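An added example (not part of iainr's post) that complements the external nmap scan from the inside: it reads the output of `ss -tuln` and lists only the sockets bound to a non-loopback address, which are the ones an outside port scan can reach. The `ss` column layout and the sample output are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example: list sockets that are listening on a non-loopback address,
# i.e. the ports an external port scan would find open.
# Reads `ss -tuln` output (or a saved copy of it) on standard input.

exposed_listeners() {
    # Assumed columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    awk '
        NR == 1 { next }                      # skip the header line
        $1 != "tcp" && $1 != "udp" { next }   # only TCP/UDP sockets
        {
            addr = $5
            n = split(addr, parts, ":")       # the port is the last field
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # loopback-only binds are not reachable from the internet
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
            printf "%s %s %s\n", $1, host, port
        }'
}

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::1]:631         [::]:*
tcp   LISTEN 0      128    *:80              *:*'

# Run the check over the constructed sample; on a live box use:
#   ss -tuln | exposed_listeners
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}
```

Anything this prints (in the sample: DHCP client on 68/udp, sshd on 22/tcp and a web server on 80/tcp) is either something you want reachable or a service to stop; the loopback-only SMTP and CUPS listeners are not reported because the firewall is not what protects them.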

robkg 05-10-2004 04:08 AM

I would also recommend grsecurity kernel patches, if you have the knowledge to apply patches (as the attacker may drastically need to modify exploit code and shellcode) and compile a kernel. It will make many types of vulnerabilities harder to exploit giving you the advantage of more time to patch the yet unknown vulnerabilities and the chance that the scriptkid will leave..
But first make sure you maintain the patches for the latest known vulnerabilities, use a good firewall configuration and use grsecurity and other extra security like chkrootkit to try and detect when your system still does get compromised.. if you have the knowledge you can also set up another machine as a loghost using software like syslog-ng.
Other things you can do are disable any services that you do not use, and choose secure implementations of services you do use, for example proftpd for ftpd, postfix for smtpd. Also check whether these run as root or not.. they shouldn't.
After that you need to configure these services securely, check if you can further secure these services.
If you have done that you can check if you have any executables setuid to a privileged user or group and check if they need to be setuid.

If you have done that your box will have a very high level of security for a homebox.
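An added example (not from robkg's post) for the last step, the setuid/setgid audit: it lists every setuid or setgid file under a directory tree and flags the ones missing from an allowlist you maintain. The allowlist format (one absolute path per line) and the demonstration directory are assumptions constructed here; run `unexpected_setid / /etc/setid-allowlist.txt` on a real box after you have reviewed and recorded the binaries that legitimately need the bit.

```sh
#!/bin/sh
# Added example: audit setuid/setgid executables against an allowlist.

# Print "mode owner:group path" for every setuid or setgid regular file under $1.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null | awk '{ print $1, $3 ":" $4, $NF }'
}

# Print the setid files under $1 that are not listed in allowlist file $2.
unexpected_setid() {
    list_setid "$1" | while read -r mode owner path; do
        if ! grep -qxF "$path" "$2"; then
            printf '%s %s %s\n' "$mode" "$owner" "$path"
        fi
    done
}

# Self-contained demonstration on a constructed directory tree (no root
# needed: a user may set the setuid bit on files they own). Returns the
# sorted paths of the files the audit flags.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/local/bin"
    : > "$tmp/bin/su";                  chmod 4755 "$tmp/bin/su"                  # setuid, allowlisted
    : > "$tmp/bin/ls";                  chmod 0755 "$tmp/bin/ls"                  # not setid at all
    : > "$tmp/usr/local/bin/unknown_tool"; chmod 4755 "$tmp/usr/local/bin/unknown_tool"  # setuid, not allowlisted
    : > "$tmp/usr/local/bin/wall";      chmod 2755 "$tmp/usr/local/bin/wall"      # setgid, not allowlisted
    printf '%s\n' "$tmp/bin/su" > "$tmp/allowlist.txt"   # constructed allowlist
    unexpected_setid "$tmp" "$tmp/allowlist.txt" | awk '{ print $NF }' | sort
    rm -rf "$tmp"
}
```

Running the audit from cron (the same way iainr suggests for rkhunter) and mailing yourself the output turns a one-off check into a change detector: a new setuid binary appearing where none was expected is one of the more reliable signs that something has been installed behind your back.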

archish 05-10-2004 04:59 AM

How do I block all the ports?
Also I would like to know what I can do to be protected to the maximum.
What is a crontab?

robkg 05-10-2004 05:11 AM

A crontab is the input file for cron, which is a job scheduler, and executes commands periodically, see the crontab(1) manpage... you can edit it with crontab -e .. check the manpage for details.

I will include a sample iptables/netfilter script.. also check netfilter.org

Code:

#!/bin/sh

# Required settings:

# Settings for device on internet side
EXT_IP="XXX.XXX.XXX.XXX"
EXT_IF="eth0"
EXT_BC="XXX.XXX.XXX.255"

# Settings for device on LAN side
INT_IP="10.0.0.1"
INT_IF="eth1"
INT_IR="10.0.0.0/24"

# Settings for lo device
LO_IF="lo"
LO_IP="127.0.0.1"

# Input information
WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt
BLACKREQ=/usr/local/etc/blackreq.txt
TCPACC="21 22 25 80 110 143 443 993 994"
UDPACC=""

# Load modules here when required

# sysctls
echo "1" > /proc/sys/net/ipv4/ip_forward # masq enable
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter # anti-spoof

# Cleanup
iptables -F            # flush all rules in the filter table
iptables -X            # delete the custom chains so the -N calls below work on a re-run
iptables -t nat -F     # flush the nat table as well (the SNAT rule is re-added at the end)

# Start with max. security
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Custom chains
iptables -N mall_tcp # Malicious TCP packets chain
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

# Malicious TCP stuff chain
iptables -A mall_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m state --state NEW -j REJECT --reject-with tcp-reset # Block if no conn
iptables -A mall_tcp -p tcp ! --syn -m state --state NEW -j LOG \
        --log-level INFO --log-prefix "New not syn: " # Log this scriptkid
iptables -A mall_tcp -p tcp ! --syn -m state --state NEW -j DROP # Drop it

# Allow chain
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accepted TCP ports (note: the "allowed" chain is defined but never jumped to below)
for port in $TCPACC; do
        iptables -A allowed -p TCP -s 0/0 --dport $port -j ACCEPT
done
# Deal with the rest
iptables -A allowed -p TCP -j DROP
iptables -A allowed -p UDP -j DROP

# TCP packet chain
for port in $TCPACC; do
        iptables -A tcp_packets -p TCP -s 0/0 --dport $port -j ACCEPT
done

# UDP packet chain
for port in $UDPACC; do
        iptables -A udp_packets -p UDP -s 0/0 --dport $port -j ACCEPT
done

# Drop anything else!
iptables -A allowed -p tcp --syn -j DROP

# Setup the ICMP chain
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Kill malicious packets silently
iptables -A INPUT -p tcp -j mall_tcp

# Special nets
iptables -A INPUT -p ALL -i $INT_IF -s $INT_IR -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IF -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IF -s $INT_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IF -s $EXT_IP -j ACCEPT

# Use custom chains
iptables -A INPUT -p ALL -d $EXT_IP -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
iptables -A INPUT -p TCP -i $EXT_IF -j tcp_packets
iptables -A INPUT -p UDP -i $EXT_IF -j udp_packets
iptables -A INPUT -p ICMP -i $EXT_IF -j icmp_packets

# Stop microsoft snobs on this net // don't log this garbage
iptables -A INPUT -i $EXT_IF -d 224.0.0.0/8 -j DROP

# Log ugly packets
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level INFO --log-prefix "IP: UGLY PACKET killed: "

# Masquerading

# Kill malicious packets
iptables -A FORWARD -p tcp -j mall_tcp
# Forward these
iptables -A FORWARD -i $INT_IF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log ugly packets
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level INFO --log-prefix "FW: UGLY PACKET killed: "

# Output

# Output these
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INT_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT

# Log ugly packets
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level INFO --log-prefix "OP: UGLY PACKET killed: "

# NAT
iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP

That includes forwarding traffic from a local network connected to eth1 and firewalling.
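An added example (not robkg's script) that reduces the ruleset above to what a single-homed host needs: no LAN side, no forwarding, no NAT, just "close every port" on one internet-facing interface. The interface name and port list are parameters, so a dial-up box would pass `ppp0` instead of the `eth0`/`eth1` pair the script above assumes. The rules are printed rather than applied, so they can be read first and then run with `gen_rules ppp0 "22" | sh`; the interface name `ppp0` is an assumption, check yours with `ifconfig`.

```sh
#!/bin/sh
# Added example: generate a minimal single-interface iptables ruleset.
# Usage: gen_rules <external-interface> "<tcp ports to accept>"
#        gen_rules ppp0 ""          -> everything closed
#        gen_rules ppp0 "22 80"     -> only ssh and http reachable

gen_rules() {
    ext_if=$1          # internet-facing interface (e.g. ppp0 on dial-up)
    tcp_allow=$2       # space-separated TCP ports to accept; empty = none

    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ext_if -p tcp ! --syn -m state --state NEW -j DROP
EOF
    # one ACCEPT per published service; with an empty list nothing is opened
    for port in $tcp_allow; do
        echo "iptables -A INPUT -i $ext_if -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -i $ext_if -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IN: dropped: "
EOF
}
```

The OUTPUT policy is ACCEPT here, unlike the DROP in the script above, because a dial-up host gets its address from the provider at connect time and the per-IP OUTPUT rules above would otherwise have to be regenerated on every connection. Rerun the generator from /etc/ppp/ip-up (or whatever your dialer runs after connecting) if you want the rules refreshed each time the link comes up.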

archish 05-10-2004 08:17 AM

I am on dial up, so I need to modify the file, right?

chort 05-11-2004 01:33 AM

Quote:

# Stop microsoft snobs on this net // don't log this garbage
iptables -A INPUT -i $EXT_IF -d 224.0.0.0/8 -j DROP
/boggle. That has nothing to do with Microsoft, that's multicast. *shakes head sadly*. Lots of non-Microsoft things use multicast, and in fact off the top of my head I'm not aware of any Microsoft protocols that do use multicast.

robkg 05-11-2004 02:29 AM

Dunno, it would surprise me as well.. much of that script has been ripped from other places, I don't recall that I thought up this rule myself.
