LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-09-2004, 08:35 AM   #1
archish
Member
 
Registered: Apr 2003
Location: India
Distribution: Slackware 9.1
Posts: 94

Rep: Reputation: 15
making, checking secure linux box


I am having slackware 9.1 and the computer is connected about 10hrs to internet daily.
Now I want to make it secure from outsiders and also want to check and see if its secure.
What do I need to make it secure and are there any online sites that check if the computer is secure when connected to internet?
 
Old 05-09-2004, 01:11 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
This is a job for... TADA, the Security forum!!!

You'll get lots of good answers here.
 
Old 05-09-2004, 01:30 PM   #3
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Assuming you are a normal home user:
- Use a firewall and close every port. Ask someone else to run a portscanner such as nmap to check that all ports are closed.
- Run a rootkit checker such as rkhunter (www.rootkit.nl) from crontab to check your system.

Note: there is a lot more that you can do; but if you are a normal home user with no open ports exposed to the internet, you are in a low risk category, so you will have to be pretty unlucky to be hacked (some people get unlucky - you need to make up your mind as to how much effort you want to put into protecting yourself).
 
Old 05-10-2004, 04:08 AM   #4
robkg
LQ Newbie
 
Registered: May 2004
Posts: 18

Rep: Reputation: 0
I would also recommend grsecurity kernel patches, if you have the knowledge to apply patches (as the attacker may drastically need to modify exploit code and shellcode) and compile a kernel. It will make many types of vulnerabilities harder to exploit, giving you the advantage of more time to patch the yet unknown vulnerabilities and the chance that the scriptkid will leave.
But first make sure you maintain the patches for the latest known vulnerabilities, use a good firewall configuration and use grsecurity and other extra security like chkrootkit to try and detect when your system still does get compromised. If you have the knowledge you can also set up another machine as a loghost using software like syslog-ng.
Other things you can do are disable any services that you do not use, and choose secure implementations of services you do use, for example proftpd for ftpd, postfix for smtpd. Also check whether these run as root or not; they shouldn't.
After that you need to configure these services securely, and check if you can further secure these services.
If you have done that you can check if you have any executables setuid to a privileged user or group and check if they need to be setuid.

If you have done that your box will have a very high level of security for a home box.
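An added example of the setuid audit and the cron-driven check described above (this is not code from the thread): snapshot the setuid/setgid files once while the box is known good, then re-run the comparison from crontab and act on any change. It assumes GNU find and stat, and takes the directory to scan as an argument; on a real system you would run it against / as root.

```shell
#!/bin/sh
# Added example (not from the thread): record which files carry the setuid or
# setgid bit and, later (e.g. from crontab), report anything that appeared or
# vanished. Directory and baseline file are passed in as arguments.

# list_setuid DIR: one line per setuid/setgid regular file under DIR, as
# "mode owner group path", sorted so two runs can be compared with diff.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} \; 2>/dev/null | sort
}

# save_baseline DIR FILE: snapshot taken when the box is known to be clean.
save_baseline() {
    list_setuid "$1" > "$2"
}

# check_setuid DIR FILE: print "+ mode owner group path" for privileged files
# that are new since the baseline and "- ..." for ones that disappeared;
# print nothing when the set is unchanged. Suitable as a crontab job whose
# output gets mailed to root.
check_setuid() {
    list_setuid "$1" | diff "$2" - | sed -n 's/^< /- /p; s/^> /+ /p'
}

# Typical use (as root):
#   save_baseline / /var/lib/setuid.baseline        # once, on a clean box
#   check_setuid / /var/lib/setuid.baseline         # daily from crontab
```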
 
Old 05-10-2004, 04:59 AM   #5
archish
Member
 
Registered: Apr 2003
Location: India
Distribution: Slackware 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
How do I block all the ports?
Also I would like to know what I can do to be protected to the maximum.
What is a crontab?
 
Old 05-10-2004, 05:11 AM   #6
robkg
LQ Newbie
 
Registered: May 2004
Posts: 18

Rep: Reputation: 0
A crontab is the input file for cron, which is a job scheduler that executes commands periodically; see the crontab(1) manpage. You can edit it with crontab -e; check the manpage for details.

I will include a sample iptables/netfilter script.. also check netfilter.org

Code:
#!/bin/sh

# Required settings:

# Settings for device on internet side
EXT_IP="XXX.XXX.XXX.XXX"
EXT_IF="eth0"
EXT_BC="XXX.XXX.XXX.255"

# Settings for device on LAN side
INT_IP="10.0.0.1"
INT_IF="eth1"
INT_IR="10.0.0.0/24"

# Settings for lo device
LO_IF="lo"
LO_IP="127.0.0.1"

# Input information
WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt
BLACKREQ=/usr/local/etc/blackreq.txt
TCPACC="21 22 25 80 110 143 443 993 994"
UDPACC=""

# Load modules here when required

# sysctls
echo "1" > /proc/sys/net/ipv4/ip_forward # masq enable
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter # anti-spoof

# Cleanup: flush filter and nat tables and delete old custom chains,
# otherwise re-running the script fails with "Chain already exists"
iptables -F
iptables -t nat -F
iptables -X

# Start with max. security
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Custom chains
iptables -N mall_tcp # Malicious TCP packets chain
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

# Malicious TCP stuff chain
iptables -A mall_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK \
         -m state --state NEW -j REJECT --reject-with tcp-reset # Block if no conn
iptables -A mall_tcp -p tcp ! --syn -m state --state NEW -j LOG \
         --log-level INFO --log-prefix "New not syn: " # Log this scriptkid
iptables -A mall_tcp -p tcp ! --syn -m state --state NEW -j DROP # Drop it

# TCP packet chain: accept the listed ports, anything else returns to INPUT
for port in $TCPACC; do
        iptables -A tcp_packets -p TCP -s 0/0 --dport $port -j ACCEPT
done

# UDP packet chain
for port in $UDPACC; do
        iptables -A udp_packets -p UDP -s 0/0 --dport $port -j ACCEPT
done

# Setup the ICMP chain (echo request and time exceeded only)
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Kill malicious packets silently
iptables -A INPUT -p tcp -j mall_tcp

# Special nets
iptables -A INPUT -p ALL -i $INT_IF -s $INT_IR -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IF -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IF -s $INT_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IF -s $EXT_IP -j ACCEPT

# Use custom chains
iptables -A INPUT -p ALL -d $EXT_IP -m state --state ESTABLISHED,RELATED \
         -j ACCEPT
iptables -A INPUT -p TCP -i $EXT_IF -j tcp_packets
iptables -A INPUT -p UDP -i $EXT_IF -j udp_packets
iptables -A INPUT -p ICMP -i $EXT_IF -j icmp_packets

# Stop microsoft snobs on this net // don't log this garbage
iptables -A INPUT -i $EXT_IF -d 224.0.0.0/8 -j DROP

# Log ugly packets (rate limited); the DROP policy discards them afterwards
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
         --log-level INFO --log-prefix "IP: UGLY PACKET killed: "

# Masquerading

# Kill malicious packets
iptables -A FORWARD -p tcp -j mall_tcp
# Forward these
iptables -A FORWARD -i $INT_IF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log ugly packets
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
         --log-level INFO --log-prefix "FW: UGLY PACKET killed: "

# Output

# Output these
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INT_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT

# Log ugly packets
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
         --log-level INFO --log-prefix "OP: UGLY PACKET killed: "

# NAT
iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
That includes forwarding traffic from a local network connected to eth1 and firewalling.
 
Old 05-10-2004, 08:17 AM   #7
archish
Member
 
Registered: Apr 2003
Location: India
Distribution: Slackware 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
I am on dial-up, so I need to modify the file, right?
 
Old 05-11-2004, 01:33 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
# Stop microsoft snobs on this net // don't log this garbage
iptables -A INPUT -i $EXT_IF -d 224.0.0.0/8 -j DROP
/boggle that has nothing to do with Microsoft, that's multicast. *shakes head sadly*. Lots of non-Microsoft things use multicast, and in fact off the top of my head I'm not aware of any Microsoft protocols that do use multicast.
 
Old 05-11-2004, 02:29 AM   #9
robkg
LQ Newbie
 
Registered: May 2004
Posts: 18

Rep: Reputation: 0
Dunno, it would surprise me as well. Much of that script has been ripped from other places; I don't recall that I thought up this rule myself.
 