LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-14-2002, 08:19 PM   #1
php
Member
Registered: Jun 2001
Location: USA
Distribution: Slackware

Simple Security Knowledge 8*) --read


v1.0 - Security

In starting this I want people to realize that this thread is an experiment in things to come. I wanted to start writing simple text files for newbies to read and did. I did one on successfully mounting fat32 drives under linux, and the other was getting sound to work in slackware. Both are written well and very easy to follow. So as I sit here on this boring Wednesday night I figured I would post a few security tips that I hope will be helpful. Feel free to contribute to this thread with any thoughts you may have.

1. The first thing to remember when securing any computer system (including the operating system) is that it will never be completely secure. It's just impossible to have it totally secure unless the power is off. There are though many steps to help one be essentially secure and at least in the secure state of mind.

2. Know the applications that are running on your machine. Particularly the ones that access the internet and are running all the time. Say for example you just installed a new cool linux distribution by the common "full" install. This runs great and you know that everything possible on that cd is installed so this time you might be able to keep just linux on it without windows.. you hope. Well, the truth of the matter is, you probably installed Apache, SendMail, FTP, along with many other processes running and accessing the internet. Out of the package these have problems that need to be patched. The main key is to remove the packages that you don't use. Remove apache if you're not planning on running a web server, sendmail if you don't want a mail server, ftp if you don't want people trying to ftp to your box, etc.

3. Many people ask me about firewalls in linux. They bring up the point that they are used to the ease of use of ZoneAlarm, or Sygate, etc. and ask why there isn't a ZoneAlarm ported to Linux? I always tell them the same thing though. There are plenty of applications available for a *nix system to block certain ports from being accessed, fragmented packets being sent to you, and general breaching of various applications. Of course like anything though, the best are the ones that by default require the most configuring from the user. The first thing I do is direct them to a good text file, particularly on firewalling linux. IPTables is great but if you don't know how to properly configure it then, well, it's not so great.

4. Routinely check the security of your system to your best knowledge. Monitor open ports, check for patches, software updates, etc. Most of the time a simple software update from the maker of the software you use fixes a lot of problems. Don't download email attachments from a person that you don't know / trust.
 
Old 08-15-2002, 12:39 AM   #2
liquidfx
LQ Newbie
Registered: Aug 2002
Location: California, USA
Distribution: Mandrake 8.1, Slackware 8.1
In regards to point no. 3...

I have to agree that there is no better way to do the firewall within linux and to have the greatest control over it than to learn to write an IPtables script for yourself. It gives you the greatest understanding of what is happening and allows the most configuration. With that said...

If you just want a simple firewall setup there are a number of GUI frontends to help you set up the firewall. Two that come to mind are Guarddog and Shorewall. Both do a decent job of getting things set up for you but nothing near what you can do by yourself. Take a look at tucows linux for GUI Front-Ends, and Sourceforge; a search of google could help as well.

Lastly (but definitely not least): EXCELLENT POST
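The "write your own IPtables script" approach that liquidfx and point 3 of the original post recommend, shown as an added example; this is not code from anyone in the thread. It assumes a single box whose internet-facing interface is eth0 and which should accept only inbound SSH; both are placeholders set through the WAN_IF and ALLOW_TCP variables. The script prints the rules instead of running them, so you can read exactly what you are about to apply before piping it into a root shell:

```shell
#!/bin/sh
# Host firewall for a single Linux box plugged straight into the internet:
# drop inbound by default, allow loopback and replies to our own connections,
# discard fragments and malformed TCP, then open only the ports we choose.
# Example code added to this thread (not from any poster). Assumptions for
# illustration: the internet-facing interface is eth0 and only SSH (22/tcp)
# is meant to be reachable; override both with environment variables.
#
# Review first:    sh firewall.sh
# Apply (as root): sh firewall.sh | sh

WAN_IF="${WAN_IF:-eth0}"       # assumed internet-facing interface
ALLOW_TCP="${ALLOW_TCP:-22}"   # assumed: space-separated TCP ports to expose

# gen_rules prints the iptables commands, one per line, in the order they
# must run. Printing rather than executing lets you read and diff the rule
# set before trusting it, which is the point of writing it yourself.
gen_rules() {
    # Start clean, then deny inbound and forwarded traffic by default.
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback must always pass or local daemons (X, CUPS, databases) break.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Packets belonging to connections this host opened itself.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Junk: non-initial fragments, packets connection tracking cannot place,
    # and "new" TCP connections that do not start with a SYN (stealth scans).
    echo "iptables -A INPUT -f -j DROP"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    echo "iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP"

    # Let the box be pinged, but not flooded.
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT"

    # The services we actually mean to expose (see ALLOW_TCP above).
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done

    # Log a sample of what gets dropped, then drop it (the policy would anyway).
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "iptables -A INPUT -j DROP"
}

gen_rules
```

The order matters: the ESTABLISHED,RELATED accept has to come before the "no SYN" drop, or the ACK packets of your own outgoing connections get thrown away. To expose a web server too, run it as ALLOW_TCP="22 80" sh firewall.sh and check that the extra --dport line appears where you expect before applying.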
 
Old 08-15-2002, 06:47 PM   #3
unSpawn
Moderator
Registered: May 2001
2. Ideally the stance would be to install *what you need* and only add stuff when you need it. Problem is many ppl trying out Linux for the first time have no idea what's needed, and with all these dependencies still not being handled well, without much attention to education about administering and securing boxen and without ongoing reminders to scan, check & update, yes that will always be a problem. Newbies usually arrive from a one-user system and aren't aware the (can't find another good word) *responsibility* for properly maintaining a multi-user capable Linux box is somewhat larger than running some Ms update app.

4. I don't think it's in the downloading (unless you're on Wintendo of course) but in the handling. I thought I saw some project somewhere that will have Gnome apps run stuff by determining extension alone. Hmm.

Anyway, I applaud your efforts, post some more. Always good for a discussion.
 
Old 08-15-2002, 08:53 PM   #4
JimKyle
Member
Registered: Dec 2001
Location: Oklahoma City, OK, USA
Distribution: Xubuntu 16.04 LTS
For a first-time firewall installation with even more power than ZoneAlarm, I'd recommend Bastille. It's a standard part of the Mandrake distribution (where I met it) but you can google for it and find versions for other distributions.

If you run its configuration utility you get a quick education about firewall techniques, which is a bonus. After using it for a while, I got bold and did some editing to my IpTables rule file, but it's still based on the rule set that Bastille created for me...
 
Old 08-15-2002, 09:57 PM   #5
php
Member (Original Poster)
Registered: Jun 2001
Location: USA
Distribution: Slackware
Quote:
Originally posted by unSpawn
2. Ideally the stance would be to install *what you need* and only add stuff when you need it. Problem is many ppl trying out Linux for the first time have no idea what's needed, and with all these dependencies still not being handled well, without much attention to education about administering and securing boxen and without ongoing reminders to scan, check & update, yes that will always be a problem. Newbies usually arrive from a one-user system and aren't aware the (can't find another good word) *responsibility* for properly maintaining a multi-user capable Linux box is somewhat larger than running some Ms update app.
Yes, this is definitely the best place to start. Is there a resource list on the internet for newbies describing what packages do / are used for? At least the main packages that access the internet?
 
Old 08-19-2002, 02:04 PM   #6
peter_robb
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
This 'resource' brings to mind a comment I saw in Linux Journal magazine during a review of Webmin...

"it is not for absolute beginners. If you don't know what an A record for DNS is, then Webmin will not help you. ... can be a great tool - just don't expect it to summarise the O'Reilly book on BIND for you."

There is SO much a newbie needs to learn about what they are sitting on before they can be considered "secure" (a polite way of not saying dangerous to the web).

I think the LDP is a great start, VERY big, VERY practical, but where do you start?
The best way to eat an elephant is one mouthful at a time...
Is there a BEST starting place...?
Or do we recreate this as well?
1st time I loaded MDaemon into a Win98 machine, I got a serious shock.
A serious programme asking serious config questions...

So maybe a start would be to teach/explain PROCESSES 1st, (email, http, ftp, ppp, etc)
the programmes next
then operating system etc.

My penny's worth.
Peter
 
Old 08-19-2002, 06:47 PM   #7
Malicious
Member
Registered: Jan 2002
Location: Galveston Island
Distribution: suse, redhat
There are a lot of faces to system security and a lot to learn in the field, but if you have a system up and running and you are curious about your vulnerability, and want to learn something at the same time, here is a suggestion.

There are several websites that do security scans of the IP address of the browser that is connected. You can browse these sites and they will determine your IP address and display a page that will show your open ports. If a port is open and accepting connections, you are vulnerable to some extent, depending on the program using that port. The port scanners at the URLs below are free. These scanners use the same techniques that the black hats use to detect vulnerable systems but they don't attack.

http://grc.com and go to the "ShieldsUP" page and follow the directions. This site is really geared to Windows users, but will expose vulnerabilities if you are running Samba as well as check common internet ports (ftp, telnet, etc.).

http://www.sygatetech.com and follow the directions. They have several different scans that take varying amounts of time. This place makes a good firewall product for Windows, but the port scans are definitely thorough.

Once you have found some open ports, find out what they are by looking in the /etc/services file or go to http://www.iana.org/numbers.html and look under P for port numbers. This is the official list of assigned port numbers which your /etc/services should mirror.

Once you know an open port and the application behind it, decide if you really want this app to be "online" and if not, shut it down. If you do want it to run, look for the type of attacks that have been exploited on this application (hint - google:"port xx vulnerability").

Check your distribution and do updates for the application if necessary.

Check out http://www.linuxguruz.org/iptables for a script that will fit your environment for a firewall.

As you close and protect ports, go back to the port scanners and check your results.

If you get this far, and have closed down unneeded ports and put up-to-date applications behind the open ports, you have a good chance of not being a victim by malicious (oops, that's me) black hats.

I do this stuff for a living and the steps I have described are where I spend 75% of my time (except that I do use my own scanners) and I learn at least one new trick every time.

Anyway, hope this helps someone...
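The procedure Malicious lays out above (find the listening ports, name them from /etc/services, then decide whether each one should really be online), which is also what point 2 of the original post asks you to do, as an added example that is not code from any poster in the thread. It runs on constructed sample data: a short excerpt in /etc/services format and a netstat -ltun listing, both embedded so it works offline; on a real system substitute the live output as the comments note. The allowlist (only 22/tcp) and the stray listener on 4444/tcp are assumptions for illustration:

```shell
#!/bin/sh
# Audit which daemons are listening on a box, name them from /etc/services,
# and flag anything not on an allowlist. Example code added to this thread
# (not from any poster). It runs on constructed sample data so it can be
# tried offline; on a live system replace the two samples as noted.

# Constructed excerpt of /etc/services (format: name port/proto [aliases]).
# Live system: SERVICES=$(cat /etc/services)
SERVICES='ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www
sunrpc          111/tcp         portmapper
sunrpc          111/udp         portmapper
ipp             631/tcp'

# Constructed "netstat -ltun" output (4444/tcp is a made-up stray daemon).
# Live system: LISTENERS=$(netstat -ltun)   or, on newer boxes, ss -ltun
# (ss prints its columns in a different order; adjust the awk field below).
LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Ports this box is *supposed* to expose (assumption: a workstation that only
# needs inbound SSH). Everything else bound to a real interface gets flagged.
ALLOW="22/tcp"

# port_name PORT PROTO -> service name from /etc/services, or "unknown".
# "unknown" is itself a finding: nothing official claims that port.
port_name() {
    printf '%s\n' "$SERVICES" | awk -v want="$1/$2" '
        $1 !~ /^#/ && $2 == want { print $1; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# audit_listeners -> one line per listening socket:  PORT/PROTO NAME BIND VERDICT
# VERDICT: ALLOWED (on the allowlist), LOCAL (bound to loopback only, so not
# reachable from the network), or REVIEW (exposed and not on the list).
audit_listeners() {
    printf '%s\n' "$LISTENERS" |
    awk '$1 ~ /^(tcp|udp)6?$/ { print $1, $4 }' |
    while read -r proto laddr; do
        proto=${proto%6}        # tcp6 -> tcp for the services lookup
        addr=${laddr%:*}        # everything before the last colon
        port=${laddr##*:}       # everything after it
        name=$(port_name "$port" "$proto")
        if [ "$addr" = "127.0.0.1" ] || [ "$addr" = "::1" ]; then
            verdict=LOCAL
        else
            case " $ALLOW " in
                *" $port/$proto "*) verdict=ALLOWED ;;
                *)                  verdict=REVIEW ;;
            esac
        fi
        printf '%s/%s %s %s %s\n' "$port" "$proto" "$name" "$addr" "$verdict"
    done
}

audit_listeners
```

On the sample data this reports 22/tcp as ALLOWED, 631/tcp (CUPS on loopback) as LOCAL, and flags smtp, ftp, sunrpc and the unnamed 4444/tcp for REVIEW. Each REVIEW line is a decision to make, not an automatic shutdown: either the daemon goes (uninstall the package, as point 2 says) or it stays and you patch it and add its port to ALLOW. Re-run after each change and compare against the external scanners Malicious lists, which see the box the way an attacker does.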
 
Old 08-19-2002, 07:05 PM   #8
Malicious
Member
Registered: Jan 2002
Location: Galveston Island
Distribution: suse, redhat
One other site that is interesting, more for privacy than security is http://privacy.net. Go here and see just how much info about you and your system is being sent up the pipe by your browser. I think you will be surprised.

Check the info at the top of the page and do the "full analysis". It takes a while, so be patient.

While you are at this site or the others I listed, take some time and read a bit. :-)
 
Old 08-20-2002, 04:06 AM   #9
unSpawn
Moderator
Registered: May 2001
Quote:
Originally posted by Malicious
If you get this far, and have closed down unneeded ports and put up-to-date applications behind the open ports, you have a good chance of not being a victim by malicious (oops, that's me) black hats.
Oops. Forgot to check the *real* risk for malicious intent/activity.
Even tho closing ports is a good thing, it isn't what you should focus on solely. Stepping up security by securing the system itself and networked daemons is better. Why? For the simple reason the vulnerabilities to exploit *don't exist* in the firewall (heh, usually), but in the system and daemons running behind it. Also something like a configuration error could leave services unprotected, and when that happens and you didn't secure them, well...
If you think this ain't gonna happen, try thinking of Murphy some more.

Quote:
Originally posted by Malicious
I do this stuff for a living and the steps I have described are where I spend 75% of my time (except that I do use my own scanners) and I learn at least one new trick every time.
If you use your GPLed/own scanners, why not recommend those vulnerability/port scanners to the ppl? If your own stuff is GPLed, posting some URIs would be appreciated.

*IMNSHO advertising your side of the force doesn't matter in this forum, it's skill that matters.
 
Old 08-20-2002, 10:45 AM   #10
Malicious
Member
Registered: Jan 2002
Location: Galveston Island
Distribution: suse, redhat
Quote:
Originally posted by unSpawn
Even tho closing ports is a good thing, it isn't what you should focus on solely. Stepping up security by securing the system itself and networked daemons is better. Why? For the simple reason the vulnerabilities to exploit *don't exist* in the firewall (heh, usually), but in the system and daemons running behind it. Also something like a configuration error could leave services unprotected, and when that happens and you didn't secure them, well...
If you think this ain't gonna happen, try thinking of Murphy some more.
Too true. I guess my post did kind of stop at closing ports and did not put much emphasis on the system and applications behind the ports. Without really making it clear, I was also looking at a single system connected to the internet as opposed to system(s) behind a separate firewall.

Like you say, the system and the daemons are critical in terms of security and closing ports that don't need to be open is really just a first step, no matter what.

Regardless of the end result of an attack (virus, trojan, etc.), the first target is root access. Open ports that only have password protection and offer up a shell prompt used to be prime targets, but it seems that scripted attacks on application buffer overflows have become the vogue these days. Amateur tactics, if you ask me. But, I digress...

When I said I use "my own scanners", I should have said that I use "scanners on my system" as opposed to the websites that I listed. I do use GPL or OS scanners because that solution works best for me. I have modified them in the past, but recently I use them out of the box (compiled from source). The workhorse scanner is nmap with a toolbox of shell, awk, grep, and sed scripts with a couple of lex/yacc parsers thrown in for good measure.

The system that I use for scanning is an old WinBook XL (PII/233/64mb) with a mishmash of stuff that started out as SuSE 7.1. This system is secured from network attack by having no open ports. Until I know about some vulnerability in the scanner, I feel pretty safe, network wise. Since the laptop is sometimes left unattended while the scans are running, I have tried to secure it to the point that it is useless to anyone but me, even if it is stolen, within reason. BIOS password on power-up, GRUB password on boot, one user (not root) with a strong password that I change frequently, and even some security through obscurity. Even all this has vulnerabilities, but hopefully the effort required to break in will be enough to discourage 98% of the people that want to. It is mostly a conversation piece anyway since there is no valuable data on the system except my scripts, and that value is questionable.

What tools do I use? Keep in mind that I do scans from a system that doesn't run X and everything runs from a console. For a good list and description of available tools, see http://www.insecure.org/tools.html. Site lists both commercial and OS tools, including scanners and sniffers.

For port scans, I use nmap exclusively. Find it at http://www.insecure.org/nmap. It has both command line and GUI. Lots of options, lots of flexibility. I use all sorts of scripts to analyse the output and summarize vulnerabilities of the systems being scanned. By the way, as a point of ethics, I never scan a system that I am not being paid to scan and have written permission from the owner or a company executive.

I also do system checks for trojans or rootkits. Mostly I use "chkrootkit" from http://www.chkrootkit.org. This package checks a system for tracks left by several different rootkits. I'm not sure it finds all, but it does cover the most common rootkits.

For intrusion detection, I use snort because it has real-time alerts. Find at http://www.snort.org. I also use ethereal http://www.ethereal.com if I am on a machine that has X running.

I make no claim that these are the best tools or that you should use them. They do the job for me because I know how to use them. However, that does not keep me from experimenting with other tools and making a change at some point. YMMV. At any rate, this is just the way I do things.

One other toolkit that I play with is the deception toolkit (DTK) from http://all.net/dtk. This little gem is a set of programs and scripts that can deceive an attacker about the OS and applications running on the system. The fake applications provided show the attacker a phony signature for the application or OS. There may be a real use for this somewhere, but it is also a good place to learn how things work.
 
Old 08-20-2002, 02:56 PM   #11
php
Member (Original Poster)
Registered: Jun 2001
Location: USA
Distribution: Slackware
Those programs are a good start malicious
 
Old 08-22-2002, 07:49 PM   #12
php
Member (Original Poster)
Registered: Jun 2001
Location: USA
Distribution: Slackware
v2.0 should be out soon
 
Old 08-22-2002, 10:48 PM   #13
neo77777
LQ Addict
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
v2.0 of what?
[edit] Nevermind, I hadn't noticed the version you put on your document. [/edit]

Last edited by neo77777; 08-22-2002 at 10:50 PM.
 
  

