LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-26-2003, 07:40 AM   #1
Artimus
Member
 
Registered: Feb 2003
Location: Wisconsin
Distribution: Slackware
Posts: 188

Rep: Reputation: 30
What else can I do to improve my System's Security?


NOTE: I'm running Slackware 8.1 if it makes anything different

I've already implemented a pretty good IPTables firewall. I was wondering if there was anything else I could do to improve my security. I refuse to use that one hardening script that requires me to switch to System V init scripts (I think the program started with a B). Anything else I could do?
 
Old 03-26-2003, 12:24 PM   #2
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Ubuntu, Debian, SuSE, UnSlung, Android
Posts: 1,819

Rep: Reputation: 46
Shut down and/or uninstall any services you don't need/use. The fewer services you run, the fewer vulnerabilities will exist on your system. Make sure the services you do need have the latest bug/exploit fixes installed. That's about all I can think of. Watch your logs carefully.
 
Old 03-26-2003, 12:44 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,319
Blog Entries: 54

Rep: Reputation: 2860
I guess reading the first thread in this forum is out of the question?
 
Old 03-28-2003, 05:04 AM   #4
Paul Johnson
LQ Newbie
 
Registered: Mar 2003
Location: Chelmsford, Essex, UK.
Distribution: Red Hat
Posts: 15

Rep: Reputation: 0
First, some basic security principles:

Security is not a simple issue. You have to start with the question "What am I protecting against?". Answers could include internal users (who may have physical access to your system), external users (e.g. legitimate logins from the net), script kiddies, physical break-ins, social engineering, disaffected employees/family, electronic eavesdropping (aka Tempest) and email snooping. Plus anything else you might think of based on your own situation.

Once you are 0wn3d, what is an intruder going to want to do? Steal your secrets for business or blackmail? Wipe your hard drive? Or just use you as a zombie for DDOS on someone else?

If you are on any kind of company network then you need to co-ordinate your work with your company security people.

Security is also a multi-layer thing. Don't look for a Maginot Line; look for defence in depth. Having a firewall will stop the basic attacks, but some attacks can get through it, or come from behind it anyway. A chain is only as strong as its weakest link. It is futile to reinforce an already strong link if another link is held together by chewing gum.

Security is an on-going mix of people and process as well as technology. Make sure people know what to do (e.g. non-trivial passwords). Regularly check your logs for suspicious activity.

There is no 100% guarantee. What you need to do is trade off risk of intrusion, cost of security measures and the impact an intrusion will have.

Now on to the practical suggestions:

For home or small business use your main concerns are script kiddies, viruses and worms, trojan web pages, and possibly telecom security for remote links.

* A good firewall will generally keep out the script kiddies.

* Keep up to date with security fixes for your distribution, so that anything that gets through your firewall won't be able to exploit anything inside.

* If you do remote logins then make sure you use a secure protocol. SSH and secure web pages are good. Telnet and plain FTP are bad. Remember that when you log in from any remote device you have to trust that device to not steal your password or execute other instructions using your session.

* Run Tripwire to detect if anyone or anything changes any important system binaries. This requires extra on-going work to keep the Tripwire database up to date when you update system binaries. The default configuration of tripwire is very noisy, so you will need to spend time deleting parts of the default configuration that don't apply to you.

* Consider installing Snort to detect suspicious activity. Putting Snort on the outside of your firewall is futile unless you are really interested in every script kiddy attack and worm probe (although trend statistics from this information can be useful). Better to put it inside your firewall and configure it to watch for protocols and usage patterns that you know will not occur. For example if you never use SNMP then any SNMP traffic is a good clue that someone is sniffing around your network. Similarly incoming HTTP requests from the firewall if the firewall is set to reject incoming HTTP. And so on. But that is a lot of work, and only worthwhile if you are protecting a valuable resource.

* Turn off unnecessary services. If you run services (e.g. web server, NTP server, X font server) on your machine then make sure each one has its own account to run under. Never run a service as root unless it really needs root permissions. If you want to take this a step further then consider running these services in a chroot jail or even under a User Mode Linux virtual machine. These steps ensure that a single compromised service cannot spread contagion to the rest of your computer. User Mode Linux is the strongest option here, but is rather resource heavy.

* Review your web browser security settings, especially for active content.

* Review your process for downloading and installing updates. Check MD5 checksums. If your distribution does signed updates then use them.

* Check your email settings for attachments. If necessary set up a "sandbox" account for opening untrusted attachments.

Hope this helps.

Paul.
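The "check MD5 checksums" step from the list above, as an added example (not code from the thread or from any distribution's own tools): a small verifier that refuses to accept a package unless the published checksum file lists that exact file name and the hash matches. The package and checksum file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded update against the
# checksum file published with it before installing. Package and checksum
# file names below are constructed for the demonstration.

# verify_update PACKAGE CHECKSUMFILE : 0 only if CHECKSUMFILE lists PACKAGE
# and the MD5 matches; any other condition is a refusal, not a warning.
verify_update() {
    pkg="$1"; sums="$2"
    [ -f "$pkg" ]  || { echo "refusing: package $pkg not found" >&2; return 1; }
    [ -f "$sums" ] || { echo "refusing: checksum file $sums not found" >&2; return 1; }
    name=$(basename "$pkg")
    # md5sum lists "hash  file" (or "hash *file" for binary mode); take only
    # the entry for this exact file name, never the first line that happens to be there.
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "refusing: no checksum listed for $name" >&2; return 1; }
    actual=$(md5sum "$pkg" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches published MD5"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# demo_update_check : a clean package passes, a modified copy is rejected
demo_update_check() {
    dir=$(mktemp -d)
    pkg="$dir/example-pkg-1.0-i386-1.tgz"        # constructed name, not a real package
    printf 'pretend this is a package\n' > "$pkg"
    ( cd "$dir" && md5sum "$(basename "$pkg")" > CHECKSUMS.md5 )
    verify_update "$pkg" "$dir/CHECKSUMS.md5" || return 1
    printf 'extra bytes\n' >> "$pkg"               # simulate a corrupted or altered download
    if verify_update "$pkg" "$dir/CHECKSUMS.md5" 2>/dev/null; then
        return 1                                    # the alteration went unnoticed
    fi
    rm -rf "$dir"
}

demo_update_check && echo "demo: clean package accepted, altered package rejected"
```

A checksum file fetched from the same mirror as the package only shows the download was not corrupted in transit; if someone can alter the package on that mirror they can alter the checksum file too. A signature verified against a key obtained separately (the "signed updates" the post mentions) is what proves origin, and where a distribution publishes SHA-256 sums those should be preferred over MD5, which is no longer collision-resistant.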
 
Old 03-28-2003, 07:48 PM   #5
Artimus
Member
 
Registered: Feb 2003
Location: Wisconsin
Distribution: Slackware
Posts: 188

Original Poster
Rep: Reputation: 30
This is for a small webserver/home computer. I'm not worried about people gaining physical access to it. More along the line of script kiddies. I'm a bit paranoid I know. I don't have to worry about opening anything (I don't run attachments, not that the majority affect Linux anyway).

Thanks for reminding me about security updates. I need to do that yet. Tripwire & Snort seem a little far. The only server that I allow internet access to is Apache.
 
Old 04-09-2003, 07:55 PM   #6
tyler_durden
Member
 
Registered: May 2001
Posts: 125

Rep: Reputation: 15
Also, you may want to install a log watching utility to check for any strange log activity; they tend to just email you a daily report on the log files. You should also check them manually, since a hacker can always kill the log watch daemon.

I also would recommend running a program like chkrootkit on a cron job; it will also help in detecting hackers. Have the output emailed to you.

If the only port you have open to the real world is HTTP, then you may want to run tcpdump (or snort) just on port 80. Save it to a file; you can then write a simple cron script to HUP it every once in a while, compress that file and put it somewhere on the box. This may be helpful later if you find out that you get hacked; you may be able to gain some information from it, or at least give it to some people who can.

Also, tripwire really isn't too much. Sure, if you use the default install script that came with it you will get a million flags the first time you patch the system, but there are a few files that are really important and should be watched. For example: all your startup scripts, profile, password, shadow, etc., maybe the binaries of the services you have running, and also any programs that are commonly used as root, i.e. (ls, cd, ...). This will give you a good set of basic protections, and will go a good way toward determining if you have had any unwanted access on the box.
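The "watch the files that matter" idea in the post above, as an added example (not code from the thread, and not Tripwire itself): a baseline of checksums plus mode/owner/size is taken once for a short list of files and compared on later runs. The watch list repeats the post's suggestions; the demo uses constructed stand-in files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity check.
# take_baseline records an MD5 plus mode/uid/gid/size for each listed file;
# check_baseline compares the live files against that record. Keep the
# baseline on read-only media or another host, otherwise whoever replaces a
# binary can simply update the record to match.

# Files the post suggests watching (edit to fit your own box).
WATCHLIST_DEFAULT="/etc/passwd /etc/shadow /etc/inittab /etc/profile /etc/rc.d/rc.local /bin/ls /bin/ps /bin/login"

# file_record PATH : one line "path md5 mode uid gid size" (GNU md5sum/stat)
file_record() {
    sum=$(md5sum "$1" | awk '{print $1}')
    meta=$(stat -c '%a %u %g %s' "$1")
    echo "$1 $sum $meta"
}

# take_baseline BASELINE FILE... : write a record for every file that exists
take_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            file_record "$f" >> "$out"
        else
            echo "skip (absent): $f" >&2
        fi
    done
}

# check_baseline BASELINE : report differences; 0 = clean, 1 = something changed
check_baseline() {
    base="$1"
    changed=0
    while read -r f sum meta; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; changed=1; continue
        fi
        rec=$(file_record "$f")
        newsum=$(echo "$rec" | awk '{print $2}')
        newmeta=$(echo "$rec" | cut -d' ' -f3-)
        [ "$newsum" = "$sum" ]   || { echo "CONTENT  $f"; changed=1; }
        [ "$newmeta" = "$meta" ] || { echo "METADATA $f ($meta -> $newmeta)"; changed=1; }
    done < "$base"
    return $changed
}

# demo_integrity : a clean run passes; an edited file and a changed mode are caught
demo_integrity() {
    dir=$(mktemp -d)
    # constructed stand-ins for /etc/passwd and a startup script
    printf 'root:x:0:0::/root:/bin/bash\n' > "$dir/passwd"
    printf '#!/bin/sh\n' > "$dir/rc.local"
    take_baseline "$dir/baseline.db" "$dir/passwd" "$dir/rc.local" "$dir/absent"
    check_baseline "$dir/baseline.db" || return 1              # clean: must pass
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$dir/passwd"           # simulated extra uid-0 account
    chmod 4755 "$dir/rc.local"                                 # simulated mode change
    if check_baseline "$dir/baseline.db"; then return 1; fi    # must be detected
    rm -rf "$dir"
}

demo_integrity && echo "demo: clean baseline passed, tampering detected"
```

For real use, run `take_baseline /mnt/floppy/baseline.db $WATCHLIST_DEFAULT` right after a fresh install or patch run, and schedule `check_baseline` from cron with its output mailed to you; re-take the baseline only after you have applied updates yourself, which is the "extra on-going work" the earlier post refers to.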
 
Old 04-13-2003, 11:07 AM   #7
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Originally posted by tyler_durden
Also, you may want to install a log watching utility to check for any strange log activity; they tend to just email you a daily report on the log files. You should also check them manually, since a hacker can always kill the log watch daemon.
Use a tool like monit to monitor critical processes - just like syslog ... also code some scripts yourself that check some /var/log site and maybe even implement a loghost and do remote logging ...
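A process check of the kind monit performs, written as an added example (not code from the thread or from monit): a cron-driven watchdog that reads a pidfile, tests whether the process is alive, and if not alerts locally and via syslog and runs a restart command. The pidfiles and the restart command in the demo are constructed; the restart argument is whatever starts the daemon on your own system.

```shell
#!/bin/sh
# Added example, not from the thread: a small cron-driven watchdog in the
# spirit of monit's process checks. Pidfiles and the restart command used in
# the demo are constructed for the demonstration.

# pid_alive PIDFILE : 0 if the pidfile names a running process, 1 otherwise
pid_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# check_process NAME PIDFILE RESTART : 0 if healthy, 2 if it had to act
check_process() {
    name="$1"; pidfile="$2"; restart="$3"
    if pid_alive "$pidfile"; then
        return 0
    fi
    msg="watchdog: $name is not running, restarting it"
    echo "$msg" >&2
    # Hand the alert to syslog as well; if syslog forwards to a loghost the
    # record survives even if the local logs are cleaned up later.
    if command -v logger >/dev/null 2>&1; then
        logger -t watchdog "$msg" 2>/dev/null
    fi
    $restart
    return 2
}

# demo_watchdog : a live pid is left alone, a stale pid triggers the restart
demo_watchdog() {
    dir=$(mktemp -d)
    echo "$$" > "$dir/live.pid"                # this shell: certainly alive
    ( : ) & dead=$!; wait "$dead"              # a process that already exited: stale pid
    echo "$dead" > "$dir/stale.pid"
    check_process "live" "$dir/live.pid" ":" || return 1
    rc=0
    check_process "stale" "$dir/stale.pid" "touch $dir/restarted" || rc=$?
    [ "$rc" -eq 2 ] && [ -f "$dir/restarted" ] || return 1
    rm -rf "$dir"
}

demo_watchdog && echo "demo: live process untouched, stale process restarted"
```

Run it every few minutes from root's crontab with the syslogd pidfile, e.g. `check_process syslogd /var/run/syslogd.pid "/usr/sbin/syslogd"`. For the loghost part of the post, the classic sysklogd configuration is a line such as `*.* @loghost` in the sending machine's syslog.conf and `syslogd -r` on the receiver; since that is UDP with no authentication, restrict port 514 on the loghost to the sending addresses in the firewall.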
 
Old 04-13-2003, 04:26 PM   #8
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
Have you run some online scanners to verify that your firewall is effective? If not, try www.pcflank.com www.blackcode.com www.computercops.biz www.qualys.com www.securityspace.com www.auditmypc.com scan.sygatetech.com or others.

I recommend against signing on as root, especially since you have some open ports.

When browsing the internet, set it to execute as
su - browserID -c "mozilla"
where browserID is an ID that owns essentially nothing and mozilla could be changed to whatever browser you're using. This is particularly useful if you are logged in as root.

Make sure that any non-used IDs in /etc/passwd have a shell of false or nologin.

Apache has some additional security features but unfortunately, that's not my bailiwick.

Generally, running a web-server along with critical systems is a no-no. But I understand that you may have only the one so... I'd at least make sure you follow a backup schedule religiously. I'd also refrain from using this system for storing your most sensitive information (finances, passwords, etc.).
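The "make sure unused IDs have a shell of false or nologin" check from the post above, as an added example (not code from the thread): an audit that reads a passwd file and reports every account that can still log in interactively and is not on a short allowlist of accounts you expect to use. The passwd entries in the demo are constructed; on the real box, point it at /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the thread: report login-capable accounts that are
# not on an allowlist. Accounts whose shell ends in /false or /nologin are
# treated as locked; an empty shell field is NOT locked (login falls back to
# /bin/sh), so it is reported. The passwd lines in demo_audit are constructed.

# audit_shells PASSWDFILE "user user ..." : prints "user:shell" per finding
audit_shells() {
    file="$1"; allowed="$2"
    awk -F: -v allowed="$allowed" '
        BEGIN { n = split(allowed, names, " "); for (i = 1; i <= n; i++) ok[names[i]] = 1 }
        # accounts already locked out of interactive login
        $7 ~ /\/(false|nologin)$/ { next }
        # everything else can log in; flag it unless it is expected to
        !($1 in ok) { print $1 ":" ($7 == "" ? "(empty, defaults to /bin/sh)" : $7) }
    ' "$file"
}

# count_login_capable PASSWDFILE "user user ..." : number of findings
count_login_capable() {
    audit_shells "$1" "$2" | wc -l | tr -d ' '
}

# demo_audit : prints the findings for a constructed passwd, then the count
demo_audit() {
    f=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/bin/sh' \
        'daemon:x:2:2:daemon:/sbin:/bin/false' \
        'nobody:x:99:99:nobody:/:/sbin/nologin' \
        'paul:x:1000:100:Paul:/home/paul:/bin/bash' \
        'www:x:80:80:web server:/var/www:/bin/sh' \
        'games:x:12:100:games:/usr/games:' > "$f"
    audit_shells "$f" "root paul"
    count_login_capable "$f" "root paul"
    rm -f "$f"
}

demo_audit
```

In the demo, bin, www and the empty-shell games account are reported (3 findings) while daemon and nobody are already locked. For each finding you decide whether the account needs to log in at all; if not, `usermod -s /sbin/nologin name` (or `passwd -l name` to lock the password as well) closes it. Service accounts such as the one Apache runs under belong in the locked group too.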
 
  

