How can i make Fedora an "undistructible system " ?

DOTT.EVARISTI · 09-24-2007, 09:09 AM

..
...ok..neither linux is perfect..but it should be anyway the most stable and secure os..and solaris too..anyway,i'm using fedora as a server for downloading stuff and as a desktop too...i'm using SElinux,installed chrootkit and rootkit hunter and some other ids,installed clamav,un-installed firestarter 'cos it considerably slowed down my download speed..what else could i do for achieving an "undistructible system " ?

maybe thousands of things....

..if i'm not wrong-if not in other way specified,linux has no ports automatically opened to internet

maybe thousands of things....

and maybe this thread will become very long..anyway,i think it's the most fundamental thing applied and a MUST known by any user

any ideas ?

cheers a lot

ilikejam · 09-24-2007, 10:49 AM

Hi.

Here's my high level new install checklist:

1) Do a bare minimum install.
2) Strip out any packages that you don't need.
3) Add any packages you do need.
4) Do: 'yum update'.
5) Do: 'chkconfig --list' and switch off any services you're not using.
6) Do: 'netstat -plntu' and switch off any listening services that you don't need.
7) Check /etc/passwd for accounts which have login shells, but which shouldn't log in, and change the shell to /sbin/nologin .
8) Check the user lists for any needed network services (FTP, SSH etc) and lock down accordingly.

I'll probably get shot down for this, but I don't use SELinux, any AV software, or software firewalls. The only security device on my network is the NAT router hooked up to the ADSL.

Dave

DOTT.EVARISTI · 09-24-2007, 11:10 AM

Good ideas...Cheers !

is chkconfig --list' like microsoft ms-config ?

ilikejam · 09-24-2007, 11:14 AM

Hi.

chkconfig basically just looks in /etc/init.d for scripts and links them in the /etc/rcX.d directories to switch the services on and off.

Dave

DOTT.EVARISTI · 09-24-2007, 11:15 AM

Thank you !

And I was wondering too..in deb distros i've always used apt-get check to check if there were broken deps in the system..is there a switch for yum to check if there are broken deps too ?

I could'nt find it in in man pages

Cheers Dave !

DOTT.EVARISTI · 09-24-2007, 11:20 AM

IlikeJam..how do you fell with SOLARIS 10 ? i see you use it..i have some free space,about 30 gb unused,so i downloaded the SOLARIS 10 64 bit and was half going to install it but was still unsure for compatibility issue with solaris

What do you suggest me ?

Thank you !

SlowCoder · 09-24-2007, 11:21 AM

You really can't have an indestructible system. There will always be ways for something to get in.

But you can use the "Defense in Depth" approach, and place multiple layers of protection between you and your attackers. Firewalls, minimal services, hardened services, strong passwords, appropriate file system permissions, running in limited user environment, spelling "indestructible" right, etc.

DOTT.EVARISTI · 09-24-2007, 11:27 AM

..Uhm..ok,of course,sorry,ok,i'm a Doctor in Medicine But not a so good Linux User as i would like to be..so..please speak to me as i would be a two years always crying baby..in easier words..?

ilikejam · 09-24-2007, 11:48 AM

The hardware support on Solaris 10 isn't quite as good as for Linux, but you should be able to get it bootable, and get X running on any generic PC. Solaris is a quite different Unix to Linux under the hood, but if you're just using the GUI, it should all feel quite familiar.

Try running 'yum deplist <package>' to see all the dependencies for a package and which other packages provide them. I don't know what it would look like if there's a broken dep, though. As long as you haven't installed any packages with --force or --nodeps, then there shouldn't be any broken deps in the first place. As long as you're using yum to install and remove, you should be fine.

Dave

DOTT.EVARISTI · 09-24-2007, 12:02 PM

I have always used yum,sometimes compiled from source but,of course,if the compilation went well,there were no deps problems..i've said it because i've seen in Kubuntu 7.04 that,even if i always used the packet manager,the apt-get check sometimes talked of broken deps and corrected them by this way..strange..anyway,it happened !

cheers and good day ilikejam

DOTT.EVARISTI · 09-24-2007, 12:07 PM

Sorry..

"Try running 'yum deplist <package>' to see all the dependencies for a package and which other packages provide them"

and here how should i type to control everything ? i can't type the names of all the packages

Thanks

ilikejam · 09-24-2007, 12:40 PM

There is no command to check everything. I wouldn't worry about it, though - I've never seen any dependency problems on Fedora systems.

Dave

SlowCoder · 09-24-2007, 01:26 PM

Quote:

Originally Posted by DOTT.EVARISTI

..Uhm..ok,of course,sorry,ok,i'm a Doctor in Medicine But not a so good Linux User as i would like to be..so..please speak to me as i would be a two years always crying baby..in easier words..?

May I guess this is a response to my previous post?

"Defense in Depth" is like a buttleproof vest. A vest is made of a number of layers of cloth, each layer made of a different cloth and weave. Each layer has its own strengths and weaknesses. Each layer itself cannot stop the bullet, but all layers together form a very protective vest that can stop most bullets.

DOTT.EVARISTI · 09-25-2007, 10:03 AM

Hi slowCoder,you're right,it was an answer to your post...
now i understand better the meanings...i always do normal os installation,then add many graphic and office tools,install some ids and then update all..thanks,you gave me good and clear suggestions,now i'll try to follow them all..

Cheers and see ya !

DOTT.EVARISTI · 09-25-2007, 10:15 AM

Hi !

I'm following ALL your suggestions too..and they all seem to be very good !

I've never thought about them all before...but that's just the Linux Way to the Knowledge :learning more and more from all the rest of the community day by day,isn't it ?

Cheers and good day !