LinuxQuestions.org
Old 01-19-2009, 04:42 PM   #1
Slacker Steve
Member
 
Registered: Nov 2008
Posts: 85

Rep: Reputation: 16
Is the stock Slackware secure enough out of the box?


I'm a typical home user with one computer that connects directly to the internet.

I've read a lot of "How to properly set up Slackware" posts on here, but none of them seem to mention anything about setting up a firewall or anything like that.
 
Old 01-19-2009, 04:52 PM   #2
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
Firewalls don't buy a Linux home user anything. Firewalls on a Linux server are useful for filtering out Windows viruses before they reach a Windows machine.

-----------------------
Steve Stites
 
Old 01-19-2009, 04:58 PM   #3
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,264
Blog Entries: 24

Rep: Reputation: 4194
Quote:
Originally Posted by jailbait View Post
Firewalls don't buy a Linux home user anything. Firewalls on a Linux server are useful for filtering out Windows viruses before they reach a Windows machine.
I would strongly disagree with that! It really has nothing to do at all with viruses anyway!

Although, to answer the original question, Slackware is pretty good out of the box, I always add my own iptables rules (ie, firewall).

If you are behind a DSL modem then it is really the first/best line of defense for a home user, if you set it up.
 
Old 01-19-2009, 05:16 PM   #4
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546
The stock Slackware is not packaged with a default firewall.

The Linux kernel provides the basic firewall used in Slackware and is called iptables. Firewalls provide protection by filtering port requests and allowing passage through those ports based upon a set of rules.

Ports get opened by starting various services. For example, the default port for SSH is port 22. If the SSH daemon is started then port 22 will be open. In such an example, the user depends upon the SSH configuration to provide security. Another example is running dnsmasq as a DNS name cache service. Then port 53 will be open.

If none of these services are needed then do not start them. If no ports are open to the world, which is common for many "typical home users" using Slackware, then no firewall is necessary.

Several years ago when I first started experimenting with Slackware I ran with no firewall because I had no services running that opened ports to the world. I ran tests against various online web sites such as "Shields Up!" and the report was always positive because no ports were open.

Yet having a firewall is prudent because there will come a day when a "typical home user" starts experimenting and opening ports. With that said, you can create a basic set of iptable rules specific for Slackware by visiting http://www.slackware.com/~alien/efg/. Try various configurations with the online tool to learn how the various rules relate to one another.

Basically there are only a few setups: 1) a stand-alone box connected directly to the internet, 2) a box connected to an internal LAN, 3) a box in an internal LAN that serves as a gateway and NAT server connected directly to the internet.

Another good precaution, even for a stand-alone box, is to install a router. The router provides Yet Another Buffer --- between the ISP modem and the user's computer. The router must be configured correctly to something besides the default vendor settings. Many people replace the router firmware with open third party firmware such as DD-WRT, or Tomato.

A basic firewall rules set is a good idea even with no ports open. Bear in mind that later if various services are started the rule set might have to be modified to accommodate the service port.

Last edited by Woodsman; 01-19-2009 at 05:18 PM.
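
The link between running services and open ports described in the post above can be checked directly. This is an added example, not part of any post in this thread: it reads a table in the kernel's `/proc/net/tcp` format and prints the IPv4 TCP listeners bound to something other than loopback. The sample table is constructed, a little-endian (x86) host is assumed, and `world_listeners` and `octet` are names chosen here.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp format (not captured from a real host):
# listeners on 127.0.0.1:53, 0.0.0.0:22 and 0.0.0.0:111, plus one
# ESTABLISHED connection (state 01) that must be ignored.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1'

# octet HEXADDR RANGE: decode one byte (two hex digits) of the address.
octet() {
    printf '%d' "0x$(printf '%s' "$1" | cut -c"$2")"
}

# world_listeners: read /proc/net/tcp-format text on stdin and print one
# "address:port" line per LISTEN socket that is not bound to loopback.
world_listeners() {
    # Field 2 is the local address, field 4 the state; 0A means LISTEN.
    awk 'NR > 1 && $4 == "0A" { print $2 }' |
    while IFS=: read -r addr port; do
        # Assumption: little-endian host, so the address bytes are stored
        # reversed and the last hex byte is the first octet.
        ip="$(octet "$addr" 7-8).$(octet "$addr" 5-6).$(octet "$addr" 3-4).$(octet "$addr" 1-2)"
        case "$ip" in
            127.*) continue ;;   # loopback only: not reachable from outside
        esac
        printf '%s:%d\n' "$ip" "0x$port"
    done
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | world_listeners
```

On a live system run `world_listeners < /proc/net/tcp`; IPv6 and UDP sockets are listed in other `/proc/net` files and are not covered here.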
 
Old 01-19-2009, 05:18 PM   #5
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
Quote:
Originally Posted by astrogeek View Post

I always add my own iptables rules (ie, firewall).

If you are behind a DSL modem then it is really the first/best line of defense for a home user, if you set it up.
Part of what a firewall can do is duplicate the iptables. The duplication buys you nothing.

Another thing that a firewall does is examine traffic for known viruses and filter them out. It does not defend against new viruses until you update its tables of known viruses and put the new viruses in the firewall's table of known viruses. Filtering out the huge number of known Windows viruses takes up a fair bit of machine time and buys a Linux user nothing. If there happens to be a known Linux virus then it is easier to fix the security bug in Linux than to filter out the virus with a firewall.

-------------------------
Steve Stites
 
Old 01-19-2009, 05:31 PM   #6
Slacker Steve
Member
 
Registered: Nov 2008
Posts: 85

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by Woodsman View Post
The stock Slackware is not packaged with a default firewall.

The Linux kernel provides the basic firewall used in Slackware and is called iptables. Firewalls provide protection by filtering port requests and allowing passage through those ports based upon a set of rules.

Ports get opened by starting various services. For example, the default port for SSH is port 22. If the SSH daemon is started then port 22 will be open. In such an example, the user depends upon the SSH configuration to provide security. Another example is running dnsmasq as a DNS name cache service. Then port 53 will be open.

If none of these services are needed then do not start them. If no ports are open to the world, which is common for many "typical home users" using Slackware, then no firewall is necessary.

Several years ago when I first started experimenting with Slackware I ran with no firewall because I had no services running that opened ports to the world. I ran tests against various online web sites such as "Shields Up!" and the report was always positive because no ports were open.

Yet having a firewall is prudent because there will come a day when a "typical home user" starts experimenting and opening ports. With that said, you can create a basic set of iptable rules specific for Slackware by visiting http://www.slackware.com/~alien/efg/. Try various configurations with the online tool to learn how the various rules relate to one another.

Basically there are only a few setups: 1) a stand-alone box connected directly to the internet, 2) a box connected to an internal LAN, 3) a box in an internal LAN that serves as a gateway and NAT server connected directly to the internet.

Another good precaution, even for a stand-alone box, is to install a router. The router provides Yet Another Buffer --- between the ISP modem and the user's computer. The router must be configured correctly to something besides the default vendor settings. Many people replace the router firmware with open third party firmware such as DD-WRT, or Tomato.

A basic firewall rules set is a good idea even with no ports open. Bear in mind that later if various services are started the rule set might have to be modified to accommodate the service port.

Thanks, Woodsman. This helped a lot
Also thank you to jailbait and astrogeek
 
Old 01-19-2009, 05:38 PM   #7
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,264
Blog Entries: 24

Rep: Reputation: 4194
Hi jailbait,

While I agree that scanning traffic for viruses is a waste of CPU time, I do not think of that as a 'firewall' function at all. That is, firewall != virus scan.

I guess we may have differing definitions for the term 'firewall'. For myself, a set of iptables rules IS a firewall for most purposes, but I suspect that you are using the term to include a program that has among its functions the ability to set up those rules, in addition to other functions such as virus scanning.

So, let me rephrase my response...

Iptables is part of the Linux kernel, and setting up rules for it is always beneficial, even for home users. Woodsman's post is a good overview of that. If you use a front-end program to accomplish that, so be it.

Virus scanning functions, on the other hand are a waste of CPU time and other resources on a Linux machine for the most part. (Those resources would be better spent installing Linux anyway, IMO ).
 
Old 01-19-2009, 05:46 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by jailbait View Post
Firewalls don't buy a Linux home user anything.
I disagree as well. Security requires a multi-layered approach and a host-based firewall is good in terms of auditability (-j LOG) and tangible insurance wrt the obvious ranging from say testing a vulnerable CMS and "forgetting" to disable portmapping to world to in- and egress filtering et cetera. (And IMHO I'd leave the whole general viruses topic out of the debate as it usually only muddies the waters. We all know there's only about 10 GNU/Linux virus PoC's of which there's only one ITW.)


To the OP: the question shouldn't be "Is it secure enough out of the box?" but "What should I check?". There's the distro-agnostic LQ FAQ: Security references (or the cleaned version at http://rkhunter.wiki.sourceforge.net/SECREF) which may be a bit much to read, the way easier to read UNIX Security Checklist v2.0, the 2009 Slackware security advisories you should watch, generic auditing tools like Tiger, chkrootkit and Rootkit Hunter, Aide, Samhain or even tripwire. IMHO the oldest, most comprehensive security doc still is the Securing Debian Manual. Other than that you could search the LQ Slackware forum. It's not like this hasn't been asked before.


Quote:
Originally Posted by Woodsman View Post
The Linux kernel provides the basic firewall used in Slackware and is called iptables.
Minor nit: it is the Netfilter framework part of the Linux kernel that provides firewalling capabilities. The userland component to "feed" the kernel the firewall rules is called iptables.
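
A minimal rule set for the stand-alone box case discussed in this thread, with the `-j LOG` auditing mentioned in the post above, as an added example that is not from any poster or from the Slackware project. It covers ingress only (egress stays open); `emit_ruleset`, the port list and the log prefix are assumptions.

```shell
#!/bin/sh
# emit_ruleset [PORT...]: print a ruleset in iptables-restore format.
# Each PORT is a TCP port allowed to accept new inbound connections.
# Returns 1, printing nothing on stdout, if any port is invalid.
emit_ruleset() {
    # Validate every port before printing anything, so a typo can never
    # leave a half-written ruleset on stdout.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
    done
    # Default-deny inbound; loopback and replies to our own traffic pass.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited LOG rule: whatever reaches this point is about to hit
    # the DROP policy, so it is recorded first for later review.
    cat <<'EOF'
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Example run for a box that deliberately exposes sshd on port 22.
# To load it (as root): emit_ruleset 22 | iptables-restore
emit_ruleset 22
```

Calling `emit_ruleset` with no arguments gives the rule set for a box that offers no services to the outside at all.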
 
Old 01-19-2009, 07:24 PM   #9
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342

Rep: Reputation: 3746
My Slackware boxes sit behind a NAT router. I reliably update my boxes with security fixes when I am alerted by e-mails from Slackware Security Advisories. I regularly update rkhunter and scan my boxes for rootkits. I'll also scan my boxes using chkrootkit.
 
Old 01-19-2009, 09:00 PM   #10
no.guru
LQ Newbie
 
Registered: Jul 2008
Distribution: Slackware
Posts: 28

Rep: Reputation: 16
SlackerSteve, I am a home user with a situation similar to yours. When I install Slackware, I also install a firewall/iptables located at slackware.com, as Woodsman notes above.

http://www.slackware.com/~alien/efg/

Just be sure to read and install according to the directions.

Last edited by no.guru; 01-19-2009 at 09:02 PM.
 
Old 01-20-2009, 12:12 AM   #11
Slacker Steve
Member
 
Registered: Nov 2008
Posts: 85

Original Poster
Rep: Reputation: 16
Thanks everyone.

I've been reading about linux security all day and I've learned a lot. I still have a whole lot of reading to do, though.

Thanks for all those links, unspawn
 
Old 01-20-2009, 04:53 AM   #12
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
One of the things to look out for IIRC is that it's pretty easy to install Slack with sshd running. At least, I seem to always have it running after an install (YMMV).

That's no matter, but it is important then to either turn it off:
Code:
/etc/rc.d/rc.sshd stop && chmod -x /etc/rc.d/rc.sshd
Or change the default config to add a little security:
vim /etc/ssh/sshd_config
Code:
# Port 22   -> change to
Port {some high number} 
# This is no actual security against a human, 
# but enough to hide from most automated attacks


# Protocol 1,2   -> change to:
Protocol 2

# PermitRootLogin yes  -> change to:
PermitRootLogin no
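
The three settings from the post above can be checked mechanically. This is an added example, not /dev/me's code: it audits an sshd_config for `Port`, `Protocol` and `PermitRootLogin`, taking the first uncommented occurrence of each keyword as the effective one (sshd uses the first value it obtains, and keywords are case-insensitive). The sample config is constructed, `effective_value` and `audit_sshd` are names chosen here, and `Match` blocks are not handled.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from a real host). The second
# PermitRootLogin line has no effect: the first value for a keyword wins.
SAMPLE_CONFIG='# Port 22
Port 22
protocol 2,1
PermitRootLogin yes
PermitRootLogin no'

# effective_value KEYWORD FALLBACK: print the first uncommented value of
# KEYWORD from the config on stdin, or FALLBACK if the keyword is absent.
effective_value() {
    awk -v key="$1" -v dflt="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print dflt }'
}

# audit_sshd: read an sshd_config on stdin and print one line per finding.
# No output means all three settings match the advice in the post.
audit_sshd() {
    cfg=$(cat)
    port=$(printf '%s\n' "$cfg" | effective_value Port 22)
    proto=$(printf '%s\n' "$cfg" | effective_value Protocol unset)
    root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin unset)

    if [ "$port" = 22 ]; then
        echo "Port: 22 is the default"
    fi
    case "$proto" in
        *1*)   echo "Protocol: protocol 1 allowed ($proto)" ;;
        unset) echo "Protocol: not set, the build default applies" ;;
    esac
    if [ "$root" != no ]; then
        echo "PermitRootLogin: effective value '$root', want 'no'"
    fi
    return 0
}

# Run against the constructed sample: three findings are printed.
printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd
```

On a live system, `audit_sshd < /etc/ssh/sshd_config` checks the real file, and `sshd -T` prints the configuration sshd itself would use.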
 
Old 01-20-2009, 08:52 AM   #13
chexmix
Member
 
Registered: Apr 2002
Location: Arlington, MA
Distribution: Slackware, Debian, OpenBSD
Posts: 246
Blog Entries: 16

Rep: Reputation: 25

Quote:
Originally Posted by Slacker Steve View Post
I'm a typical home user with one computer that connects directly to the internet.

I've read a lot of "How to properly set up Slackware" posts on here, but none of them seem to mention anything about setting up a firewall or anything like that.
Thanks to Slacker Steve for initiating this helpful discussion!
 
Old 01-20-2009, 02:12 PM   #14
Alien_Hominid
Senior Member
 
Registered: Oct 2005
Location: Lithuania
Distribution: Hybrid
Posts: 2,247

Rep: Reputation: 53
Close the services you don't use and there won't be a need for a firewall.

Actually, Woodsman has already said that. So sorry, disregard this post.

Last edited by Alien_Hominid; 01-20-2009 at 02:15 PM.
 
Old 01-20-2009, 02:19 PM   #15
Lufbery
Senior Member
 
Registered: Aug 2006
Location: Harrisburg, PA
Distribution: Slackware 64 14.2
Posts: 1,180
Blog Entries: 29

Rep: Reputation: 135
Quote:
Originally Posted by /dev/me View Post
One of the things to look out for IIRC is that it's pretty easy to install Slack with sshd running. At least, I seem to always have it running after an install (YMMV).

That's no matter, but it is important then to either turn it off:
Code:
/etc/rc.d/rc.sshd stop && chmod -x /etc/rc.d/rc.sshd
Or change the default config to add a little security:
vim /etc/ssh/sshd_config
Code:
# Port 22   -> change to
Port {some high number} 
# This is no actual security against a human, 
# but enough to hide from most automated attacks


# Protocol 1,2   -> change to:
Protocol 2

# PermitRootLogin yes  -> change to:
PermitRootLogin no
Absolutely! SSH is a great tool. I use it to connect to my desktop computer from my laptop computer and do stuff like check e-mail, run various programs not on the laptop, etc. Changing the defaults in the sshd (the program that "listens" for ssh connections) configuration is a must. I wrote an article about that a while ago.

There's another aspect of Linux security you need to keep in mind (and forgive me if you know this already): it is generally a bad idea to run as the root user. In part because it's easy to mess things up if you make a mistake, but also various nasty internet stuff could do bad things if they get into your computer with root access.

Along those same lines, be sure to safeguard your root password. Sometimes the biggest security problems have more to do with people you may know getting access rather than an anonymous user on the Internet -- although this is more of a problem in a corporate setting than a home setting.

Regards,
-Drew
 
  


All times are GMT -5. The time now is 09:19 AM.
