LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 03-15-2008, 09:41 AM   #1
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Rep: Reputation: 30
how would you secure slackware ?


i use pf and http://www.linuxquestions.org/questi...72#post3062672

to help secure my BSD box, would that also work for slackware??

and does anyone know how to convert

ext_if = "re0"
int_if = "em0"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
table <dns:names> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <dns:names> to { 80, 443, 2010, 9000:9200 }

to iptable rules ?

Thanks
 
Old 03-16-2008, 05:46 AM   #2
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 36
Code:
ext_if=eth0
int_if=eth1
accept_port="80 443 2010 9000:9000"
names="some.dns.name1 some.dns.name2 some.dns.name3 some.dns.name4"

iptables -A INPUT -i $ext_if -j DROP
iptables -A INPUT -i $int_if -s 164.168.1.1/24 -j ACCEPT
iptables -A INPUT -i $ext_if -s 192.168.1.1/24 -j ACCEPT
for ip in $names
do
        for port in $accept_ports
        do
                iptables -A INPUT -i $ext_if -s $ip --dport $ip --syn -m state --state NEW -j ACCEPT
        done
done
If those names are destination not sources change the -s to -d and you should be good.
 
Old 03-16-2008, 08:28 AM   #3
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
thanks a lot
 
Old 03-18-2008, 06:15 AM   #4
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Ummmm if you think THAT is going to secure anything but packets you're out of your mind.

How about turning off every service you don't need? Or making sure passwords aren't guessable by cracking them?

Run Nmap on yourself, see what your box is telling the net it can be opened with.

Run a password cracker (do it before bed, it takes a while) and see if it can spank root or not.

Install patches!

And just because you have Linux doesn't make it OK to open any attachment or go to any website, you're still vulnerable.

Download Hydra and IPSorcery and Hping and mess with those. You can probably get passed any firewall with one of them.
 
Old 03-20-2008, 12:48 PM   #5
shadowsnipes
Senior Member
 
Registered: Sep 2005
Distribution: Slackware
Posts: 1,441

Rep: Reputation: 70
To add to what SlackWareWolf said, you should also check file perms- namely if there are any world writable SUID/GUID files. You could also make an ISO of all your binaries and use it with tripwire to ensure your files haven't been modified.

For installing patches: I suggest subscribing to the Slackware security mailing list.
Check your logs often. I tail mine in a screen session whenever my machine up.

You could also increase security by having separate partitions for /home and /tmp and setting flags like noexec. If you have multiple users on the machine the separate partitions will also prevent them from making hard links to software, filling up your root partition so it crashes, etc. For similar reasons it may be a good idea to have a separate partition for /var

Back to network security- you might want some sort of measure that takes action if someone is scanning your machine a lot/attempting to login, etc. Stuff like snot or fail2ban might be worth looking into. If you do have sshd running I suggest not allowing root logins and setting it up for public key authentication.

As SlackWareWolf eluded to, security is a multi-layered beast. Just always remember, no matter how much you secure a box, there is always a way someone can break in if they try hard enough- Security measures just determines how long it will take them to crack you and how much noise they make in the process.
 
Old 03-20-2008, 01:48 PM   #6
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Also:

vim /etc/securetty

Comment out everything EXCEPT maybe TTY1 and TTY6 since if you run X you'll need that one as for some reason the others don't really work when X is loaded in Slackware.

Basically this is the file that tells the machine where root can log in from. If you only allow on two physical ttys, it's a bit harder for someone to do it from somewhere else if they guess your password.

Slackware 12 by default doesn't allow root to log into anything but the first few there. However running SSH opens a port on your machine someone can access, and then they can usually still log in as root.

Also remember there IS a difference between a firewall and a packet filter.

Also remember:

upgradepkg SomePackage.tgz

That will change the package so tripwire may report that. Be cautious.

Install Nmap and scan yourself. See what your machine is tellign everyone else who asks.

Download Hping and IPSorcery, compile it and install it. See what you can do to custom apps.

Download, compile and use Hydra.

Some people say these tools are only used by bad boy hackers. That's crap. It's better to find out you have a port open because YOU scanned it than find out because your box got rooted by someone using those exact tools.
 
Old 03-20-2008, 05:05 PM   #7
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 36
Quote:
Originally Posted by SlackWareWolf View Post
And just because you have Linux doesn't make it OK to open any attachment or go to any website, you're still vulnerable.
I don't quite get this part.
I've opened every attachment, went to every web site that I knew it had viruses/trojans/spam etc. and nothing happened? Was it just luck? As a matter of fact I've been running stock Slackware installations for ages now, only upgrading when a new version came out, never compiled a custom kernel on this one and never had problems. And its not just a box that's lying in the corner of the room it's a regulary used computer for browsing, mailing and compiling my own software. Ok I did install some video players like Kaffeine and some other software, because I also use this box as a "DVD" player and have it connected to the TV and sound system, it runs almost 24/7, although all services are disabled, no ports opened, even the router(which is another Slackware box) doesn't route any traffic to it unless it is ESTABLISHED,RELATED. And I never had problems with it, I didn't even yet patch the vmsplice bug...
I do regulary inspect the machine for any odd stuff, run a few MD5 test on the whole thing and it's still clean.

While the server is a little bit more exposed, numerous break in attempts, most were brute-force attacks but got it protected from that as well and much more.

But I agree that this little script wont secure it much, but hey, all he did really ask was to "translate" the BSD script into a Linux script.
 
Old 03-20-2008, 10:39 PM   #8
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by Tux-Slack View Post
I don't quite get this part.
I've opened every attachment, went to every web site that I knew it had viruses/trojans/spam etc. and nothing happened? Was it just luck?
Yes. To put it simply.

One thing most people forget is that some exploits for specific pieces of software, aren't always Windows only. also, Worms do exist on Linux. Not many, but they do exist.

Also, wine, works very well with viruses and malware.

Linux has an easier task in locking a machine down, because by default it's not kissing ass for users like Windows does, however, it DOES have problems like EVERY other OS on the market.

I use Slackware, SUSE, FreeBSD and Windows XP and 2000 because I like them. All of these have exploits available.

The reason people probably think a Linux box can surf anywhere without any problems is because AvtiveX was the biggest target for a while. However as I was saying, not only are there worms for Linux, there are viruses

Want to know why it's harder to infect yourself web browsing on Linux? Because only a small percent of desktops run it. windows has over 90& market on Desktops, if you're writing something where someone clicks on a Link and they get infected or an exploit pops out of it, would you do it for Linux or Windows?

this is because they want to get the most people, so they go with what most people use.

I'll see if I can dig up a link or two for the viruses, worms, and malware that works on Linux later on.


Quote:
As a matter of fact I've been running stock Slackware installations for ages now, only upgrading when a new version came out, never compiled a custom kernel on this one and never had problems.
So have I. I know how to do a Kernel, and have before, but I rarely do that for most machines. Don't need to really. And I don't upgrade either. I just format the drives and install fresh. I have an FTP server and a USB HD with back ups of everything I don't want to configure again and files I need, so I grab them over my network.



Quote:
And its not just a box that's lying in the corner of the room it's a regulary used computer for browsing, mailing and compiling my own software. Ok I did install some video players like Kaffeine and some other software, because I also use this box as a "DVD" player and have it connected to the TV and sound system, it runs almost 24/7,
The last time I rebooted was about 2 months ago. I use my machines for desktops, web servers, FTP servers and even mail.


Quote:
although all services are disabled, no ports opened, even the router(which is another Slackware box) doesn't route any traffic to it unless it is ESTABLISHED,RELATED. And I never had problems with it, I didn't even yet patch the vmsplice bug...
If you had something valuable enough, someone could still get through all that. However, shutting ALL ports, generally does make it harder

Quote:
I do regulary inspect the machine for any odd stuff, run a few MD5 test on the whole thing and it's still clean.
I personally don't use MD5 much. It's crackable anyway, but also to much hassle for me when I really don't need it.

Quote:
While the server is a little bit more exposed, numerous break in attempts, most were brute-force attacks but got it protected from that as well and much more.
Of course they didn't get in; Brute force is a true sign of an amateur and only works on other amateurs (That might sound arrogant, so just so we're clear and on the same page, it wasn't meant to)

Quote:
But I agree that this little script wont secure it much, but hey, all he did really ask was to "translate" the BSD script into a Linux script.
Thanks. And I think the main thing with what I said before was because it said "Securing Slackware" not "translate this from BSD".
 
Old 03-20-2008, 10:57 PM   #9
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,249

Rep: Reputation: 627Reputation: 627Reputation: 627Reputation: 627Reputation: 627Reputation: 627
The "90% market share of PCs run Windows" argument isn't all that valid when you think about it. Web servers are HUGE targets for attacks, and many web servers run Linux. Think about banks etc. Those are HUGE, HUGE, HUGE targets for exploits, and yet you don't hear of as many worms/viruses/whatnot for Linux than Windows. Your argument DOES have merit, however -- there would be many MORE exploits for Linux if it was the desktop of choice, but I still don't think it is quite as vulnerable as Windows, if for no other reason than for the design of root vs user (although there are other reasons). By blurring the line between CLI and GUI, Windows has produced an OS that is very difficult to keep track of let alone make secure, and requires a huge task force to attempt to add security features (re: Vista). Linux, BSD, Mac OS X, Unix, etc. still have a fundamental difference between CLI and GUI, where the GUI is really just a complicated program running on top of a CLI. This is an important distinction and allows security to be implemented easier. That's not to say that a 100% GUI OS cannot be very secure, it just requires a lot more work. I am also not saying that a CLI/GUI OS can't be incredibly insecure -- it can, it's just EASIER to make it MORE secure.

So basically, I agree and completely disagree with you at the same time.
 
Old 03-21-2008, 12:04 AM   #10
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Oh really?

http://www.zone-h.org/content/view/14928/30/

Looks like Linux is being defaced more than Windows now. Why? Because Apache runs more web servers than any other and it's fairly common to put it on Linux.

Therefore, more market share = more attacks.

I'm not saying I don't agree with some of what you said, I agree with quite a bit. However, I'm pointing this out from the standpoint of someone who has actually rooted a server before.

To fully understand this stuff, sometimes you have to play on the other side of the tree.
 
Old 03-21-2008, 05:48 AM   #11
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 36
Sure I've rooted machines before too, but all those that I rooted we're old and running really old software, like Slackware 9 when there was already Slackware 11 available and other really old machines, like some Red Hats I don't remember the version but some were around 4-5 or something like it, when there was already Red Hat 8 or 9 available. I never could get a machine with never versions.

I do agree with you though, I know there is some certain % of viruses available for Linux, but Linux has a design which makes it harder to viruses to get through, mainly because no one actually uses root for daily operations, so you infect only your home directory, the system stays stable. And another thing, Linux does have less % of people who use it, but most of all its users are more advanced, more elite if you like it that way. But as Linux becomes more user friendly more "click-click" users migrate from windows to Linux.

And I do realize that just closing down all ports doesn't make it "un-crackable", but it sure makes it harder.
Oh and brute-force is actually really stupid, I had a couple of laughs when I went through the logs, what kind of usernames it's trying to crack etc. I've applied a protection against it only because it was making log reading so much harder(I don't use any special tools for log checkup, plain VIM), so I've applied blockhosts or what's it called to stop them a little bit. I also disabled root login through SSH, and in /etc/shadow I changed roots password with a *, and configured sudo for my self and my other server admin. I've tried a local brute-force on /etc/shadow to see if I can crack some passwords, left it running for like 5 days or so, none could be cracked. I even control my outbound traffic on the server so I think my box is pretty secure, not un-crackable though, which I think none is.
 
Old 03-21-2008, 07:30 AM   #12
General Failure
Member
 
Registered: Jan 2007
Location: Germany
Distribution: Slackware 13.37
Posts: 384

Rep: Reputation: 34
Quote:
Originally Posted by SlackWareWolf View Post
Also, wine, works very well with viruses and malware.
If someone would use iexplore in wine to visit www.penispills-pron-and-warez.com, I'd say it's his own fault.

I, like Tux-Slack, enjoy examining strange attachements and so on a lot.

This whole topic seems quite a lot of FUD to me. Of course you are vulnerable when running httpd, of course you are when running sshd. And so on. But please someone tell me where one is vulnerable not running services like that and not running as root. Read: An average, mildly security-aware desktop user.

Last edited by General Failure; 03-21-2008 at 07:32 AM. Reason: Typo.
 
Old 03-21-2008, 10:56 AM   #13
shadowsnipes
Senior Member
 
Registered: Sep 2005
Distribution: Slackware
Posts: 1,441

Rep: Reputation: 70
Quote:
Originally Posted by General Failure View Post
This whole topic seems quite a lot of FUD to me. Of course you are vulnerable when running httpd, of course you are when running sshd. And so on. But please someone tell me where one is vulnerable not running services like that and not running as root. Read: An average, mildly security-aware desktop user.
It depends on what you mean by mildly security-aware, but if they get lax on an update to one of their browser plugins, for example, there could be trouble. These aren't always included in the slackware security mailing list since some plugins are added by the user, so they might forget about them.

Like I said before, though, if a someone targets you to break in it is possible they will do so. Your security measures just determine how long it takes them to get in and how much noise they make. Of course, you have to balance your security measures with usability. Taking your box off the net may make it more secure, but then you lose a valuable use of your box. It may make no difference anyways if your box is not physically secure.
 
Old 03-21-2008, 01:00 PM   #14
General Failure
Member
 
Registered: Jan 2007
Location: Germany
Distribution: Slackware 13.37
Posts: 384

Rep: Reputation: 34
But even if one managed to get access to someones box via some bad browser plugin or something, he would only have user rights on that machine. This reduces the harm that could possibly done to deleting the users downloads from the aforementioned www.penispills-pron-and-warez.com. Of course it's necessary to apply security updates and have strong passwords, but basically the linux security model is strong by itself. It requires the user to think though. (And that's a good thing )

And, as you already denoted: The only secure box is of course one that is safely locked away in a room without electricity.

Last edited by General Failure; 03-21-2008 at 01:03 PM.
 
Old 03-21-2008, 04:13 PM   #15
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,249

Rep: Reputation: 627Reputation: 627Reputation: 627Reputation: 627Reputation: 627Reputation: 627
SlackWareWolf, a lot of those attacks you posted are the fault of the web designer and not the OS (SQL injection? That's largely OS-independent and is due to crappy webpage writing). Plus, they don't group the "Attack Methods" by OS, so for all we know most of the Linux stuff is due to poor site creation. I'm not denying your point -- just saying that I can't make any conclusive opinion one way or another with that fractured data. I'd be more than happy to admit Linux is less secure if I found actual evidence, but I don't think that page is it. (I'm also too lazy to go look for more evidence, but if you really want to make your point feel free)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to secure ssh in Ubuntu and Slackware slacksubgenius Linux - Security 7 05-31-2007 07:55 PM
Secure MTA for Slackware cccc828 Slackware 5 02-21-2006 03:49 PM
Help Secure my Slackware 9.1 box Smokey Slackware 6 09-16-2004 09:29 AM
Slackware Secure ??? MichaelHall Slackware - Installation 5 03-01-2004 03:58 PM
How to secure slackware 9 Homzz Slackware 8 05-28-2003 12:23 PM


All times are GMT -5. The time now is 11:01 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration