LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Slackware This Forum is for the discussion of Slackware Linux.
Old 03-29-2008, 07:04 AM   #31
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30

Thanks - reading now
 
Old 03-29-2008, 10:50 AM   #32
shadowsnipes
Senior Member
 
Registered: Sep 2005
Distribution: Slackware
Posts: 1,443

Rep: Reputation: 73
Perhaps firehol might be something you are interested in. It is just a script that abstracts iptables commands into more concise, simpler commands.
 
Old 03-29-2008, 11:28 AM   #33
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
Thanks, will have a read of it later
 
Old 03-31-2008, 09:16 PM   #34
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Quote:
Originally Posted by Carpo
it is when you don't have the first clue of iptables, and that's why I'm asking how the hell would I make a sh script to configure iptables. The LAN IPs are my other PC(s) and the Xbox 360, so really only I use them. I'm more interested in stopping people getting in, not so much getting out.
So if they've already gotten in and backdoored the kernel to let them keep coming, you're OK with that as long as no one else gets in? Are you kidding me? Getting out can allow traffic back to people who've already broken in.
 
Old 04-01-2008, 01:42 AM   #35
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
No, if you all read, I want to stop everything getting in - if they can't get in they can't get out - and the only outbound traffic is from me. The system is kept up to date and I have chkrootkit and rkhunter; I'm told AV is not required on Linux.
 
Old 04-01-2008, 11:31 PM   #36
SlackWareWolf
Member
 
Registered: Feb 2008
Location: Michigan
Distribution: Slackware, SUSE, Debian, FreeBSD
Posts: 46

Rep: Reputation: 17
Ahh sorry, my mistake there.


OK, AV on Linux... Touchy subject.

I'm not going to bore you on why or why not it's good or bad; I'll just give you something that few would disagree with:

Linux has viruses, worms, Trojans and backdoors just like Windows. However, the chance you'll EVER see one is VERY small. I personally DO have AV for Linux on a few things, but not many. The reason is, a basic home network with nothing REALLY big on it isn't exactly a huge "come get me" sign to people who do that.

So really, if you're careful about where you go online, and don't piss off someone who seems to know a bit too much about packets, you should be fine without any problems at all.

If you are careful online, don't go to public forums saying hackers are all skinny nerds (I'm living proof that's crap, I can bench 300 pounds), and don't publicly flame people or act annoying on a mailing list, you shouldn't need to worry at all.

Don't be lax in any way though. Keep your guard up when you visit sites online, and also make sure security patches are installed and that you don't have "auto login" going too.

Regardless of the packets that you don't let in, someone can usually find a way in pretty easily. So don't give yourself a false sense of security either.
 
Old 04-02-2008, 03:32 AM   #37
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 37
Quote:
Originally Posted by SlackWareWolf
Linux has Viruses, Worms, Trojans and backdoors just like Windows. However, the chance you'll EVER see one is VERY small. I personally DO have AV for Linux on a few things, but not many. The reason is, a basic home used network with nothing REALLY big on it, isn't exactly a huge "come get me" sign to people who do that.
Well, I have ClamAV installed on my mail server, but only for mail checks, and not because of my Linux boxes behind the mail server but because some at home still use Windows.

Aren't all Linux AVs scanning only for "Windows viruses"?
 
Old 04-02-2008, 06:21 AM   #38
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Here is a script that I run on my workstations and servers. I have to edit it depending on what I use the machine for, but it may give you some ideas. Don't just blindly run it without going over it first.

It's not the be-all and end-all of scripts either; I also use it in conjunction with other things like iptables and email alerts (I left them in the script so you can see how they can work). Also, you need to add a user to the sudoers file or to the wheel group. Do that first and check that you can execute commands, otherwise you can lock yourself out of the machine. Maybe try one thing at a time and see how you go.

Code:

###############################################################################################
#	security enhancements

# remove or comment out this after you have adjusted the script to suit your needs, this is a safety precaution
# since this script will kill your system if you have not adjusted or at least checked the script out
# first

#exit 0

# host address and netmask of eth0 (net-tools ifconfig output: "inet addr:... Bcast:... Mask:...")
EXTIP="`ifconfig eth0 | grep 'inet addr' | cut -d : -f 2 | cut -d \  -f 1`"
MASK="`ifconfig eth0 | grep Mask | cut -d : -f 4`"
# tcp_wrappers matches "net/mask" against (address AND mask), so the left side has to be
# the network address, not this host's address; AND the two together octet by octet
set -- `echo $EXTIP | tr . ' '`
A1=$1; A2=$2; A3=$3; A4=$4
set -- `echo $MASK | tr . ' '`
NET="$((A1 & $1)).$((A2 & $2)).$((A3 & $3)).$((A4 & $4))"
NETID="$NET/$MASK"



##	Create/remove some files in root folder and change permissions so no one else can create them
rm -rf /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv

#	blank out the securetty file so root cannot login through any console
echo "" > /etc/securetty
chmod 0 /etc/securetty
rm -rf /etc/issue /etc/issue.net

#change root login shell
sed -i "s|root:x:0:0::/root:/bin/bash|root:x:0:0::/root:/sbin/nologin|g" /etc/passwd

#	limits the amount of processes a user can run, stops process bomb attacks
if [ ! -d /etc/security ]; then
	mkdir -p /etc/security
fi

cat > /etc/security/limits.conf <<EOF
@users soft nproc 100
@users hard nproc 150
EOF

# I recommend using the sudoers file instead of the wheel group
# sudoers keeps a log of all users and the commands they issue
# so there will be a trail to lead to someone with it all goes wrong

#	only wheel group can su
# chgrp wheel /bin/su
# chmod 4750 /bin/su
# chmod +s /bin/su

# only users of the wheel group can su to root
# this is an added security measure while changing
# the permissions on the su binary as well
cat > /etc/suauth << EOF
# ALL:ALL EXCEPT GROUP wheel:DENY
ALL: ALL :DENY
EOF


#	The following removes the SUID and the SGID bits from these programs
#	(errors for binaries that do not exist on this box are discarded; the original
#	"2>&1 /dev/null" passed /dev/null to chmod as an operand instead)
chmod a-s /usr/bin/chage 2>/dev/null
chmod a-s /usr/bin/gpasswd 2>/dev/null
chmod a-s /usr/bin/chfn 2>/dev/null
chmod a-s /usr/bin/chsh 2>/dev/null
chmod a-s /usr/bin/newgrp 2>/dev/null
chmod a-s /usr/sbin/usernetctl 2>/dev/null
chmod a-s /usr/sbin/traceroute 2>/dev/null
chmod a-s /bin/mount 2>/dev/null
chmod a-s /bin/umount 2>/dev/null
chmod a-s /bin/ping 2>/dev/null
chmod a-s /sbin/netreport 2>/dev/null
chmod a-s /usr/bin/at 2>/dev/null
chmod a-s /usr/bin/rcp 2>/dev/null
chmod a-s /usr/bin/rlogin 2>/dev/null
chmod a-s /usr/bin/rsh 2>/dev/null
chmod a-s /usr/bin/ssh-keysign 2>/dev/null
chmod a-s /usr/libexec/pt_chown 2>/dev/null
chmod a-s /usr/sbin/ping6 2>/dev/null
chmod ug-s /usr/bin/wall 2>/dev/null
chmod ug-s /usr/bin/write 2>/dev/null
chmod ug-s /usr/bin/lockfile 2>/dev/null
chmod ug-s /usr/bin/slocate 2>/dev/null
chmod ug-s /usr/sbin/utempter 2>/dev/null
chmod ug-s /usr/sbin/gnome-pty-helper 2>/dev/null
chmod ug-s /usr/sbin/lockdev 2>/dev/null
chmod ug-s /usr/sbin/sendmail.sendmail 2>/dev/null
chmod ug-s /sbin/netreport 2>/dev/null

##########################################################
# Deny certain users from using cron to automate the running of tasks.
# this will take everyone in the /etc/passwd file, except for root, and add them
# to the /etc/cron.deny file
##########################################################

USERS=`cat /etc/passwd | cut -d : -f1`
for x in $USERS; do
	if [ ! "$x" = "root" ]; then
		echo "$x" >> /etc/cron.deny
	fi
done

# Allow only root to run "at" and "cron"
rm -rf /etc/at.deny
echo "root" > /etc/cron.allow
echo "root" > /etc/at.allow

##########################################################
##		Lets add a secure sshd_config file
##		Rename the old file first
##########################################################

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.org

cat > /etc/ssh/sshd_config <<EOF
Port 4000
Protocol 2

LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

IgnoreRhosts yes
KeyRegenerationInterval 1h
ServerKeyBits 1024
KeepAlive yes

# Uncomment if you want to enable sftp
Subsystem      sftp    /usr/libexec/sftp-server
#MaxStartups 10:30:60

SyslogFacility AUTHPRIV
LogLevel INFO

#RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Banner /etc/ssh/banner
PrintMotd yes

PasswordAuthentication yes
PermitEmptyPasswords no

# Explicitly set who can and who can not login by way of ssh
#AllowGroups users everyone
AllowUsers billy

# Everything that isn't above
DenyGroups wheel root bin daemon sys adm tty disk lp mem kmem floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun http
EOF

##########################################################
##	Now lets create a ssh banner to warn people when they connect. this may help if
##	you need to take legal action. First letting them know they must be authorized to
##	connect.
##########################################################

cat > /etc/ssh/banner <<EOF
#===============================#

	WARNING!!!!

	Only authorized access allowed

#===============================#

Any or all uses of this computer and all files/data on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to law enforcement personnel, as well as authorized
officials of other agencies, both domestic and foreign. By using
this system, the user consents to such interception, monitoring
recording, copying, auditing, inspection, and disclosure at the
discretion of authorized site administrator or other personnel.

Unauthorized or improper use of this system may result in  civil and/or
criminal penalties. By using this system you indicate your
awareness of and consent to these terms and conditions of use.

DO NOT LOGIN TO THIS COMPUTER
If you do not agree to the conditions stated in this warning or you are
not an authorised user of THIS SYSTEM.


#==============#
EOF

#	Lets create a motd file, this is a file which is read when some logs on through the console (runlevel 3)
cat > /etc/motd <<EOF
* * * * * * * * * * *

NOTICE TO USERS

Only authorized access allowed

Any or all uses of this computer and all files/data on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to law enforcement personnel, as well as authorized
officials of other agencies, both domestic and foreign. By using
this system, the user consents to such interception, monitoring
recording, copying, auditing, inspection, and disclosure at the
discretion of authorized site administrator or other personnel

Unauthorized or improper use of this system may result in administrative
disciplinary action and/or civil and criminal penalties. By continuing to
use this system you indicate your awareness of and consent to these
terms and conditions of use.

LOG OFF IMMEDIATELY
if you do not agree to the conditions stated in this warning or you are
not an authorised user of THIS SYSTEM.
EOF

##########################################################
#	restrict login access to the @users group only, you will need to create a normal user
#	to access this computer from a remote location, then "su" to root, as long as the user is part of
#	the @wheel group
##########################################################

cat >> /etc/login.access <<EOF
-:ALL EXCEPT users :ALL
EOF

##########################################################
# 
# Send email alerts
# 
# 
# 
##########################################################

##	To send an email when someone logs in through ssh, place in the /etc/hosts.allow
cat > /etc/hosts.allow << EOF
ALL: 127.0.0.1/255.0.0.0
sshd: $NETID: spawn /var/admin/emailLocalConnection %a %u
EOF

#	mail someone when a connections is refused by /etc/hosts.deny
cat > /etc/hosts.deny << EOF
ALL: /etc/ipblock: deny
ALL: ALL: spawn /var/admin/emailDetection %a %u
EOF

#	let someone know when a new account is created
# cat >> /etc/profile <<'EOF'
# 
# #	let someone know when a new account is created
# if [ "$USER" = "root" -o "$UID" > "-1" -o "$GID" > "-1"  ]; then
# 	/var/admin/newAccount
# fi
# 
# EOF

##########################################################
# These are specific to the root account
# 
# 
##########################################################
#	this file will send an alert if the root user logs in via ssh
if [ ! -d /root/.ssh ]; then
	mkdir /root/.ssh
fi

cat > /root/.ssh/rc << EOF
	/var/admin/emailRootLogin
EOF

# if a user logins in that is part of the root group, send someone an alert email
#cat > /etc/ssh/sshrc << EOF
#if [ "$USER" = "root" -o "$UID" = "0" -o "$GID" = "0"  ]; then
#	/var/admin/emailSSHLogin &
#fi
#EOF

chmod 700 /root/.ssh/rc

##########################################################
# limit the command line history to ten remembered command lines and blank out the
# user's bash_history file on logout, just in case a user has made a mistake
# and entered their password where it should not be; it could then be read from the bash_history file.
# This can pose a security threat
##########################################################

cat >> /etc/profile << 'EOF'
HISTSIZE=10
HISTFILESIZE=0

# log root out after certain amount of time
if [ "$UID" = "0" ]; then
	TMOUT=3600 # 1 hour
fi

EOF


# log all syslog files to one location
cat > /etc/syslog.conf << EOF
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.
# Log everything to a file
*.*				-/var/log/messages

# Log everything to a tty (Ctrl-Alt-F12)
*.*				/dev/tty12

# Log everything to a log host
#*.*				@192.168.1.2

# Display emergencies to everyone using wall
*.=emerg			*

# Send alerts directly to the user's terminals
*.=alert			root
EOF

# restart syslog daemon
/etc/rc.d/rc.syslog restart

# log rotation
cat > /etc/logrotate.conf << EOF
weekly
rotate 26
compress
EOF

# the delimiter is quoted so the backticks in the postrotate line are written literally
# instead of being expanded (to the current syslogd pid) while this script runs
cat > /etc/logrotate.d/syslog << 'EOF'
/var/log/cron /var/log/debug /var/log/maillog /var/log/messages
/var/log/secure /var/log/spooler /var/log/sulog /var/log/syslog
{
create 0640 root root
#mail someone@somewhere.com
mail root
mailfirst
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null || true`
endscript
}
EOF

# log icmp packets received by this host to syslog
cat >> /etc/rc.d/rc.local << EOF
# Log icmp packets to syslog
/usr/sbin/icmpinfo -vvv -s -l
EOF

#     Account processing is turned on by /etc/rc.d/rc.M.  However, the log file doesn't exist.
touch /var/log/pacct

# /var/log/btmp:
#     The btmp log file contains all of the failed login attempts.  The command lastb lists the contents of the log file.
touch /var/log/btmp
chmod --reference=/var/log/wtmp /var/log/btmp
chown --reference=/var/log/wtmp /var/log/btmp
if [ -e /usr/bin/lastb ]; then
	rm -rf /usr/bin/lastb
fi
ln -s /usr/bin/last /usr/bin/lastb
lastb


# Prevents users from looking at the contents of these directories.  It still 
# allows them to create, access, and modify files in those directories if 
# they know the actual file name.  This does not stop users from running 
# executables in /tmp.

cat >> /etc/rc.d/rc.S << EOF

chmod 1733 /tmp/.ICE-unix
chmod 1733 /tmp/.X11-unix
# Don't let everyone have read access to utmp:
chmod 660 /var/run/utmp

EOF


# remove any other shells that may be able to bypass security measures
cat > /etc/shells << EOF
/bin/bash
EOF

# remove the shell packages if they exist on the system
removepkg ash
removepkg ksh93
removepkg tcsh
removepkg zsh

#######################################################
# find accounts with blank passwords in /etc/passwd and /etc/shadow.
# A blank password field in /etc/passwd gets an x so it points to /etc/shadow
# A blank password field in /etc/shadow gets locked with a ! character (passwd -l)
# This will effectively lock the accounts
#######################################################

# only the second field (the password) of each line is touched; an unanchored
# "s|::|:x:|" could hit an empty GECOS field instead
sed -i 's/^\([^:]*\)::/\1:x:/' /etc/passwd

# lock every account whose shadow password field is empty
for x in `awk -F: '$2 == "" { print $1 }' /etc/shadow`; do passwd -l $x; done


#######################################################
# deny all users to access this host by ftp
# comment out ftp in the /etc/ftpusers file if you want anonymous ftp access to this host
cat /etc/passwd | cut -d : -f1 > /etc/ftpusers

# 
cat > /etc/host.conf << EOF
nospoof on
spoofalert on
spoof warn
EOF


# set default permissions on newly created files by setting the umask
cat >> /etc/profile << EOF

# set default permissions on newly created files by setting the umask
umask 077

EOF

# remove access to these files/directories by removing world readable
chown root.root /etc/cron.* /var/spool/cron /etc/rc.d /root
chmod 700 /etc/cron.* /var/spool/cron /etc/rc.d /root

# Limit access to logs:
#chmod -R o-rwx /var/log
#chmod 640 /etc/syslog.conf /etc/logrotate.conf
#chmod 751 /var/log /etc/logrotate.d

# Find dead symlinks (this only lists them; nothing is deleted)
find / -type l -print | perl -nle '-e || print'

# Stop arp spoofing used to sniff switched networks
# Set a static ARP entry for the default gateway
#EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
#MAC=`arp -a | awk '{print $4}'`
#arp -s $EXTGW $MAC

# Stuff to remove
removepkg nn
removepkg slrn
removepkg uucp
removepkg strace
removepkg gdb
removepkg nc
removepkg nmap
removepkg at

BINARIES='
/bin/date
/bin/du
/bin/echo
/bin/grep
/bin/kill
/bin/killall
/bin/login
/bin/ls
/bin/netstat
/bin/ps
/bin/su
/bin/tar
/sbin/agetty
/sbin/explodepkg
/sbin/getty
/sbin/ifconfig
/sbin/installpkg
/sbin/makepkg
/sbin/pidof
/sbin/removepkg
/sbin/upgradepkg
/usr/bin/basename
/usr/bin/biff
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/dirname
/usr/bin/env
/usr/bin/find
/usr/bin/lsattr
/usr/bin/nail
/usr/bin/passwd
/usr/bin/pstree
/usr/bin/ssh
/usr/bin/top
/usr/bin/traceroute
/usr/bin/write
/usr/sbin/gpm
/usr/sbin/hdparm
/usr/sbin/in.fingerd
/usr/sbin/in.identd
/usr/sbin/in.rlogind
/usr/sbin/in.rshd
/usr/sbin/in.telnetd
/usr/sbin/in.timed
/usr/sbin/inetd
/usr/sbin/ipop3d
/usr/sbin/named
/usr/sbin/rpcinfo
/usr/sbin/sendmail
/usr/sbin/sshd
/usr/sbin/syslogd
/usr/sbin/tcpd
'
for b in $BINARIES; do
	md5sum $b >> /etc/md5sum.bin
done


# To search the entire system for SUID or SGID files, you can run the following command:

find / -path /proc -prune -o -type f -perm +6000 -ls >> /tmp/suid.txt

# find hidden or unusual files
find / -name ".. " -print -xdev >> /tmp/hidden-unusual-files.txt

# World-writable files are a security risk since it allows anyone to modify them. Additionally, 
# world-writable directories allow anyone to add or delete files.
# To locate world-writable files and directories, you can use the following command:

find / -path /proc -prune -o -perm -2 ! -type l -ls >> /tmp/worldwriteable.txt

# Files not owned by any user or group might not necessarily be a security problem in itself.
# However, unowned files could pose a security problem in the future. For example,
# if a new user is created and the new users happens to get the same UID as the unowned
# files have, then this new user will automatically become the owner of these files. 

find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls >> /tmp/nowner.txt

# remove these backup files since they may not have the same strict permissions
rm -rf /etc/*~
rm -rf /etc/*-
rm -rf /etc/*.bak

#  change permissions
chmod 750 /bin/mt-st
chmod 600 /etc/at.allow
chmod 600 /etc/cron*
chmod 600 /etc/ftpusers
chmod 600 /etc/hosts.allow
chmod 600 /etc/hosts.deny
chmod 600 /etc/inetd.conf
chmod 600 /etc/inittab
chmod 600 /etc/lilo.conf
chmod 600 /etc/login.defs
chmod 600 /etc/securetty
chmod 600 /etc/suauth
chmod 440 /etc/sudoers
chmod 600 /etc/syslog.conf
chmod 750 /sbin/badblocks
chmod 750 /sbin/debugfs
chmod 750 /sbin/depmod
chmod 750 /sbin/dumpe2fs
chmod 750 /sbin/explodepkg
chmod 750 /sbin/fdisk
chmod 750 /sbin/fsck
chmod 750 /sbin/fsck.ext2
chmod 750 /sbin/fsck.minix
chmod 750 /sbin/ftl_check
chmod 750 /sbin/ftl_format
chmod 750 /sbin/halt
chmod 750 /sbin/hwclock
chmod 750 /sbin/ifconfig
chmod 750 /sbin/ifport
chmod 750 /sbin/ifuser
chmod 750 /sbin/init
chmod 750 /sbin/insmod
chmod 750 /sbin/installpkg
chmod 750 /sbin/isapnp
chmod 750 /sbin/killall5
chmod 750 /sbin/lilo
chmod 750 /sbin/makepkg
chmod 750 /sbin/mke2fs
chmod 750 /sbin/mkfs
chmod 750 /sbin/mkfs.minix
chmod 750 /sbin/mkdosfs
chmod 750 /sbin/mkraid
chmod 750 /sbin/mkswap
chmod 750 /sbin/modinfo
chmod 750 /sbin/pkgtool
chmod 750 /sbin/pnpdump
chmod 750 /sbin/removepkg
chmod 750 /sbin/rpc.portmap
chmod 750 /sbin/quotaon
chmod 750 /sbin/rdev
chmod 750 /sbin/runlevel
chmod 750 /sbin/setserial
chmod 750 /sbin/swapon
chmod 750 /sbin/tune2fs
chmod 750 /sbin/upgradepkg
chmod 750 /sbin/uugetty
chmod 750 /usr/bin/eject
chmod 4750 /usr/bin/gpasswd
chmod 750 /usr/bin/lpq
chmod 750 /usr/bin/lprm
chmod 4750 /usr/bin/lpr
chmod 750 /usr/bin/minicom
chmod 700 /usr/bin/nohup
chmod 700 /usr/bin/script
chmod 500 /usr/bin/wget
chmod 500 /usr/lib/news/bin/inndstart
chmod 500 /usr/lib/news/bin/startinnfeed
chmod 750 /usr/sbin/atd
chmod 750 /usr/sbin/atrun
chmod 750 /usr/sbin/crond
chmod 750 /usr/sbin/ctrlaltdel
chmod 750 /usr/sbin/dhcpd
chmod 750 /usr/sbin/dhcrelay
chmod 750 /usr/sbin/edquota
chmod 750 /usr/sbin/groupadd
chmod 750 /usr/sbin/groupdel
chmod 750 /usr/sbin/groupmod
chmod 750 /usr/sbin/grpck
chmod 750 /usr/sbin/grpconv
chmod 750 /usr/sbin/grpunconv
chmod 750 /usr/sbin/hdparm
chmod 750 /usr/sbin/imapd
chmod 750 /usr/sbin/in.comsat
chmod 755 /usr/sbin/in.fingerd
chmod 755 /usr/sbin/in.identd
chmod 750 /usr/sbin/in.talkd
chmod 000 /usr/sbin/in.rexecd
chmod 000 /usr/sbin/in.rlogind
chmod 000 /usr/sbin/in.rshd
chmod 750 /usr/sbin/in.telnetd
chmod 000 /usr/sbin/in.tftpd
chmod 750 /usr/sbin/in.timed
chmod 750 /usr/sbin/inetd
chmod 750 /usr/sbin/ipop3d
chmod 750 /usr/sbin/klogd
chmod 2750 /usr/sbin/lpc
chmod 740 /usr/sbin/lpd
chmod 550 /usr/sbin/makemap
chmod 750 /usr/sbin/mouseconfig
chmod 750 /usr/sbin/named
chmod 750 /usr/sbin/newusers
chmod 750 /usr/sbin/nmbd
chmod 750 /usr/sbin/ntpdate
chmod 750 /usr/sbin/ntpq
chmod 750 /usr/sbin/ntptime
chmod 750 /usr/sbin/ntptrace
chmod 750 /usr/sbin/pppd
chmod 750 /usr/sbin/pwck
chmod 750 /usr/sbin/pwconv
chmod 750 /usr/sbin/pwunconv
chmod 550 /usr/sbin/quotastats
chmod 750 /usr/sbin/rpc.bootparamd
chmod 750 /usr/sbin/rpc.mountd
chmod 750 /usr/sbin/rpc.nfsd
chmod 750 /usr/sbin/rpc.rusersd
chmod 750 /usr/sbin/rpc.rwalld
chmod 750 /usr/sbin/rpc.yppasswdd
chmod 750 /usr/sbin/rpc.ypxfrd
chmod 750 /usr/sbin/rpcinfo
chmod 750 /usr/sbin/showmount
chmod 750 /usr/sbin/smbd
chmod 750 /usr/sbin/syslogd
chmod 750 /usr/sbin/tcpd
chmod 750 /usr/sbin/tcpdchk
chmod 750 /usr/sbin/tcpdmatch
chmod 750 /usr/sbin/tcpdump
chmod 750 /usr/sbin/timeconfig
chmod 750 /usr/sbin/useradd
chmod 750 /usr/sbin/userdel
chmod 750 /usr/sbin/usermod
chmod 750 /usr/sbin/vipw
chmod 700 /usr/bin/wget


chattr +i /etc/at.deny
chattr +i /etc/exports
chattr +i /etc/ftpusers
chattr +i /etc/host.conf
chattr +i /etc/hosts
chattr +i /etc/hosts.allow
chattr +i /etc/hosts.deny
chattr +i /etc/hosts.equiv
chattr +i /etc/hosts.lpd
chattr +i /etc/inetd.conf
chattr +i /etc/inittab
chattr +i /etc/lilo.conf
chattr +i /etc/login.access
chattr +i /etc/login.defs
chattr +i /etc/named.conf
chattr +i /etc/porttime
chattr +i /etc/profile
chattr +i /etc/protocols
chattr +i /etc/securetty
chattr +i /etc/services
chattr +i /etc/suauth

# allow users in the users group to change their own passwords
chgrp users /usr/bin/passwd
chmod 4710 /usr/bin/passwd

#########################################################
# 	Secure /tmp /var/tmp/ /dev/shm

# create a tmp directory in each user's $HOME directory; this is more secure since it lets users read/write only
# in their home directories

# /etc/profile was made immutable (chattr +i) above, so lift that for the append and restore it afterwards
chattr -i /etc/profile
cat >> /etc/profile << 'EOF'

# a private tmp directory needs the x bit so its owner can enter it; 0700 keeps everyone else out
if [ ! -d "$HOME/tmp" -a "$HOME" != "/" ]; then
	mkdir -p "$HOME/tmp"
fi
chown "$USER" "$HOME/tmp"
chmod 0700 "$HOME/tmp"
export TMPDIR="$HOME/tmp"
export TMP="$TMPDIR"
EOF
chattr +i /etc/profile

# add it to /etc/skel for all new users
cat >> /etc/skel/.bash_profile << 'EOF'
if [ ! -d "$HOME/tmp" -a "$HOME" != "/" ]; then
	mkdir -p "$HOME/tmp"
fi
chown "$USER" "$HOME/tmp"
chmod 0700 "$HOME/tmp"
export TMPDIR="$HOME/tmp"
export TMP="$TMPDIR"
EOF

# add to any existing users if they are not reading /etc/profile
for x in /home/*; do
cat >> $x/.bash_profile << 'EOF'
if [ ! -d "$HOME/tmp" -a "$HOME" != "/" ]; then
	mkdir -p "$HOME/tmp"
fi
chown "$USER" "$HOME/tmp"
chmod 0700 "$HOME/tmp"
export TMPDIR="$HOME/tmp"
export TMP="$TMPDIR"
EOF
done

# find bad ssh users  ip addresses and how many attempts
grep "sshd" /var/log/messages | grep "Invalid user"| awk '{print $NF}' | sort | uniq -c | sort -n
grep "sshd" /var/log/messages | grep "Failed password for"| awk '{print $13}' | sort | uniq -c | sort -n | grep "\."

# make /tmp a ram-based filesystem
# cat >> /etc/fstab << EOF
# none  /tmp  tmpfs  defaults  0  0
# EOF

# Do the above, but prevent an attacker from doing many things by making /tmp less useful to them.
# Make the /etc/fstab entry say:

FIND_TMP=`grep "/tmp" /etc/fstab`
if [ $? = 0 ]; then
	sed -i "s|$FIND_TMP|none /tmp tmpfs rw,noexec,nosuid,nodev,size=100000000 0 0|g" /etc/fstab
else
	echo "none /tmp tmpfs rw,noexec,nosuid,nodev,size=100000000 0 0" >> /etc/fstab
fi

FIND_SHM=`grep "/dev/shm" /etc/fstab`
if [ $? = 0 ]; then
	sed -i "s|$FIND_SHM|none                    /dev/shm                tmpfs   defaults,nosuid,noexec,rw        0 0|g" /etc/fstab
else
	echo "none                    /dev/shm                tmpfs   defaults,nosuid,noexec,rw        0 0" >> /etc/fstab
fi

mount -o remount /dev/shm
mount -o remount /tmp

# symlink /var/tmp to /tmp
mv /var/tmp /var/tmpold
ln -s /tmp /var/tmp 
cp -a /var/tmpold/* /tmp
rm -rf /var/tmpold
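As an added example (my code, not fotoguy's script and not part of the original post), here are the two "find bad ssh users" one-liners from near the end of the script generalised into small shell functions. The post's awk '{print $13}' only lands on the address for "Failed password for invalid user X from ..." lines (for a valid user the line has two fewer fields, which is why the trailing grep "\." was needed); matching the "from <ip> port" pattern handles both shapes. The log lines are constructed for the demo, and the threshold value is an arbitrary choice; on a real Slackware box the input would be /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the original post: summarise failed sshd logins
# per source address from syslog-style lines.

# Constructed sample log lines (not a real capture). The mix deliberately
# includes both "Failed password" shapes, one accepted login and one
# "Invalid user" line, so each function has something to match and skip.
SAMPLE_LOG='Apr  2 06:21:01 slack sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Apr  2 06:21:03 slack sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 40123 ssh2
Apr  2 06:21:09 slack sshd[2204]: Failed password for billy from 10.0.0.5 port 40130 ssh2
Apr  2 06:22:40 slack sshd[2210]: Failed password for billy from 192.168.1.20 port 51002 ssh2
Apr  2 06:23:00 slack sshd[2215]: Accepted password for billy from 192.168.1.20 port 51003 ssh2
Apr  2 06:24:15 slack sshd[2220]: Invalid user oracle from 10.0.0.5'

# Reads log lines on stdin and prints "<count> <ip>" for every source
# address with failed password attempts, least frequent first (the same
# sort | uniq -c | sort -n pipeline as the post, with the count/ip pair
# normalised to single spaces so it is easy to consume further).
failed_by_ip() {
    grep 'sshd\[' | \
    sed -n 's/.*Failed password for .* from \([0-9][0-9.]*\) port.*/\1/p' | \
    sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Same summary for sshd's "Invalid user <name> from <ip>" lines
# (the first one-liner in the post, which used $NF for the address).
invalid_user_by_ip() {
    grep 'sshd\[' | \
    sed -n 's/.*Invalid user .* from \([0-9][0-9.]*\).*/\1/p' | \
    sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Number of failed password attempts from one address (empty if none).
failures_from() {
    failed_by_ip | awk -v ip="$1" '$2 == ip {print $1}'
}

# Addresses with at least $1 failures: a review list for hosts.deny or
# the firewall, not something to feed into a block rule automatically.
over_threshold() {
    failed_by_ip | awk -v n="$1" '$1 >= n {print $2}'
}

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

To use it on a live box, feed the functions the real log (`failed_by_ip < /var/log/messages`); the output is only a summary of what the log already contains, so cross-check a noisy address against the accepted logins before deciding anything.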
 
Old 04-02-2008, 09:31 AM   #39
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by SlackWareWolf
Linux has Viruses, Worms, Trojans and backdoors just like Windows. However, the chance you'll EVER see one is VERY small.
...and I'll say that "very small" is very small indeed. GNU/Linux is AFAIK still targeted with only and *exactly* ten viruses. Nine of them are PoC and I only encounter one ITW. The chance to find that one depends on how and where you look for it. In day to day ops I do receive it occasionally, while handling incidents, as collateral in data from rootkitted machines.


Quote:
Originally Posted by Tux-Slack
Aren't all Linux AVs scanning only for "Windows viruses"?
No, generally speaking, as long as there are heuristics and signatures for them they will search for it.



The whole virus discussion in relation to GNU/Linux is more often than not blown way out of proportion, usually due to the mindset people crossing over from ClippyOS have. "The virus issue" also distracts from problems GNU/Linux faces. Even if I leave out the most obvious things like vulnerabilities in kernel and userland software I still get: ignorance, misconfiguration, lack of discipline (updating), not hardened OS installations, no auditing capabilities. While most of them are not linked to GNU/Linux in a purely technical sense but more due to mindset and attitude, the net effect of a glitch is still greater since, compared to a Windows installation, a GNU/Linux provides the cracker with a way more performant and versatile platform to do dirty deeds on.

Another thing is that while getting root admittedly is nice (anyone here doing incident handling: how many rootkit incidents have *you* seen in the last three years?), with the appearance of all those nice coding flaws in, say, (mostly) PHP-based SW, you don't need root to start your scanner, DoS bot or spam flooder.

One final thing would be to mention SELinux, GRSecurity, AppArmor, Snort and Samhain. What they have in common, in contrast with package management tools, Tiger, LSAT (Number9s, not Mixters), Aide, Chkrootkit or Rootkit Hunter, is that they are not passive, post-incident auditing tools but enhance security the active way. To start with the kernel, version 2.6 has made it a bit harder for crackers (find SCT address). In short it resulted in less rootkits for 2.6 (only Adore-NG and Override). SELinux has been proven (pointers needed) to block some vulnerabilities from escalating, GRSecurity (amongst many other things) shields and randomises enough to make things hard for a cracker and Samhain (when so configured) watches the kernel from the inside, being able to alert when wacky stuff happens to say the IDT or your binaries. So while there will always be 0-days you can't defend against there is enough around to help you limit exposure and consequently, damage.
 
Old 04-02-2008, 11:13 AM   #40
Rupa
Member
 
Registered: Apr 2008
Location: Berlin, Germany
Distribution: Slackware, Debian, NetBSD
Posts: 80

Rep: Reputation: 27
Quote:
Originally Posted by unSpawn
The whole virus discussion in relation to GNU/Linux is more often than not blown way out of proportion, usually due to the mindset people crossing over from ClippyOS have.
Thanks a lot! I had already started a few replies on this thread when I came to read your post. Nothing more to be said. Thanks again.
 
  

