LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 08-17-2013, 04:44 PM   #1
NaTTaN
LQ Newbie
 
Registered: Jun 2011
Location: user land
Distribution: Slackware 14
Posts: 28

Rep: Reputation: Disabled
Trying to harden my Slackware 14...


Hi, had a lot of time without coming to the forum, now I think it's time to harden the security of my Slackware 14, I looked around on google but didn't find a guide applied to Slackware 14 and the ones I found are old..

Can somebody tell me if there's a paper or a guide applied to Slackware 14? and where can I find it?



greetings
NattaN
 
Old 08-17-2013, 04:46 PM   #2
Darth Vader
Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 553

Rep: Reputation: 103Reputation: 103
Quote:
Originally Posted by NaTTaN View Post
Hi, had a lot of time without coming to the forum, now I think it's time to harden the security of my Slackware 14, I looked around on google but didn't find a guide applied to Slackware 14 and the ones I found are old..

Can somebody tell me if there's a paper or a guide applied to Slackware 14? and where can I find it?



greetings
NattaN
No paper is there. Because Slackware is hardened by default...
 
1 members found this post helpful.
Old 08-17-2013, 06:17 PM   #3
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 144

Rep: Reputation: 21
Quote:
Originally Posted by NaTTaN View Post
Hi, had a lot of time without coming to the forum, now I think it's time to harden the security of my Slackware 14, I looked around on google but didn't find a guide applied to Slackware 14 and the ones I found are old..

Can somebody tell me if there's a paper or a guide applied to Slackware 14? and where can I find it?
It depends how much do you want to harden slack, but I'd start with hardened (grsecurity) kernel. See this guide - http://mrejata.us/articles.php?article_id=84. If you want to try SElinux, well, go ahead. Although I'm afraid that it might depend on PAM, which isn't shipped in Slackware, but nothing stops you from compiling it yourself.
 
Old 08-17-2013, 06:34 PM   #4
PenguinWearsFedora
Member
 
Registered: Jul 2009
Distribution: Slackware-14
Posts: 52

Rep: Reputation: 1
Look at this thread.
 
Old 08-18-2013, 07:16 AM   #5
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,383
Blog Entries: 14

Rep: Reputation: 582Reputation: 582Reputation: 582Reputation: 582Reputation: 582Reputation: 582
Slackware technically doesn't require Hardening with SELinux to be secure as it's very secure by default. The only real thing it lacks is a preset Firewall script of which instructions are available as well as AlienBOB's Easy Firewall script generator for IPTables.

SELinux also requires several packages to be rebuilt also which currently there are no SELinux packages available for Slackware, and the available build scripts would require a good bit of editing.

You can add additional Hardening to Slackware, but it doesn't really add much to the security layers, if anything worth significance.

The only thing I recommend is you add possibly a Firewall script for IPTables, and add also maybe, from SlackBuilds.org, ClamAV, RKHunter, and Snort if you really feel something isn't up to par.

If you are absolute you need a SELinux Hardened system or similar UNIX-like OS, I recommend you look into Hardened Gentoo, or maybe even OpenBSD.

Last edited by ReaperX7; 08-18-2013 at 07:18 AM.
 
Old 08-18-2013, 08:38 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,769
Blog Entries: 1

Rep: Reputation: 410Reputation: 410Reputation: 410Reputation: 410Reputation: 410
I'll chime in with a slightly different viewpoint. Security is a process, not a specific program or single script. While Slackware is fairly secure out of the box, it is also just as vulnerable to threats from 3rd party software as any other Linux distro. So maybe a few things to think about are:

- Do you have a process for keeping Slackware updated?
- Do you have a process for keeping 3rd party software updated?
- Have you figured out what servers will be public facing and eliminated everything else?
- Do you have some sort of monitoring system in place that can tell you you've been compromised?
- Do you have an understanding of what to do if you get compromised?
- Do you have a backup/recovery plan?
 
3 members found this post helpful.
Old 08-18-2013, 12:10 PM   #7
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 144

Rep: Reputation: 21
Quote:
Originally Posted by ReaperX7 View Post
You can add additional Hardening to Slackware, but it doesn't really add much to the security layers, if anything worth significance.
If you use a lot of 3rd party software, PaX could help against intentional or unintentional low level exploits (buffer overflow, etc.).

On the other hand, PaX hardened kernel might break few things. Alfresco binary installer for instance (but maybe it's doing bad things and PaX actually helps). And also it could lower security a little bit, when monitoring software (zabbix, nagios, etc.) needs access to certain files in /proc and kernel denies access to these process. Workaround is to add these particular users to privileged group (wheel by default), which doesn't seem to me as much secure.

These are just my observations from using hardened Gentoo (without SElinux) and I agree that you won't need such hardening unless you are running some mission-critical setup with very strict security policy.
 
1 members found this post helpful.
Old 08-18-2013, 04:13 PM   #8
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,383
Blog Entries: 14

Rep: Reputation: 582Reputation: 582Reputation: 582Reputation: 582Reputation: 582Reputation: 582
Even then, I think, if I'm not mistaken, most modern 3.x+ Linux kernels and software now take advantage of the AMD/Intel NX-Bit technology built into CPUs which is similar to Data Execution Prevention on Windows to stop things like buffer overflows and illegal addressing of memory space before they even start.
 
Old 08-19-2013, 12:13 AM   #9
jon lee
Member
 
Registered: Jul 2013
Posts: 81

Rep: Reputation: Disabled
There's a bunch of small things one can do to harden security. I think PAM and Policy-kit to be one of the first and most beneficial (but are a major PITA to install). Limit access to inetd or sshd (or uninstall altogether). I used firewall builder to build a simple script. BTW, you'll get iptables errors unless you build a kernel with iptables logging enabled. I don't like mysql. Remove it. It will break akonadi. So what. Same with NFS (at the kernel level, too... I'm guessing the same with fhandles).

I don't trust grsecurity or selinux (just my opinion). A full install of selinux requires systemd compiled against selinux and selinux PAM modules (both of which Slackware does not include by default). If you're a fan of these perhaps ubuntu would be a better solution.
 
Old 08-19-2013, 05:08 AM   #10
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266Reputation: 1266
I wrote some basic security tips here:
http://docs.slackware.com/howtos:sec...basic_security
However, you should be a bit more specific as to your needs.

Also remember who develops SELinux.
 
1 members found this post helpful.
Old 08-29-2013, 07:25 PM   #11
NaTTaN
LQ Newbie
 
Registered: Jun 2011
Location: user land
Distribution: Slackware 14
Posts: 28

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Hangdog42 View Post
I'll chime in with a slightly different viewpoint. Security is a process, not a specific program or single script. While Slackware is fairly secure out of the box, it is also just as vulnerable to threats from 3rd party software as any other Linux distro. So maybe a few things to think about are:

- Do you have a process for keeping Slackware updated?
- Do you have a process for keeping 3rd party software updated?
- Have you figured out what servers will be public facing and eliminated everything else?
- Do you have some sort of monitoring system in place that can tell you you've been compromised?
- Do you have an understanding of what to do if you get compromised?
- Do you have a backup/recovery plan?

- Do you have a process for keeping Slackware updated?
*yes, I usually check for updates using the slackpkg tool.

- Do you have a process for keeping 3rd party software updated?
*If you mean upgrading packages like seamonkey, audacious, etc, I think slackpkg would do that :/.

- Have you figured out what servers will be public facing and eliminated everything else?
*This is just a laptop, but the only service I have active that permits remote acces is ssh.

- Do you have some sort of monitoring system in place that can tell you you've been compromised?
*Nope, I tried to install Snort but couldn't do it am missing some lybraries.
- Do you have an understanding of what to do if you get compromised?
Nope, now that you mention it I don't have such a plan.
- Do you have a backup/recovery plan?
*No, I don't have it.


greetings
nattan
 
Old 09-06-2013, 02:49 PM   #12
jon lee
Member
 
Registered: Jul 2013
Posts: 81

Rep: Reputation: Disabled
Another area to harden is dhclient. I found mine listening on some extra ports (not real sure what triggered it either).

Anyway if you turn off NSUPDATE in site.h and recompile, this will take care of that.
I followed the instructions here:
http://forums.debian.net/viewtopic.php?t=95273
 
Old 04-07-2014, 08:16 AM   #13
Sigg3.net
Member
 
Registered: Mar 2008
Location: Oslo, Norway
Distribution: Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 161

Rep: Reputation: 22
Quote:
Originally Posted by Darth Vader View Post
No paper is there. Because Slackware is hardened by default...
I don't want to sound discouraging, but Linux's security by default _is a myth_ .

Slackware may be more secure than Windows, but it was easier to gain outside access to it than e.g. my Fedora 17 box. Slackware allows root and password logins _by default_, which leaves a lot of security up to the external infrastructure.

For most users on laptops, that external infrastructure is a SOHO router, which may even have remote admin and upnp enabled by default (both insecure) not to mention default (/ISP) passwords..

X is also insecure on multi user systems.

Slackware is a good starting point, but it isn't more secure than its user's knowledge and practice. This goes for all Linux distros, and to some extent FreeBSD as well, which is even more conservative.

Security is a multi-faced approach to putting yourself in the attacker's place and making the appropriate counter measures. Methods and measures change continuously, so it's really a mindset; and _not_ "what you get" out of the box.
 
Old 04-07-2014, 09:14 AM   #14
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,281

Rep: Reputation: 802Reputation: 802Reputation: 802Reputation: 802Reputation: 802Reputation: 802Reputation: 802
Quote:
I don't want to sound discouraging, but Linux's security by default _is a myth_ .
Evidence?
Quote:
Slackware may be more secure than Windows, but it was easier to gain outside access to it than e.g. my Fedora 17 box. Slackware allows root and password logins _by default_, which leaves a lot of security up to the external infrastructure.
Evidence?
Quote:
For most users on laptops, that external infrastructure is a SOHO router, which may even have remote admin and upnp enabled by default (both insecure) not to mention default (/ISP) passwords..
What has that to do with Slackware?
Quote:
X is also insecure on multi user systems.
Have you tried an exploit on a default Slackware install?
Quote:
Slackware is a good starting point, but it isn't more secure than its user's knowledge and practice. This goes for all Linux distros, and to some extent FreeBSD as well, which is even more conservative.
Motherhood statement.
Quote:
Security is a multi-faced approach to putting yourself in the attacker's place and making the appropriate counter measures. Methods and measures change continuously, so it's really a mindset; and _not_ "what you get" out of the box.
Motherhood statement.

This post is as vacuous as your kitchen window.
 
Old 04-07-2014, 09:41 AM   #15
folkenfanel
Member
 
Registered: Sep 2004
Location: formerly Fanelia and Zaibach
Distribution: Slackware-current with KDE 4.8.5
Posts: 299

Rep: Reputation: 35
Wink hosts

As said in http://slackwiki.com/Basic_Security_Fixes , editing your hosts.deny makes some difference.

Looking at attack attempt logs from intentionally unsecured honeypots, it does make some difference.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] How to harden Jboss? szboardstretcher Linux - Software 1 08-01-2011 08:19 PM
How to harden centos 5.4 fw12 Linux - Security 14 12-22-2009 06:13 PM
LXer: How To Harden PHP5 With Suhosin On CentOS 5.3 LXer Syndicated Linux News 0 05-22-2009 04:42 PM
Harden file system protections AssimovT Linux - Security 3 03-16-2006 04:27 AM
Harden RedHat danieltkh Linux - Security 3 08-12-2004 04:00 AM


All times are GMT -5. The time now is 01:58 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration