LinuxQuestions.org - Slackware install, no Firewall out of the box? Suggestions on what to do?

Basic Slackware Security by Chess Griffin

http://chessgriffin.com/files/docs/slack_sec.txt
Code:
Post-Install Security

---------------------

You're booted up.  The first thing to do is to configure tcpwrappers by

editing /etc/hosts.deny and hosts.allow.  Add the following line to

hosts.deny to disallow access by any host to your box.



        ALL: ALL



Once this is in place, you can reinforce host denial in hosts.allow with



        ALL: ALL: DENY



or you can poke holes to allow access by certain hosts, or ranges of hosts,

to certain services.  A common entry would be to allow ssh connections:



        # ALL: ALL: DENY

        sshd: ALL: ALLOW



Firewalls are not a panacea for security.  But they are an imperative

beginning step.  iptables provides the packet filtering, or firewalling, for

the 2.4.x and 2.6.x kernels.  And if setting up an iptables firewall is not

your first step in securing your Slack box, it better be your second.



Below is an example of a basic iptables script.  The comments included

explain what the rules are doing.  Name the script rc.firewall, chmod 755

rc.firewall and mv rc.firewall /etc/rc.d.



        #!/bin/bash



        # rc.firewall for

        # Basic Slackware Security



        # These two rules set the default policies, i.e. what to do if a

        # packet doesn't match any other rule, to drop any packet coming

        # into (INPUT) or routing through (FORWARD) the box.

        iptables -P INPUT DROP

        iptables -P FORWARD DROP



        # These rules are added (-A) to the INPUT chain.  They allow packets

        # from any previously established connections and accept anything

        # from the loopback interface.

        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT



        # This rule added to the INPUT chain accepts any ssh connections.

        iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT



With a basic firewall in place, it's time to edit /etc/inetd.conf to remove

unneeded services.  Now unless you absolutely know you need a service

mentioned in inetd.conf, comment it out with #.  You will probably find

that, at least initially,  you'll comment out the entire file.  Here's a

Perl script that will do it for you.



        #!/usr/bin/perl



        $conf = "/etc/inetd.conf";



        system("cp $conf $conf.bak");



        open FILE, "$conf" or die "Can't open $conf: $!";

        open TEMP, ">temp" or die "Can't create temp file: $!";



        while (<FILE>) {

                s/^/#/ if ($_ !~ /^#/);

                print TEMP;

        }



        close FILE;

        close TEMP;



        unlink "$conf";

        system("mv temp $conf");



If there's a service that you want shut down that you didn't choose to

during the install, stay in /etc and head to rc.d.  You can edit rc.M (M

for multi-user) and comment out the respective section that starts the

daemon, and/or you can chmod 644 rc.<service> to keep it from starting, as

rc.M starts a service based on the file test, -x.



It's safe to say that the major steps to securing your box are complete.

There are many things left to do, including advancing the above topics,

that can tighten up security.  Configuring individual services should weigh

heavily in this advancement.  Staying in line with the above examples, we

will go through some important settings for sshd.



The configuration file for sshd is /etc/ssh/sshd_config.  Edit the file and

consider making the following changes.



        # Force the more secure Protocol 2

        Protocol 2



        # Do not let root login remotely

        PermitRootLogin no



        # Watch out for world writables

        StrictModes yes



        # Require passwords

        PasswordAuthentication yes



        # Don't allow null passwords

        PermitEmptyPasswords no



        # What do you need X for anyway?

        X11Forwarding no



        # No extraneous info

        PrintMotd no



Now run kill -s 1 `cat /var/run/sshd.pid` to force sshd to reload its

configuration.



To be sure, there is no security through obscurity.  Then again, there's no

reason to give an attacker any more information than you have to.  Turn off

or change any banner or motd, and edit /etc/issue and issue.net to your

liking.  (bland's is set to "Welcome to Windows Server 2003.")



suid, or Set User ID, programs are usually plentiful in any distro and their

root interaciton with regular users should be controlled.  Going through

your suid programs and removing the s bit can significantly reduce

vulnerability.  A Perl script has been provided that can simplify this

process.



Save the below Perl script as sup.pl and run it.  Then go through the

resulting suid.txt text file and comment out, with #, the programs that

do not need suid permission.  Save it and then run sup.pl with the -u

switch.  Commented programs will no longer be suid, and you'll have a

record of what was done.



        #!/usr/bin/perl



        if ($#ARGV < 0) {

                system("find / -perm +4000 2>/dev/null > suid.txt");

                exit;

        }

                                                                                                                              

        if ($ARGV[0] =~ /-u/) {

                open(UPDATE, "<suid.txt") or die "Can't read file: $!";

                                                                                                                              

                while (<UPDATE>) {

                        if (/^#/) {

                                s/#//;

                                system("chmod -s $_");

                        }

                }

                close(UPDATE);

        }

        else {

                print "Usage: perl sup.pl <-u>\n";

                exit;

        }



There are a couple of final touches before moving on to third party

applications.  Edit /etc/securetty, which controls which devices root can

login to, and comment out, well, everything for more security.  And change

your umask to a more restrictive 077.