LinuxQuestions.org
Old 04-05-2007, 05:18 AM   #1
kc3377
LQ Newbie
 
Registered: Feb 2007
Distribution: redhat
Posts: 25

Rep: Reputation: 15
best way to secure the system


Dear sir, can you tell me the best way to secure the Linux system....
The #nmap command tells the open ports....
The unwanted services and ports can be blocked by the firewall....

But which are the services that can be a potential danger to the system?? like telnet....ssh...etc??

I am using Fedora core 6

regards,
kanishk
 
Old 04-05-2007, 06:23 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
There is a book on Securing and Optimizing Linux on the www.tldp.org website. There are many things to do, and a lot depends on whether you are talking about a workstation or a server on the internet. For example, for a server, you wouldn't just not run telnet, you would remove it and all unnecessary software. You would search for suid binaries and see what you can do without. If this isn't a personal computer with one user, you need to set up limits, so a single user can't exhaust the resources. For both, you need to secure ssh if you need to use it, only allowing connections from authorized users. If it is a server with mysql, the mysql manual has a chapter on securing the server. Lest I forget, Fedora Core uses SELinux as well.

I would suggest going to a book store and finding a book on securing linux. Fedora Core also comes with a lot of documentation, as well as documentation on the website.
 
Old 04-05-2007, 06:37 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
The best way to secure the system. I mean, really the best one, is to leave it off.
 
Old 04-05-2007, 10:01 PM   #4
otacon 14112
Member
 
Registered: Apr 2004
Location: /
Distribution: ubuntu (gutsy)
Posts: 46

Rep: Reputation: 15
Any and all open ports can be and are vulnerable. Remember a vulnerability is already exploited before it is announced. I could be looking at your /etc/shadow file right now, and if I discovered a vulnerability/hole, no one will know about it unless someone using that technique screws up and doesn't cover their tracks. Or an ethical hacker finds it also.

- The best way to secure your system first of all is to use passwords.

- The next best way I can think of is to be behind a router.

- Close or turn off services you don't want running. If you want to use it, you can always enable it by hand later.

- Check the log files.

- Someone the other day recommended a security program called tripwire.

- Enter this on the command line:

ifconfig -a | grep PROMISC

If the return value is not empty, an interface is running in promiscuous mode. It would be a good idea to put this in a cron job that runs every few hours or whatever to alert you if one is found.

- Try to stay up to date with versions of important software/services.

- Check recently published vulnerabilities found here:

Common Vulnerabilities and Exposures
cve.mitre.org/cve

CERT/CC Vulnerability Notes Database
http://www.kb.cert.org/vuls

NIST ICAT Metabase
icat.nist.gov/icat.cfm

And many other things.

Basically if you want to be safe from your enemies, you must know your enemy. Study and learn about hackers and their mannerisms. There is no such thing as security. All you can really do is limit the choices a hacker has. Maintaining security is a perpetual thing.
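
The promiscuous-mode check from the post above, written so it can run from cron (an added example, not part of the original post). It reads each interface's flags word from sysfs and tests the IFF_PROMISC bit (0x100) instead of grepping ifconfig output; the function names and the script path in the crontab comment are assumptions.

```shell
#!/bin/sh
# promisc_ifaces [NETDIR]: print the name of every interface whose flags
# word has IFF_PROMISC (0x100) set. NETDIR defaults to /sys/class/net and
# is a parameter so the check can be exercised against a constructed tree.
promisc_ifaces() {
    netdir=${1:-/sys/class/net}
    for f in "$netdir"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        case $flags in
            0x*) ;;            # expected form, e.g. 0x1103
            *) continue ;;     # skip anything that is not a hex flags word
        esac
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            iface=${f%/flags}
            printf '%s\n' "${iface##*/}"
        fi
    done
    return 0
}

# promisc_alert [NETDIR]: silent with status 0 when nothing is promiscuous;
# otherwise prints one line and returns 1. cron typically mails any output
# to the job's owner, so silence on the clean path keeps the mailbox quiet.
promisc_alert() {
    found=$(promisc_ifaces "$@")
    [ -z "$found" ] && return 0
    printf 'promiscuous mode on: %s\n' "$(printf '%s' "$found" | tr '\n' ' ')"
    return 1
}

# Hypothetical crontab entry (path is an assumption), every three hours:
#   0 */3 * * * . /usr/local/sbin/promisc-check.sh && promisc_alert
```
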
 
Old 04-05-2007, 10:19 PM   #5
otacon 14112
Member
 
Registered: Apr 2004
Location: /
Distribution: ubuntu (gutsy)
Posts: 46

Rep: Reputation: 15
Oh I forgot a really important one. Open up a bash window or whatever terminal program you want to use. I use bash.

go to the /home directory:
Code:
cd /home
do
Code:
ls -l
make sure your home directory looks like this:
Code:
drwx------
if not, make it so nobody else has read (OR WRITE!!!) access to this directory except for you. I like to set my directory to this:
Code:
chmod 700 yourhomedirectoryname
You don't want other people having access to your important and personal files. If there are other users on this system, it would be a good idea to execute that chmod command for each directory. This ensures that only YOU (the owner) have full access, and nobody else has any access to your home directory.

Buy a Linux book or 2 or 3. Buy security books, and it can't hurt to buy books on networking and hacking. Also it may sound funny, but go to textfiles.com and read their files on hacking. A lot of the stuff mentioned there still applies today, as far as basic Linux/UNIX security and tricks.

Hope my advice helped point you in the right direction.

otacon
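
The same `ls -l` check applied to every directory under /home at once, so an administrator can see which ones differ from `drwx------` before running chmod (an added example, not part of the original post; the function name is an assumption).

```shell
#!/bin/sh
# list_open_homes [BASE]: for each directory directly under BASE (default
# /home), print "<mode> <path>" when any group or other permission bit is
# set, i.e. when the ls mode string is not of the form d???------.
list_open_homes() {
    base=${1:-/home}
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue      # also covers an unmatched glob
        [ -L "$d" ] && continue      # ignore symlinks to directories
        # First ten characters of ls -ld are the type and permission bits;
        # a trailing "." or "+" (SELinux context, ACL) sits in column 11.
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            d???------) ;;           # owner-only: nothing to report
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
    return 0
}
```

Each reported path can then be tightened with `chmod 700` as described in the post; the function itself changes nothing.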
 
Old 04-05-2007, 10:39 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by kc3377
The #nmap command tells the open ports....
Enable the default firewall using "service iptables start". The default Redhat firewall is by no means comprehensive but it does a decent job.

Quote:
But which are the services that can be a potential danger to the system?? like telnet....ssh...etc??
As stated above, the more services you run the greater the risk profile you present to the internet, so only run what you need. Use chkconfig --list to get a list of default running services and turn off anything unnecessary. You should not ever run telnet except under very limited circumstances like an internal network that is physically isolated from the internet. Use SSH instead and do not allow direct root logins (uncomment and set PermitRootLogin to 'no').

One of *the* best measures you can take is to keep your system updated with security patches. So make sure that automatic updates are enabled. See the Security References thread for more Security guides and HOWTOs
 
Old 04-07-2007, 10:44 AM   #7
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Quote:
Originally Posted by kc3377
Dear sir, can you tell me the best way to secure the Linux system....
The #nmap command tells the open ports....
The unwanted services and ports can be blocked by the firewall....

But which are the services that can be a potential danger to the system?? like telnet....ssh...etc??

I am using Fedora core 6

regards,
kanishk
On the host, a front end for iptables like guarddog or shorewall is a must.

And I consider being behind a hardware firewall to be a must as well. I am behind two, one a "smoothwall," (very highly recommended: www.smoothwall.org) and the second a Mandriva machine doing connection sharing. Requires a bit more hardware, but the main target, my primary machine right here under my fingers, has never been touched from the outside. My LAN is dead silent except for my traffic.

Routers are OK, but they are more easily hacked, and not as secure by design. NAT is not a security feature, it's merely a way to share one valid IP.

I tell everyone I can lay hands on they NEED a smoothwall. Security just doesn't get much better than that without shelling out money.

cat
 
Old 04-07-2007, 12:13 PM   #8
Gethyn
Member
 
Registered: Aug 2003
Location: UK
Distribution: (X)Ubuntu 10.04/10.10, Debian 5, CentOS 5
Posts: 900

Rep: Reputation: 32
If you need ssh, I advise setting the AllowUsers option in the config file /etc/ssh/sshd_config, which lists the users who are allowed to login via ssh. You should probably also install something such as DenyHosts to prevent brute force attacks. I'm pretty sure that there will be a Fedora package for it available via yum.
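
A check for the two sshd_config settings recommended in this thread, PermitRootLogin (post #6) and AllowUsers (post #8), as an added example that is not part of any post. It reads only the global section of the file and applies sshd's rule that the first value given for a keyword is the one used, so a commented-out line or a later duplicate does not count; the function names are assumptions.

```shell
#!/bin/sh
# sshd_global_value FILE KEYWORD: print the value of KEYWORD from the global
# section of FILE. Comments and blank lines are skipped, keywords are matched
# case-insensitively, "Keyword=value" is accepted, the first occurrence wins,
# and parsing stops at the first Match block.
sshd_global_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }
        key == "match" { exit }
        key == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd [FILE]: report both settings; returns 0 only when direct root
# login is disabled and an AllowUsers list is present.
audit_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    root=$(sshd_global_value "$cfg" PermitRootLogin)
    users=$(sshd_global_value "$cfg" AllowUsers)
    case $(printf '%s' "$root" | tr 'A-Z' 'a-z') in
        no) echo "OK   PermitRootLogin no" ;;
        "") echo "WARN PermitRootLogin not set (commented out or absent)"; rc=1 ;;
        *)  echo "WARN PermitRootLogin $root"; rc=1 ;;
    esac
    if [ -n "$users" ]; then
        echo "OK   AllowUsers $users"
    else
        echo "WARN AllowUsers not set; logins are not limited to named users"
        rc=1
    fi
    return $rc
}
```

On a running system, `sshd -T` prints the effective configuration and can be used to confirm the result after restarting the daemon.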
 
Old 04-07-2007, 10:30 PM   #9
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Quote:
Originally Posted by catworld
On the host, a front end for iptables like guarddog or shorewall is a must.

And I consider being behind a hardware firewall to be a must as well.

I tell everyone I can lay hands on they NEED a smoothwall. Security just doesn't get much better than that without shelling out money.
I've not messed with smoothwall much...I prefer to build OpenBSD minimal systems with pf handling all of the filtering. Just my preference, I guess...

I agree, though, that you should run a hardware firewall such as smoothwall or pf or IpCop, and "personal" firewalls on the systems within your network...especially on a Windows dominant network. This way, if one jerk downloads a virus or whatnot, you don't have quite as much to worry about =)

If you're overly paranoid about security, then building a dual homed bastion host firewall system with two OpenBSD machines sandwiching whatever proxy server system you're comfortable with is a must.
 
Old 04-08-2007, 08:16 AM   #10
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Hey, rocket...

Quote:
If you're overly paranoid about security, then building a dual homed bastion host firewall system with two OpenBSD machines sandwiching whatever proxy server system you're comfortable with is a must.
Just started playing with OpenBSD, not really comfy w/it yet. Can you point to a good tutorial you'd endorse on your comment above?

I have every reason to be "overly paranoid" by most people's standards. I call it "being smart." I even had a smoothwall hacked on me once... good thing all it could do is portscan the second HWFW, which triggered an alert.

OpenBSD does look like the way to go, ultimately.
 
Old 04-09-2007, 02:07 AM   #11
kc3377
LQ Newbie
 
Registered: Feb 2007
Distribution: redhat
Posts: 25

Original Poster
Rep: Reputation: 15
what is the tproxy

what is the tproxy service which uses the 8081 port??
Is it potentially dangerous to the system??

and what port is used for VPN??

regards,
kanishk
 
Old 04-10-2007, 05:42 PM   #12
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Quote:
Originally Posted by catworld
Hey, rocket...

Just started playing with OpenBSD, not really comfy w/it yet. Can you point to a good tutorial you'd endorse on your comment above?

I have every reason to be "overly paranoid" by most people's standards. I call it "being smart." I even had a smoothwall hacked on me once... good thing all it could do is portscan the second HWFW, which triggered an alert.

OpenBSD does look like the way to go, ultimately.
The best manual I've seen yet is this:

http://www.openbsd.org/faq/pf/

But, if you can find an e-book called "Building secure firewalls with OpenBSD and pf" (or similar, can't recall the exact name off the top of my head), that might be a more "hands-on" or "step-by-step" approach compared to a manual that's designed to show off pf's capabilities. The book, mind you, is a bit dated, so you might read it to get a good grasp of the overall concept, then read the link above to see what's changed and what's been added.
 
Old 05-07-2007, 11:25 AM   #13
haddel
LQ Newbie
 
Registered: Apr 2004
Location: Wackernheim (Germany)
Distribution: RedHat AS 3/4/5
Posts: 24

Rep: Reputation: 15
Please have a look at "CIS-Tool" to check how secure your system is:

http://www.cisecurity.org/

This tool will check your system, will show you the insecure files and will score your box.

Last edited by haddel; 05-07-2007 at 11:27 AM.
 
  

