Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
General steps for securely installing an OS
Given the recent "this OS vs. that OS" banter going on, I thought I would repost this general information. It's a loose guide to follow for installing ANY OS (although the references are mostly to UNIX-like services).
No matter what OS you have, you should always follow these general rules after installing:
1.) Keep the box unplugged from the Internet if at all possible (install from CD-ROM); if you must have an Internet connection to install packages, then make sure it's behind a firewall and nothing can make inbound connections to it, yet.
2.) Remove all packages and users that are not needed
3.) Shut down and disable any services that remain but aren't required, and make sure that any services that you leave running are doing so with the least privileges, i.e. only bound to loopback if they don't need to be accessible from outside.
4.) Substitute secure services and daemons in the place of insecure ones, such as SSH instead of telnet, sftp instead of ftp (if possible), Postfix instead of Sendmail, vsftp or Pure-ftpd instead of wu-ftpd, etc
5.) Install a Host Intrusion Detection System (HIDS) and have it take a snapshot of your system. It should be configured to generate a warning if any files change. Regenerate your checksums after each step that involves changing files (adding, removing, or editing)
6.) Install a host firewall and configure it (this should deny all inbound connections at the very least, and possibly deny outbound connections except for those needed to function)
7.) Install a Network IDS (NIDS) and configure it to watch traffic to your host
8.) Install a log monitoring program to do some of the dirty work of going through logs for you. Make sure it generates a periodic report and sends it to you somehow, such as by e-mail (and remember to check the reports every day!)
9.) Download and install all security updates from your OS and software application vendors. Preferably, this should be done off-line (have the updates on a different host and either connect via the LAN or burn a CD with them). You're still not safe to plug into the Internet since you are probably running some vulnerable software by default.
10.) Recheck all your configurations to make sure none of them have been modified by updates or other packages. Remember to re-run the checksum generator on your HIDS.
You're still not done! Security is an every day process, not a patch-and-forget-it deal. Keep monitoring your reports and logs every day for suspicious activity and make sure to check with your vendors regularly for security updates.
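A minimal illustration of the "snapshot, then re-check after every file change" routine from steps 5 and 10, added here as an example and not part of the original post: it assumes only sha256sum, find, sort, diff, cmp and mktemp from a standard Linux userland, and records file content only (a real HIDS also tracks owner, mode and timestamps).

```shell
#!/bin/sh
# Added example, not from the original post: bare-bones file-integrity
# baseline in the spirit of step 5 (take a snapshot) and step 10 (re-run the
# checksum generator after updates). Content hashes only; no metadata.

# hids_baseline DIR OUT : write "sha256  ./relative/path" for every regular
# file under DIR to OUT, sorted by path so two snapshots are comparable.
hids_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k2 > "$out"
}

# hids_verify DIR BASE : compare the current tree under DIR against BASE.
# Prints one line per differing path; returns 0 if unchanged, 1 otherwise.
# (Paths containing spaces are shown truncated by the awk field split.)
hids_verify() {
    dir=$1; base=$2
    now=$(mktemp) || return 2
    hids_baseline "$dir" "$now"
    # "<" lines exist only in the baseline: removed file, or old hash of a
    # changed one. ">" lines exist only in the new snapshot: added file, or
    # new hash of a changed one. A modified file therefore shows up twice.
    diff "$base" "$now" | awk '
        /^</ { print "missing-or-changed: " $3 }
        /^>/ { print "new-or-changed:     " $3 }'
    if cmp -s "$base" "$now"; then rc=0; else rc=1; fi
    rm -f "$now"
    return "$rc"
}

# Typical flow (paths are illustrative):
#   hids_baseline /etc /var/lib/hids/etc.sha256      # after each install step
#   hids_verify   /etc /var/lib/hids/etc.sha256 || echo "files under /etc changed"
```

Keep the baseline file somewhere the host itself cannot quietly rewrite (read-only media or another machine), otherwise an intruder who can change files can also change the snapshot.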
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213
OpenNA's book is AMAZING for anyone wanting to learn how to secure a Linux box. They have some pretty good howtos online also. TrinityOS is also a very detailed document on securing any Linux system.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
studpenguin
a) What does the above have to do with installing an OS?
b) If you don't know the pros and cons of a software package, don't preach about it (hint: there are several reasons why BIND is superior to DJBDNS).
Well I at least know that several reputable trustworthy people I've come across have recommended djbdns over BIND.
If you think you know of such a good bunch of general steps for securely installing an OS, a lot of people would like to know why yours doesn't involve djbdns.
And if anyone else, such as you, can disagree, well there's a link to the evidence.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
Why are you trying to turn this thread into a flamefest, especially considering you're not the expert and you're just parroting what your friends say?
I sure don't see any vulnerabilities listed for BIND 9.2.3, which is what I use. I also don't see you saying anything about IPv6, which is going to be a requirement going forward (FreeBSD and OpenBSD already use it by default).
As to why I don't recommend using a BIND replacement: a) when run chroot'd with privsep, there really isn't much difference as far as security, and b) there are a lot more abundant examples for configuring BIND, since it's been around a lot longer. Now if BIND was as difficult to configure as Sendmail, I would say the usability of DJBDNS would be a factor, but since BIND is not brain surgery, I see no reason to switch.
By the way, I really don't appreciate your attempt at flaming in a serious discussion. Hopefully the moderators will take the appropriate action.
I suggest you stay away from DJBDNS if you want to have a DNS server which is compatible with the standards. Bernstein has clearly stated that he will only implement the parts of the DNS stuff that HE LIKES, which is breaking standards. PowerDNS is nice and also superior to BIND in security and flexibility if you want an auth-only nameserver.
As to why I don't recommend using a BIND replacement: a) when run chroot'd with privsep, there really isn't much difference as far as security, and b) there are a lot more abundant examples for configuring BIND, since it's been around a lot longer. Now if BIND was as difficult to configure as Sendmail, I would say the usability of DJBDNS would be a factor, but since BIND is not brain surgery, I see no reason to switch.
By the way, I really don't appreciate your attempt at flaming in a serious discussion. Hopefully the moderators will take the appropriate action.
Feel flamed all you want, be faint of heart, it wasn't meant to be a personal attack on you. I'm just a curious novice trying to learn. I learn best when I'm having fun and being entertained rather than wasting money on insane tuition rates sitting in a lecture hall desperately trying to force myself to listen attentively to some old (and sometimes even young) dork ramble on and on and on.
Dan Bernstein seems like a pretty entertaining, combative show-off to me, and as such I enjoy and learn best seeing an opposing camp in action.
The clash of differing opinions was what I had hoped to incite --- NOT a flamefest.
Though I suppose, if I ever met Dan in person or attended one of his classes knowing nothing of his brilliant software, I'd lump him into that category of being one of the biggest old arrogant dorks I've ever met -- but hey no one can judge a book by its cover? --- Right?
//moderator.note: removed OT remark. See note.
Last edited by studpenguin; 02-02-2004 at 11:05 PM.
//moderator.note: Studpenguin, right now you're trying to hijack Chort's discussion for your own "BIND vs DJBDNS" means. While such a discussion is a Good Thing, hijacking threads the way you did isn't. That is not what we like to see at LQ, and especially not at the Linux - Security forum.
- Please do not be offensive or rude towards your fellow LQ members, and
- DO back up claims you make: if you can't, then don't.
- If someone replies stating facts, then brushing it off with something like "eyes can be deceiving" isn't showing respect towards fellow LQ members: there is no shame in (admitting) having to learn stuff.
- If you have remarks that will not be constructive to this thread or are off topic: please set up your own thread to discuss their pros and cons if your remarks won't fit in the current discussion. If you want sensation, R&R or to fuel heated debates: please check out the General forum. The Linux - Security forum should be used for discussing security in a factual, open-minded, constructive manner.
- If OTOH you're interested in discussing DNS implementations as a part of what Chort is trying to do, try to compare ISC's BIND and DJBDNS on facts, qualities: using DJB's challenge is not an argument that will get you far to discuss ISC BIND security, DJBDNS compatibility or licensing etc, etc.
As moderator I have taken the liberty to remove some of your replies that are off topic or questionable. Please do edit your posts in this thread yourself and
- remove claims you cannot back up (or properly rephrase them),
- remove or rewrite OT responses.
Please think before you post, mind your fellow LQ members, the LQ rules and general netiquette. Please understand I'm not here to limit you in how you want to express yourself or deprive you of necessary discussion, but consider yourself warned: continuing on this path will force me to talk to you differently the next time.
Please note my actions are subject to the moderators' rules of conduct. If you want to dispute this or any other (of my) moderation actions you're always invited to take it up with me by email. If after discussing you feel your case has not been handled to your satisfaction, then you're invited to take it up with the site owner, Jeremy.
Chort, thanks for posting your steps, but *please* do not "threaten" fellow members with moderators taking action before mods reach a decision. If we don't (or disagree on action to take) it'll look bad for all of us.
340,282,856,360,466,376,620,684,388,469,930,214,496 different numbers
which could cause a lot of complications.
IPv4 would only involve 4,294,967,296 and could be further expanded to meet the needs of growing numbers of computers and servers with CIDR notation (classless addresses).
Is that a fact or not?
Last edited by studpenguin; 02-02-2004 at 11:34 AM.