Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
06-25-2007, 07:24 PM
|
#1
|
Member
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220
Rep:
|
Hardening FC-6
I installed FC-6 and setup firestarter for a firewall. I was wondering is there a program that will harden FC-6? I had a RH7.3 OS hardened by Bastille and no one ever cracked it! I tried Bastille on FC-6 it let me install it then when I tried to configure it ..it said FC-6 was not supported ... any help here?
|
|
|
06-25-2007, 08:00 PM
|
#2
|
Member
Registered: Dec 2005
Location: Portugal
Distribution: Slackware64 13.0, Slackware64 13.1
Posts: 538
Rep:
|
FC6 ships with SELinux, if thats the kind of thing you are after.
I'm no expert on this kind of thing, but one of the first things you should also do is to disable unused services from starting up.
I'm not in front of an FC6 box at the moment, but if you navigate to the System menu, you will find a service manager. There are actually quite a few things you can disable (if you don't need them), like Avahi, Bluetooth, RCP, NFS, Samba, and a couple of others.
|
|
|
06-25-2007, 08:36 PM
|
#3
|
Member
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220
Original Poster
Rep:
|
I did that....thanks I was looking to someway to set it so you can not login as root ...you can only su
|
|
|
06-25-2007, 09:00 PM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
The SELinux suggestion is definitely one to give lots of consideration to if you're looking to harden the installation. Or when you said you "did that" did you mean you already have SELinux going? I think the fact Fedora comes with SELinux out-of-the-box is a great advantage to Fedora users. I remember reading somewhere that the newest Fedora version tries to make SELinux a lot more friendly than it has been in previous versions. Anyhow, another project you might wanna check-out is grsecurity, but I'm not sure if you're into the whole kernel patch/recompile thing or not. What kinda security measures do you have on the box currently? Is it just the Firestarter?
Quote:
Originally Posted by tied2
I was looking to someway to set it so you can not login as root ...you can only su
|
Even better yet, why not setup sudo? You can then, for example, set which user(s) can execute commands as root (via sudo) by simply adding them to the admin group. No one will be able to login as root if you have root's password field in /etc/shadow replaced with an exclamation mark. From man shadow on my Ubuntu 7.04 box:
Quote:
If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7).
|
This is what my root account line looks like in my /etc/shadow:
Code:
root:!:13626:0:99999:7:::
This is what my /etc/sudoers looks like:
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults
Defaults !lecture,tty_tickets,!fqdn
# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
Just my
Last edited by win32sux; 06-25-2007 at 09:16 PM.
|
|
|
06-25-2007, 10:12 PM
|
#5
|
Member
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220
Original Poster
Rep:
|
I looked through the package Mgr. I see SElinux what file is it that I need??? there's like 5 of them... is SElinux a add on like Bastille? recompileing a kernal is over my head. editing file ... I have done it but mostly I screw it up lol it's been like 4 years since I had a linux box lol so I'm rusty!! yes I shut down all the thinks I didn't need in run level 5 and installed firestarter... I been tring to upate packages there like 238 updates and it locks up ... some error sqlcashe needs updated... I have a post in the Fedors forum but no answers on that. it ther a rpm I can download and just install it the old fassion way? rpm -ivh ?
|
|
|
06-25-2007, 10:32 PM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
You really should read-up on SELinux before you attempt to use it. It's no cakewalk from what I understand. I can't really help you with it, as I have no experience with it at all, but of course someone else can. I would strongly recommend upgrading to the latest version of Fedora (7 at the time of this post) if possible if you do decide to go with SELinux right now.
That said, I honestly think you should start out with setting-up sudo (which is super simple) and other minor security enhancements (such as a file integrity checker, for example) before embarking on something as major as SELinux, wouldn't you agree?
Of course, if my understanding (or possible delusion) about the Fedora Project's attempt of making SELinux unbelievably simple in version 7 is correct, then perhaps you can have a working SELinux setup in no time (or possibly even out-of-the-box) simply by upgrading.
Last edited by win32sux; 06-25-2007 at 10:36 PM.
|
|
|
06-25-2007, 10:48 PM
|
#7
|
Member
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220
Original Poster
Rep:
|
Is tripwire still the way to go for a file checker?
|
|
|
06-26-2007, 09:07 PM
|
#8
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by tied2
Is tripwire still the way to go for a file checker?
|
Yeah, pretty much. Lots of people like AIDE also.
|
|
|
All times are GMT -5. The time now is 09:29 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|