LinuxQuestions.org > Linux - Security > hardening my security (https://www.linuxquestions.org/questions/linux-security-4/hardening-my-security-131409/)

Jalalabee 01-04-2004 10:30 AM

hardening my security
 
Well, I was just hacked recently, and I'm going to be having a constant banging into my system, for some reason. Anyway, I'd like to see what I can do asap as I format. I'm using Slackware 9.1 and it runs the 2.4.22 kernel, so it seems a difficulty. First thing I'll do is compile a new kernel, right? But what program/programs or configs could I use/change to make my system untouched?

I couldn't find any how-tos written by someone knowing exactly what they are doing, and I really don't want to take any chances, again.

Anyway, I use slackware 9.1, 2200+ xp, 80gb hdd, aDSL 768/128.

Thanks for any help,

-Jalalabee

XavierP 01-04-2004 10:56 AM

UnSpawn (one of the mods) has written several how-tos:
Real Newbie How-Tos, Refs, etc etc.
Security References.

They can be found on the Linux-Security Forum. (The second link has links to loads of sites that deal with this issue).

unSpawn 01-04-2004 12:29 PM

Quote:
Originally Posted by Jalalabee
Well, I was just hacked recently,
Yes, and you bailed out of that thread w/o further details.
That kinda sucked IMNSHO.


Quote:
Originally Posted by Jalalabee
I'd like to see what I can do asap as I format.
Drop the "ASAP". Think before you act. Plan stuff, I mean.


Quote:
Originally Posted by Jalalabee
I'm using Slackware 9.1 and it runs the 2.4.22 kernel, so it seems a difficulty. First thing I'll do is compile a new kernel, right?
No.

10 short steps to start with:

*If this was the box that got compromised, wipe the whole disk(s).

1. Map out your partitions. If you have multiple disks, spread partitions, for instance /boot, /, /bin and /usr on one, /var and /tmp on the other.
2. Decide what to install. DO NOT install what you don't need NOW; this goes especially for any network facing services: add them when you're done hardening the box. DO install sudo and TCP wrappers.
3. When installing add an unprivileged user account.
4. When done installing and having rebooted, log in as root and FIRST THING is to stop the network. Note and stop any running network services (see also (x)inetd). "touch /var/log/catchall" and add a line "*.*<WATCHFORTABS>/var/log/catchall" to /etc/syslog.conf, restart syslog. This way you'll log everything possible from which you'll benefit later on when you install something like logwatch or logsurfer.
5. Configure your firewall with a default policy of DROP and LOG your traffic. Make sure /etc/hosts.deny has a line "ALL: ALL". Activate firewall, bring the network back up.
6. Connect to a mirror to fetch updates (if you're sanely paranoid, you'll bring the network down when updates are all downloaded).
7. Install, configure and run Aide or Samhain or tripwire, to have a pristine database of what is on your system. Make a copy of the binary and the database on readonly media. Install and use SASTK (Bastille-Linux won't work on slack), Snort, Tiger (or LSAT) and Chkrootkit. If you ran SASTK and Tiger, check the logs and any recommendations they make. Else you'll have to go in and do stuff like checking daemon account shells, authentication (slack still doesn't have PAM?) etc etc manually.
8. When done updating and configuring the system, and if you run ext2 or ext3, make your system binaries and configs immutable (chattr), and your logs append-only. Subscribe to your vendors security bulletins and have the discipline to update when critical updates are released.
9. When expanding your system use common sense (no security through obscurity, and stealthing the firewall is overrated, a non-issue), look for alternatives (no one needs telnetd: use OpenSSH) and make sure you configure network services and user accounts to use the least necessary privileges and restrict access.
10. Read the stuff XavierP recommended. I didn't explain enough and have left out details.


Hope this gets you started.
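
The following is an added example, not code from the thread or from unSpawn: a small POSIX shell script that turns steps 4, 5 and 7 of the list above into checks you can run against a scratch copy of /etc before touching the real thing. It assumes the sysklogd-style /etc/syslog.conf Slackware 9.1 ships (where the selector and the action MUST be separated by a tab, which is what the WATCHFORTABS marker above is warning about), a TCP-wrappers /etc/hosts.deny, and an iptables kernel. The SHA-256 baseline functions are a stand-in for the idea behind Aide/Samhain/tripwire, not a replacement for them; all function names and paths are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread). Every function takes the file or
# directory to work on as an argument, so it can be exercised on a copy
# under a temp directory before being pointed at the live system.

TAB="$(printf '\t')"

# Step 4: is the catch-all line present in syslog.conf with a REAL tab?
# sysklogd silently ignores a line that uses spaces instead of a tab.
# Returns 0 if present, 1 otherwise.
catchall_present() {           # $1 = path to syslog.conf
    grep -q "^\*\.\*${TAB}/var/log/catchall\$" "$1" 2>/dev/null
}

# Append the catch-all line only if it is missing, so re-running is safe.
add_catchall() {               # $1 = path to syslog.conf
    if ! catchall_present "$1"; then
        printf '*.*\t/var/log/catchall\n' >> "$1"
    fi
    catchall_present "$1"
}

# Step 5: hosts.deny must carry a blanket "ALL: ALL" (TCP wrappers allow
# optional whitespace around the colon). Returns 0 when present.
hosts_deny_ok() {              # $1 = path to hosts.deny
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1" 2>/dev/null
}

# Step 5: write a minimal ruleset in iptables-restore format: default DROP
# on every chain, loopback and established/related traffic allowed, and
# dropped packets logged (rate-limited so an attacker cannot flood the log).
# Outbound is left open; tighten it once you know what the box needs.
# Load with:  iptables-restore < rules   (as root, with the network down)
write_firewall_rules() {       # $1 = output file
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# Step 7 (stand-in for Aide/Samhain/tripwire, NOT those tools): hash every
# regular file under a tree into a baseline, then compare later. Keep the
# baseline (and the sha256sum binary) on read-only media, as the post says.
# $2 must be an absolute path because the function cd's into the tree.
make_baseline() {              # $1 = tree to hash, $2 = baseline file
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) > "$2"
}

# Returns 0 if every file in the baseline is unchanged, 1 if any differs or
# is missing. Files ADDED since the baseline are not caught by this check;
# a real integrity checker walks the tree and reports those too.
verify_baseline() {            # $1 = tree, $2 = baseline file (absolute path)
    ( cd "$1" && sha256sum --quiet -c "$2" ) >/dev/null 2>&1
}
```

Run the checks against a copy first (e.g. `cp -a /etc /tmp/etc.copy`), inspect the diff, and only then apply them to the live files; the firewall ruleset in particular should be loaded while the network is still down, as step 5 describes.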

Jalalabee 01-06-2004 10:30 AM

Yes, I know I shouldn't have bailed out, but what was being said was WAY over my head, you might as well be talking to a trash can filled with bricks. Also, class started yesterday and I take online classes, that is why I'm in such a hurry if you can understand. Also I have a new harddrive that I traded up for, 160gb now. =] Once I'm more savvy about such things, I'll write documentation. =] And I will finish telling what happened in the thread of course, the other one that is.

Right now I'm gearing more towards a general tune, for this thread, I just worry about the time while I'm downloading what is required to secure this box up. I'll work on reading the reads you suggested now.

Thanks,

If I had a job, I'd pay the bills, then I'd donate,

But until I can find a job, I'll get stiffed. :D

-Jalal

unSpawn 01-06-2004 02:40 PM

Quote:
Originally Posted by Jalalabee
Yes, I know I shouldn't have bailed out, but what was being said was WAY over my head, you might as well be talking to a trash can filled with bricks.
Next time someone just say it if I'm talking in riddles and I'll try 'n explain.

