Well, I was just hacked recently, and I'm going to be having a constant banging into my system, for some reason. Anyway, I'd like to see what I can do asap as I format. I'm using Slackware 9.1 and it runs the 2.4.22 kernel, so it seems a difficulty. First thing I'll do is compile a new kernel, right? But what program(s) or configs could I use/change to make my system untouched?
I couldn't find any how-tos written by someone knowing exactly what they are doing, and I really don't want to take any chances, again.
Anyway, I use Slackware 9.1, 2200+ XP, 80GB HDD, ADSL 768/128.
Well, I was just hacked recently,
Yes, and you bailed out of that thread w/o further details.
That kinda sucked IMNSHO.
I'd like to see what I can do asap as I format.
Drop the "ASAP". Think before you act. Plan stuff, I mean.
I'm using Slackware 9.1 and it runs the 2.4.22 kernel, so it seems a difficulty. First thing I'll do is compile a new kernel, right?
No.
10 short steps to start with:
*If this was the box that got compromised, wipe the whole disk(s).
1. Map out your partitions. If you have multiple disks, spread partitions, for instance /boot, /, /bin and /usr on one, /var and /tmp on the other.
2. Decide what to install. DO NOT install what you don't need NOW; this goes especially for any network facing services: add them when you're done hardening the box. DO install sudo and TCP wrappers.
3. When installing add an unprivileged user account.
4. When done installing and having rebooted, log in as root and FIRST THING is to stop the network. Note and stop any running network services (see also (x)inetd). "touch /var/log/catchall" and add a line "*.*<WATCHFORTABS>/var/log/catchall" to /etc/syslog.conf, restart syslog. This way you'll log everything possible from which you'll benefit later on when you install something like logwatch or logsurfer.
5. Configure your firewall with a default policy of DROP and LOG your traffic. Make sure /etc/hosts.deny has a line "ALL: ALL". Activate firewall, bring the network back up.
6. Connect to a mirror to fetch updates (if you're sanely paranoid, you'll bring the network down when updates are all downloaded).
7. Install, configure and run Aide or Samhain or tripwire, to have a pristine database of what is on your system. Make a copy of the binary and the database on readonly media. Install and use SASTK (Bastille-Linux won't work on slack), Snort, Tiger (or LSAT) and Chkrootkit. If you ran SASTK and Tiger, check the logs and any recommendations they make. Else you'll have to go in and do stuff like checking daemon account shells, authentication (slack still doesn't have PAM?) etc etc manually.
8. When done updating and configuring the system, and if you run ext2 or ext3, make your system binaries and configs immutable (chattr), and your logs append-only. Subscribe to your vendors security bulletins and have the discipline to update when critical updates are released.
9. When expanding your system use common sense (no security through obscurity, and stealthing the firewall is overrated, a non-issue), look for alternatives (no one needs telnetd: use OpenSSH) and make sure you configure network services and user accounts to use the least necessary privileges and restrict access.
10. Read the stuff XavierP recommended. I didn't explain enough and have left out details.
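Added example, not part of the reply above: a small POSIX shell script that turns steps 4, 5 and 8 of that list into something you can review before running as root. It prints or checks rather than applies, so nothing here touches the box until you pipe it to sh yourself. It assumes the Slackware 9.1 layout of /etc/syslog.conf and /etc/hosts.deny, an iptables with the "state" match (ip_conntrack) loaded on the 2.4 kernel, and the log file names used in the script; all of those are my assumptions, not something the reply spells out.

```shell
#!/bin/sh
# Added example (not from the reply above): helpers for steps 4, 5 and 8.
# Everything is printed or checked, never applied, so the output can be read
# before running it as root on the freshly installed box.
# Assumptions: Slackware 9.1 file layout, iptables "state" match available
# on the 2.4 kernel, and the log file names below.

CATCHALL_LOG=/var/log/catchall

# Step 4: the catch-all syslog line. syslogd wants a literal TAB between the
# selector (*.*) and the action, which is what "<WATCHFORTABS>" warns about.
catchall_line() {
    printf '*.*\t%s\n' "$CATCHALL_LOG"
}

# Returns 0 if the given syslog.conf already carries exactly that line, 1 otherwise.
has_catchall() {
    grep -qxF "$(catchall_line)" "$1"
}

# Step 5: TCP wrappers must deny everything by default; this accepts the usual
# spellings of the "ALL: ALL" line and ignores surrounding whitespace.
hosts_deny_ok() {
    grep -qE '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Step 5: default-DROP firewall that logs what it drops. Loopback and replies
# to connections the box opened itself are allowed; nothing inbound is.
# Review the output, then apply with:  firewall_rules | sh
firewall_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP OUT: "
EOF
}

# Step 8 (ext2/ext3 only): system binaries immutable, logs append-only.
# Run "chattr -R -i" on these directories before installing updates, or the
# package tool will fail to replace files.
lockdown_commands() {
    for d in /bin /sbin /usr/bin /usr/sbin /lib; do
        echo "chattr -R +i $d"
    done
    echo "chattr +a $CATCHALL_LOG /var/log/messages /var/log/secure /var/log/syslog"
}

# Usage:  sh harden-baseline.sh show    prints all three fragments for review.
if [ "${1:-}" = "show" ]; then
    echo "# syslog.conf line:"; catchall_line
    echo "# firewall:";         firewall_rules
    echo "# attributes:";       lockdown_commands
fi
```

The OUTPUT policy is DROP as well, with NEW outbound connections allowed, so the box can still fetch updates in step 6 while anything it did not initiate is logged and dropped; the limit match keeps a scan from filling /var/log/catchall. Only /bin, /sbin, /usr/bin, /usr/sbin and /lib get +i: putting /etc immutable breaks passwd, useradd and the like, so do configs selectively by hand.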
Yes, I know I shouldn't have bailed out, but what was being said was WAY over my head, you might as well be talking to a trash can filled with bricks. Also, class started yesterday and I take online classes, that is why I'm in such a hurry if you can understand. Also I have a new harddrive that I traded up for, 160GB now. =] Once I'm more savvy about such things, I'll write documentation. =] And I will finish telling what happened in the thread of course, the other one that is.
Right now I'm gearing more towards a general tune, for this thread, I just worry about the time while I'm downloading what is required to secure this box up. I'll work on reading the reads you suggested now.
Thanks,
If I had a job, I'd pay the bills, then I'd donate,
Yes, I know I shouldn't have bailed out, but what was being said was WAY over my head, you might as well be talking to a trash can filled with bricks.
Next time someone just say it if I'm talking in riddles and I'll try 'n explain.