LinuxQuestions.org - Linux - Security
LQ REQ: Real newbie HOWTO's, refs, etc etc. (https://www.linuxquestions.org/questions/linux-security-4/lq-req-real-newbie-howtos-refs-etc-etc-62121/)

The Bad Penny 08-08-2004 09:01 AM

I just skimmed the last part of this thread cos I was bursting to post.

So here I am stepping into the lion's den, waiting to burst into flames........

unSpawn, you have a great idea here, and it's something that's badly needed,
but it's probably your own knowledge that will get in the way of success, and whilst you all mean well it's possible some of you may have forgotten how "beginners" think and what level of knowledge they have.
(Not a criticism! but rather food for thought)

I used to teach unemployed adults and school leavers basic (windows based) computer skills and I found that the best way to get them interested in anything was to give a freebie right at the start, that way the sense of accomplishment from that first success gave them the courage to learn and try more new things.

I'm proposing that you give a freebie right at the start to get them interested.
Give them a basic firewall and show them how to install it, something like this:
http://www.linuxforum.com/linux_tutorials/6/1.php
BTW there are some good tutorials over there too.
(Also I'm not a member of that forum & I'm certainly not promoting it here.)

then after doing that, start what you were planning by building on it and your audience's new courage.

Just my $0.02c / £0.02p

as you can see from my post count I'm still a relative Linux baby (I totally f'kin hate the word noob)
but as with all the other posts above I offer my services and will gladly help in any way I can.

Regards
Scott

txcons 08-15-2004 10:08 AM

Quote:

Originally posted by unSpawn
Cummon ppl, don't make me write a Security-for-Newbies HOWTO! My grasp of tone of voice is blisteringly bad and I'm suffering from Occam's Razor deficiency :-]
A little bit of Occam's Razor is badly needed in the BSD documentation, at least.

Your idea is very good, in my view, as the documentation released for most operating systems tends to be formal and often badly organized. Some direct and straightforward walk-throughs, learn-by-examples, etc. for major study areas regarding UNIX-like systems would be welcome.

Bjorkli 08-24-2004 08:59 AM

I love the idea of a howto for newbies. I am a newbie myself, and there are tons of questions I have. Since I am a newbie, I guess I could come up with an example chapter layout of what I as a newbie would like to see (with some example text). (I write this in case you gurus, who take most Linux things for granted, want to see what one newbie would like to see.)

CHAPTER 1 - Top 20 security breaches and newbie faults (saw a webpage called this, could more or less copy it)

The things most newbies do wrong are: Updates? Firewall? Logs??

Chapter 2 - How to read the logs.

2.1 - INTRODUCTION
One of the first things you should learn as a newbie is how to read the logs. The logs on Linux are usually in /var/log (Fedora, Red Hat, Debian? etc). In most normal distributions, a summary of the logs is mailed to the root user once a day in an email called "LogWatch for <servername>". This is the first and best ??? defence against hackers (or is it a waste of time, since most hackers would have modified / gone around the logs ??)

2.2 READING "LogWatch for <servername>" log:
The log is fairly straight forward, but some things are common: etc...

2.3 READING sendmail LOG:
What to watch for:

2.3.1 - Aug 23 19:09:28 linux ipop3d[2297]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
This is a very common log entry, and means that ???? needs 1777 protection.
QUICKFIX: As root user, write "chmod 1777 /var/spool/mail" ???? (I have no idea how to fix it)...

2.3.2 Relaying denied: From [222.101.168.86] to china9988@21cn.com: 1 Times(s)

This is spammers trying to look for open relay servers. This is a criminal activity, and can be handled in the following ways:
1. Check with http://www.ripe.net/perl/whois ?? and find out the owner of the IP address. Send an email to abuse@<ip owner> that 222.101.168.86 is illegally using your server for trying to relay. You can also enter ??? on ??? webpages to put them into some "blackbook" register. (Is there any point in dealing with it this way? Any better way???)
2. These spammers usually change IP address every day, so it is pointless to deny that IP address again. But you can block them by refusing the entire range of IP addresses that is used by the spammer???. If none of your Linux server users are using this range of IP addresses reported by whois, you can make your server "invisible" by adding the IP range in /etc/iptables/disallow ?? by typing the following in iptables: deny all from 222.101.*.* (Again, I have no clue)
3. You can make sendmail ignore future attempts of relay to 21cn.com by entering *@21cn.com in /etc/mail/deny file
4. You can .... to find their home address, buy a sledgehammer, and .... (Ok. not being serious here).

2.4 READING sshd LOG:
There are a number of automatic hacker tools on the web that try to automatically hack your server using automatic hacker programs (usually run from another hacked server). Usually you see this in the log:

Failed logins from these:
admin/password from 202.195.11.66: 2 Time(s)

This is not dangerous, and if you have a difficult password, your server is fully safe. It would take them xx years to hack your computer if you have a ?? character long password with symbols in it. But never make a user called test with password test... or an admin user with password admin.

What you can do:
1. Use whois (command, or webpage) to find the owner. Report this to abuse@<whois found name>
2. Restrict the users that can log in to the actual users that use the sshd service by editing the /etc/sshd/allow ?? and /etc/sshd/deny ? files. Always have root in the deny file.
3. Make sure that passwords are difficult to hack. Hopefully with ¤&%& symbols in it, and if the user is non-English, use foreign keys like ّوه to make it harder for hackers.
4. Increase the amount of time between failed logins from xx seconds to xxxxx seconds from the same IP by modifying the /etc/sshd/timedelay file (no idea if this file even exists, but it should). It would then take a hacker 3000 years to guess a 10 character long password.
5. Make the user names hard to guess. Don't use your name, or something easy to guess like user1, your-first-name. (Is there any point in this if this is a mail server, where usernames are usually in user@domain.com)

Chapter 3 - THE TOOLS OF SECURITY TRADE

Tools that detect hacker activity

SNORT (www.snort.org) - This utility does ..?..
This utility is recommended, and should be installed at once.
Skills needed to use: Newbie

HOW TO USE: Install
Look for ..?.. which is a sign of hacker activity. It is wise to make the following script ... to email you the logs (to an email outside the system, eg hotmail) or something if this program detects a hacker in the system.

Tools that prevent hacker activity

FIRESTARTER http://firestarter.sourceforge.org This program controls the iptables files, has a GUI interface (Gnome and KDE), and reports hits on closed ports. Has a simple inbuilt whois checker to convert IP numbers to domain names??
Skill needed to use: Newbie
Frontend: Graphical
SMOOTHWALL http://smoothwall.org/ Recommended since it has ??? inbuilt, and can therefore prevent viruses??, trojan ??
Skills needed to use: Newbie / moderate / master / guru.
Frontend: Text?

Ports that are recommended shut
Most hackers like to use ?? port because ???? (If relevant).

RECOMMENDED MINIMUM SETUP FOR NEWBIES: Um. Maybe Snort and firestarter?

Chapter 4 - UPDATES

Updates are the most important thing. If you have Fedora, Red Hat or Debian these updates are provided for free automatically if you have done the following... (Um. Enabled daily yum in services??), and you should be set. Other things to make sure you have the latest security:

If you have installed RPM packages not originating from Red Hat or Debian (or whatever), check with the webpage that made the package to see if you have the latest version at all times. To check your version, type rpm -?? , and if this differs from the version listed on the webpage, download the latest package and type rpm -update <packagename> to update the package. Remember to restart the service with "service <service> restart" or reboot afterwards..

You should also do following: ......
And check with following webpages for security updates: (List of good sites)

Dangers with mirrors... Are mirrors less safe??

Chapter 5 - How secure servers are set up

If you want a webserver, but only want static HTML pages, you should turn off php, cgi etc to make your server more secure. This is how..
If you want a mail server that communicates with Outlook Express, you should know that POP passwords are sent unencrypted, and anyone on the internet can sniff / steal the username/password, and later log in using sshd or something to hack your server. (No idea if this is true). Mail servers should therefore be installed on a separate computer from sshd and webservers, and have no common usernames or passwords (No idea if this is wise or not). Or you can use spop etc etc.

God. I love making this book. I could go on for pages. Too bad I am totally clueless, and have no idea about security and Linux (well, I installed Firestarter all by myself, and read that ports 22, 110, 25 and 80 can be open safely). I hope I am not too Fedorian in my description above (I guess most Linux distros are similar??). Anyway. Cheers... (Hope this post isn't too large... guess I should have made it into a webpage instead...)
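As an added example (not part of Bjorkli's post, and not from any tool the thread names), here is a small POSIX shell script that does the log reading chapter 2 sketches: it counts failed sshd logins per source address, flags the addresses that cross a threshold (the candidates for an abuse report or a firewall block), and counts sendmail "Relaying denied" rejections per relay address. The log lines written by make_sample_logs are constructed for this example, not real captures; the real files are whatever your distribution uses (/var/log/secure or /var/log/auth.log for sshd, /var/log/maillog or /var/log/mail.log for sendmail).

```sh
#!/bin/sh
# Added example, not code from the thread: summarise the two log patterns in
# Bjorkli's outline (sshd failed logins, sendmail "Relaying denied") using
# only grep/sed/awk/sort/uniq, so it works on any distribution.

# Write constructed sample logs (not real captures) to the two paths given.
make_sample_logs() {               # $1 = sshd log path, $2 = sendmail log path
    cat > "$1" <<'EOF'
Aug 23 19:09:28 linux sshd[2301]: Failed password for invalid user admin from 202.195.11.66 port 4242 ssh2
Aug 23 19:09:31 linux sshd[2301]: Failed password for invalid user admin from 202.195.11.66 port 4243 ssh2
Aug 23 19:09:35 linux sshd[2305]: Failed password for root from 202.195.11.66 port 4250 ssh2
Aug 23 19:10:02 linux sshd[2310]: Failed password for invalid user test from 10.0.0.7 port 5100 ssh2
Aug 23 19:12:44 linux sshd[2320]: Accepted publickey for scott from 192.168.1.20 port 50022 ssh2
EOF
    cat > "$2" <<'EOF'
Aug 23 19:15:01 linux sendmail[2400]: i7NJF1Xx002400: ruleset=check_rcpt, arg1=<china9988@21cn.com>, relay=[222.101.168.86], reject=550 5.7.1 <china9988@21cn.com>... Relaying denied
Aug 23 19:15:09 linux sendmail[2401]: i7NJF9Xx002401: ruleset=check_rcpt, arg1=<china9989@21cn.com>, relay=[222.101.168.86], reject=550 5.7.1 <china9989@21cn.com>... Relaying denied
Aug 23 19:20:00 linux sendmail[2410]: i7NJK0Xx002410: from=<scott@example.com>, size=1024, class=0, nrcpts=1, msgid=<x@example.com>, relay=localhost
EOF
}

# "<count> <ip>" per source address of failed sshd logins, busiest first.
ssh_failures_by_ip() {             # $1 = sshd log
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Addresses whose failure count reaches the threshold: the ones worth a
# whois lookup, an abuse report, or a firewall rule.
ssh_offenders() {                  # $1 = sshd log, $2 = threshold
    ssh_failures_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# "<count> <ip>" per relay address that sendmail refused to relay for.
relay_denied_by_ip() {             # $1 = sendmail log
    grep 'Relaying denied' "$1" \
      | sed -n 's/.*relay=\[\([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Run with --demo to see the functions applied to the constructed logs.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_logs "$tmp/secure" "$tmp/maillog"
    echo "failed ssh logins by source:";  ssh_failures_by_ip "$tmp/secure"
    echo "ssh sources with 3+ failures:"; ssh_offenders "$tmp/secure" 3
    echo "relay attempts by source:";     relay_denied_by_ip "$tmp/maillog"
    rm -rf "$tmp"
fi
```

On a real box, point the functions at your own log files instead of the sample ones (for example `ssh_offenders /var/log/secure 10`); the whois and abuse steps from the outline are then done on the addresses it prints.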

BenODen 10-08-2004 04:31 PM

Linux Newbie Encouragement
 
Hey guys,

My experience with linux is slightly greater than my post count here, but I probably still count as a linux newbie in the area of administration and security. A lot of the knowledge I bring to the table comes from being a UNIX user for years and years. I'm decent at shell scripting. I've got a good knowledge of csh, Bourne (not a lot of ksh and bash specific stuff), awk, sed and other text manipulation command line tools. I'm a programmer by trade, with perl, C++, C, some XML/HTML under my belt of tools. So, all that knowledge and I'm still woefully ignorant in the realm of linux security requirements, having not worked with linux much or even administered my own system much.

I read through the thread and the mailing list archives and saw some good sparks and some good intentions, but this document is 18 months in gestation and seems to be marooned! Oh no! It seems like bandwidth on unSpawn's brain is what would be needed to get this going on the current course, but maybe we could turn this into a community project cobbling together knowledge around a guiding principle and getting review from unSpawn on whether we missed anything big. I know, I know, I'm new here, with 3 posts under my keyboard, but this HOWTO is too good of an idea to not encourage. Maybe part of the issue is that we're in need of a healthy family of Security HOWTOs, but a newbie HOWTO is probably a good place to start.

Maybe I'm not the exact target audience for the newbie HOWTO since I've got significant technical and terminology knowledge, but I think I'd benefit from such a thing, and the community would definitely benefit since there's only so much time in a day and as linux gains popularity, vulnerable linux boxes could become a problem... I might have a purpose statement that might serve as a sufficient focus:

Guiding principle?: The Newbie Linux security HOWTO's primary purpose is to keep the newbie from having a glaringly vulnerable system when he decides to put his system on the net to do elementary things.

We're not going to teach a newbie to watch for every little chink I don't think, but some things are more vital than others. Are there any configurations that MUST be changed, ways to audit user security before putting the machine on the net? What are the easy things to watch for to make sure you haven't been invaded? Maybe a toolkit is necessary as well to bring security down to a newbie's level? Learning continuously is of course key, but avoiding making a mess while learning is also good.

Bjorkli, I think your topic break down is good for the mid level (low mid) Howto, but is too abstract for a newbie just starting up, and might well put us WAY over the 10 page document target. I think to keep the size of a newbie security tutorial down, there will be major points that amount to, "turn it off, or don't expose it to the outside world yet, until you read the next level HOWTO or figure out what >THIS LIST OF THINGS< mean." If we stay at a high enough level, will we manage to mostly steer clear of distribution differences?

My first cut of a high level outline would be:
- Classes of vulnerabilities with some prevention steps
- Firewall guidelines
- ssh security
- (maybe) elementary web security
- Next topics to explore

Thoughts? I don't have a lot of security knowledge to contribute, but I think I'm pretty good at putting myself in newbie shoes, and I'm totally willing to review things, try them out etc.

BenODen

P.S. I'm subscribed to the mailing list, should I shoot a copy of this to the mail list as well? I posted here because the mail list has been SO quiet...

tekhead2 10-25-2004 05:36 PM

I think it's great that we are gonna get together a how-to on security. The only problem is that there are a lot of people who have differing opinions on this issue. Personally I think that we can only give them a "best practices" document. As all of you know securing a system regardless of its OS is a daunting uphill task. I think that we could give them a primer on what tools are available to them on a linux system, what kind of things to look for, how to implement a firewall and IDS, and other such things. Honestly there are so many different ways and exploits on unix and linux that it seems almost impossible to write a document telling all. I mean just looking at rootkits alone, there are like a million different backdoors, and covert channels that no one could even pick up, with or without an IDS. I guess what I'm trying to say is that we are never going to be able to teach them security, we can only give them tools and ideas. No system is ever fully secure. I don't want to give anyone a false sense of security. I think we need to stress that security is an ongoing process, it's a "state of being". I don't want people to just go through the document, and then be like "well that's it, I'm secure now, guess I'll go get a sandwich and go to bed". There are always gonna be new hacks, new exploits and new attacks. I think any document we would develop should help a new user understand the hostile environment that they dwell in.

BenODen 10-25-2004 06:15 PM

I agree entirely Tekhead. I think the most we can hope for with an absolute newbie is to guide users to isolate their computer from having attacks come in from the net and give them a road map to how to do things safely.

An isolated computer not on the net is not vulnerable to anything, but on the other hand, these days, it doesn't do the things people want it to do either. SO my theory about this how to is to make sure that the newbie doesn't accidentally expose his computer to connections coming into his computer from the net, and give him pointers like this:

"-- A firewall of some sort is VITAL if you have your linux computer on the net, especially if it's on line for hours at a time. A hardware firewall has the highest security, but has some downsides. A firewall on your local box is good too, though you may have to keep the software up to date.
-- If you're going to allow users to log in from the internet, set up an SSH server and make sure you have no users with easy to guess usernames/passwords. You might even want to make sshd listen on a port other than 22. Don't list the external port in a public place. Do XXX instead"

Are there recent firewall vulnerabilities that compromised the computers they were protecting?

How about Apache and SSH vulnerabilities?

Other common services that have had common incoming issues?

Like I say, I'm kind of a newbie, but I think I understand the absolute basics. The above tips are of course incomprehensible to an absolute newbie and need to be explained in much much much more basic terms, but the idea is there.

-Ben
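The two pointers in the post above (a firewall on the box, sshd on a non-standard port, no guessable accounts) and the sshd items in Bjorkli's outline earlier (only named users may log in, never root), as one added shell example that is not code from the thread: a host firewall script that admits only SSH on a chosen port and rate-limits new connections to it, plus the matching sshd_config lines. Port 2222 and the user name scott are assumed values chosen for the example; iptables with its conntrack and recent matches, and the sshd_config directives used, are standard netfilter and OpenSSH features. A hardware firewall in front of the box is configured through its own interface and is not covered here.

```sh
#!/bin/sh
# Added example, not code from the thread: a minimal host firewall for a
# single Linux box that exposes only SSH, plus the matching sshd settings.
# Assumed values (not from the thread): SSH on port 2222, one allowed user.
SSH_PORT="${SSH_PORT:-2222}"
SSH_USER="${SSH_USER:-scott}"
IPT="${IPT:-iptables}"

# Emit the rule set, one iptables command per line.  The default policies
# are set last so an existing SSH session is not cut off while loading.
firewall_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
EOF
}

# Matching /etc/ssh/sshd_config lines: the non-default port, no root login,
# only the named user (the allow/deny idea from the outline), and a cap on
# password guesses per connection.
sshd_settings() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
AllowUsers $SSH_USER
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Load the rules.  DRY_RUN=1 prints the commands instead of running them,
# which is the safe way to review them before touching a live box.
apply_firewall() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        firewall_rules
        return 0
    fi
    if [ "$(id -u)" != 0 ]; then
        echo "apply_firewall: run as root, or set DRY_RUN=1 to preview" >&2
        return 1
    fi
    firewall_rules | sh -e
}

case "${1:-}" in
    apply) apply_firewall ;;
    sshd)  sshd_settings ;;
    "")    ;;                       # no argument: only define the functions
    *)     echo "usage: $0 {apply|sshd}" >&2; exit 2 ;;
esac
```

Preview with `DRY_RUN=1 sh firewall.sh apply`, load it as root with `sh firewall.sh apply` (from the console the first time, so a mistake cannot lock you out), and merge the output of `sh firewall.sh sshd` into sshd_config before restarting sshd. The recent match drops the sixth new connection to the SSH port from one address within a minute, which is the "increase the time between failed logins" idea from the outline done at the packet level.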

Bruce Hill 10-25-2004 07:53 PM

Mates,

I'd like to throw some *opinion* into this fray.

unSpawn is a busy, busy man. If you look at the home page for LQ,
you'll get an idea of just one of his ongoing tasks. For the seasoned
*nix sysadmin, that's probably almost as much security update notices
as one needs. (Since I'm not in that category, I added probably.)

The other guys who were discussing the Newbie Security HOWTO are
busy, also. And IMO the list took the discussion so deep, and so far, I
think they realized how utterly impossible it would be for them, with
their knowledge of security, to create a simple document for
newbies that would be (a) any better than what's already been
posted, and (b) thorough enough to be considered worth the effort.

Read their discussion and outlines. If that thing ever got published, it
would be a book and would either require constant updates, or a
very strict disclaimer.

Now, IMO (worth what you've paid for it) what we (Linux newbies)
could use is a nice HOWTO about *what to put* into one's hardware
firewall. I have a router that serves 4 computers, but don't know
diddly about what I should do with it to block the crackers. I have
generated a script to use with iptables, but I've now got to read
through 656 lines of text just to figure out where to put it and how
to use it. I started reading, but at the beginning it talked about how
to use it with DeadRat, which doesn't work the same as Slack. I really
need to do this, though, as I've just recently gotten a static IP and am
online 24/7 with 4 comps.

So, perhaps one of you could write a simple HOWTO on using a hardware
firewall, and/or a software firewall, that is generic enough for any Linux
distro and submit it to the LQ Tutorials or Wiki. There might even be one
in them by now - I haven't checked in quite some time.

At any rate, I don't think this took the route that unSpawn expected when
he started. Those guys *know so much* that they probably don't want to
leave too many stones unturned.

BenODen 10-25-2004 08:53 PM

Hey there,

I agree entirely about the number of things these guys have going.. And maybe you're right, maybe there is no way a small document can help very much. There are six or more major vendors of consumer hardware firewalls/switches (D-Link, Linksys, Netgear, SMC, Belkin, Cisco etc) and a bunch of minor players. There are a bunch of popular software firewalls, with bunches of wrappers for each. (ipchains, iptables, LRP, tcp_wrappers, uh uh, my knowledge is lacking here, but I did do a quick scan of www.net-security.org and reminded myself of these... Hadn't heard of LRP.)

Luckily there's one popular web server, Apache. One popular secure login host, SSH, though there are two flavors, right? Uh, other popular services people want the outside world to access... I'm not coming up with much... A mud, I guess, dunno about security guidelines here, but I think they're minimal.

The variety of implementations is why I thought a dynamic howto might be best, with the static one containing all the variations and a pointer to the site with the dynamic one. Click on your software and hardware, click the generate button, and voila, instant customized howto, just for you! New things get popular? Just add a section on the new hardware or software.

Maybe I have enough knowledge to write some of these from online manuals, but just discussing these topics, and giving a quick intro to more advanced topics is going to make a long doc... And graphical, since there aren't command line interfaces to most of these routers these days. BUT that said, I think there's demand for this thing if it's possible to make...

Chinaman, if you have a linksys router/firewall, I may be able to help you with it, go ahead and shoot me an email... I have one and understand the base firewall stuff. I've struggled with some of the more advanced stuff like port triggering, but I've been able to set it up to let only ssh through on a non-standard port. Linux newbies helping newbies, how fun! *laugh*

-Ben

Bruce Hill 10-25-2004 09:25 PM

Thanks, Ben.

I have a D-Link DI-704P (LinkSys wasn't available here except about 4X the price of buying it in the U.S., so I bought another brand).

You didn't allow email through your LQ UserCP - shoot me one if you'd like.

There is a website that generates a script for iptables (ipchains is going to be dropped from the kernel soon). It's at - well, I couldn't find it, but there is one, and I've generated a file called rc.firewall or something like that. I'm in the darkside right now cause I had to use some software that won't work in Linux...

BulldogLinux 10-27-2004 09:55 AM

This is my first visit/post @ LQ.

Count me in on helping write the documentation.

I think what unSpawn wants, correct me if I'm wrong, is something for newbies that goes something like this:

After you install linux , what to do:

It is important to make sure no one gets into your root folder.

#chmod -R 000 /root

This will protect your root directory.

Next, we want to make a user, so we arent logged in as root.

#useradd newusernamehere
#passwd newusernamehere      (passwd prompts for the new password; it does not take it as an argument)

... I know it's not an in depth thing but I think this is what unSpawn wants, I'm all for it.

BenODen 10-27-2004 11:30 AM

Hmm, why can't even root read his own home directory files? What's so vital in there?

You do bring up a good point though. Are we talking only network security, or also internal security in a multi-user environment, where the attacker could be one of your own users...

I was leaning towards network security only, but I guess there are ways to make intrusions less problematic... I dunno. I think the howto should discourage newbies from running their own multi user system with untrusted users present. I think it's asking for trouble: there are so many assumptions you can't make knowing you have untrusted users on your internal network. You not only have to worry about attacks coming into your network. Maybe my inexperience shows here, but it seems like you can harden your system to be impervious to the majority of the attacks. If you have untrusted users on your machine, you have to worry about your users staging attacks or sending spam from your machine, which can be much harder to prevent, and very hard to detect in some cases.

Bruce Hill 10-27-2004 11:35 AM

Quote:

Originally posted by BenODen
Hmm, why can't even root read his own home directory files? What's so vital in there?
He can read them here. What do you mean?

BenODen 10-27-2004 11:53 AM

AH HA. True enough. Forgot that root was above read/write permissions issues, even for his own files.

But why is having a mode of 000 superior to mode 700 or 600 if all the files are owned by root? chmod -R go-rwx /root seems like a more helpful recommendation. Then your execute bits stay set and you can run scripts and have /root/bin in root's path if you want to. After /root is mode 700 and owned by root it seems like the ownerships internally are irrelevant... Probably either way works security wise and the distinction is above newbie level, but may as well make a good recommendation if we're going to address internal security.
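The go-rwx versus 000 point above, as an added shell example that is not code from either poster: it builds a throwaway directory tree that imitates a careless /root, strips group and other permissions the way BenODen suggests, and checks that nothing is left visible to other users while a script in bin/ still runs, then shows what chmod 000 does to that script. The scratch tree and its file names are constructed for the example; pass /root to make_private and world_visible on a real box. It relies on GNU find and stat, which are standard on Linux.

```sh
#!/bin/sh
# Added example, not code from the thread: make a home directory private
# with go-rwx (keeps the owner's execute bits) and verify the result.
# Uses a scratch tree so it is safe to try; GNU find/stat assumed.

# Build a throwaway directory that imitates a careless /root: a script in
# bin/, a note, everything readable by other users.  Prints the path.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf '#!/bin/sh\necho hello\n' > "$d/bin/hello"
    printf 'things only root should read\n' > "$d/notes"
    chmod 755 "$d" "$d/bin" "$d/bin/hello"
    chmod 644 "$d/notes"
    printf '%s\n' "$d"
}

# Strip group/other permissions from the whole tree, leaving the owner's
# bits (including execute) exactly as they were.
make_private() {                   # $1 = directory
    chmod -R go-rwx "$1"
}

# List every path under $1 that group or other can still read, write or
# execute.  Empty output means the tree is private.
world_visible() {                  # $1 = directory
    find "$1" -perm /077 -print
}

# Octal mode of a path, e.g. 700 (stat prints 0 for no permissions at all).
mode_of() {                        # $1 = path
    stat -c %a "$1"
}

# Run with --demo to walk through the comparison on the scratch tree.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo_tree)
    echo "before: $(world_visible "$d" | wc -l) paths visible to others"
    make_private "$d"
    echo "after:  $(world_visible "$d" | wc -l) paths visible to others"
    echo "bin/hello is mode $(mode_of "$d/bin/hello") and still runs: $("$d/bin/hello")"
    chmod 000 "$d/bin/hello"
    echo "after chmod 000 it is mode $(mode_of "$d/bin/hello"); executable: $([ -x "$d/bin/hello" ] && echo yes || echo no)"
    rm -rf "$d"
fi
```

The difference the script makes visible: after go-rwx the directory is 700, the note 600 and the script 700, so root's own tools keep working; after 000 the script's execute bit is gone and it has to be chmod'ed back before it will run. Either way, the tree is invisible to every other account on the box.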

Bruce Hill 10-27-2004 05:07 PM

This article in the Tutorials Section here at LQ helps me to get
my head around file permissions. It's important to understand
ownership, also. Notice it's in the Security section.

Quick and Dirty Guide to Linux File Permissions

sick-o-windoze 12-20-2004 09:13 AM

Newbie doesn't mean clueless
 
I noticed a lot of responses assumed a "dumbing down" of the effort as a problem. There is no need for that. In my journey into Linux, the problem for me, and probably others, has been one of navigation. How to drill down into a subject matter and get an understanding, not just the serial howto that says:

OK, first to an
nfark -zrfq /phtn

then do a

plsysq -ahrn | arfl -x

Everything should work fine after that ...

Personally, I think the O'Reilly books are pretty good at this, but in general, the ability to zoom in on a subject is valuable:

System Administration -> Security -> System Hardening -> Network Security -> Securing Ports


I've read a lot of Linux documentation, and a lot of it reads like the operating manual for my vacuum. Googling whatever issue I'm interested in or searching this site has so far been better than anything else. Which means my next PC will be an Apple. The backoffice will stay Linux of course.

