Old 07-10-2003, 06:14 PM   #1
slakmagik
Senior Member
 
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113

Rep: Reputation: Disabled
Method question for unSpawn or other guru


A lot of security how-tos and such mystify me because I lack the context to understand the issues, I guess. For instance, there's this thread and there's a lot of stuff like this: when do you use su and when do you try to shortcut it with sudo or when do you just change the files like fstab or outright change the permissions on some things? I don't understand, when there are six ways to do something, which is the most secure and which is more vulnerable. And, in terms of mounting and unmounting drives, can that be *any* kind of security issue for a physically secured, single user machine? What kind of cracker is going to break into my machine and unmount my floppy and what kind of damage could that do?

I dunno - maybe just a barebones simple-terms "how-to loosen general security features without specifically loosening your real security." Or a pointer to documentation that won't swamp the security newbie.

I mean, there's stuff I would just *never* think of. The current directory being on root's path being a security risk? The wrong permissions on /temp being disastrous? I just don't know how to begin to get a context on understanding security. I'm willing to work and read, but I get nowhere on this issue.

Thanks for any help from anybody.
 
Old 07-10-2003, 06:33 PM   #2
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
Much of what I have learned about Linux security is through observing what services are run at boot, reading about other users' ideas and suggestions here at LQ, and doing a bit of homework (i.e. researching online). A good start is to (in Slack) go into /etc/rc.d and "chmod -x" the services you don't need (sendmail, nfs, ssh, whatever you find you don't need). Another thing to do is set the immutable "-i" flag on certain files; that way even root can't delete them without the proper command.

What I've found works best was having a goal, a clear set one (i.e. closing all my needlessly open ports), and looking up, both here and elsewhere online, until it was accomplished. Then moving on to the next goal.
 
Old 07-10-2003, 07:06 PM   #3
slakmagik
Senior Member
 
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113

Original Poster
Rep: Reputation: Disabled
Thanks Poetics. That last especially is a good suggestion. I tend to flail around a bit. But I'm not even sure what goals to set. Closing opened ports. Check. But what else? I feel like I'm walking around in the woods with a flashlight - or penlight - with no idea what's outside the beam. Still, as an attitude, maybe I can try to apply that.

The other thing is that a lot of it, like I say, is differentiating what's real security and what isn't. I mean, I could care less if my box is locally secure in software terms. A lock on the door is local security. There, it's not a specific objective - just a general "easing up" - can I run around enabling users to mount drives and look in /proc and so on... a lot of stuff that seems local turns out not to be.
 
Old 07-10-2003, 07:16 PM   #4
whansard
Senior Member
 
Registered: Dec 2002
Location: Mosquitoville
Distribution: RH 6.2, Gen2, Knoppix,arch, bodhi, studio, suse, mint
Posts: 3,304

Rep: Reputation: 65
get bastille-linux. it's a set of hardening scripts with menus that teach you what it's doing. you should get something out of that.
 
Old 07-10-2003, 07:33 PM   #5
slakmagik
Senior Member
 
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113

Original Poster
Rep: Reputation: Disabled
Awesome, whansard. Thanks. I think that's going to have to wait until I get DSL (*fingers crossed* - should be the 15th, if it works) because it doesn't seem to go with any distro I've got laying around, but I'll try Debian, maybe, and Bastille. I did understand the website right? It's an application of sorts to go with a few distros? That looks like something hands-on that could really help.
 
Old 07-12-2003, 12:58 AM   #6
enigmasoldier
Member
 
Registered: Jul 2003
Location: Florence, Ky
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213

Rep: Reputation: 30
DON'T USE BASTILLE!!! If you want to genuinely learn, you must first do it manually. Why would you want to run something you don't genuinely understand? I know that I sure wouldn't!

Start out learning the basics.
READ SECURITY TUTORIALS!
http://www.ecst.csuchico.edu/~dranch...html#trinityos

LEARN THE SHELL!
http://www.tldp.org/HOWTO/Bash-Prog-Intro-HOWTO.html
http://www.tldp.org/LDP/abs/html/

LEARN VI!
http://www.eng.hawaii.edu/Tutor/vi.html
http://www.collaborium.org/onsite/ve...nux_guides/vi/
http://math.la.asu.edu/vi_tutorial/vi3.html

Try to never log in as root; always "su - root" (this changes it to an actual login shell). Use sudo to give root access if you only need to run 1 command. NEVER let a user use sudo with an interactive program like vi. (If you do, getting root is a joke; all they have to do from within vi is type something like "! useradd -o -u 0 w00t" to add a new root user named w00t.) Disable all unneeded services that your super server runs. First you need to see if you are running inetd or xinetd. You can do this by typing "ps -aux | grep inetd"; this will return a line containing inetd or xinetd respectively. If it is inetd, edit /etc/inetd.conf. If it is not, cd to the /etc/xinetd.d directory and edit the individual files for each service to disable unneeded ones. You only change permissions on things you want to be permachanged. I like to use "chattr +i" for all important files on an ext2 or ext3 partition. This makes it so that no one can write to the file, not even root, without first typing "chattr -i". It is the little things that count; don't be lazy. Use full path names to programs when possible. "/bin/ls /home" is better than "ls /home". What if someone edited your $PATH variable to put /tmp before /bin and they placed a trojan ls in the /tmp directory? Do you see what I am getting at? Start small, and then look at the big picture. Read more Linux and security tutorials:
http://rute.sourceforge.net/ - AMAZING LINUX READ! 660 pages
http://www.linux-mag.com/2002-09/guru_01.html

Join a LUG (Linux User Group) if one is in your area. There always is... just search on Google for your city or town or state and "Linux User Group".

This might be above you, but who knows, I love to inspire future prodigies: buy Linux and security books.
Maximum Security
Securing and Optimizing Linux, the Hacking Solution
Hacking Linux Exposed
etc.

Lastly, strive to become Linux certified. It proves you know your stuff and will make you feel more confident in your ability. Start out with Linux+ study guides (http://www.comptia.org/certification/Linux/default.asp is the main site, not a site for study guides) and then work your way up to the prestigious Linux Professional Institute exam ( http://www.lpi.org ). If you don't want to get certified, read the books. You learn so much from Linux cert study guides.

This is how I started...
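An added example, not from this post or from any project mentioned in the thread: a POSIX sh script that checks a PATH string for the two problems raised here (the current directory on root's path, and a world-writable directory such as /tmp listed before /bin) and shows which file a command name would really resolve to. The function names audit_path and resolve_first are my own, and the script assumes find supports -perm -002.

```shell
#!/bin/sh
# Added example: audit a PATH string for the conditions that let a planted
# "ls" run instead of /bin/ls, and show which file a name actually resolves to.
# Names (audit_path, resolve_first) are this example's own, not from the thread.

# audit_path [PATH]  -> prints "kind<TAB>entry" per finding; returns 1 if any.
# Findings: empty entries ("" means the current directory), relative entries
# (resolved against the cwd), and world-writable directories such as /tmp.
audit_path() {
    rest="${1-$PATH}:"            # trailing ':' so the last entry is processed
    found=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        kind=""
        case "$entry" in
            "")  kind="empty-entry" ;;       # leading, trailing or double ':'
            /*)  ;;                          # absolute: check writability below
            *)   kind="relative" ;;          # ".", "./bin", "bin", ...
        esac
        # An absolute dir that anyone can write to lets any user drop a binary
        # there; the sticky bit on /tmp does not stop that for new file names.
        if [ -z "$kind" ] && [ -d "$entry" ] &&
           [ -n "$(find "$entry" -prune -perm -002 2>/dev/null)" ]; then
            kind="world-writable"
        fi
        if [ -n "$kind" ]; then
            printf '%s\t%s\n' "$kind" "$entry"
            found=1
        fi
    done
    return "$found"
}

# resolve_first NAME [PATH] -> prints the first executable NAME found along
# PATH, the same way the shell picks it; returns 1 if none is found.
resolve_first() {
    name="$1"
    rest="${2-$PATH}:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        dir="${entry:-.}"              # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: audit the current shell's PATH and show where "ls" resolves.
audit_path && echo "PATH: no risky entries"
resolve_first ls || echo "ls not found on PATH"
```

Run it as root as well as your normal user, since root's PATH is the one that matters most here.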
 
Old 07-12-2003, 03:17 AM   #7
thadude
LQ Newbie
 
Registered: Jul 2003
Location: Toronto
Distribution: Slackware
Posts: 4

Rep: Reputation: 0
Quote:
Originally posted by enigmasoldier
DON'T USE BASTILLE!!! If you want to genuinely learn, you must first do it manually. Why would you want to run something you don't genuinely understand? I know that I sure wouldn't!

wow you are a soldier.
 
Old 07-12-2003, 05:48 AM   #8
whansard
Senior Member
 
Registered: Dec 2002
Location: Mosquitoville
Distribution: RH 6.2, Gen2, Knoppix,arch, bodhi, studio, suse, mint
Posts: 3,304

Rep: Reputation: 65
i know what piece of information you need digiot. the one piece that is generally assumed, but you didn't catch it. it's mostly about becoming root.

all of this security talk is about vulnerabilities that can allow a user to become super-user or root. all this talk of access or privileged user or creating users is about getting access to a computer, to get info there, or taking control of it.

all these little (or big) vulnerabilities allow a person, or virus, access to a computer, if they know how to use it. the worst ones are where a remote user (not at the computer) is allowed to gain root access, when they shouldn't have it. or access at all. local means at that machine.

so all this stuff is about that. after you know that people will try to look at your machine for business info, or credit card numbers, bank account numbers, or info to blackmail people with, or control over a machine to launch a denial of service attack later, or a virus, or whatever, or to install a key logger, to get your passwords at sites you visit, you will see that all this security stuff is talk about ways that access can be gained, and ways to guard against or deny the access.
 
Old 07-12-2003, 08:38 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
This is slowly becoming an excellent thread IMHO, especially with the clear insight into the basics Whansard has given (dude, dunno why you didn't join the LQ Newbie security tutorial...). The tools you will use are basically just there to "ease the pain", and understanding what they operate on will further your knowledge of (securing) Linux much more than mindlessly operating those tools.

Basic security stance
As Whansard said, the powers of the root account are to be guarded at all times. Since we'll be writing the "LQ Newbie security tutorial" I'll try and categorize things a bit and see if we can take it from there.

Next to "root is all-powerful" there are three basic mantras you should know:
- "don't install/run what you don't need NOW"
During the OS install phase this means you should not install applications you have no direct need for, the "I'll get into that later on" stuff. Depending on the purpose of the box, this could mean (compilers, development packages, the XFree86 windowing system,) filesystem sharing applications and serving applications. Just install them when you get to the point you need those.

- "that what is not explicitly allowed is forbidden"
Do not allow everyone to use/access everything. Human users don't need access to root utilities like "vipw", and networked users don't need access to the whole filesystem.

- "no box can be made 100 percent secure".
You can install, upgrade, update, read, learn, protect, log and audit till you get all blue in the face, but no box can be made 100 percent secure.

Now how to protect a basic newbie Linux box? Well, you have to split your attention over three areas: system security (filesystem, users), networking and control. Linux is "the networked OS" and so people tend to focus on getting the firewall up and hoping that is all they need to do. It just ain't.

System security could be split into two areas:
I. Filesystem: (partitioning, bootloader, physical security aspects,) kernel+modules, permissions,
II. Users: root user, privileged system users, human users, processes, authentication, resource limits.

Network security could be split into two areas:
III. System: kernel networking options, sysctl, firewall basics,
IV. Networked daemons: services, authentication, sharing and serving.

There's another part you need:
Maintenance and control, which is the part where you make sure the box is and will stay under your control by setting up an update and backup scheme, proper logging, a network IDS, local integrity detection and do auditing. Part of it should be addressed just after installing the OS, the rest when you're configuring the OS before going live.

(Anyone wanting to take it from here in a structured fashion, BMG, else I'll try and pick it up and add links/expl for points I-IV later on)

Last edited by unSpawn; 07-12-2003 at 08:40 AM.
 
Old 07-12-2003, 12:38 PM   #10
slakmagik
Senior Member
 
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113

Original Poster
Rep: Reputation: Disabled
Wow. Thanks whansard and unSpawn.

I appreciate your post whansard because I get the feeling a lot of times that there are certain "understood" fundamentals that I'm missing and, if I'm missing them, I'm lost. Some things "go without saying" if you're familiar with the issues and so, if you're not, you never hear them. But actually, I *did* get the idea of root powers and what you're trying to defend from in a general sense. (I remember first hearing about a "root kit" and scratching my head and then going "OHH!" - I still don't know what it is exactly but I'm guessing it has to do with seizing root control through a set of cracker tools? Or am I totally off?) But anyway - I get the idea of restricting critical things to root as the hardest to seize control of and then working to make that harder to do. It's more the issue of - well, I mean for instance, like I mentioned - I couldn't mount a floppy as user. Since I don't see that as a security issue and I mount floppies and CDs a lot, I wanted to enable it for non-root. So the method I used was just to edit the entries in fstab to 'users'. But I know there are other methods. And in general, is it 'safer' to use 'sudo' or to outright change permissions or set sticky bits or edit a relevant file? It's mostly the subtle advantages or security dangers of the various methods that confuse me. What is it that makes 'sudo' dangerous and why would I use it rather than something else?

And again, wow - I didn't understand half of that unSpawn, though I get the idea it was all clear - just a lot of elements I don't know anything about. Got some researching of a dozen terms to do. Parts I did understand tell me I completely screwed up. I've been doing totally minimal installs on two boxes with a 102 meg hard drive and an 812 meg hard drive, dual booting with DOS/9x systems. Tight squeeze. So when I installed Slack on this machine I said "Give me it ALL!" I'm so tired of missing stuff. And I've been adding stuff since, even, like bluefish for html because I didn't find it by 'locate' or in /var/log/packages. I did notice I've got a million daemons running and I knew that wasn't good. Just not sure what I need and what I don't. Connecting to the net has always been an ordeal (I destroyed my connection last night and had to reset it today, for instance) so I really want a fully operational net connection and not disable a daemon that disables my connection.

And in Windows, I download a bunch of apps and set them in a paranoid fashion and I've got a reasonably tight box according to one site, for what it's worth. All without knowing anything except to not trust Microsoft and be paranoid generally. (I don't even trust the results I got but don't know anything better to do.) In Linux, I have no idea what to do regarding firewalls and anti-virus measures. I just know I haven't done any security work and must. If I couldn't get the system up at all, or connect to the net at all, there was no need for security, so I've been focussing on other issues. But now I am on the net and have to deal.

As far as my permissions regarding the filesystem and all - I wanted to mount removable drives. I'm confused about dialing up - ppp-go requires me to be root, yet kppp doesn't and I use kppp. I often wish I could read stuff in /proc and elsewhere. Once I downloaded a dockapp for blackbox and it wouldn't work unless I was root, yet gkrellm in fluxbox seems to be reading 'sensitive' stuff. I downloaded the skin I've been using since Mozilla 1.0 and had no troubles but when I tried to add the radial context menu the xpi seemed to assume it was going to be global and tried to install in /usr and got 'permission denied' when I only want it in ~/.mozilla. Stuff like this just mystifies me. The only thing I can recall weakening is the fstab modification, though.

I dunno - rambling. But thanks for the replies and I hope others do jump in and carry on those points you outlined.
 
Old 07-12-2003, 08:36 PM   #11
whansard
Senior Member
 
Registered: Dec 2002
Location: Mosquitoville
Distribution: RH 6.2, Gen2, Knoppix,arch, bodhi, studio, suse, mint
Posts: 3,304

Rep: Reputation: 65
i don't know much of anything about security, cause i've never used linux on a network except for the internet with a modem. i wouldn't even know how to network 2 machines.

i think it may help to see what crackers try to do when they do get access to a machine. i think www.honeynet.org has somewhere on their site, logs of attacking intruders and what they try to do when they get access. you will almost never see general stuff online about how to break in to machines, because people don't want that stuff easily available. i mean you just rarely see posted the step by step to use a vulnerability in something, and along with steps of what you would have to do to thwart that attack.

i would still love to see those steps laid out like in a table, with explanations of what the cracker typed, and why he did it - along with steps to take on your machine to keep this from working. usually you just see little bits and pieces of stuff. i have seen stories though, from each side, attacker and attackee.

by the way, a honeypot, is a network or machine that is intended to be broken into, for the purpose of monitoring crackers, or distracting them from the actual important stuff on a network.
 
Old 07-12-2003, 09:39 PM   #12
slakmagik
Senior Member
 
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113

Original Poster
Rep: Reputation: Disabled
In the 'Whitepaper' section? I think I found it. The general discussion is kind of vague and the links to the text files of logs are too specific - kind of incomprehensible to me, but I'll try to make sense out of them. And you bring up a point I should be clear about - I'm not on a local network or anything like that, either. On Linux, I've been mostly on completely isolated machines or briefly connected on really slow dialups. Now I've got a good modem connection - when it actually works, that is - and a dynamic IP. Hopefully soon I'll have DSL but that would mean a fixed IP. But either way, my only threats are over the internet or having someone steal my computer. I can take care of the second threat but the first one is tricky.

That project's an interesting idea, though. Based on what I understand of either, it's kind of like a 'chroot jail' on a huge scale - not really, but a similar misdirection to contain a hacker and waste his energies and, in the case of the honeypots, learn from him.

See, I'd be just as happy to do a basic install on one of my 686-class machines and connect to the net and keep all my files on the other. At worst, a bare OS would get hacked and I'd reinstall. But it's partly an ego thing - hack *me*, you $@^%@#!$? - and mainly just that I don't want to be a vector for hackers to spread their activities from and screw other people up. Every idiot on the net like me makes it more dangerous for everybody else. So I gotta get un-idioted. *g*
 
Old 07-13-2003, 03:38 PM   #13
german
Member
 
Registered: Jul 2003
Location: Toronto, Canada
Distribution: Debian etch, Gentoo
Posts: 312

Rep: Reputation: 30
Quote:
Originally posted by Poetics
Another thing to do is set the immutable "-i" flag on certain files; that way even root can't delete them without the proper command.
Which command is it to delete immutable files? Sounds like something worth doing on a lot of stuff (setting the flag, not deleting them).

B.
 
Old 07-14-2003, 10:43 AM   #14
enigmasoldier
Member
 
Registered: Jul 2003
Location: Florence, Ky
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213

Rep: Reputation: 30
The Immutable bit

Please note that the chattr and lsattr commands ONLY work on ext2 and ext3 filesystems. Upgrade to ext3 for its journaling capabilities. It will save you from filesystem errors. Here is the info you asked for.

chattr +i /etc/passwd - not even root can add users; helps prevent simple rootkits

chattr -i /etc/passwd - removes the immutable bit

lsattr /etc/passwd - lists the extended attributes of a file

If you are a BSD person, the command is chflags instead of chattr

You can read the man page for chattr here:
http://nakula.rvs.uni-bielefeld.de/c...=&man=chattr.1

man lsattr:
http://nakula.rvs.uni-bielefeld.de/c...h?man=1+lsattr
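An added example, not from this post: a small POSIX sh check that the files you made immutable still carry the flag, by parsing lsattr output, so that a removed "chattr +i" (the first thing a rootkit install would have to do) shows up in a daily cron mail. The names has_immutable_flag, report_mutable and check_immutable are my own; the script assumes the e2fsprogs lsattr output format of a flag field, a space, and the path.

```shell
#!/bin/sh
# Added example: verify that files you made immutable ("chattr +i") still are.
# lsattr prints one line per file: a flag field (an 'i' in it means immutable)
# followed by a space and the path. Function names are this example's own.

# has_immutable_flag LINE -> succeeds when the lsattr line's flag field has 'i'
has_immutable_flag() {
    flags="${1%% *}"          # everything before the first space
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# report_mutable reads lsattr lines on stdin, prints the path of every file
# that is NOT immutable, and returns 1 if it printed anything.
# (Paths containing spaces are not handled; keep the critical list simple.)
report_mutable() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! has_immutable_flag "$line"; then
            printf '%s\n' "${line#* }"
            found=1
        fi
    done
    return "$found"
}

# check_immutable FILE... -> runs lsattr on the given files (needs ext2/ext3
# and lsattr from e2fsprogs) and reports the ones that lost the flag.
check_immutable() {
    lsattr -d "$@" 2>/dev/null | report_mutable
}

# Stand-alone use, e.g. from a daily cron job:
#   check_immutable /etc/passwd /etc/shadow /etc/group || echo "immutable flag missing"
```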
 
Old 07-14-2003, 11:50 AM   #15
german
Member
 
Registered: Jul 2003
Location: Toronto, Canada
Distribution: Debian etch, Gentoo
Posts: 312

Rep: Reputation: 30
awesome.
 
  

