LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-03-2010, 05:56 PM   #1
exvor
No servers still vulnerable?


Hello.

I have been putting my own distro together for years now and something I've always wondered is whether it's possible for someone to compromise the system through the network connection. The systems I make contain almost no servers, excluding of course xorg. I know that if I downloaded something rather nasty and it contained a hidden server, this would allow remote access and thus would be a way for someone to get in. Forgive me if this seems rather simplistic but it is something I've wondered from time to time, as having a system with minimal programs and normally a leading edge kernel I have come to feel safe with my setup.
 
Old 01-03-2010, 07:16 PM   #2
unSpawn
Quote (Originally Posted by exvor):
> having a system with minimal programs and normally a leading edge kernel I have come to feel safe with my setup.
Perfectly sane question and likely cluebies will tell you right away that you "should not worry". There's a difference between feeling safe and making certain though. The latter means amongst other things verifying the validity of application sources, the integrity of the applications you run, the right configuration of access controls, logging, reading filtered logs and acting on anomalies. The fact you run a home-brewed system doesn't mean basic system hardening doesn't apply to it nor would it be hard to set up or maintain. Regardless of the practicality of compromising a system one has no access to (asserting you're not a very interesting high profile target), with basic system hardening in place you don't have to wonder if the system is still yours as you then have the tools at hand to ensure it is and remains that way.
 
Old 01-04-2010, 05:41 PM   #3
exvor
Ahh so basically what I was thinking. This system is a netbook so it's never exposed to the internet directly, always through a router with a firewall, and it is never left on for extended periods of time. I don't currently have any kind of security atm other than checking log files from time to time and looking at what type of connections my system is sending out, but that is it. Most of the places I get any software from are freshmeat and the stuff in the BLFS book; those are normally pretty safe. I have been thinking of creating a simple firewall for the system in iptables to watch incoming and outgoing connections. Just have to refresh my memory on how to work with it; from what I remember it's rather simplistic unless you wanna do complicated rules.
 
Old 01-04-2010, 06:19 PM   #4
unSpawn
Quote (Originally Posted by exvor):
> its never exposed (..) and it is never left on (..) normally pretty safe.
Ah. So you'd also skip using a seatbelt until after your first major car crash, right?..
 
Old 01-04-2010, 06:31 PM   #5
exvor
Quote (Originally Posted by unSpawn):
> Ah. So you'd also skip using a seatbelt until after your first major car crash, right?..
lol. So what would basic system hardening entail anyway? I wouldn't think that access controls would be needed on a system that contains only root and myself, but then again I dunno.

Last edited by exvor; 01-04-2010 at 06:36 PM.
 
Old 01-04-2010, 07:12 PM   #6
unSpawn
Since you're a BLFS user you might also like to explore things yourself first. So I'd like to invite you to search this forum for terms like "system hardening". You'll find plenty of leads, especially those threads where actual security incidents were handled. How does reading some, making an (even partial?) list and then discussing it here sound?
 
Old 01-04-2010, 08:22 PM   #7
exvor
Sounds good. I was already searching around for some clues; your post back in 2003 may be helpful if any of it is not outdated: http://www.linuxquestions.org/questi...erences-45261/. Some of the first basics I have come up with are def some sort of firewall on the local system in case anyone has breached the hardware firewall, and installing a rootkit finder. As for tripwire I am unsure with this one; do you think that's overkill for a desktop system?
 
Old 01-06-2010, 05:36 PM   #8
unSpawn
Quote (Originally Posted by exvor):
> I was already searching around for some clues; your post back in 2003 may be helpful if any of it is not outdated: http://www.linuxquestions.org/questi...erences-45261/.
One way could be to explore the reverse: your perspective from the incident side. If you check the CERT Intruder Detection Checklist at http://web.archive.org/web/200801092...checklist.html and Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/win-UN...ompromise.html then you'd see what you would need or could use to determine the state of the system. The LQ Security references have been cleaned up at http://rkhunter.wiki.sourceforge.net/SECREF (print version at http://rkhunter.wiki.sourceforge.net/SECREF?f=print)


Quote (Originally Posted by exvor):
> Some of the first basics I have come up with are def some sort of firewall on the local system in case anyone has breached the hardware firewall, and installing a rootkit finder. As for tripwire I am unsure with this one; do you think that's overkill for a desktop system?
Aforementioned perspective should show a need for (making backups and access restrictions and) mostly logging events (configuration and software changes, users, network traffic) and adjusting or taking measures if necessary.
If a system is connected to networks and runs no publicly accessible services then access controls may be as simple as setting up users in their own homes with good passwords and account aging, setting non-human user shells to an inert shell, and using sane /etc/login.defs and any /etc/*.deny, /etc/security/ settings. By setting up access controls you create a basis for logging access violations.
Logging means knowing. While logging might be a source of disk I/O you'd rather avoid when on battery, it also is a good source of information when troubleshooting issues. How you log things depends on the location of the system in a network (as in connected or not), what distribution you're running (PAM or not, package management), plus any requirements to satisfy the current or future purpose of the system. Since reading logs is tedious, reading reports as emailed by, for instance, Logwatch is more efficient.
As far as firewalling goes it too serves two purposes: logging and access control. Here too logging may aid troubleshooting. If the system does not run any publicly accessible services then your firewall policies could be set to DROP and only allow inbound ESTABLISHED,RELATED traffic. Your choice of logging bogons, INVALID packets and packets in the NEW state trying to initialize connections or not.
File integrity checkers log changes in configuration and software. Here as well goes that if changes are logged then you can correlate them to software updates or investigate them if they are unexpected. Not logging any changes means having no clue about the state of the system and remaining in the dark about things. Like never checking your six when playing FFA or never checking bank statements.
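The firewall policy unSpawn sketches above (DROP policies, inbound ESTABLISHED,RELATED only, optional logging of INVALID and NEW packets), written out as an added example that is not from the thread: a script that emits an iptables-restore ruleset. The conntrack match, the rate limit and the log/no-log knob are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore(8) ruleset for a
# host that runs no publicly accessible services. Policies are DROP, loopback
# is allowed, inbound traffic is accepted only when ESTABLISHED,RELATED, and the
# host itself may open outbound connections. Optionally, INVALID packets and
# NEW connection attempts are logged (rate-limited) before the final DROP.
# Assumptions: the conntrack match is available; the yes/no argument is ours.
gen_ruleset() {
    log="${1:-yes}"      # "yes" logs rejected INVALID/NEW packets, "no" drops silently
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$log" = "yes" ]; then
        # Rate-limited so a port scan cannot flood the logs (disk I/O matters on battery).
        cat <<'EOF'
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "FW INVALID: "
-A INPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FW NEW: "
EOF
    fi
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# Number of -A rules in the generated set: 7 with logging, 5 without.
rule_count() {
    gen_ruleset "$1" | grep -c '^-A '
}

# Print the ruleset; review it, then load as root with: sh fw.sh | iptables-restore
gen_ruleset "${LOG_REJECTS:-yes}"
```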
 
Old 01-06-2010, 08:05 PM   #9
exvor
Thanks for the information. I was checking out the CERT list yesterday and will work through that to see what type of stuff I can get set up. After I ran a rootkit checker it showed me that netstat was infected but nothing else was. I found some posts online about how debugging symbols can cause a false positive with this, so I stripped the binary file and reran the check; this then showed not infected. After checking for outbound services I was also surprised to see xorg listening. I thought I had nothing out there but apparently xorg will do this by default unless you tell it not to. I have since closed that up and I am in the process of making myself an iptables firewall.

If anything I am learning a lot of stuff I was not aware of and hopefully I can be better at watching my systems. I do not have any kind of package management on my system, other than a text file in which I keep the version and tarball name for everything I install on the system. It's not a perfect system but it works for me to keep things organized. I am unsure about non-human shells being set to an inert shell; I will have to look that up.
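The "inert shell for non-human users" point raised by unSpawn and left open by exvor, as an added example that is not from the thread: a check that lists system accounts in passwd(5) format whose login shell is still interactive. The UID cutoff of 1000 and the set of nologin paths are assumptions of this example, and the passwd lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report system (non-human) accounts that
# still have an interactive shell, so they can be given an inert one.
# Reads passwd(5) lines on stdin. Assumptions: UIDs below the cutoff (default
# 1000) are system accounts; /sbin/nologin, /usr/sbin/nologin and /bin/false
# are the inert shells. root is excluded because it needs a real shell.
audit_shells() {
    uidmax="${1:-1000}"
    awk -F: -v max="$uidmax" '
        # An inert shell: nothing to report for this account.
        $7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin" || $7 == "/bin/false" { next }
        # Any other system account is reported as name:shell. An empty shell
        # field is reported too, because login(1) then falls back to /bin/sh.
        $3 + 0 != 0 && $3 + 0 < max + 0 { print $1 ":" $7 }
    '
}

# Constructed sample, not a real /etc/passwd. Only "lp" should be reported.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/false
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
exvor:x:1000:1000::/home/exvor:/bin/bash'

# Run against the sample; on a real system use: audit_shells < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_shells
```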
 