LinuxQuestions.org


moborichard 01-28-2007 09:25 AM

Please bear with me
 
I know next to nothing about all of this. I've been using Fedora Core 4. Does this OS require additional firewall, security software or do I need to activate provided software to ensure my computer isn't vulnerable to invasion etc? Or is that all installed when you install the OS? Just wondering as this isn't obvious from looking at the desktop etc. I have an Ethernet connection to a Netgear Rangemax router.

MensaWater 01-28-2007 09:30 AM

It comes with iptables firewall and SELinux. Both of which deal with security. SELinux has lousy documentation so most people don't turn it on. iptables allows for firewall configuration but doesn't have much enabled by default normally. There is apparently a GUI frontend called Firestarter. I don't use the GUI much so can't say whether it comes with FC4 or not.

In addition to a firewall it is normal to disable services that open ports if you don't use them. (e.g. telnetd and ftpd usually are disabled by default but can be enabled - you shouldn't enable them without a specific need. Using ssh and scp/sftp is preferred as those are more secure).

unSpawn 01-28-2007 09:43 AM

Quote:

SELinux has lousy documentation so most people don't turn it on.
But if you do turn it on (which I applaud) we will put in a maximum effort to help you cope with it.

Crito 01-28-2007 10:12 AM

This is the web page most people refer to when talking about which services to enable/disable in Fedora Core:
http://www.mjmwired.net/resources/mj...4.html#service
or the newer versions
http://www.mjmwired.net/resources/mjm-services-fc5.html
http://www.mjmwired.net/resources/mjm-services-fc6.html

I, personally, only follow some of his recommendations. In particular, like jlightner, I'm rather fond of ssh. And though I'm probably in the minority, I actually like bluetooth for some things too, so keep those services enabled. Oh, and on my WiFi laptop I always enable NetworkManager. But anyway, opinions on what's "best practice" vary considerably, so you'll have to evaluate the risk/reward of each based on your own particular needs.

MensaWater 01-29-2007 09:18 AM

Quote:

Originally Posted by unSpawn
But if you do turn it on (which I applaud) we will put in a maximum effort to help you cope with it.

I'd really like to use it. Do you know of a site that has good documentation for it? The NSA stuff was a joke the last time I looked at it.

unSpawn 01-29-2007 12:17 PM

If you want to understand SELinux there is nothing that beats dead trees. Sorry. I currently have on my desk Prentice Hall's "SELinux by Example" by Mayer, Macmillan and Caplan (which I still have to write a review for) and it's what you want, believe me. It explains how it's structured, has good examples and explains how to write and modify policies.

If you just want to use SELinux then the first thing I'd notice is how much FC6 differs from FC5 (note I usually don't do distro talk trying to be as distro-agnostic as I can and I have *no* idea of RHEL5). With the disappearance of separate SELinux policy sources (the ones which you had to D/L separately from Tresys) and using tools like semanage with audit2allow FC6 *really* makes it easier. That is not to say there are no problems at all, like Setroubleshootd keeps saying to chcon something, but it's definitely easier, way more usable. But I don't know how much in-depth info the FC site and Wiki have on SELinux.


All times are GMT -5.