LinuxQuestions.org
08-01-2011, 03:16 PM   #16
lpallard (Original Poster)
Distribution: CentOS/RedHat
I've figured it out. Snort is now configured, running and seems to work. I tried to probe my machine using nmap and snort reacted quite heavily. What I need is some kind of front end to it. I tried to install snorby, but it's very heavy, and turned out to be a nightmare... worked for like 3 hours then after several reboots, stopped working and threw tons of ruby errors... I just got rid of the whole thing.

Really coming back to the essence of this thread, aka hardening my system, I wonder what would be the best way to discover all flaws and potential holes without going into the details of the programming of every package and application... Scanning the machine for open ports? Is nmap or its GUI version Zenmap good for this?
 
08-02-2011, 10:06 AM   #17
unixfool
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Quote: Originally Posted by lpallard (post #16, quoted in full)
Snorby is a beast, more so than BASE, IMO. Have you tried BASE instead? It doesn't depend upon ruby/rails. IMO, it is easier to set up than Snorby (far easier).

nmap is only going to search for open ports. It will not discover flaws. Use Nessus for more involved vulnerability testing. In fact, Nessus will use nmap when doing host discovery, and then it will even scan for any running services on the hosts it discovers. Give that a shot.
 
08-02-2011, 08:29 PM   #18
lpallard (Original Poster)
Distribution: CentOS/RedHat
Quote: unixfool (post #17), on using Nessus for more involved vulnerability testing
I searched and it seems that OpenVAS is a fork of Nessus and was available at Slackbuilds.org, so I downloaded and installed all necessary packages, but there is no startup shortcut in my XFCE menu and I can't figure out how to start the apps....

The slackbuilds page says:

Quote:
The openvas-client GUI is needed to interact with the OpenVAS scanner,....
How do I get the GUI? The only thing I can think of is the GTK libraries that are supposedly required, but I am not sure which package(s) to install; there are lots of them.
 
08-04-2011, 09:29 AM   #19
unixfool
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Check for client software at openvas' website.

I can't help you with the compilation of the software itself (not really security-related). As much as I love Slackware, I don't really follow the philosophy of building packages from source, especially in cases where there can be tons of dependencies. That's just me, though.
 
08-10-2011, 02:57 PM   #20
BlackRider
Distribution: Slackware
BlackRider's guide for a secure system:

-----BASIC LEVEL:

Disable everything you don't need.

Encrypt your partitions. The absolute minimum to prevent critical data leaks is to protect /var /tmp /home and the swap space, but this configuration is not perfect. The best is to encrypt the whole drive (screw out the MBR!) and keep the /boot partition in a USB flash. This way, nobody will install a keylogger in the unprotected partitions of your laptop, because there is no room for that.

Apply security updates when they are released.

Protect your browser with security extensions. NoScript can protect you from many JavaScript exploits, can enforce encrypted connections and manage cookie encryption. Request Policy and Certificate Patrol are good to have too. The weakest point for a domestic GNU/Linux user is web surfing, so this one is important.

Use your brain. Have you received a mail claiming you are going to be paid 100 megabucks? Sorry, it's a trick :-)

-----MEDIUM LEVEL:

Use a rootkit hunter (such as rkhunter) to protect yourself from some kinds of malware.

Use an integrity checker (such as Aide or Tripwire) to detect suspicious activities in your computer.

Use an IDS. Not really needed unless you have any server software running (for example, a P2P app), but it helps.

Use GPG for your communications.


----PARANOIA LEVEL:

Get some kernel security patches in order to prevent common exploits against apps or the kernel itself.

Use some kind of role based access control for your system. These can isolate a compromised service, so if someone uses an exploit against your torrent app, he won't be able to compromise anything else in your system. Have a look at SELinux, grsecurity...

Use a hard drive with hardware-level encryption and self-destruction features (I have seen some of these ones around). It is expensive, yet cool.

Set a running server at home, so if you are to use a public WIFI, you can set a tunneled SSH connection to your server and browse from it, instead of browsing with the public WIFI directly. The WIFI administrator could easily track your traffic if you are not careful.

Don't forget your tin foil hat, otherwise they will be able to read your thoughts :-)



----------

The weakest point in domestic security is your web browser. If you have your Iptables up and blocking everything except Firefox, then firefox is the most likely target. Watch your back against untrusted sites, untrusted certificates, block every content you don't need (remember NoScript?), forget about Flash (the damn thing is damn exploitable) and avoid porno sites (statistics in hand).

I think I have covered most of the basics. You have a lot of material to start investigating.

Last edited by BlackRider; 12-29-2011 at 05:41 AM.
 
08-10-2011, 08:50 PM   #21
lpallard (Original Poster)
Distribution: CentOS/RedHat
OK

- BASE requires a fully functional web server, right (like a LAMP stack)? I'm not interested in running Apache on my laptop... There must be a GUI alternative somewhere that does not monitor in real time or require such overhead...

- Encryption of the HDD. I have not really found a good step-by-step guide on how to take an existing system and move it to an encrypted one. I am really not interested in reinstalling everything!! I must have 60000 packages, all compiled and configured. Too much work to restart from scratch. Does anybody know of a way to do this?
 
08-11-2011, 04:00 AM   #22
BlackRider
Distribution: Slackware
If you want to encrypt your drive without trashing out your installation, you have to dump the contents of your inner hard drive in an external hard drive, then repartition your inner hard drive, wipe the partitions with pseudo-random data (you can use shred and feed it with /dev/frandom), encrypt needed partitions, dump the data from the external drive to the encrypted partitions and perform some basic configuration (you'll need to edit /etc/fstab, modify your boot loader and create a new initrd with decryption capabilities).

It is easier than it seems, really.

In case you don't have an external drive, you can use a partition in the inner drive itself if you have room enough. I strongly advise you to get an external drive for backup purposes, because having a copy of your data is good, just in case a horse steps on your laptop...

You can also use unencrypted filesystems and protect only the important data with file encryption tools (such as OpenSSL or GPG). Or you could create a file-contained filesystem and encrypt it, thus creating an encrypted folder with a fixed size. This will prevent the casual thief from getting your data, but this method could easily leak sensitive information to /tmp or /var, so use with caution. Be warned: some file-contained filesystem tools are prone to corruption, so read the documentation of the tools you choose. Avoid journaling filesystems for this kind of task. dm-crypt and TrueCrypt are good tools for this.

EDIT: Have a look at this manual: http://slackware.osuosl.org/slackwar...ADME_CRYPT.TXT

It contains 20 pages of instructions about setting up encrypted Slackware installs.

Last edited by BlackRider; 08-11-2011 at 04:04 AM.
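A check to run once the migration BlackRider describes above (post #22) is done, verifying that the mount points named in post #20 (/home, /var, /tmp and swap) really sit on dm-crypt devices. This is an added example, not code from the thread; the /proc/mounts and /proc/swaps text is constructed, and the dm UUID lookup is a callable you supply (on a live system, read /sys/block/dm-N/dm/uuid for the mapper name).

```python
# Added example (not from the thread): verify that the minimum set of mount points
# post #20 names, plus swap, are backed by dm-crypt. Sample /proc data is constructed.
MUST_BE_ENCRYPTED = ("/home", "/var", "/tmp")

SAMPLE_MOUNTS = """\
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/dev/mapper/crypthome /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
"""
SAMPLE_SWAPS = """\
Filename        Type        Size    Used    Priority
/dev/mapper/cryptswap partition 2097148 0 -2
"""
# Constructed stand-in for /sys/block/dm-N/dm/uuid: dm-crypt mappings carry a UUID
# starting with "CRYPT-" (CRYPT-LUKS1-<hex>-<name> for LUKS, CRYPT-PLAIN-<name> otherwise).
SAMPLE_DM_UUIDS = {"cryptroot": "CRYPT-LUKS1-0123abcd-cryptroot",
                   "crypthome": "CRYPT-LUKS1-4567ef01-crypthome",
                   "cryptswap": "CRYPT-PLAIN-cryptswap"}

def is_dm_crypt(device, dm_uuid_lookup):
    """True when `device` is a /dev/mapper node whose dm UUID marks it as dm-crypt."""
    if not device.startswith("/dev/mapper/"):
        return False
    uuid = dm_uuid_lookup(device.rsplit("/", 1)[-1])
    return bool(uuid) and uuid.startswith("CRYPT-")

def backing_devices(mounts_text, swaps_text):
    """Map each mount point, plus the key 'swap', to the device backing it."""
    devs = {f[1]: f[0] for f in (l.split() for l in mounts_text.splitlines()) if len(f) >= 2}
    swaps = [l.split() for l in swaps_text.splitlines()[1:] if l.split()]  # line 0 is the header
    if swaps:
        devs["swap"] = swaps[-1][0]
    return devs

def unencrypted_targets(mounts_text, swaps_text, dm_uuid_lookup):
    """Return the targets that are not on dm-crypt. A tmpfs /tmp lives in RAM and only
    reaches disk through swap, so it passes when swap itself is encrypted."""
    devs = backing_devices(mounts_text, swaps_text)
    swap_ok = is_dm_crypt(devs.get("swap", ""), dm_uuid_lookup)
    bad = []
    for target in MUST_BE_ENCRYPTED + ("swap",):
        dev = devs.get(target, "")
        ok = swap_ok if dev == "tmpfs" else is_dm_crypt(dev, dm_uuid_lookup)
        if not ok:
            bad.append(target)
    return bad
```

With the constructed sample, only /var comes back as unencrypted (it sits on plain /dev/sda3); /boot is deliberately not checked, matching the advice to keep it on separate removable media.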
 
08-11-2011, 03:30 PM   #23
unixfool
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Quote: Originally Posted by lpallard (post #21), on BASE requiring a full web server
Nope. There isn't a GUI that I'm aware of that will do what you need. In fact, Snorby installs its own web server. And just so you're aware, you can run the web server somewhere else (on a home machine)...at least with BASE, you can. I'm sure you can do the same with Snorby. With a lot of these security event managers, they are designed to be scalable (i.e., they aren't really meant to be installed on laptops). You can have the database on one machine, the web server on another, and the IDS sensor(s) all over the place. You're trying to use a Snort IDS as a HIDS when it's designed to be a NIDS. It can be done but your view is going to be oddly focused. If I were you and this HAD to be done, I'd install the database and web server on one machine, and run Snort on your laptop, having Snort send its logs to the database machine. You'd access the events through the web server (or the database, if you're geeky enough to like viewing in that manner...too much geek for me). About the overhead, unless you're using hardware that's two generations behind, you're not going to have a big issue. Snort will generate much more load than a local instance of Apache (that only you're going to use...I can see if you're talking about having an organization use it, but there's only you that will be accessing it).

Or, you can use Snortreport. It requires a database populated with Snort logs and shows the logs in an HTML format (it isn't realtime, though you can refresh the page to see the latest events). There's another tool that I've been using at home that is similar to Snortreport, but is Ajax-based.

Between BASE and Snortreport, Snortreport would probably be the better option for you. All that would be required is a running instance of Snort and a local (or even non-local) database.
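A minimal offline alternative to the web front-ends discussed in this thread (BASE, Snorby, Snortreport), for the single-laptop case lpallard describes: an added example, not from the thread or the Snort project, that summarises Snort's alert_fast log by signature and source without a database or web server. The alert lines are constructed samples and the log path in the comment is an assumption about a typical Snort setup.

```python
import re
from collections import Counter

# Added example (not from the thread): summarise Snort's alert_fast output offline.
# Sample lines are constructed to mimic the format; they are not real captured alerts.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

SAMPLE_ALERTS = """\
08/01-15:16:02.123456  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.10
08/01-15:16:02.223456  [**] [1:1000002:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:41000 -> 192.168.1.10:22
08/01-15:16:02.323456  [**] [1:1000002:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:41001 -> 192.168.1.10:80
08/01-15:17:40.000001  [**] [1:1000003:2] POLICY SSH login attempt [**] [Priority: 3] {TCP} 10.0.0.7:51234 -> 192.168.1.10:22
this line is not an alert and is skipped
"""

def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is ignored."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def summarize(alerts, max_priority=2):
    """Count alerts per (sid, message) and per source for priority <= max_priority
    (Snort priority 1 is the most severe, so this keeps the noisier low-priority ones out)."""
    by_sig, by_src = Counter(), Counter()
    for a in alerts:
        if int(a["prio"]) <= max_priority:
            by_sig[(a["sid"], a["msg"])] += 1
            by_src[a["src"]] += 1
    return by_sig, by_src

def report(text, max_priority=2):
    """Plain-text report, most frequent signatures and sources first."""
    by_sig, by_src = summarize(parse_alerts(text), max_priority)
    lines = ["Signatures:"] + [f"  {n:4d}  [{sid}] {msg}" for (sid, msg), n in by_sig.most_common()]
    lines += ["Sources:"] + [f"  {n:4d}  {src}" for src, n in by_src.most_common()]
    return "\n".join(lines)

if __name__ == "__main__":
    # On a live system, e.g.: print(report(open("/var/log/snort/alert").read()))  (assumed path)
    print(report(SAMPLE_ALERTS))
```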
 
08-13-2011, 05:33 PM   #24
lpallard (Original Poster)
Distribution: CentOS/RedHat
I managed to install BASE (very easy) and it does what I need!
 
  

