NOTE: I'm running Slackware 8.1 if it makes anything different

I've already implemented a pretty good IPTables firewall. I was wondering if there was anything else I could do to improve my security. I refuse to use that one hardening script that requires me to switch to System V init scripts(I think the program started with a B). Anything else I could do?

Shut down and/or uninstall any services you don't need/use. The fewer services you run, the fewer venerabilities will exist on your system. Make sure the services you do need have the latest bug/exploit fixes installed. That's about all I can think of. Watch your logs carefully.

I guess reading the first thread in this forum is out of the question?

First, some basic security principles:

Security is not a simple issue. You have to start with the question "What am I protecting against?". Answers could include internal users (who may have physical access to your system), external users (e.g. legitimate logins from the net), script kiddies, physical break-ins, social engineering, disaffected employees/family, electronic eavesdropping (aka Tempest) and email snooping. Plus anything else you might think of based on your own situation.

Once you are 0wn3d, what is an intruder going to want to do? Steal your secrets for business or blackmail? Wipe your hard drive? Or just use you as a zombie for DDOS on someone else?

If you are an any kind of company network then you need to co-ordinate your work with your company security people.

Security is also a multi-layer thing. Don't look for a Maginot Line; look for defence in depth. Having a firewall will stop the basic attacks, but some attacks can get through it, or come from behind it anyway. A chain is only as strong as its weakest link. It is futile to re-inforce an already strong link if another link is held together by chewing gum.

Security is an on-going mix of people and process as well as technology. Make sure people know what to do (e.g. non-trivial passwords). Regularly check your logs for suspicious activity.

There is no 100% guarantee. What you need to do is trade off risk of intrusion, cost of security measures and the impact an intrusion will have.

Now on to the practical suggestions:

For home or small business use your main concerns are script kiddies, viruses and worms, trojan web pages, and possibly telecom security for remote links.

* A good firewall will generally keep out the script kiddies.

* Keep up to date with security fixes for your distribution, so that anything that gets through your firewall it won't be able to exploit anything inside.

* If you do remote logins then make sure you use a secure protocol. SSH and secure web pages are good. Telnet and plain FTP are bad. Remember that when you log in from any remote device you have to trust that device to not steal your password or execute other instructions using your session.

* Run Tripwire to detect if anyone or anything changes any important system binaries. This requires extra on-going work to keep the Tripwire database up to date when you update system binaries. The default configuration of tripwire is very noisy, so you will need to spend time deleting parts of the default configuration that don't apply to you.

* Consider installing Snort to detect suspicious activity. Putting Snort on the outside of your firewall is futile unless you are really interested in every script kiddy attack and worm probe (although trend statistics from this information can be useful). Better to put it inside your firewall and configure it to watch for protocols and usage patterns that you know will not occur. For example if you never use SNMP then any SNMP traffic is a good clue that someone is sniffing around your network. Similarly incoming HTTP requests from the firewall if the firewall is set to reject incoming HTTP. And so on. But that is a lot of work, and only worth while if you are protecting a valuable resource.

* Turn off unnecessary services. If you run services (e.g. web server, NTP server, X font server) on your machine then make sure each one has its own account to run under. Never run a service as root unless it really needs root permissions. If you want to take this a step further then consider running these services in a chroot jail or even under a User Mode Linux virtual machine. These steps ensure that a single compromised service cannot spread contagion to the rest of your computer. User Mode Linux is the strongest option here, but is rather resource heavy.

* Review your web browser security settings, especially for active content.

* Review your process for downloading and installing updates. Check MD5 checksums. If your distribution does signed updates then use them.

* Check your email settings for attachments. If necessary set up a "sandbox" account for opening untrusted attachments.

Hope this helps.

Paul.

This is for a small webserver/home computer. I'm not worried about people gaining physical access to it. More along the line of script kiddies. I'm a bit paranoid I know. I don't have to worry about opening any thing(Don't run attachements, not that the majority affect linux anyway)

Thanks for reminding me about security updates. I need to do that yet. Tripwire & Snort seem a little far. The only server that I allow internet access to is Apache.

Also, you may want to install a log watching utility to check for any strange log acitivity, they tend to just email you a daily report on the log files. you should aslo check them manually. a hacker can always kill the log watch deamon.

i also would recomend running a program like chckrootkit on a cron job, it will also help in decting hackers, have the output emailed to you

If the only ports you have open to the real world is http, then you may want to run tcpdump (or snort) just on port 80. save it to a file, you can then write a simple cron scipt to HUP it every once in a whiile, compress that file and put it somewhere on the box. This may be helpful later if you find out that you get hacked, you may be able to gain some information from it. . . or at least give it to some people who can.


also, tripwire really isn't to much, sure if you use the default install script that came with it you will get a million flags the first time you patch the system. but there are a few files that are really important and should be watched. for example. all your startup scripts, profile, password, shadow, ect. maybee the binaries of the services you have running, also, any programs that are commoly uses as root . . ie (ls, cd, ....) this will gave you a good set of basic protections, and will go a good way of determining if you have had any onwanted access on the box.

use a tool like monit to monitor critical processes - just like syslog ... also code some scripts yourself that check some /var/log site and maybe even implement a loghost and do remote logging ...

Have you run some online scanners to verify that your firewall is effective? If not, try www.pcflank.com www.blackcode.com www.computercops.biz www.qualys.com www.securityspace.com www.auditmypc.com scan.sygatetech.com or others.

I recommend against signing on as root, especially since you have some open ports.

When browsing the internet, set it to execute as
su - browserID -c "mozilla"
where browserID is an ID that owns essentially nothing and mozilla could be changed to whatever browser you're using. This is particularly useful if you are logged in as root.

Make sure that any non-used IDs in /etc/passwd have a shell of false or nologin.

Apache has some additional security features but unfortunately, that's not my balliwack.

Generally, running a web-server along with critical systems is a no-no. But I understand that you may have only the one so... I'd at least make sure you follow a backup schedule religously. I'd also refrain from using this system for storing your most sensitive information ( finances, passwords etc... ).