LinuxQuestions.org > Slackware > hardening slack? (https://www.linuxquestions.org/questions/slackware-14/hardening-slack-344738/)

Geocritter 07-19-2005 03:08 PM

hardening slack?
Hi all,

I'm not sure if this goes into the security forum or not, as I'd really like you slackware folks to advise...

If I install slack 10.1, what do I need to do to secure? I'm on dialup right now, so I'm not AS worried, but we are thinking about dsl, so...

I've seen some sites that are way over my head on what to do, and in the end, my head is just swimming. Can someone simplify this for me (a checklist, if you will): what do I need to do on a fresh install before putting it on a network?

Thanks,
Dan

nukey 07-19-2005 03:18 PM

Well, first of all you should get rid of any daemons that are running that you don't need (because they open ports).

First give the output of:

nmap localhost

Mine looks like this
Code:

21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http

Maybe these are also open on your machine.
For example port 80, which is httpd (an Apache webserver). If I wanted to close port 80 I would make sure httpd isn't running. To stop such a specific daemon you should chmod -x /etc/rc.d/rc.daemon-you-want-to-stop. In this case I would do chmod -x /etc/rc.d/rc.httpd
The same goes for most services (for some of them you may have to look a little further; some reside in /etc/inetd.conf for example (ftp and some others)).

For the ports to close you could
1) reboot your computer
2) before you chmod -x them you should, for example, do /etc/rc.d/rc.sshd stop


And of course you can always use iptables to make it all more secure, but let's start with the above.
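The stop-then-chmod -x routine from this post, written out as a small added shell script (not from the thread or from Slackware itself); it relies on Slackware's convention that a service starts at boot only if /etc/rc.d/rc.<name> is executable, and it takes the rc directory as a parameter so it can be tried on a constructed scratch copy before being pointed at the real /etc/rc.d as root.

```shell
#!/bin/sh
# Added example (not from the thread): Slackware's rc.d convention, where a
# service starts at boot only if /etc/rc.d/rc.<name> has the execute bit.
# The rc directory is a parameter so the functions can be exercised on a
# scratch copy; on a real box point them at /etc/rc.d as root.

# Print the rc.* scripts that are executable, i.e. enabled at boot.
enabled_services() {
    dir=${1:-/etc/rc.d}
    for f in "$dir"/rc.*; do
        [ -f "$f" ] && [ -x "$f" ] && basename "$f"
    done
    return 0
}

# Stop a running daemon through its own script, then clear the execute bit
# so the service is not started again at the next boot (the two steps from
# the post, in the right order: stop first, then chmod -x).
disable_service() {
    dir=$1; name=$2
    script="$dir/rc.$name"
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    if [ -x "$script" ]; then
        "$script" stop >/dev/null 2>&1 || true
        chmod -x "$script"
    fi
    return 0
}

# Constructed stand-in for /etc/rc.d: three fake scripts, two enabled.
make_demo_rcdir() {
    d=$(mktemp -d)
    for s in httpd sshd inetd; do
        printf '#!/bin/sh\necho "rc.%s $1"\n' "$s" > "$d/rc.$s"
    done
    chmod +x "$d/rc.httpd" "$d/rc.sshd"   # rc.inetd left without +x
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_rcdir)
    echo "enabled before:"; enabled_services "$demo"
    disable_service "$demo" httpd
    echo "enabled after:";  enabled_services "$demo"
    rm -rf "$demo"
fi
```

After disabling a service, nmap localhost (as in the post) is the independent check that the port really went away.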

baskerville 07-19-2005 04:00 PM

Well, let's see. I'm not at home, so I can't check my own checklist. Some tips I remember:

1. Disable unneeded services, like DNS servers or mail servers. To do it, you only need to 'chmod -x' the respective scripts in the /etc/rc.d/ folder. Well, how are you going to know which service is needed or not? My advice is: be very restrictive. Look inside the scripts and check which daemon is started by each. If you are on a desktop you won't need httpd, mysqld and other network daemons. If you are a web developer and need Apache for testing your sites, it's safer to start it using 'apachectl start' when you're working than to run it as a daemon from startup.
2. Have a look at the /etc/login.defs file (or something like that). The comments are self-explanatory and can provide a lot of ways for hardening login.
3. There is a file in /etc named 'securetty' or something like this. The uncommented lines define the terminals root is allowed to use for logging in. In a very hardened system you can disable all access (comment all lines) and force people to log in as an ordinary user and use 'su' to do root jobs.
4. In /etc/sudoers you can restrict who can use the 'su' command and which commands the user can run as root. I don't know very well how to configure it, but I think that there is a 'man' page for this file.
5. Ah, evidently: use a firewall. Iptables is very powerful, but hand-configuring it is very, very hard for a newbie like me. Use Guarddog for doing that. I think it does a good job.
6. Search on Sourceforge.net or Freshmeat.net for security tools such as Nmap, Tripwire, Chkrootkit, SARA (former SATAN, I guess), Logcheck (or Logwatch). It's advisable to run some file integrity check tool just after the installation, or the script found in the Post-Installation Checklist HOW-TO.
http://www.tldp.org/HOWTO/Post-Insta...ist/index.html
This script takes a snapshot of the clean system, before you start to do the silly things that make it insecure :-) It's useful for rolling back some bad idea or for use as a baseline for file integrity.
Schedule the auditing tools in root's crontab file. Check 'man crontab' to see how to use it. It's not very hard. You'll maybe need to write some simple Bash scripts in order to control the command-line options of the programs. For instance, I use scripts in such a manner that the reports are not overwritten, but each new report receives a unique name, is put in a specific folder, chmoded 400 and chattr'ed +i (i.e., made immutable).
7. Check the permission settings of some important folders. In principle there must be very few world-writable files and not a lot of world-readable files in some important folders. But it's better to do extensive changes only after the aforementioned snapshot, for some files in "system" folders need to be readable even by ordinary users. I don't have a general recommendation on this point. But you can maybe check this file:
http://www.userlocal.com/security/secfileperm.php
(and the parent folder, as well).
Another kind of permission attribute is set with the "chattr" command. Two options are interesting for security purposes: +i to make the file immutable, even for root (but root can still unset this attribute), and +a to make the file append-only.

Well, there are many other tips, but these are the ones I can remember now. I'm still a newbie, but I grant you that researching the security topic is very addictive. So, I recommend you pay attention to all the security HOW-TOs, including the marvellous "Secure Programs", for it contains general security considerations too. I recommend this guide too:
http://www.tldp.org/LDP/solrhe/Secur...ution-v2.0.pdf
It is very RedHat-centric but a lot of the information is useful in any Linux distro.
Good luck and enjoy Slackware! If I remember something I'll come back and post it!
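The report-handling scheme from tip 6 (unique name per run, mode 400, optionally chattr +i), as an added shell script that is not from the thread; the report directory, the tool being wrapped and the crontab line are assumptions, and the immutable step is opt-in because it needs root on an ext2/3/4 filesystem and cannot be undone without chattr -i.

```shell
#!/bin/sh
# Added example, not from the thread: the report-handling scheme described
# for cron-driven audit tools (chkrootkit, Tripwire, Logcheck...): every run
# gets a uniquely named file, read-only (mode 400) and, optionally,
# immutable via chattr +i. Report directory and tool command are assumptions.

# Path for a new report that cannot overwrite an earlier one: tool name plus
# timestamp, with a counter suffix if the same second was already used.
unique_report_path() {
    dir=$1; tool=$2; stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    path="$dir/$tool-$stamp.log"; n=0
    while [ -e "$path" ]; do
        n=$((n + 1)); path="$dir/$tool-$stamp.$n.log"
    done
    echo "$path"
}

# Run the tool given as the remaining arguments, capture stdout and stderr
# into a fresh report, record a non-zero exit status, then lock the file
# down. With LOCK_IMMUTABLE=1 (root on an ext2/3/4 filesystem) the file also
# gets the +i attribute, so even root has to chattr -i before touching it.
store_report() {
    dir=$1; tool=$2; shift 2
    mkdir -p "$dir"
    out=$(unique_report_path "$dir" "$tool")
    "$@" > "$out" 2>&1 || echo "[$tool exited with status $?]" >> "$out"
    chmod 400 "$out"
    if [ "${LOCK_IMMUTABLE:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        chattr +i "$out" 2>/dev/null || echo "chattr +i failed for $out" >&2
    fi
    echo "$out"
}

# When called with arguments (e.g. from root's crontab), act as a wrapper.
# Assumed crontab line, nightly at 03:00:
#   0 3 * * * /root/bin/store_report.sh /var/log/audit chkrootkit /usr/sbin/chkrootkit
if [ $# -ge 3 ]; then
    store_report "$@"
fi
```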

baskerville 07-19-2005 04:10 PM

Hey,
try these links also:
SLACKWARE security: good list of permissions (I'll use it in my box!) ->
http://members.cox.net/laitcg/new/ss.html
TrinityOS: general hardening. Beware of some things strange to the Slack way of life (I mean some configuration files are different in Slack and RedHat-centric distros) ->
http://www.ecst.csuchico.edu/~dranch...inityOS-c.html

justin_p 07-19-2005 09:04 PM

For simplicity's sake, turn off the daemons that you don't need running in the /etc/rc.d/ directory. nmap localhost is probably the best way to evaluate. Also, get a copy of guarddog from linuxpackages.net and run it to configure a simple firewall. You may need to move it to /etc/rc.d and make it executable with chmod +x /etc/rc.d/rc.firewall. This should be straightforward if you turned off the other services. It needs to be in /etc/rc.d in order to start on boot automatically.
