Old 09-03-2014, 12:37 PM   #16
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492

I don't really agree with the HOSTS file changes, but the rest is a good start.

A decent article on basic security, which you have mostly covered:
http://docs.slackware.com/howtos:sec...basic_security

Certainly make sure to secure your browser as this is an excellent attack vector for desktop systems. Use NoScript and Adblock, configured properly.

If the machine were used in public, like a laptop, I would also recommend using a boot password, locking the screen when away, and using a K-lock.

I also recommend avoiding USB sticks to transfer data from person to person. This is an archaic method and is an excellent attack vector. Use online file sharing or even an e-mail attachment for smaller files.
 
Old 09-03-2014, 12:41 PM   #17
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223

Original Poster
Rep: Reputation: 195
Hmmm, why don't you agree with them? They seem ok to me. I got them from here. I already use AdBlock, will take a look at NoScript.

EDIT: About USBs I never really trusted them, and now this
 
Old 09-03-2014, 02:43 PM   #18
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
Quote:
Originally Posted by moisespedro View Post
Thanks, I am gonna give it a try. To be honest, the machine doesn't have anything on it, if someone hacked it I wouldn't lose much. I just want to get knowledge on Linux security (and OS security in general)
This is a common fallacy that just because you don't have much on your computer that it isn't important to prevent it from being hacked, as it isn't always what you have for them to steal/destroy as much as it is that your computer is a resource that can be used, made into a 'zombie' (a remotely controlled unit that can be used as part of a botnet for conducting DDOS attacks or mass spam, or as a hidden repository for other illicit data, etc...), so really it's not just your data that needs protecting but also the ability to remotely control, or otherwise use your computer as a tool for other purposes than what you intend it to be used.
 
Old 09-03-2014, 02:48 PM   #19
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223

Original Poster
Rep: Reputation: 195
Quote:
Originally Posted by frieza View Post
This is a common fallacy that just because you don't have much on your computer that it isn't important to prevent it from being hacked, as it isn't always what you have for them to steal/destroy as much as it is that your computer is a resource that can be used, made into a 'zombie' (a remotely controlled unit that can be used as part of a botnet for conducting DDOS attacks or mass spam, or as a hidden repository for other illicit data, etc...), so really it's not just your data that needs protecting but also the ability to remotely control, or otherwise use your computer as a tool for other purposes than what you intend it to be used.
Errrr, I already said about that
 
Old 09-03-2014, 03:06 PM   #20
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
Quote:
Originally Posted by moisespedro View Post
Errrr, I already said about that
k, hehe, just as long as you are aware

as for how, there are tests you can run such as nmap (from a different computer on your network)
or you can go to https://www.grc.com/x/ne.dll?bh0bkyd2 (shields up) and run a scan which shows what ports are open to the internet whereas NMAP shows what ports are open to the LAN.
there are also programs like rkhunter that you can run on your computer to scan for rootkit infections (note: I would recommend using the latest version from sourceforge rather than the version in your distribution's repositories as security is one of the areas where it is the most vital to have the absolute latest stable version)
 
Old 09-03-2014, 04:35 PM   #21
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by moisespedro View Post
Hmmm, why don't you agree with them? They seem ok to me. I got them from here. I already use AdBlock, will take a look at NoScript.

EDIT: About USBs I never really trusted them, and now this
Well, the hosts file was originally designed as an alternate name resolution mechanism to a DNS server. It was not meant for use other than this. I know many people use it for other things like blocking ads and restricting hosts, but that is not what it is designed for. It can be used this way, but because it wasn't designed for it, I would use instead something that is designed for it and not have to worry about design flaws (if you can call them that in this case).

I am very concerned about USB devices, and many hacking devices exist that can completely hack a computer if you plug them in, and they look like regular USB sticks. It is a very good attack vector if you have physical access to a machine. It is also a problem if you have a laptop because laptops don't have PS/2 ports anymore so if you use an external mouse you cannot disable USB ports. To be safe I guess you could either use the touchpad or a touchscreen, both of which are daunting to me. I'll either be ripping my hair out because of the touchpad or getting gorilla arm with a touchscreen.
 
Old 09-03-2014, 08:51 PM   #22
enine
Senior Member
 
Registered: Nov 2003
Distribution: Slackʍɐɹǝ
Posts: 1,486
Blog Entries: 4

Rep: Reputation: 282
The first time anyone used a mouse it took some getting used to, a touchpad is no different. After I learned it I hate using a mouse, the touchpad is just faster and easier.

I'm trying to remember the slackware groups now, IIRC if you leave your user account out of some of them you can prevent USB from doing anything unless you switch to root.

But then again how often do you plug in an untrusted USB? I have one or two of my own but I don't plug them into anyone else's systems.

Last edited by enine; 09-03-2014 at 08:52 PM.
 
Old 09-04-2014, 01:58 AM   #23
lems
Member
 
Registered: May 2004
Distribution: BSD
Posts: 269

Rep: Reputation: 119
Quote:
Originally Posted by moisespedro View Post
@tronayne Although it might be considered relatively secure (if you compare to some other Linux distro or Windows) I don't believe Slackware is that secure by default. In the end, it is just a vanilla Linux distro put together by Patrick (not picking on him or anything).
Well, Fedora has SELinux and firewalld enabled by default, Ubuntu uses AppArmor. While firewalld can be replaced with other solutions (ufw et cetera), what about SELinux? Is it worth it? I've heard it's really complex and difficult to understand (see for example this post by Theodore Ts'o), and it's also from the NSA … I think enabling SELinux on Slackware would require recompiling software, maybe even patching it.
 
Old 09-04-2014, 02:34 AM   #24
BratPit
Member
 
Registered: Jan 2011
Posts: 253

Rep: Reputation: 100
Some post-install basic steps /not my work/:

http://mina86.com/2014/01/25/slackware-post-install/

Some of the possibilities /kernel, userspace etc.../ for the system, which Ubuntu gathered into a logical and coherent whole.
Not all are included in Slackware, but they are some things to think about.

https://wiki.ubuntu.com/Security/Features
 
Old 09-05-2014, 07:37 AM   #25
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
Quote:
Originally Posted by moisespedro View Post
@tronayne Although it might be considered relatively secure (if you compare to some other Linux distro or Windows) I don't believe Slackware is that secure by default. In the end, it is just a vanilla Linux distro put together by Patrick (not picking on him or anything).

"You do not, under any circumstances, put passwords on any administrative account with the sole exception of root."

Why would I let the account password-less?

DenyHosts looks great, thanks for the tip

Oh and by the way guys I am not running a server, it is a desktop machine.
If you look at both /etc/passwd and /etc/shadow you can see why the administrative accounts (except root) do not have passwords.

/etc/passwd looks like this (note: my machines all default to KornShell rather than BASH; Linux is all about choice and that's mine):
Code:
root:x:0:0::/root:/bin/ksh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
oprofile:x:51:51:oprofile:/:/bin/false
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
<user accounts are below here>
Most of them have the 7th field, user command interpreter, set as /bin/false (you can see the explanation of the fields with man 5 passwd). Any attempt to log in to any one of those immediately exits with an error set (the exit code is 1, not 0: successful execution of a command exits with 0). That error code sends you right back to the log in prompt; i.e., you cannot log in to any of those accounts (and should not ever).

/etc/shadow is where your encrypted passwords (on those accounts that need them) are set. It looks like this:
Code:
root:$5$AveOb59jlj7/80u$60A.qA5MOUhWpw.E5rRQk5K/sWnKSwQa.Gf8gahEyq3:16033:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
oprofile:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
<user accounts are below here>
The asterisk in the second field, the encrypted password field, prevents log in (it cannot be decrypted). See man 5 shadow.

/etc/passwd is readable by anybody, /etc/shadow is only readable by root; that should never be altered for any reason. Too, there will never be any reason whatsoever to change any of the administrative accounts' user command interpreter field to anything other than /bin/false (or what they are by default, such as sync, shutdown and the others that are not /bin/false).

It ain't broke, don't try to fix it.

If you're going to have more than one machine on a LAN (as in you have a router), you want to connect the two with ssh which provides you secure communications between multiple machines. You would also use SSH to connect with machines outside your LAN where you have permission to do so or where you have granted an outside machine to connect to yours -- only do so with SSH (and learn about what you're doing when you choose to do so).

Hope this helps some.
 
1 members found this post helpful.
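
An added example (not part of the post above and not Slackware's own tooling): a small Python audit of the two fields that post describes, the 7th field of /etc/passwd and the 2nd field of /etc/shadow. The sample entries are constructed, and the `uid_min=1000` cut-off for ordinary users and the list of interactive shell names are assumptions.

```python
# Added example: audit passwd field 7 (shell) and shadow field 2 (password).
INTERACTIVE = {"sh", "bash", "ksh", "zsh", "csh", "tcsh", "dash", "ash"}  # assumed list

def parse(text, nfields):
    """Map account name -> colon-separated fields, skipping malformed lines."""
    rows = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == nfields:
            rows[parts[0]] = parts
    return rows

def audit(passwd_text, shadow_text, uid_min=1000):
    """Return sorted (account, finding) pairs; uid_min is an assumed cut-off."""
    shadow = parse(shadow_text, 9)
    findings = []
    for name, f in parse(passwd_text, 7).items():
        if not f[2].isdigit():
            continue
        uid, shell = int(f[2]), f[6]
        pw = shadow[name][1] if name in shadow else None
        if pw is None:
            findings.append((name, "no shadow entry"))
        elif pw == "":
            findings.append((name, "empty password field: no password required"))
        if not 0 < uid < uid_min:
            continue  # root and ordinary users are expected to have passwords
        if pw and pw[0] not in "*!":
            findings.append((name, "system account has a usable password hash"))
        if shell.rsplit("/", 1)[-1] in INTERACTIVE:
            findings.append((name, "interactive login shell"))
    return sorted(findings)

# Constructed sample: a few default-style entries plus deliberately altered
# ftp (empty password) and mysql (hash set, /bin/bash); hashes are placeholders.
PASSWD = """root:x:0:0::/root:/bin/ksh
bin:x:1:1:bin:/bin:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
operator:x:11:0:operator:/root:/bin/bash
ftp:x:14:50::/home/ftp:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
"""
SHADOW = """root:$5$CONSTRUCTED$notarealhash:16033:0:::::
bin:*:9797:0:::::
sync:*:9797:0:::::
operator:*:9797:0:::::
ftp::9797:0:::::
mysql:$5$CONSTRUCTED$notarealhash:9797:0:::::
alice:$5$CONSTRUCTED$notarealhash:16300:0:99999:7:::
"""

if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW):
        print(f"{account}: {finding}")
```

To run it against a live system, pass the contents of /etc/passwd and /etc/shadow as the two strings; reading /etc/shadow requires root.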
Old 09-05-2014, 01:59 PM   #26
genss
Member
 
Registered: Nov 2013
Posts: 744

Rep: Reputation: Disabled
Quote:
Originally Posted by metaschima View Post
Well, the hosts file was originally designed as an alternate name resolution mechanism to a DNS server. It was not meant for use other than this. I know many people use it for other things like blocking ads and restricting hosts, but that is not what it is designed for. It can be used this way, but because it wasn't designed for it, I would use instead something that is designed for it and not have to worry about design flaws (if you can call them that in this case).

I am very concerned about USB devices, and many hacking devices exist that can completely hack a computer if you plug them in, and they look like regular USB sticks.
well it has allow and deny, so why not

...

they are regular USB sticks https://www.youtube.com/watch?v=dp7IMyXyfvA
 
Old 09-05-2014, 05:12 PM   #27
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by genss View Post
well it has allow and deny, so why not
Because there are better ways and because it is too blunt a way. You block everything, and then you forget you put those lines in there and you'll post here because something doesn't work and you don't know why. I prefer sharp tools to dull ones, but I guess some people prefer hammers.
 
  

