LinuxQuestions.org
Old 01-02-2014, 01:24 PM   #31
ReaperX7
LQ Guru
 

For a desktop, I'd first want to define what resources on my network need to be shared, what my users need access to on the network, what level of permissions are needed, and how much anti malware defense is required.
 
Old 01-02-2014, 02:23 PM   #32
AlleyTrotter
Member
 
What I am interested in securing (as well as possible) is the desktop that I wake up to every morning. Read several news sites, check my email, fiddle around pretending to be a programmer. Just about the same as when I started using Slackware back in the late '90s. My banking is done online. I also do some bookkeeping for my church, and am the family (US) income tax expert.
So far I have modified the /etc/hosts.allow and hosts.deny files:
Code:
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided by
#               the '/usr/sbin/tcpd' server.
# Version:      @(#)/etc/hosts.allow    1.00    05/28/93
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org

# A pattern that ends in a dot is a network prefix ("127." matches 127.x.x.x);
# a bare "127" is compared as an exact string and matches no client.
ALL: 127.

httpd:127.0.0.1
sshd:127.0.0.1
Code:
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
# Version:      @(#)/etc/hosts.deny     1.00    05/28/93
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
ALL:ALL
Have commented out all the daemons in /etc/inetd

SSHD is turned off as I don't have any need for it.

Run Alien's firewall with one modification to allow wifey to access my PHP addressbook from her tablet
Code:
# HTTP
$IPT -A tcp_inbound -p TCP -s 192.168.1.0/24 --destination-port 80 -j ACCEPT
Thinking that I should block all inbound/outbound services/ports except for the ones I actually use http, https, email etc.

Almost forgot: I regularly run rkhunter and chkrootkit. I have also installed aide and use it before and after any new software installs. I do my initial install without running netconfig until after the rootkit tools, aide and firewall are up and running.

Someplace to start?
John

Last edited by AlleyTrotter; 01-02-2014 at 02:40 PM. Reason: I just keep thinking of more procedures I have followed over the years
 
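To see what tcpd actually does with the two files in the post above, here is a small simulator added for illustration; it is not code from the post or from tcp_wrappers, and it models only the hosts_access(5) rules for IPv4 address clients (no hostname patterns, no EXCEPT). It shows why a bare `ALL:127` line never matches loopback while the prefix form `ALL: 127.` does, and why the explicit `sshd:127.0.0.1` entry still works either way.

```python
import ipaddress

# Constructed copies of the two files from the post above (comments dropped).
# "ALL:127" is exactly as posted; the FIXED variant uses the prefix form.
HOSTS_ALLOW_AS_POSTED = "ALL:127\nhttpd:127.0.0.1\nsshd:127.0.0.1\n"
HOSTS_ALLOW_FIXED = "ALL: 127.\nhttpd: 127.0.0.1\nsshd: 127.0.0.1\n"
HOSTS_DENY = "ALL:ALL\n"


def parse_rules(text):
    """Yield (daemon_patterns, client_patterns) for each rule line.

    hosts_access(5) lines read 'daemon_list : client_list [: command]';
    comments and blank lines are skipped, lists are whitespace separated."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("expected 'daemon_list : client_list': %r" % line)
        yield fields[0].split(), fields[1].split()


def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # "127." is a network-number prefix and matches 127.x.x.x
        return addr.startswith(pattern)
    if "/" in pattern:
        # n.n.n.n/m.m.m.m (or CIDR); strict=False tolerates host bits set
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    # Anything else must equal the address exactly, so a bare "127"
    # never matches "127.0.0.1".
    return addr == pattern


def rule_matches(daemons, clients, daemon, addr):
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, addr) for c in clients)


def hosts_access(daemon, addr, allow_text, deny_text):
    """Return True if tcpd would admit `daemon` for client `addr`.

    Evaluation order: first match in hosts.allow grants, then first match
    in hosts.deny refuses, and a client matched by neither file is allowed."""
    for daemons, clients in parse_rules(allow_text):
        if rule_matches(daemons, clients, daemon, addr):
            return True
    for daemons, clients in parse_rules(deny_text):
        if rule_matches(daemons, clients, daemon, addr):
            return False
    return True


if __name__ == "__main__":
    for allow in (HOSTS_ALLOW_AS_POSTED, HOSTS_ALLOW_FIXED):
        for daemon, addr in (("sshd", "127.0.0.1"), ("in.ftpd", "127.0.0.1"),
                             ("in.ftpd", "192.168.1.10")):
            verdict = "allow" if hosts_access(daemon, addr, allow, HOSTS_DENY) else "deny"
            print("%-8s from %-14s -> %s" % (daemon, addr, verdict))
        print("--")
```

Only services started through tcpd (inetd entries) or linked against libwrap consult these files at all; Apache httpd does neither, so the `httpd` line changes nothing by itself and port 80 has to be controlled in the firewall instead.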
Old 01-03-2014, 08:37 AM   #33
enorbet
Senior Member
 
Quote:
Originally Posted by ReaperX7
For a desktop, I'd first want to define what resources on my network need to be shared, what my users need access to on the network, what level of permissions are needed, and how much anti malware defense is required.
Unless I'm hopelessly out of date (1 year? 2?), it is my understanding that although someone created a test case in which some minor malware was installed in a Linux system, it was unable to do anything but sit there, as it is compartmentalized. Here I am using "malware" in the sense of advertising, information gathering, and other non-destructive cruft that used to clog Windows to the choking point. Has this changed?

To offer some minor assistance for new "hardeners", here is what is hopefully a useful (and not too utterly basic) recommendation as a starting point. Get "rkhunter" and start by running it like this
Code:
 rkhunter --check --report-warnings-only
so that you aren't overwhelmed with all the "checks ok" data and only see what needs attention

Last edited by enorbet; 01-03-2014 at 08:42 AM.
 
Old 01-03-2014, 03:14 PM   #34
ReaperX7
LQ Guru
 
No operating system is truly safe from malware. Just because malware can be compartmentalized and not affect a system doesn't mean it's not safe to keep running. Apple touted this for the longest time, claiming they were immune to malware, and then several years ago they got attacked with system-crippling malware. GNU/Linux is not immune either. Just because malware is compartmentalized doesn't mean you fully know what it's doing. Systems today have many ways malware could easily infect a Linux system and go undetected. We've had issues with rootkits as noted in an earlier topic, so yes, having some level of anti-malware protection is recommended. This isn't 1999, when hardly anyone even thought of trying to attack a UNIX-like system with malware and only targeted Windows.
 
Old 01-03-2014, 04:10 PM   #35
hitest
Guru
 
Original Poster
In addition to rkhunter I like using chkrootkit. There are occasions where you can get a false positive so it is nice to have another utility to take another look at a rootkit detection.
You can get chkrootkit from the good people at slackbuilds.org.

http://slackbuilds.org/repository/14...em/chkrootkit/

Navigate to /usr/sbin and start chkrootkit with:

Code:
# ./chkrootkit
 
Old 01-03-2014, 09:51 PM   #36
enorbet
Senior Member
 
Quote:
Originally Posted by ReaperX7
No operating system is truly safe from malware. Just because malware can be compartmentalized and not affect a system doesn't mean it's not safe to keep running. Apple touted this for the longest time, claiming they were immune to malware, and then several years ago they got attacked with system-crippling malware. GNU/Linux is not immune either. Just because malware is compartmentalized doesn't mean you fully know what it's doing. Systems today have many ways malware could easily infect a Linux system and go undetected. We've had issues with rootkits as noted in an earlier topic, so yes, having some level of anti-malware protection is recommended. This isn't 1999, when hardly anyone even thought of trying to attack a UNIX-like system with malware and only targeted Windows.
IMHO a rootkit is not simple malware. It may accompany malware to get in and break out of the compartment, but a rootkit is an attack, pure and simple, a coup d'etat, if you will.

Can you name one malware item that has infected a linux system, say for gathering website visitation history or ad popups? I'm not referring here to cookies that we freely allow in our browsers, but rather backdoor stuff commonly for commercial use. We all know some and suspect more about such as NSA.
 
Old 01-07-2014, 01:39 PM   #37
Smokey_justme
Member
 
Damn you guys are hard to follow...

But still, no suggestions were given..

@AlleyTrotter: What you've done is pretty ok so far but you must analyze your weak points..

From what you have said, it's safe to presume that you are behind a router. If that router is not set to DMZ your computer and has no port forwarding enabled, and you are connected by a cable to it, you are already more secure from the outside than you realize... Your weak points are..
1) The LAN (specifically the Wireless part of it)... The good news is that this only affects you if an attacker is close to you...
1.1) The HTTP port... You have allowed access from all your LAN into HTTP port..
2) You.. And by that I mean any software that you launch and reaches the internet, since that is the only way packets will even reach your computer.

Now, let's look at quick solutions to enhance your security:

1) Take a bit of time and configure your router.. Change your default password for the admin interface, hide your SSID broadcast and use only-MAC based access lists.. Stop using dhcp for your LAN. This will require a bit of work when connecting your devices to the network and will require that you take care of IPs in your network, but it will enhance your overall security...
1.1) Since you gave up dhcp in your LAN, you don't have to allow every IP in, but just those that you want... I would rewrite that part of firewall to something like this:
Code:
allowedips="192.168.1.2 192.168.1.3" #Replace this with the IPs that need to have access to your server... You can have as many as you want, just space separate them
for ip in $allowedips; do
  $IPT -A tcp_inbound -p TCP -s $ip --destination-port 80 -j ACCEPT
done
---
Also, you have to consider packet sniffing... if your wife has access or needs to have access to confidential data then you should use at least SSL... Please keep in mind that you only need this for someone sniffing your packets in, let's say at most 100m range of your router... You're quite safe from the Internet.. So, if you are afraid that a family member or a neighbour is out to catch you, then by all means use SSL.. Also, if you are afraid that someone in your LAN wants to harm you, then you have another weak point.. Your PHP application..

2) Now to the interesting stuff... You are only as secure as the software you use... Be sure to use Firefox with NoScript... Be sure not to let the browser save your important site passwords... Be careful how you use "the cloud" and be careful on which webpages you browse... You cannot be fully protected from a nasty XSS in a poorly developed site, but trust me, NoScript will do wonders in many cases and always use it when browsing new sites or following links.. However, even I browse Youtube with Google Chrome ).. It just works better and if you keep your eyes open you'll be fine.. Don't get too paranoid..

Don't download stuff that you do not trust... Instant messengers are a great thing, but don't download funny PowerPoint slides while in Windows (which, of course, is not your case, but you see my point, right?) not even from family or friends... And the list can go on.. Basically, in your configuration, only software that you use and the way you use it can keep you protected..

P.S. We live in a great world with lots of sites and a lot of internet banking available... Don't use password managers (especially ones that have "cloud" capabilities), but write your passwords onto a piece of paper... If there isn't any threat from within the house and the paper is not left lying around when you have visitors, that's the absolute safest way to go..


---

Now, if you have a laptop that you use while not at home, I would even go on and set up a SSH proxy on your slackware machine (needs port 22) and set the router to forward outside connections to that port.. This would not only give you access to your PHP application in a secure manner wherever you are, but would actually protect you from packet sniffing from that specific location... But that's another discussion... Maybe for a later post...

Have fun, and hope I've been of help..

P.S. I'm not a native English speaker, so please don't complain about any mistakes (no matter how dumb they are)

Last edited by Smokey_justme; 01-07-2014 at 01:47 PM.
 
Old 01-07-2014, 02:14 PM   #38
AlleyTrotter
Member
 
Quote:
Originally Posted by Smokey_justme
Damn you guys are hard to follow...

But still, no suggestions were given..

@AlleyTrotter: What you've done is pretty ok so far but you must analyze your weak points..

2) Now to the interesting stuff... You are only as secure as the software you use... Be sure to use Firefox with NoScript... Be sure not to let the browser save your important site passwords... Be careful how you use "the cloud" and be careful on which webpages you browse... You cannot be fully protected from a nasty XSS in a poorly developed site, but trust me, NoScript will do wonders in many cases and always use it when browsing new sites or following links.. However, even I browse Youtube with Google Chrome ).. It just works better and if you keep your eyes open you'll be fine.. Don't get too paranoid..

Have fun, and hope I've been of help.
I am doing most of what you say.
I have been considering setting up the wireless (tablet, 2 televisions) by MAC address. I recently read an article on just this subject.
I don't really see any advantage to not using DHCP on the wired side.
[EDIT] after rereading your reply I think I get your intent on 'no DHCP'[/EDIT]
Thanks for the reply
John

Last edited by AlleyTrotter; 01-07-2014 at 02:31 PM.
 
Old 01-08-2014, 11:06 PM   #39
salemboot
Member
 
Secure it

Just some basic broad brush strokes for security
  • Enable a password on the System BIOS
  • Disable booting from USB / CDROM if you don't need it
  • Encrypt the filesystem(s), at the very least encrypt your home partition
  • Use the TOR bundled browser when you need to browse untrusted sites
  • Turn off crash and health reports in Firefox and delete the ~/.mozilla directory often; you can back it up after you got it configured: "tar cfvz mozilla.tgz ~/.mozilla" then just "rm -rf ~/.mozilla; tar vxf mozilla.tgz" whenever you feel the urge.
  • Always zero write new USB media, it's a known attack method to store bad stuff on USB sticks: "cat /dev/zero > /dev/sd_ " the underscore will be either a b c d e f or g... whatever the letter is. be careful
  • Run tcpdump if it's still included in the latest version; it should show you all connection attempts
  • Block ad servers and software that may be calling home in the /etc/hosts I think ie. akonadi.snooping.kde.org 127.0.0.1

Many people block connection attempts from outside their private networks but that is more advanced.

Last edited by salemboot; 01-08-2014 at 11:15 PM.
 
Old 01-09-2014, 05:25 AM   #40
Smokey_justme
Member
 
Actually, all incoming connection attempts should be blocked (regardless from where the connection is coming) and this policy is a default in many modern Operating Systems (even in newer Windowses).. Only expected packages should be allowed in..

In Slackware however, you have to implement your own firewall (you can do that in /etc/rc.d/rc.firewall).. A simple firewall generator that will be more than sufficient for normal users can be found here: http://www.slackware.com/~alien/efg/

Talking about firewalls, a not-so-common suggestion for normal day-to-day usage is to stay behind a simple (even cheap) router (just don't enable DMZ).. It will in itself act as a small firewall simply because it won't know where to send incoming connection attempts (thus refusing them).

Btw, just a small note: in Linux systems the /etc/hosts syntax is "ip domain" (example: "127.0.0.1 akonadi.snooping.kde.org").. And yes, that is a very good tip... A simple Google search will even give you a lot of premade hosts files blocking a lot of ad servers (example: http://winhelp2002.mvps.org/hosts.txt )

While TOR is a great software, personally I wouldn't recommend using it.. It is still a proxy controlled by third parties and a malicious exit-node could still harm you.. Don't confuse its anonymity functionality with security. As an example, let's say you play an online game and use TOR to connect to it... Most of them will not use SSL even when logging in, but still most of them will even offer a "remember me" function... That exit-node will have a very easy time getting your connection details.. You are basically allowing a "man in the middle"

BIOS passwords are useless in most cases.. It's only useful in libraries or computer laboratories at schools, etc.. Basically anywhere where you can't keep an eye out on what every person is doing on the PCs but opening the case of that PC is not an option for them..

Encryption is useful in case you have important stuff on your mobile PC (laptops anyone) and gets stolen... It is rarely useful on a desktop computer.. But, to be fair, this is only my opinion.. Encrypted partitions provide, indeed, some extra security..
 
Old 01-09-2014, 10:40 AM   #41
BratPit
Member
 
The most simple yet powerful IMO explanation of a firewall for 1 host is here:

https://wiki.archlinux.org/index.php...teful_Firewall

Passwords. Today 8-symbol passwords are weak. The standard is 12 now IMO.

An 8-symbol offline crack on 1 machine with the power of a graphics card (upper and lower case and digits), MD5 hash from /etc/shadow, takes about half an hour.
The sha256 (Slack 14.1) takes only 10 times longer.
Of course there is an option in login.defs:

SHA_CRYPT_MIN_ROUNDS, default 5000, that hardens passwords, but only those in /etc/shadow, so IMHO 8-symbol secure passwords are gone.

Here is nice calculator.

https://www.grc.com/haystack.htm

So I do not agree that a password in the BIOS is nothing.
The Bios passwords are weak but possibility of instant booting to everyone is far worse.

Last but not least

The lilo has option -p which store encrypted password /DES3/ in separate file.
So "linux single" is not so obvious.
 
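An added check (not code from the thread) for the point above about hash algorithms and SHA_CRYPT_MIN_ROUNDS: it reads text in /etc/shadow and /etc/login.defs format and reports accounts whose stored hash is MD5 ($1$) or legacy DES, or whose sha256/sha512 hash carries fewer rounds than the policy. The shadow lines and login.defs excerpt are constructed samples with placeholder hash strings.

```python
import re

# Constructed sample in /etc/shadow format; hash payloads are placeholders,
# not real digests. "$6$" is sha512, "$1$" is md5, "*" and "!" are locked.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$s4ltS4lt$PLACEHOLDERHASHROOT:16079:0:99999:7:::
john:$6$s4ltS4lt$PLACEHOLDERHASHJOHN:16079:0:99999:7:::
legacy:$1$s4ltS4lt$PLACEHOLDERHASHLEG:12000:0:99999:7:::
oldbox:PLACEHOLDERDE:11000:0:99999:7:::
sshd:*:16079:0:99999:7:::
nobody:!:16079:0:99999:7:::
"""

# Constructed excerpt in /etc/login.defs format.
SAMPLE_LOGIN_DEFS = """\
ENCRYPT_METHOD SHA512
# raise the work factor for passwords set from now on
SHA_CRYPT_MIN_ROUNDS 50000
"""

ALGORITHMS = {"1": "md5", "5": "sha256", "6": "sha512",
              "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
DEFAULT_SHA_ROUNDS = 5000  # crypt(3) default when no rounds= field is present


def min_rounds_from_login_defs(text, fallback=DEFAULT_SHA_ROUNDS):
    """Return SHA_CRYPT_MIN_ROUNDS from login.defs text, else the fallback."""
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "SHA_CRYPT_MIN_ROUNDS":
            return int(words[1])
    return fallback


def describe_hash(field):
    """Return (algorithm, rounds) for one crypt(3) password field."""
    if field in ("", "*") or field.startswith("!"):
        return "locked", None
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return "descrypt", None  # 13-char traditional DES crypt, no '$'
    algo = ALGORITHMS.get(m.group(1), "unknown")
    rounds = None
    if algo in ("sha256", "sha512"):
        rounds = int(m.group(2)) if m.group(2) else DEFAULT_SHA_ROUNDS
    return algo, rounds


def audit_shadow(shadow_text, min_rounds):
    """Return [(user, reason)] for entries weaker than the rounds policy."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        algo, rounds = describe_hash(field)
        if algo == "locked":
            continue
        if algo in ("md5", "descrypt"):
            findings.append((user, "%s hash: fast to crack offline" % algo))
        elif rounds is not None and rounds < min_rounds:
            findings.append((user, "%s with %d rounds, policy minimum %d"
                             % (algo, rounds, min_rounds)))
    return findings


if __name__ == "__main__":
    policy = min_rounds_from_login_defs(SAMPLE_LOGIN_DEFS)
    for user, reason in audit_shadow(SAMPLE_SHADOW, policy):
        print("%-8s %s" % (user, reason))
```

Raising SHA_CRYPT_MIN_ROUNDS only affects passwords set after the change; existing entries keep their old algorithm and round count until the password is changed with passwd, which is exactly what an audit like this surfaces.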
Old 01-09-2014, 10:56 AM   #42
Z038
Member
 
Quote:
Originally Posted by Smokey_justme
While TOR is a great software, personally I wouldn't recommend using it.. It is still a proxy controlled by third parties and a malicious exit-node could still harm you.. Don't confuse its anonymity functionality with security. As an example, let's say you play an online game and use TOR to connect to it... Most of them will not use SSL even when logging in, but still most of them will even offer a "remember me" function... That exit-node will have a very easy time getting your connection details.. You are basically allowing a "man in the middle"
Discussion of Tor is off topic for this thread because it has nothing to do with hardening a Slackware system. But some of your comments about Tor deserve a response.

TOR is intended primarily for anonymous internet browsing and for evading censorship. Paraphrasing the TOR FAQ ("What Protections Does Tor Provide?"), it prevents websites and other services from learning your location, prevents people who may be watching your traffic locally (such as your ISP) from learning what information you're fetching and where you're fetching it from, and it routes your connection through more than one Tor relay so no single relay can learn what you're up to.

Obviously, it should not be used to enter personally identifying information at insecure non-encrypted sites, or to log in to sites that do not provide secure end-to-end encryption (SSL), since non-encrypted communications can be captured by the exit node. Active content should also be blocked while using TOR (e.g., Java, Javascript, Adobe Flash, Adobe Shockwave, QuickTime, RealAudio, ActiveX controls, VBScript, et al.), since it can also reveal information about you.

The Tor network is too slow to effectively use it for playing games on an internet game site, as in your example, even if it did use SSL. Nevertheless, Tor is a useful tool to help protect anonymity when used appropriately and with an understanding of what it does and does not protect you from. You may not want to use Tor, but that is no reason to recommend that other people don't use it.
 
Old 01-09-2014, 12:17 PM   #43
granth
Member
 
System hardening is relative to the acceptable risk level. You should define your security goals and acceptable risk. This will define the level of hardening required. For example, hardening a public-facing web server which processes credit card payments is completely different than hardening Joe Blow's web surfing PC.

The web browser & plugins are typically the weakest link in PC's. Firefox + NoScript + responsible browsing is a good start. Disabling unused services and adding a local firewall will help to reduce local threats, but it won't stop the end-user from installing malware.


Quote:
Originally Posted by Smokey_justme
hide your SSID broadcast and use only-MAC based access lists.. Stop using dhcp for your LAN. This will require a bit of work when connecting your devices to the network and will require that you take care of IPs in your network, but it will enhance your overall security...
Hidden SSID, MAC ACL, and disabling DHCP does nothing to enhance security. These things will only make your life more difficult. Any person within range of your WLAN can easily sniff out the hidden SSID and MAC addresses of connected systems. This information is transmitted OTA without encryption. As for DHCP, anyone with the ability to crack your wireless encryption will also know how to detect your IP range and set a static IP.

If wireless security is a major concern, you should separate it from your wired LAN (wireless DMZ) and use strong encryption/passwords. If necessary, only allow secure services, like SSH, through your WLAN -> LAN firewall.
 
Old 01-09-2014, 12:31 PM   #44
Smokey_justme
Member
 
@Z038: My game example was just that, an example.. Also, there are a lot of users playing browser games to avoid in-game rules as "one person per account" and "one account per person per game world"..

I completely agree with the rest of your text.. That was actually my point, TOR does not offer security... It offers anonymity. I just emphasized on the fact that it actually creates a risk if you are not aware of this fact..

---

And, just not to be completely off-topic, a small program that I always use (most often for the SSH server) is Fail2Ban (available from slackbuilds.org for Slackware).. It's small, simple, powerful and extendable..
 
Old 01-09-2014, 12:53 PM   #45
Smokey_justme
Member
 
Quote:
Originally Posted by granth
Hidden SSID, MAC ACL, and disabling DHCP does nothing to enhance security. These things will only make your life more difficult. Any person within range of your WLAN can easily sniff out the hidden SSID and MAC addresses of connected systems. This information is transmitted OTA without encryption. As for DHCP, anyone with the ability to crack your wireless encryption will also know how to detect your IP range and set a static IP.
Hehe, I agree and disagree with you at the same time... As you said, you should define security goals and acceptable risk and it depends of what you are protecting..

Now, the average user will not be targeted specifically... That means that someone will try to break in only for fun or for internet access.. That also means that attackers won't packet sniff from the start.. Rather, a bored boy looking for internet access will probably look at his phone and search for some good place to sit on a bench or sidewalk and power up his laptop... Thus enter hidden SSID... Then, average Joe will be in danger of being hacked by the average script-kiddie, who, upon successfully cracking a number of wifis following an online tutorial, still isn't sure what he's doing and will move on if stuff begins to fail, thus enter MAC ACL..

Static IPs simply served the specific case, allowing AlleyTrotter to write a better firewall in case someone does actually break in..

So, while I agree that hidden SSID, MAC access control lists and disabled DHCP do not do much in adding real extra security, I disagree about the fact that these aren't viable steps in protecting your network..
 
  

