LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 01-09-2014, 08:07 PM   #46
Arcosanti
Member
 
Registered: Apr 2004
Location: Mesa, AZ USA
Distribution: Slackware 14.1 kernel 4.1.13 gcc 4.8.2
Posts: 246

Rep: Reputation: 22

Quote:
Originally Posted by Smokey_justme View Post
Hehe, I agree and disagree with you at the same time... As you said, you should define security goals and acceptable risk, and it depends on what you are protecting.

Now, the average user will not be targeted specifically... That means that someone will try to break in only for fun or for internet access. That also means that attackers won't packet sniff from the start. Rather, a bored boy looking for internet access will probably look at his phone and search for some good place to sit on a bench or sidewalk and power up his laptop... Thus, enter hidden SSID... Then, average Joe will be in danger of being hacked by the average script kiddie, who, upon successfully cracking a number of Wi-Fi networks following an online tutorial, still isn't sure what he's doing and will move on if stuff begins to fail; thus, enter MAC ACL.

Static IPs simply served the specific case, allowing AlleyTrotter to write a better firewall in case someone does actually break in..

So, while I agree that hidden SSID, MAC access control lists and disabled DHCP do not do much in adding real extra security, I disagree that these aren't viable steps in protecting your network.
Personally, I would suggest just sticking with WPA/WPA2 and a good long complicated passkey to go with it, and with encryption enabled. Disabling the SSID just isn't a very good idea, as the 802.11 specs are not designed with it in mind. Also, your neighbors will not know what channel you are on and might end up using the same channel as you, killing your wireless speeds.

Last edited by Arcosanti; 01-09-2014 at 08:15 PM. Reason: The usual spelling typos.
 
Old 01-09-2014, 09:29 PM   #47
salemboot
Member
 
Registered: Mar 2007
Location: America
Distribution: Linux
Posts: 161

Rep: Reputation: 36
Quote:
Originally Posted by Smokey_justme View Post
Actually, all incoming connection attempts should be blocked
BIOS passwords are useless in most cases. They're only useful in libraries or computer laboratories at schools, etc. Basically anywhere you can't keep an eye on what every person is doing on the PCs, but opening the case of that PC is not an option for them.

Encryption is useful in case you have important stuff on your mobile PC (laptops, anyone?) and it gets stolen... It is rarely useful on a desktop computer. But, to be fair, this is only my opinion. Encrypted partitions do indeed provide some extra security.
Behind a router, blocking everything incoming except the 192.168.1.X or 10.0.0.X family of IPs is sufficient. It highly depends on the IP category you use. You still want to be able to serve up other machines in the house if it's a server: SSH and SMBFS. But it will cause problems blocking everything if you use BitTorrent.

Encryption helps physical and network security. It's more of a last resort. Generally you encrypt your home directory separately from the other partitions. I wasn't very clear about it. Your root partition is decrypted during operation, but your home directory isn't decrypted for anyone except you when you are logged in.
It's a last line of defense, but if you get a rootkit, the rootkit can't access your home directory. Think of it as access control.

Tor comes stock with NoScript and various web services blocked by default. Yes, it will protect your anonymity, but it will also keep you from infecting yourself poking around the Internet. Websites can fingerprint your machine. Look below and to the left; it says I'm using MacOS.
 
Old 01-10-2014, 06:29 AM   #48
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Quote:
Originally Posted by Arcosanti
Personally, I would suggest just sticking with WPA/WPA2 and a good long complicated passkey to go with it, and with encryption enabled. Disabling the SSID just isn't a very good idea, as the 802.11 specs are not designed with it in mind. Also, your neighbors will not know what channel you are on and might end up using the same channel as you, killing your wireless speeds.
Well, I'm extrapolating, but TCP/IP was not designed with NAT in mind. One IP per device was the standard... Should that stop us from using internal networks? Should we, upon implementing IPv6, respect the one-IP-per-device standard and essentially start relearning how to build secure internal networks?

I completely respect your point of view about wireless networks; it just shows how different people have different priorities when implementing security... But if you've gone with a hidden SSID, changing your channel is not that big of a hassle. I've already stated my reasoning behind this.


Quote:
Originally Posted by salemboot View Post
Behind a router, blocking everything incoming except the 192.168.1.X or 10.0.0.X family of IPs is sufficient. It highly depends on the IP category you use. You still want to be able to serve up other machines in the house if it's a server: SSH and SMBFS. But it will cause problems blocking everything if you use BitTorrent.
I have to disagree. Security should be redundant. Incoming connections should not be allowed by default. That does not mean you can't open your SSH port if you have to, depending on your needs. The idea is to allow new connections only when needed; I thought this was clear. Considering how much good documentation is out there for setting up iptables-based firewalls, this is also not a hassle and definitely not something that should be ignored.

Can you explain why BitTorrent packets would not have a problem getting passed by the router to you but would hit a brick wall on your firewall? I might be missing something. Of course, your router might not support NAT-PMP and not work by default, requiring you to set up both port forwarding and open up a port on your PC firewall (and use a static IP for that PC), but that's a router problem that you'll have even if your PC doesn't have any firewall at all.

Quote:
Originally Posted by salemboot View Post
Encryption helps physical and network security. It's more of a last resort. Generally you encrypt your home directory separately from the other partitions. I wasn't very clear about it. Your root partition is decrypted during operation, but your home directory isn't decrypted for anyone except you when you are logged in.
It's a last line of defense, but if you get a rootkit, the rootkit can't access your home directory. Think of it as access control.
Hmm, kind of see your point.. It is worth a go in many situations..

Quote:
Originally Posted by salemboot View Post
Tor comes stock with NoScript and various web services blocked by default. Yes, it will protect your anonymity, but it will also keep you from infecting yourself poking around the Internet. Websites can fingerprint your machine. Look below and to the left; it says I'm using MacOS.
No. Tor will only protect your anonymity. Firefox, NoScript and the other extensions that come with the default Tor bundle will keep you safe. Do not confuse these two facts. Considering the internet is swamped with JavaScript, browsing to an unencrypted site that you frequently use and know has safe scripts, and enabling JavaScript, is more dangerous than browsing to that site from a normal connection... Even with NoScript enabled, browsing without encryption will not protect your data from being sniffed by the Tor exit node. Consider using http://webchat.quakenet.org/ behind Tor. Yay, they have no idea who you really are, so you should feel safe, right? Wrong... Instead of offering your ISP the possibility to sniff your conversation, and offering the quakenet server your real IP, you have just possibly offered your conversations to a complete stranger. In my mind, that is unacceptable.

I'm not saying Tor is a bad thing, actually it is a great thing, but it is an anonymizer, and those come with security implications. Even the Tor developers have put up a list of warnings: https://www.torproject.org/download/...tml.en#Warning

P.S. Look below and to the left on this post... It says that I'm using Win7. I'm actually using Slackware 14.1 and Chrome. No VMs or Tor involved. But I get it, you were just giving me a simple example of tracking.
Btw, for more details about tracking on the internet this should be a fun read: http://www.letmetrackyou.org/identify.php

Last edited by Smokey_justme; 01-10-2014 at 06:47 AM.
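The default-deny position Smokey_justme argues for above, as an added example that is not part of the thread or of any poster's configuration: a minimal Slackware-style rc.firewall that drops inbound traffic by default, admits replies to connections the host itself opened, offers SSH and SMB to the LAN only, and has a helper for the single extra rule a router-forwarded BitTorrent port needs. The interface name eth0, the 192.168.1.0/24 range and the port numbers are assumptions; edit them for the host. The script prints the rules rather than applying them, so they can be read before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny inbound ruleset in the style
# of a Slackware /etc/rc.d/rc.firewall. Interface and LAN range are assumptions;
# edit them to match the host.
LAN_IF=eth0
LAN_NET=192.168.1.0/24

# build_rules prints the iptables commands instead of running them, so the set
# can be read (or diffed against the last version) before it is applied as root.
build_rules() {
    cat <<EOF
iptables -F INPUT
# policy: nothing comes in unless a rule below says so; outbound stays open
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, garbage, and replies to connections this host opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services offered to the LAN only: SSH, SMB/CIFS (TCP 139/445, UDP 137/138)
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
# log what falls through to the DROP policy, rate-limited so a scan cannot fill the disk
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "rc.firewall DROP: "
EOF
}

# open_port PROTO PORT: the one extra rule for a service that must be reachable
# from outside the LAN, e.g. the BitTorrent listen port the router forwards here.
# Appending it after the LOG rule still works (LOG does not terminate); use -I
# instead of -A if the log should stay quiet for that port.
open_port() {
    printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# Usage: sh rc.firewall print   (review the rules)
#        sh rc.firewall apply   (as root, after reviewing)
case "${1:-}" in
    print) build_rules ;;
    apply) build_rules | sh ;;
esac
```

Run it with `print` first and read every line; `apply` only after the output matches what you intended. The conntrack rule is what keeps outbound-initiated traffic working while inbound stays closed, which is why a default-deny policy costs nothing for ordinary desktop use.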
 
Old 05-22-2016, 01:26 PM   #49
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-14.2
Posts: 306

Rep: Reputation: 117
What about AppArmor?

Quote:
Slackware doesn't use SELinux, and it's fairly good on handling security issues provided you actually know what you are doing, and build the proper software around the system to maximize your methods.
I was recently rebuilding a kernel and noticed that the options for SELinux were disabled. I also noticed, in the same security section, an option for AppArmor, and wondered if anyone has tried it with Slackware?
 
Old 05-09-2017, 09:55 PM   #50
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 63

Rep: Reputation: Disabled
I know this thread is a bit old, but I found this Slackware script. I'm not an expert, but what it's trying to accomplish seems like a good idea. Has anyone used it and could maybe comment on it?
https://github.com/pyllyukko/harden.sh
 
Old 05-09-2017, 11:56 PM   #51
hoodlum7
Member
 
Registered: May 2016
Posts: 30

Rep: Reputation: Disabled
Quote:
Originally Posted by Slakerlife View Post
I know this thread is a bit old, but I found this Slackware script. I'm not an expert, but what it's trying to accomplish seems like a good idea. Has anyone used it and could maybe comment on it?
https://github.com/pyllyukko/harden.sh
I looked at this and it looks interesting. However, I have some issues with how the script patches various configurations in SSH and HTTP around cryptography. The SSH configuration is locked to only AES256-CTR. I would include AES192 and AES128 as fallbacks. The bigger complaint I have is around the SSL configuration in Apache. The cipher suite is too narrow and does not include AESGCM. Additionally, the SSLProtocol is wrong. It should be configured with -all and then add TLSv1.2:

SSLProtocol -All +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

or

SSLProtocol -All +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128


I do not agree with requiring root's password instead of the user's when working with sudo. If you are not running a server, hardening is going to create some sort of reduction in ease of use for the end user. Taking common-sense steps is better security for the investment.
  1. Stop unnecessary services
  2. Use strong passwords
  3. Use a personal firewall
  4. Never send credentials in clear text (FTP, Telnet, HTTP)
  5. Keep IoT devices (smart TVs, wireless thermostats, etc.) separate from your regular home network
 
Old 05-10-2017, 05:15 AM   #52
spongetron
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 61

Rep: Reputation: Disabled
Quote:
Originally Posted by Slakerlife View Post
I know this thread is a bit old, but I found this Slackware script. I'm not an expert, but what it's trying to accomplish seems like a good idea. Has anyone used it and could maybe comment on it?
https://github.com/pyllyukko/harden.sh
I never ran the script myself, but I used it as a resource for information in the past. I would suggest following the advice from ReaperX7 in post #27 of this thread.

To harden my SSH configuration I considered the information in this blog post https://stribika.github.io/2015/01/0...ure-shell.html and storing my keys on a LUKS-encrypted USB thumb drive. The post is two years old but should still be valid today.
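hoodlum7's objection in post #51 that harden.sh pins sshd to aes256-ctr alone, and spongetron's SSH hardening pointers in post #52, as an added example that is not from the thread, from harden.sh or from the linked blog post: a small audit that reads the Ciphers, MACs and KexAlgorithms lines of an sshd_config, reports anything outside an allow-list, and flags an option narrowed to a single algorithm, which leaves no fallback when a client lacks it. The allow-lists below are this example's assumptions, not a quotation of any guide; adjust them to your own policy. The Apache SSLProtocol/SSLCipherSuite side of post #51 is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread or from harden.sh: audit the algorithm lines
# of an sshd_config against an allow-list, flagging anything outside it and any
# option narrowed to a single algorithm (no fallback if a client lacks it).
# The allow-lists are this example's assumptions, not a quotation of any guide.
OK_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
OK_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com"
OK_KEX="curve25519-sha256@libssh.org curve25519-sha256 diffie-hellman-group-exchange-sha256"

# get_option FILE NAME: value of the first active NAME line. sshd matches
# keywords case-insensitively and uses the first occurrence, so do the same;
# commented lines never match because their first field starts with '#'.
get_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_option FILE NAME ALLOWED: print one verdict per configured algorithm.
# Returns 0 only if the option is set, every entry is in ALLOWED, and at least
# two entries are configured.
audit_option() {
    file=$1; name=$2; allowed=$3
    value=$(get_option "$file" "$name")
    if [ -z "$value" ]; then
        echo "$name: not set, server default in use"
        return 1
    fi
    oldifs=$IFS; IFS=,
    set -- $value              # split the comma-separated list into $1 $2 ...
    IFS=$oldifs
    bad=0
    for alg in "$@"; do
        case " $allowed " in
            *" $alg "*) echo "$name: $alg ok" ;;
            *)          echo "$name: $alg NOT in allow-list"; bad=1 ;;
        esac
    done
    if [ $# -lt 2 ]; then
        echo "$name: only $# algorithm configured, no fallback"
        bad=1
    fi
    return $bad
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (exit status 1 if anything was flagged)
if [ $# -gt 0 ]; then
    status=0
    audit_option "$1" Ciphers "$OK_CIPHERS" || status=1
    audit_option "$1" MACs "$OK_MACS" || status=1
    audit_option "$1" KexAlgorithms "$OK_KEX" || status=1
    exit $status
fi
```

Run against a config produced by harden.sh, the Ciphers check reports the single aes256-ctr entry as "no fallback", which is exactly the complaint above; a KexAlgorithms or MACs line that is absent is reported as "not set", since a hardened config should pin those explicitly rather than inherit whatever the installed OpenSSH defaults to.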
 
Old 05-10-2017, 02:59 PM   #53
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 63

Rep: Reputation: Disabled
Quote:
Originally Posted by spongetron View Post
I never ran the script myself but I used it as a resource for information in the past. I would suggest to follow the advice form ReaperX7 in post #27 of this thread.
I guess you're referring to doing things manually instead of using some kind of magical script. Yeah, I agree, but time isn't always on my side; I would really like to learn more in depth. What I do keep reading on various forums or websites is:
1. Use a strong root password
2. Turn off unnecessary services
3. Have some kind of firewall
 
Old 05-11-2017, 06:11 AM   #54
spongetron
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 61

Rep: Reputation: Disabled
Quote:
Originally Posted by Slakerlife View Post
I guess you're referring to doing things manually instead of using some kind of magical script. Yeah, I agree, but time isn't always on my side; I would really like to learn more in depth. What I do keep reading on various forums or websites is:
1. Use a strong root password
2. Turn off unnecessary services
3. Have some kind of firewall
The problem with security is that it has a broad spectrum and there is no "one size fits all" solution. You yourself have to decide what you want to protect and how you want to protect it. That means you will have to invest some time in understanding what information/system is valuable to you and in finding solutions/activities to secure that information/system. The mentioned script shows you some possible solutions to harden your system.

I suggest reading the script, taking from it what fits your needs and generating your own script. Do not apply things you do not understand, always try to use a layered approach to security, and don't forget to back up your information.

Last edited by spongetron; 05-11-2017 at 06:12 AM.
 
Old 05-11-2017, 10:47 PM   #55
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 63

Rep: Reputation: Disabled

Quote:
Originally Posted by spongetron View Post
I suggest reading the script, taking from it what fits your needs and generating your own script. Do not apply things you do not understand, always try to use a layered approach to security, and don't forget to back up your information.
Actually, I already began to read the script to see what it does 😁, but I do have one question. I get that there is no one size fits all, but is this script intended more for a server or a desktop? I use my machine as a desktop, so I'm just wondering if you can give me some general pointers as to what I shouldn't really worry about and what stuff only applies to servers.
 
Old 05-11-2017, 10:54 PM   #56
hoodlum7
Member
 
Registered: May 2016
Posts: 30

Rep: Reputation: Disabled
Looking at the script it seems primarily designed towards a server. However, there are still useful parts for a desktop. I think the SSH and harden_etc stuff are relevant for a desktop. The PHP and Apache stuff are definitely for servers.
 
  

