Securing Linux



grey_1
08-21-07, 09:00 PM
Pretty straight forward. So many of the tutorials and suggestions I find are out of date or at odds with each other.

I'll have two linux and 1 win box on a small home network, and would like some suggested reading tips on the best way to really start becoming familiar with security on these things.

Thanks in advance.

evilghost
08-21-07, 09:18 PM
The first thing you need to do is disable unneeded listening daemons. I usually do this by issuing a "netstat -apvtul" which means "all program verbose tcp udp listening". Identify what you don't need and disable that daemon. There's various ways to do this, on a Debian system, I find it easy to just "cd /etc/init.d" and "update-rc.d -f [daemon] remove". RedHat based systems you can use "sysvinit".

The second thing you need to do is establish a good ingress (inbound) and egress (outbound) firewall policy. Things like FireStarter can allow you to configure iptables via GUI, however, I find it better to actually understand iptables so you can configure it manually.

I've got much more to say but I need to determine the context. For example, do you allow SSH inbound? If so, you can use keybased authentication, don't permit root login, only use protocol version 2, change the default listen port, and use something like fail2ban to prevent brute force attacks. You can also use port-knocking.
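
The SSH and firewall advice in the post above, as an added example (shell; not evilghost's code and not from this thread): an audit of an sshd_config against those settings, and a generator for an iptables-restore ruleset with default-deny ingress and egress. The config text, the port 2222 and the egress allowlist are constructed assumptions; the ruleset is printed for review, never applied.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an sshd_config for the settings
# recommended above and prints an iptables-restore ruleset with default-deny
# ingress and egress. Nothing here touches the live system.

# Constructed sshd_config with two of the weak defaults still in place.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Effective value of one keyword: sshd uses the first occurrence, so do we.
sshd_value() {  # $1 = keyword, $2 = config text
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# One OK/FAIL/WARN line per check; returns 1 if any FAIL was printed.
audit_sshd() {  # $1 = config text
    cfg="$1"
    failed=0
    check() {  # $1 = keyword, $2 = wanted value, $3 = reason
        actual=$(sshd_value "$1" "$cfg")
        if [ "$actual" = "$2" ]; then
            echo "OK   $1 $actual"
        else
            echo "FAIL $1 is '${actual:-unset}', want '$2' ($3)"
            failed=1
        fi
    }
    check PubkeyAuthentication yes "enable keys before turning passwords off"
    check PasswordAuthentication no "key-based auth only, nothing to brute-force"
    check PermitRootLogin no "log in as a user, escalate with su/sudo"
    check Protocol 2 "SSH protocol 1 is obsolete"
    port=$(sshd_value Port "$cfg")
    if [ "${port:-22}" = 22 ]; then
        echo "WARN Port 22: default port, expect constant scanner noise"
    else
        echo "OK   Port $port"
    fi
    return "$failed"
}

# Number of FAIL lines, handy for scripting.
audit_failures() {  # $1 = config text
    audit_sshd "$1" | grep -c '^FAIL' || true
}

# Emit an iptables-restore ruleset: default-deny in both directions, SSH accepted
# only on the chosen (assumed) port with a rate limit, egress limited to DNS, NTP
# and HTTP(S). Review the output before feeding it to iptables-restore.
firewall_rules() {  # $1 = SSH port (default 2222)
    ssh_port="${1:-2222}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and already-established traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ingress: SSH on the non-default port, more than 5 new connections/minute dropped
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# egress: only what a workstation needs; everything else is logged, then hits the DROP policy
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j LOG --log-prefix "IN-DROP: " --log-level 4
-A OUTPUT -j LOG --log-prefix "OUT-DROP: " --log-level 4
COMMIT
EOF
}
```

Run `audit_sshd "$(cat /etc/ssh/sshd_config)"` against a real config to see the same report; the order of the checks matters in practice too, since disabling passwords before keys are installed locks you out.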

grey_1
08-21-07, 09:35 PM
The first thing you need to do is disable unneeded listening daemons. I usually do this by issuing a "netstat -apvtul" which means "all program verbose tcp udp listening". Identify what you don't need and disable that daemon. There's various ways to do this, on a Debian system, I find it easy to just "cd /etc/init.d" and "update-rc.d -f [daemon] remove". RedHat based systems you can use "sysvinit".

The second thing you need to do is establish a good ingress (inbound) and egress (outbound) firewall policy. Things like FireStarter can allow you to configure iptables via GUI, however, I find it better to actually understand iptables so you can configure it manually.

I've got much more to say but I need to determine the context. For example, do you allow SSH inbound? If so, you can use keybased authentication, don't permit root login, only use protocol version 2, change the default listen port, and use something like fail2ban to prevent brute force attacks. You can also use port-knocking.
Thanks eg! This is exactly the type of stuff I'm looking for.

Removing the daemons not a problem, the iptables I want to learn. Time to get past the 'button monkey' stage. :D

SSH inbound will be allowed, but only temporarily so I can gain a passing familiarity with it.

Fail2ban I had to google. I like it, are there any limitations on updating its IP list...er...updating the iptables?

I feel like a kid at christmas. I should have the third rig up tomorrow, + my laptop will be used now and again, through a linksys BEFSR41 I was given, seems nice and pretty configurable. Heh, got to learn that too!

evilghost
08-21-07, 09:41 PM
I use fail2ban, it's quite powerful, I use it to detect 404 and 401 errors on my webserver and ban them immediately, if they connect to an IP and not a vhost. It works very well at mitigating the brute-force and script-kiddie attacks. I also use it for SSH, but again, I run it on a high TCP port, not TCP 22, and I don't see brute force attacks. That, and I'm using key-based authentication, not password authentication.

OSSEC-HIDS is a great IDS for a local machine and its log analysis engine is outstanding; think of it as Snort for logs.

There's tons of information I can give but it's hard to 'dd if=/dev/evilghost of=/dev/grey_1' without knowing what's applicable to you.
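
The "ban on 401/404 when they hit the bare IP instead of a vhost" idea from the post above, as added detection logic (shell; not evilghost's setup and not from this thread). The log lines are constructed in Apache's vhost_combined format with documentation-range addresses, the fail2ban filter name is assumed, and the ban commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: fail2ban-style detection over web logs.
# Constructed log lines, vhost_combined format: vhost:port, client IP, ident,
# user, [timestamp], "request", status, size. IPs are documentation ranges.
SAMPLE_LOG='example.org:80 203.0.113.7 - - [22/Aug/2007:08:41:02 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10:80 198.51.100.9 - - [22/Aug/2007:08:41:05 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 312
192.0.2.10:80 198.51.100.9 - - [22/Aug/2007:08:41:05 -0500] "GET /admin/ HTTP/1.1" 404 312
192.0.2.10:80 198.51.100.9 - - [22/Aug/2007:08:41:06 -0500] "GET /manager/html HTTP/1.1" 401 381
example.org:80 203.0.113.7 - - [22/Aug/2007:08:42:10 -0500] "GET /missing.png HTTP/1.1" 404 312
192.0.2.10:80 203.0.113.50 - - [22/Aug/2007:08:43:00 -0500] "GET /robots.txt HTTP/1.1" 404 312'

# Print "hits ip" for each client that produced at least $2 (default 2) 401/404
# responses while addressing the server by IP rather than by hostname. A real
# visitor who mistyped one URL on a named vhost is never counted.
ban_candidates() {  # $1 = log text, $2 = threshold
    printf '%s\n' "$1" | awk -v min="${2:-2}" '
        # $1 vhost:port, $2 client, $10 status (the vhost shifts the usual $9 by one)
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ && ($10 == 401 || $10 == 404) { hits[$2]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' | sort -rn
}

# The same rule as a fail2ban filter (assumed file name apache-noscan.conf).
# <HOST> is where fail2ban captures the address it will ban; the jail section
# supplies maxretry/findtime/bantime, which is what "ban immediately" tunes.
fail2ban_filter() {
    cat <<'EOF'
[Definition]
failregex = ^[0-9.]+:[0-9]+ <HOST> - \S+ \[[^]]+\] "[A-Z]+ \S+ HTTP/[0-9.]+" (401|404) \S+
ignoreregex =
EOF
}

# Turn the candidates into the iptables commands a ban action would run;
# printed, not executed, so they can be reviewed first.
ban_commands() {  # $1 = log text, $2 = threshold
    ban_candidates "$1" "$2" | while read -r hits ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $hits hits"
    done
}
```

Note how the vhost check does the heavy lifting: scanners enumerate address ranges and never know your hostname, so a 404 against the bare IP is a much stronger signal than a 404 on its own.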

evilghost
08-21-07, 09:45 PM
I also watch security trends, vulnerabilities, and issues via RSS. I use liferea and I'd be more than happy to share my RSS subscriptions with you.

grey_1
08-21-07, 09:50 PM
I use fail2ban, it's quite powerful, I use it to detect 404 and 401 errors on my webserver and ban them immediately, if they connect to an IP and not a vhost. It works very well at mitigating the brute-force and script-kiddie attacks. I also use it for SSH, but again, I run it on a high TCP port, not TCP 22, and I don't see brute force attacks. That, and I'm using key-based authentication, not password authentication.

OSSEC-HIDS is a great IDS for a local machine and its log analysis engine is outstanding; think of it as Snort for logs.

There's tons of information I can give but it's hard to 'dd if=/dev/evilghost of=/dev/grey_1' without knowing what's applicable to you.
Lol, I got a kick out of that.

Basically my main rig running Deb, my second box running Deb, my wife's Win PC.

My second rig is going to be my learning box...starting with the security, then file sharing, server set up etc. I'm not worried about breaking the install on it. This entire setup is a learning exercise for me, the more the better, as it's very pertinent to my career as well as personal gratification from learning as much as I can.

A formal college would be best, but family's needs are still priority with me. :) Ergo my plea to MikeC for this forum.

grey_1
08-21-07, 09:52 PM
I also watch security trends, vulnerabilities, and issues via RSS. I use liferea and I'd be more than happy to share my RSS subscriptions with you.
I'm interested, although I'm not sure I would understand what I'm reading at this point.

Lol, I'll pretty much be full time linux soon as I finish Bioshock :D so the learning will be faster.

evilghost
08-22-07, 08:41 AM
I use the following RSS feeds:
Security Viewpoints - http://feeds.feedburner.com/advosys/viewpoints
Milw0rm - http://www.milw0rm.com/rss.php
Stephen Esser's PHP Security Blog - http://blog.php-security.org/feeds/categories/1-PHP.rss
SecuriTeam - http://www.securiteam.com/securiteam.rss
Packet Storm Security (last files) - http://packetstormsecurity.org/last.xml
SANS ISC - http://iscxml.sans.org/rssfeed_full.xml
SANS ISC SecNewsFeed - http://iscxml.sans.org/newssummary.xml
eEye Digital Security - Zero-Day Tracker - http://research.eeye.com/rss/zeroday.rss

evilghost
08-22-07, 08:43 AM
A formal college would be best, but family's needs are still priority with me. :) Ergo my plea to MikeC for this forum.

In the security industry there's little value in formal education because:
1) The instructors usually don't understand the material themselves.
2) The material is outdated
3) Practical experience is more job valuable.

DiscipleDOC
08-22-07, 09:36 AM
There's tons of information I can give but it's hard to 'dd if=/dev/evilghost of=/dev/grey_1' without knowing what's applicable to you.
I use this command (or a variation) to zero out hard drives when we reimage them....

In the security industry there's little value in formal education because:
1) The instructors usually don't understand the material themselves.
2) The material is outdated
3) Practical experience is more job valuable.
QFT. It's hard to get an education on cutting edge technology.

grey_1
08-22-07, 02:51 PM
In the security industry there's little value in formal education because:
1) The instructors usually don't understand the material themselves.
2) The material is outdated
3) Practical experience is more job valuable.
Good to hear, all the more reason to dig in here. I'll be back bugging you for help once I have this set up. :D


Thanks Bro.

nekrosoft13
08-23-07, 11:11 AM
The first thing you need to do is disable unneeded listening daemons.


linux got DEMONS!!,



..... runs away..........

six_storm
08-23-07, 07:34 PM
I need to take a crash course in network security. There is a class on campus for "Intro to Network Security" but I won't be able to take it until next Spring.

ViN86
08-23-07, 11:59 PM
I need to take a crash course in network security. There is a class on campus for "Intro to Network Security" but I won't be able to take it until next Spring.
i find that i tend to learn programming and things of the sort better just by reading books.

maybe you should try picking up a book and just reading it. then again, if you want credits, that's a different story :p

six_storm
08-24-07, 09:38 AM
i find that i tend to learn programming and things of the sort better just by reading books.

maybe you should try picking up a book and just reading it. then again, if you want credits, that's a different story :p

I've been thumbing through some books here and there when I get a chance to head down to BAM, but most of the network security books are either too simple ("How to use Anti-virus software!") or over the security features of Windows Server 2k3. And then there are the books that have the word "Hacker" in the title which are just a marketing ploy. They don't teach you anything but are rather more fictional than anything.

Since I have to take so many hours of credits, you can bet I'll be taking some classes like network security 101. :D

ViN86
08-24-07, 09:42 AM
I've been thumbing through some books here and there when I get a chance to head down to BAM, but most of the network security books are either too simple ("How to use Anti-virus software!") or over the security features of Windows Server 2k3. And then there are the books that have the word "Hacker" in the title which are just a marketing ploy. They don't teach you anything but are rather more fictional than anything.

Since I have to take so many hours of credits, you can bet I'll be taking some classes like network security 101. :D
heh, i know what you mean.

that is a good point. most security books i see are along the lines of what you said and probably wouldn't offer very much good material.

six_storm
08-24-07, 03:49 PM
heh, i know what you mean.

that is a good point. most security books i see are along the lines of what you said and probably wouldn't offer very much good material.

I actually stopped by a local BAM and looked at their "Networking" section. Not much has changed. The only real interesting books are a little over my head (even in the first chapter!) so I put them back down lol.

grey_1
08-24-07, 05:30 PM
I've been thumbing through some books here and there when I get a chance to head down to BAM, but most of the network security books are either too simple ("How to use Anti-virus software!") or over the security features of Windows Server 2k3. And then there are the books that have the word "Hacker" in the title which are just a marketing ploy. They don't teach you anything but are rather more fictional than anything.

Since I have to take so many hours of credits, you can bet I'll be taking some classes like network security 101. :D
+1 Hence this thread.

Now if my "learning" rig will just Freakin install debian for me I'll be all set. Freezes about halfway through. Meh...it's older hardware, I'll MAKE it work.

evilghost
08-24-07, 05:49 PM
Probably buggy APIC, check for bios updates and try booting with noapic.

grey_1
08-24-07, 07:56 PM
Probably buggy APIC, check for bios updates and try booting with noapic.
I did on both. I'm hoping it's not just a buggy generic mobo, older hp nf2 with an athlon XP2600.

It loaded dsl just fine a couple times though, so dsl isn't loading or initializing something that deb is. My iso checks good, I may just re-download it and try it again.

evilghost
08-24-07, 09:28 PM
acpi=off ?

grey_1
08-24-07, 09:37 PM
acpi=off ?
Nope, forgot this one. :o I've used it enough before, you would think I'd remember it. I'll post in the a.m. how it goes.

grey_1
08-24-07, 09:48 PM
Been meaning to ask too, on choosing which daemons to get rid of, shouldn't I use 'netstat --all --programs' ? Or just use both?

Thanks man.

evilghost
08-24-07, 09:53 PM
Been meaning to ask too, on choosing which daemons to get rid of, shouldn't I use 'netstat --all --programs' ? Or just use both?

Thanks man.

netstat -apvtul
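
Reading that listing by eye gets old quickly, so here is an added example (shell; not from this thread or either poster) of the "identify what you don't need" step: it parses constructed `netstat -apvtul` output and reports every listening socket whose program is not on an allowlist you supply, tagging whether the socket is bound to all interfaces or only to loopback. The sample listing, including sshd on port 2222, is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Parses netstat -apvtul output (run as
# root so the PID/Program column is filled in) and flags unexpected listeners.

# Constructed netstat output; a typical Debian box of the period.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1301/exim4
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      987/portmap
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1502/smbd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           876/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           987/portmap'

# Print "proto port scope program" for each listening socket whose program is
# not in the allowlist ($2, space separated). UDP rows have no State column,
# so the program name sits one field earlier than on TCP rows.
unexpected_listeners() {  # $1 = netstat text, $2 = allowed program names
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $6 == "LISTEN" { prog = $7 }
        $1 == "udp"                   { prog = $6 }
        $1 != "tcp" && $1 != "udp"    { next }
        $1 == "tcp" && $6 != "LISTEN" { next }
        {
            n = split($4, addr, ":"); port = addr[n]
            split(prog, pp, "/"); name = pp[2]
            if (name in ok) next
            # loopback-only services cannot be reached from the LAN; the rest can
            scope = (addr[1] == "127.0.0.1" || $4 ~ /^::1:/) ? "local-only" : "all-interfaces"
            print $1, port, scope, name
        }'
}

# Debian: one update-rc.d line per flagged program, as in the first reply above.
# The init script name is often not the process name (smbd lives in the "samba"
# script), so confirm each name against /etc/init.d before running these.
disable_commands() {  # $1 = netstat text, $2 = allowed program names
    unexpected_listeners "$1" "$2" | awk '{ print $4 }' | sort -u | while read -r name; do
        echo "update-rc.d -f $name remove"
    done
}
```

On a live box, `unexpected_listeners "$(netstat -apvtul)" "sshd dhclient"` gives the same report; a service that is needed locally but shows up as all-interfaces (the portmap rows here) is the usual candidate for binding to 127.0.0.1 or blocking at the firewall rather than removing outright.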

grey_1
08-24-07, 10:11 PM
netstat -apvtul
That's confusing..I recognize a good deal of what's there,

What are common ones that usually should be closed? Should I just post the output?

EDIT: Just realised what that first line looks like, lol. Thinking and typing...