John Summerfield and Tom Horsley wrote:

> Subject: Re: [Fedora] Seeking input on Securing the Linux system from
> intrusions and attacks.
>
> Daniel B. Thurman wrote:
>> I have finally got my F8 setup and running so now I am reviewing the
>> security issues that need to be taken into account.
>>
>> [snip!]
>>
>> Does anyone have any advice, links to great sites focused on security
>> and how to secure your Linux box against intrusions and attacks?
>
>
> What you need to do depends on what you're trying to protect.
> [snip!]

Summary:

John: VPN, shorewall, don't use hosts.{allow,deny} because of iptables, systems cannot be port-scanned, keep watching logs. Firewall to control spam + use of "countermeasures" and manually add blocks.

Tom: ssh only. All other ports blocked(?).

============

Well, what am I trying to protect against? Some are identified below, but not limited to these. I found via iptraf some of the things I added to the list below:

1) General iptables schemes to otherwise block IPs, domains, and general attacks such as those identified below. I am not well-versed in the use of iptables, which is why I use firestarter at the moment, and I haven't yet learned how to use shorewall as advised by John.

2) SYN/FIN/RST/CAN combo attacks
   [Note: I have seen an iptables "technique" to block various forms/combinations of SYN/FIN/RST/CAN combos. I cannot foresee the end results of these attacks, but it causes me some consternation. I get reports daily on these via my HW SonicWall firewall appliance and have no idea what to do. All I see are MAC addresses as "they" hide their source/destination OR are using packet schemes I do not recognize. Are these harmful, harmless, hog resources, or what? Beats me.]

3) DDoS/Spoof attacks
   [Note: My ports are "hammered" at times, causing resource hogs.]

4) Foil port-scanner intrusions (various schemes)
   [Note: You can see "them", "walking the dog".]

5) DNS attacks
   [Note: "They" are attempting to update/modify table entries.]

6) Sendmail spam, viruses, ...
   [Note: I am learning, trying to find ways to greylist, blacklist, regex, pattern/keyword blocks, ... but I am not there yet. As it is, it is very time consuming manually identifying spammers' IP/domain names and adding them to the block list. As it is, I get messages marked [SPAM] and yet I still have to deal with them (deleting them) instead of simply not receiving them, and some find ways around spamassassin/clamav anyway.]

7) Database attacks (MySQL, PostgreSQL, ...)
   [Note: "They" are probing for holes, trying brute-force password cracking, and DDoS attacks, or so it seems.]

8) Website attacks (Apache, Tomcat, and others...)
   [Note: The same as above (7) but with more tricks, since there are a lot of "doors" to attack. Yes, I am being vague in the interest of brevity.]

Anyway, this is my "short" list that I am working on right now, so I guess I have a lot of work to do.