Daniel B. Thurman wrote:
John Summerfield and Tom Horsley wrote:
Subject: Re: [Fedora] Seeing input on Securing the Linux system from intrusions and attacks.
Daniel B. Thurman wrote:
I have finally got my F8 setup and running so now I am reviewing the
security issues that need to be taken into account.
[snip!]
Does anyone have any advice, links to great sites focused on security
and how to secure your Linux box against intrusions and attacks?
What you need to do depends on what you're trying to protect.
[snip!]
Summary:
John: vpn, shorewall, don't use hosts.{allow,deny} because of iptables,
systems cannot be port-scanned, keep watching logs. Firewall to
control spam + use of "countermeasures" and manually add blocks.
Tom: ssh only. All other ports blocked(?).
============
Well, what I am trying to protect against? Well some are
identified below but not limited to these. I found via
iptraf, some of the things I added to the list below:
1) General iptables schemes to otherwise block IPs, domains,
and general attacks such as those identified below. I am
not well-versed in the use of iptables which is why I use
firestarter at the moment and I haven't yet learned how to
use shorewall as advised by John.
2) SYN/FIN/RST/CAN combo attacks
[Note:
I have seen an iptables "technique" to block various
forms/combinations of SYN/FIN/RST/CAN combos. I
cannot foresee the end-results of these attacks but it
causes me some consternation. I get reports daily
on these via my HW SonicWall firewall appliance and
have no idea what to do. All I see are MAC addresses as
"they" hide their source/destination OR are using
packet schemes I do not recognize. Are these harmful,
harmless, hog resources, or what? Beats me.
]
3) DDos/Spoof attacks
[Note:
My ports are "hammered" at times causing resource hogs.
]
4) Foil Port-scanner intrusions (various schemes)
[Note:
You can see "them", "walking the dog".
]
5) DNS attacks
[Note:
"They" are attempting to update/modify table entries.
]
6) Sendmail Spams, viruses, ...
[Note:
I am learning, trying to find ways to greylist, blacklist,
regex, pattern/keyword blocks, ... but I am not there yet.
As it is, it is very time consuming manually identifying
spammer's IP/domain names and adding them to the block
list. As it is, I get messages with [SPAM] marked and
yet I still have to deal with them (deleting them) instead
of simply not receiving them, and some find
ways around spamassassin/clamav anyway.
That's why I often block a large network when I identify a source of
spam. The largest networks I block are in China - because that's where I
find the largest networks assigned to a single organisation (such as a
university).
Note, I do not automatically delete spam. If it gets past the
impediments I place to its delivery, I then mark it up with
spamassassin, and filter it (with procmail) into a special spam folder
where users can choose for themselves whether to keep or delete. I find
it easy to see, "There's no ham there today," and ^A[del] the lot.
]
7) Database attacks (MySql, PostgreSQL, ...)
[Note:
"They" are probing for holes, trying brute-force password
cracking, and DDos attacks, or so it seems.
]
8) Website attacks (Apache, Tomcat, and others...)
[Note:
The same as above (7) but with more tricks since there are a lot
of "doors" to attack. Yes, I am being vague in the interest of
brevity.
]
Anyway, this is my "short" list that I am working on right now, so I
guess I have a lot of work to do.
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.17.9/1198 - Release Date: 12/26/2007 5:26 PM
Frankly, I don't value AV "sigs" such as this. What's to prevent my
including it in my spam?
Let's use "hostile interface" to mean a network interface which the
ungodly might attack. Typically, it's one's interface to the public
internet, but it could be a wireless interface or even a local LAN.
A service (such as postgresql) that is not listening to a hostile
interface is not subject to attack through it. If it's not providing a
service to those on the other side of a hostile interface, the server
should not be listening to it.
Some of those attacks attack only the kernel. Your only protection is to
keep your kernel up2date.
Websites are necessarily (most often) listening to a hostile interface.
Keep the software up2date, keep an eye out for security concerns. Most
likely-to-succeed attacks will attack your application - groupware,
wikiware and such. Some of that will need access to your databases, and
a successful attack against that might give access to other stuff such as
your databases.
Rate-limiting incoming connexions restricts enumerating accounts'
passwords. I do that for ssh. IMAP, SMTP (if you allow password
authentication for out-of-office users) and FTP are also subject to
this. If you don't run an ftp server, the ungodly can't use it to breach
your security.
If you want a stable, secure system, start with your software selection.
Fedora's not the answer, just look at how many people have problems
after updating their software!
Next, buy and read and understand books dealing with installing,
configuring & securing Linux. There's a lot of HOWTOs out there, and
mostly they're good, but they don't provide a complete, well-considered
course of study.
Speaking of which, a good course is hard to beat. I have the impression
your own experience is rather limited.
I have a book here, "Linux Firewalls" that's about 560 pages. That's
only part of what you need, you're not going to get all your answers
here. I also have "Reliable Linux," "Maximum Linux Security" and then
books on sendmail, tomcat, mysql, postgresql, LDAP and other topics
deserve consideration, according to your specific needs.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
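John's "hostile interface" rule (a service that is not listening on the interface the ungodly can reach is not attackable through it) is easy to state and easy to forget to check. The script below is an added example, not code from anyone in this thread: it reads `ss -ltn` (or `netstat -ltn`) output and prints every listening socket that is reachable from the public interface, i.e. bound to a wildcard address or to the public address itself. The public address 203.0.113.10 and the sample socket listing are constructed for the example; set PUBLIC_IP to your own hostile-interface address.

```shell
#!/bin/sh
# Added example: list services that are listening on a "hostile" interface.
# Input is `ss -ltn` or `netstat -ltn` output; in both the 4th field is the
# local address:port. PUBLIC_IP (assumed: 203.0.113.10, a documentation
# address) is the address of the interface exposed to the internet.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# hostile_listeners: read socket listing on stdin, print "addr:port" for each
# socket bound to 0.0.0.0, ::, * (wildcard) or to the public address.
hostile_listeners() {
    awk -v pub="$PUBLIC_IP" '
        $4 ~ /:[0-9]+$/ {                 # skips header lines
            local = $4
            n = split(local, parts, ":")
            port = parts[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            gsub(/\[|\]/, "", addr)       # strip IPv6 brackets, e.g. [::1]
            if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == pub)
                print addr ":" port
        }'
}

# Constructed sample in `ss -ltn` format: sshd and httpd on wildcard
# addresses, postgresql bound to the public address, sendmail and cups
# bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    203.0.113.10:5432   0.0.0.0:*
LISTEN 0      128    [::1]:631           [::]:*
LISTEN 0      511    *:80                *:*'

# Run stand-alone: audit the live host if ss is available, otherwise show the
# audit of the constructed sample.
if command -v ss >/dev/null 2>&1; then
    ss -ltn | hostile_listeners
else
    printf '%s\n' "$SAMPLE_SS" | hostile_listeners
fi
```

Anything the script prints that is not meant to serve the internet (postgresql on 203.0.113.10:5432 in the sample) should be rebound to 127.0.0.1 or the internal interface (postgresql's listen_addresses, mysqld's bind-address, Apache's Listen directive) rather than merely firewalled, so that a firewall mistake does not expose it.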
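Two of Daniel's items (the SYN/FIN/RST flag combinations reported by the SonicWall, and iptables rules he has not yet learned to write) and John's advice to rate-limit incoming connections on ssh can be covered by a short iptables rule set. The script below is an added example, not from the thread or from shorewall/firestarter: it drops TCP packets whose flag combinations never occur in legitimate traffic (NULL, XMAS, SYN+FIN, SYN+RST, FIN+RST, lone FIN/URG) and uses the `recent` match to drop a source address that opens more than HITCOUNT new ssh connections within WINDOW seconds. It assumes the `conntrack` and `recent` match modules are available; the public interface name (eth0), the list of public TCP ports and the thresholds are assumptions to adjust. Without the `apply` argument it only prints the rules.

```shell
#!/bin/sh
# Added example: minimal INPUT chain with bogus-flag drops and ssh rate limiting.
# Assumptions: eth0 is the hostile interface; ssh (22), smtp (25) and http (80)
# are the only services meant to be reachable from it; 4 new ssh connections
# per 60 s from one source is the brute-force threshold.
IPT="${IPT:-iptables}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-22 25 80}"
WINDOW="${WINDOW:-60}"
HITCOUNT="${HITCOUNT:-4}"
DRY_RUN="${DRY_RUN:-1}"

# rule: print the iptables command in dry-run mode, otherwise execute it.
rule() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

# Flag combinations that no RFC-conformant stack sends; each line names the
# scan type that produces it.
bogus_flags_rules() {
    rule -A INPUT -i "$PUBLIC_IF" -m conntrack --ctstate INVALID -j DROP
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags ALL NONE -j DROP        # NULL scan
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags ALL ALL -j DROP         # XMAS scan
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags ACK,FIN FIN -j DROP     # FIN scan
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --tcp-flags ACK,URG URG -j DROP
}

# Each NEW ssh connection records the source in the "sshbf" list; once a
# source has HITCOUNT entries within WINDOW seconds its further attempts drop.
ssh_ratelimit_rules() {
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 -m conntrack --ctstate NEW \
         -m recent --name sshbf --set
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 -m conntrack --ctstate NEW \
         -m recent --name sshbf --update --seconds "$WINDOW" --hitcount "$HITCOUNT" -j DROP
    rule -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Accept NEW connections only to the ports that are meant to be public
# (22 is handled by the rate-limited rules above, so it is skipped here).
public_service_rules() {
    for port in $PUBLIC_TCP_PORTS; do
        [ "$port" = 22 ] && continue
        rule -A INPUT -i "$PUBLIC_IF" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# all_rules: full INPUT chain in evaluation order, default policy DROP.
all_rules() {
    rule -F INPUT
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    bogus_flags_rules
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ssh_ratelimit_rules
    public_service_rules
}

# Usage: sh firewall.sh         (print the rules)
#        sh firewall.sh apply   (install them; run as root)
[ "${1:-}" = apply ] && DRY_RUN=0
all_rules
```

The ordering matters: the INVALID/bogus-flag drops come before the ESTABLISHED,RELATED accept so that crafted packets cannot ride an existing connection, and the `--set` rule precedes the `--update --hitcount` rule so the current attempt counts toward the threshold. Key-only ssh authentication (PasswordAuthentication no) removes most of what the rate limit is protecting against in the first place; the limit then mainly keeps the log noise and CPU cost down.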