Tod Merley wrote:
On Dec 29, 2007 2:43 PM, John Summerfield <debian@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Tod Merley wrote:
On Dec 27, 2007 11:10 AM, Daniel B. Thurman <dant@xxxxxxxxx> wrote:
I have finally got my F8 setup and running so now I am reviewing the
security issues that needs to be taken into account.
I would like to focus on securing Fedora. I have tried snort w/Base etc.,
Tripwire, Fam, nmap, Iptable techniques, and so on.
Does anyone have any advice, links to great sites focused on security
and how to secure your linux box against intrusions and attacks?
Thanks!
Hi Daniel B. Thurman!
It is late so topics only for tonight:
1. Turn off services you do not use.
2. Make your computer "silent" to all but those who use it - e.g. turn
off ping - e.g. use a door knock protocol on a non-standard port for
ssh to access ssh (give no reply to those who knock on the normal port
and respond to only your special "knock" on your non-standard port),
imv turning off ping is highly overrated, and introduces management
problems.
My technique that I've already posted all-but prevents password scans.
But why let them know where you are in the first place???
I run a mail server, finding me is no great difficulty.
3. Have a constant background scan done for virus, root kit, e-mail,
changes in critical files, port scan, log files (logwatch), and
audits for suspicious activity. This can and should be "niced" to not
interfere with normal operations.
One can't really trust a computer to diagnose itself.
I do agree!
Yet why not use those "brains" on the machine that are uncompromised
to see that we are compromised so we can start to do something about
it?
Thanks for the pointer though. I have considered containing all of
the on box security in a virtual machine (well, most of it anyway).
As well, why not have a separate box do the file scans, log checking,
etc...?
4. Google "pen testing". C/o osstmm.
5. Honey pots!
Really! They may be useful for detecting the ungodly, but they do
nothing to add to one's security. Quite the reverse, you must assume
that the ungodly have a nest in your midst.
Do not soldiers train with live ammo? Do you find out if something is
waterproof by exposing it to sunlight?
They don't generally invite the opposition into the camp, and that's
what you propose.
I have noted with interest that Penetration Testing has become an
expected part of any good security audit. I believe it is not only
expected, it is practically required.
The trouble one needs to take to implement security depends on what one
has to protect.
the first step is to choose software that is and will be properly
supported into the future, and that means _not_ Fedora. There are
hardened Linux disros around, and there are NetBSD and OpenBSD:
---
NetBSD is a free, secure, and highly portable Unix-like Open Source
operating system available for many platforms, from large-scale server
systems to powerful desktop systems to handheld and embedded devices.
---
Only two remote holes in the default install, in more than 10 years!
The OpenBSD project produces a FREE, multi-platform 4.4BSD-based
UNIX-like operating system. Our efforts emphasize portability,
standardization, correctness, proactive security and integrated
cryptography. OpenBSD supports binary emulation of most programs from
SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.
---
In contrast:
Fedora is a Linux-based operating system that showcases the latest in
free and open source software.
and I note that RH doesn't highlight security at all, that's I could
find in three clicks.
I would rather find out that my car leaks in my driveway with a water
hose than tragically on the highway! Any day! That way I find the
leak in a way I can clean it up.
Honey pots are more of a risk I would agree. Containment is a real
issue since the goal of many exploiters is to use your machine to
spread their wares. I guess I am hoping that the containment issues
can be resolved so we can have them as a tool to see what got in -
what it was and how it grows - hopefully to be able to go and deal
with it's progenitor.
You will never find out who got into anything but the honeypot, by
looking at the honeypot. Nor is one likely to highlight the viruses and
trojans your users download in their web content and email.
If there's a place for a honeypot in aiding security (and having
considered it for some years I doubt it), it's in an organisation with a
well-trained security team with the resources to set one up, isolate it
from the rest of the organisation, and monitor it.
It's not for a relative beginner who's just installed his first Linux
box and us confused about all the attacks he sees.
6. Backup your "used" areas often and in a number of different ways.
I use flash drives, CDs, and other portions of the local or remote
hard drives. I also tend to put an occasional file in an obscure
e-mail account. Be ready to "wipe and re-load" efficiently. I have
played with the idea of using "ghosted" "snapshots" for this purpose
but have only taken that to the idea level. Tar is becoming a friend.
flash drives are too easy to corrupt. I'm fairly careful with such
things, but one of mine lost its partition table. In my case recovery
was easy because I knew that copying the first sector from an identical
other drive would repair it.
What I like about them is that they are convenient, espically for a
laptop. Since they are fairly cheap what I do is always have and use
more than two. Loose one, not happy with that but little loss.
bank account details? SS number for Americans. Information about you
that could lead to someone else knowing enough about you to present
himself as you?
7. Do planned "wipe and re-loads" several times a year. For that
matter, if you simply save your used areas and then wipe and load the
new version of your distro when it comes out that is probably enough.
Be ready to restore to where you were if you need to.
That will cause more grief than it is ever likely to save. If you're
running a serious server, you're off the air for some time. A server
that's down isn't earning you money.
You yourself said:
"What you need to do depends on what you're trying to protect. If you're
not running any servers, then things are pretty cheesy - you only need
to worry about invited data (websites you visit, email you receive and
such)...."
I certainly agree with the first part, but somewhere in the
neighborhood of some six million compromised machines out there now
doing the bidding of organized crime make me down right angry at the
second part of the statement.
and reinstalling them all the time would be of limited benefit. However,
keeping up to date with vendor fixes, using firefox and thunderbird
instead of Internet Exploder and Lookout Express (these are mostly
Windows boxes) _would_ help.
A little while ago, I bought a Thinkpad R40 at auction. It had Windows
XP SP2 professional more-or-less installed, ready for me to provide a
few personal details.
It did not present me with an opportunity to set a password for
Administrator, it did create my user account[1] as an administrator (and
wouldn't let me change that), and I don't recall it wanted a password
for that either. Further user accounts also are administrators, unless
the administrator chooses otherwise.
Reinstalling every six months or so would simply exacerbate the problem.
[1] I knew that was coming, so my first user account I named "admin" and
I then created another, less privileged, account.
If there were a dread disease amongst us, you would do well to keep
your immune system maintained -- lest you be quarantined!
Better, a shield and keep the opposition on the other side.
You will need to spend time reconfiguring stuff, and I don't know about
you, but I have better things to do. Probably, the reconfiguring will
result in unintended changes that need to be fixed.
In my case I am learning Linux, having fun, and the time is not
critical to what is happening. I would not consider introducing an
untested and unapproved system into a commercial environment. I
consider an "upgraded" box as untested. I absolutely agree with you
about upgrades, they scare me too! In a commercial environment I
believe that the upgrades should go into a test environment and get
placed on the floor if they actually appear to make the grade, and
slowly at that.
and that precluded reinstalling all the time just because "it seems a
good idea." It might be okay for you, helping achieve your wish to learn
about Linux; I have a selection of alternative hardware for that, and do
not play those games on anything important.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
