Hardening Fedora...
Nelson Guedes Paulo Junior
npaulo at linux.ime.usp.br
Mon Apr 26 04:27:37 UTC 2004
Hi,
I know that someone posted it before, but I couldn't find any references
to a Tripwire substitute.
I remember that someone asked it before and someone answered, but I
couldn't find it.
Thanks for any help.
[]'s
On Sun, Apr 25, 2004 at 05:30:49PM +0200, Alexander Dalloz wrote:
> On Sun, 25.04.2004 at 16:46, Peter Santiago wrote:
>
> > Hi Alexander,
> >
> > Well, by hardening, I mean, enhancing the security of my Fedora
> > installation. I'm just doing this to gain more experience in setting up
> > Linux boxes. I could install Fedora Core 2 test release (kernel 2.6.3
> > with SELinux), but I'd rather want to see what I can achieve using Bastille
> > or other methods to make a fedora installation more secure... =^^= Hope I
> > didn't sound way out of my depth....
>
> > Peter Santiago peters at psinergybbs.com
>
> Ok Peter,
>
> on a test machine and for learning purposes Bastille might be one way to
> understand better which problem in security might appear. Taking the RPM
> version I would be cautious there is no comment how good it fits for
> Fedora.
>
> Maybe Bastille is helpful for a Linux beginner to understand some risks
> and learn some "switches" for a valid security. In general I doubt it
> improves security at all if you did not already do something bad with
> your Fedora installation.
>
> It's not that easy to suggest anything specific as the range of possible
> experience in Linux administration is wide and there are lots of topics
> you might care about. Given that you did not accidentally open up your
> system into an insecure state (like using telnet server across WAN
> connections, giving users too much permissions with i.e. suid, setting
> your mail server being an open relay ...) there are several concepts and
> tools to "improve security". Will say, put the administrator/root into a
> situation where he gets non standard information about trials hacking
> the system or on the other side by prohibition of specific actions. That
> may take place with:
> - setting up a good set of iptables rules, securing the services you
> need, and after switching off services you do not need but which run by
> default (like on many Fedora installations the portmapper on port 111 is
> open to the worldwide net)
> - controlling network/host scanning with portsentry or psad
> - restricting user and even root permissions by using kernel based
> policy sets: SELinux or grsecurity
> - restricting permissions and information of the administrator by using
> an IDS like lids (kernel based too)
>
> All that said, the cost of all that is time and effort to manage these
> things: you do not need just one time setup but all security functions
> need constant administration and control.
>
> I do not know whether that helps you seeing a bit clearer what you
> consider to try. In any case it is good to care for security and it is
> even worth to take a test machine/installation and to test the available
> tools and switches. And certainly there are good books on the market -
> not Fedora specific, but for all Linux users/admins - which cover this
> topic; i.e. Linux Administration by O'Reilly.
>
> Alexander
>
>
> --
> Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
> Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
> Sirendipity 17:04:37 up 6 days, 23:50, load average: 0.06, 0.22, 0.28
> [ ?????????? ??'?????????? - gnothi seauton ]
> my life is a planetarium - and you are the stars
--
Nelson Guedes Paulo Junior
E-mail: <npaulo at linux.ime.usp.br> UIN: 2489382 (Tender [:alpha:]*)
--------------------------------------------------------------------------------
I dig, you dig, he digs, we dig, you dig, they dig...
It's not pretty, but it's deep.
--------------------------------------------------------------------------------
"Statistics is a way of torturing numbers until they confess!"
--------------------------------------------------------------------------------
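
The quoted reply advises switching off services you do not need and names the portmapper on port 111 as one that is often open to the whole net. As an added example that is not part of the original thread, the shell function below reads `ss -H -tuln` output and lists listeners bound to all interfaces whose port is not on an allow-list. The function names, the allow-list and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report listeners that are bound to
# every interface and are not among the services the host is meant to offer.
# stdin: output of `ss -H -tuln`   $1: space-separated list of allowed ports
exposed_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        la = $5                       # local address:port column
        # The port follows the last colon (covers 0.0.0.0:22, [::]:22, *:80).
        idx = 0
        for (i = length(la); i > 0; i--)
            if (substr(la, i, 1) == ":") { idx = i; break }
        if (idx == 0) next
        addr = substr(la, 1, idx - 1)
        port = substr(la, idx + 1)
        # Only wildcard binds are reachable from other hosts by default.
        if (addr != "0.0.0.0" && addr != "[::]" && addr != "*" && addr != "::") next
        if (port in ok) next
        print $1 "/" port
    }' | sort -u
}

# Constructed sample input in `ss -H -tuln` column layout.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
EOF
}

# Assumption: only SSH (22) is meant to be reachable on this host.
# On a live system: ss -H -tuln | exposed_listeners "22"
sample_ss_output | exposed_listeners "22"
```

Each reported entry is a candidate for either disabling the service or restricting it with an iptables rule, as the reply suggests.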