[Fedora] On Securing the Linux system from intrusions and attacks.

Daniel B. Thurman dant at cdkkt.com
Thu Dec 27 21:57:00 UTC 2007


John Summerfield and Tom Horsley wrote
>Subject: Re: [Fedora] Seeing input on Securing the Linux system from
>intrusions and attacks.
>
>Daniel B. Thurman wrote:
>> I have finally got my F8 setup and running so now I am reviewing the
>> security issues that need to be taken into account.
>> 
>> [snip!]
>> 
>> Does anyone have any advice, links to great sites focused on security
>> and how to secure your Linux box against intrusions and attacks?
>
>
>What you need to do depends on what you're trying to protect. 
> [snip!]

Summary:

John: vpn, shorewall, don't use hosts.{allow,deny} because of iptables,
      systems cannot be port-scanned, keep watching logs. Firewall to
      control spam + use of "countermeasures" and manually add blocks.

Tom:  ssh only. All other ports blocked(?).

============

Well, what am I trying to protect against? Well, some are
identified below, but I am not limited to these.  Some of the things
I added to the list below I found via iptraf:

1) General iptable schemes to otherwise block IPs, domains,
   and general attacks such as those identified below.  I am
   not well-versed in the use of iptables which is why I use
   firestarter at the moment and I haven't yet learned how to
   use shorewall as advised by John.
2) SYN/FIN/RST/CAN combo attacks
   [Note:
    I have seen an iptables "technique" to block various
    forms/combinations of SYN/FIN/RST/CAN combos.  I
    cannot foresee the end-results of these attacks but it
    causes me some consternation.  I get reports daily
    on these via my HW SonicWall firewall appliance and
    have no idea what to do.  All I see are MAC addresses as
    "they" hide their source/destination OR are using
    packet schemes I do not recognize.  Are these harmful,
    harmless, hog resources, or what?  Beats me.
   ]
3) DDoS/spoof attacks
   [Note:
    My ports are "hammered" at times causing resource hogs.
   ]
4) Foil Port-scanner intrusions (various schemes)
   [Note:
    You can see "them", "walking the dog".
   ]
5) DNS attacks
   [Note:
    "They" are attempting to update/modify table entries.
   ]
6) Sendmail Spams, viruses, ...
   [Note:
    I am learning, trying to find ways to greylist, blacklist,
    regex, pattern/keyword blocks, ... but I am not there yet.
    As it is, it is very time consuming manually identifying
    spammer's IP/domain names and adding them to the block
    list.  As it is, I get messages with [SPAM] marked and
    yet I still have to deal with them (deleting them) instead
    of simply not wishing to receive them, and some find
    ways around spamassassin/clamav anyway.
   ]
7) Database attacks (MySQL, PostgreSQL, ...)
   [Note:
    "They" are probing for holes, trying brute-force password
    cracking, and DDoS attacks, or so it seems.
   ]
8) Website attacks (Apache, Tomcat, and others...)
   [Note:
    The same as above (7) but with more tricks since there are a lot
    of "doors" to attack.  Yes, I am being vague in the interest of
    brevity.
   ]

Anyway, this is my "short" list that I am working on right now, so I
guess I have a lot of work to do.

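Items 1, 2 and 4 of the list above ask what the odd SYN/FIN/RST flag combinations in the daily firewall reports mean and how an iptables scheme would deal with them. The script below is an added example, not code from the original post or from any of the people in the thread. It assumes (an assumption, not something the post states) that suspect packets are logged with an iptables "-j LOG" rule, so the lines have the kernel netfilter format shown in the constructed sample. It parses those lines, labels each TCP flag combination (the null, Xmas, SYN+FIN and SYN+RST combinations are ones a normal TCP stack never sends, so they are typically scanner probes rather than something that can harm a patched kernel), counts them per source address, and prints the standard iptables `--tcp-flags` rule that drops each class. The addresses, MACs and timestamps in the sample are made up.

```python
"""Classify TCP flag combinations found in netfilter LOG output.

Assumption (not from the original post): the firewall writes suspect
packets to the system log with an iptables "-j LOG" rule, producing the
"IN=... SRC=... PROTO=TCP ... SYN FIN URGP=0" lines parsed below.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (addresses from the RFC 5737 documentation
# ranges, made-up MACs and timestamps).
SAMPLE_LOG = """\
Dec 27 21:10:01 fw kernel: FW-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Dec 27 21:10:02 fw kernel: FW-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Dec 27 21:10:03 fw kernel: FW-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Dec 27 21:10:04 fw kernel: FW-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 27 21:10:05 fw kernel: FW-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Dec 27 21:10:06 fw kernel: FW-LOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=28
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
# Flag names appear as bare words between RES=... and URGP=...; \b keeps
# "URG" from matching inside "URGP=0".
FLAG_RE = re.compile(r"\b(" + "|".join(TCP_FLAGS) + r")\b")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Standard iptables syntax: "--tcp-flags MASK COMP" matches when, of the
# flags in MASK, exactly those in COMP are set.
SUGGESTED_RULES = {
    "null":     "iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP",
    "xmas":     "iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP",
    "syn-fin":  "iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
    "syn-rst":  "iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP",
    "fin-only": "iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP",
}


def classify_flags(flags):
    """Name the flag combination; 'normal' means a legal TCP header."""
    flags = frozenset(flags)
    if not flags:
        return "null"            # no flags at all: null scan probe
    if {"SYN", "FIN"} <= flags:
        return "syn-fin"         # open and close in one segment: never legal
    if {"SYN", "RST"} <= flags:
        return "syn-rst"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"            # "Christmas tree" probe
    if flags == {"FIN"}:
        return "fin-only"        # FIN with no ACK: stealth FIN scan
    return "normal"


def parse_log_line(line):
    """Return the fields of one netfilter LOG line, or None if not one."""
    kv = dict(KV_RE.findall(line))
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    return {
        "src": kv["SRC"],
        "dst": kv.get("DST"),
        "proto": kv["PROTO"],
        "dpt": kv.get("DPT"),
        "flags": frozenset(FLAG_RE.findall(line)),
    }


def summarize(log_text):
    """Count flag classes per source address for the TCP lines in the log."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        per_src[rec["src"]][classify_flags(rec["flags"])] += 1
    return per_src


def suspicious_sources(per_src):
    """Sources that sent at least one illegal flag combination."""
    return sorted(src for src, c in per_src.items()
                  if any(kind != "normal" for kind in c))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in suspicious_sources(summary):
        for kind, count in summary[src].items():
            if kind != "normal":
                print(f"{src}: {count} x {kind:8s} -> {SUGGESTED_RULES[kind]}")
```

Run against a real /var/log/messages the same way (`summarize(open(path).read())`); sources that show up only with "normal" flags on open ports are ordinary traffic, while the labelled classes are probes that a DROP rule from SUGGESTED_RULES silences without any per-address blacklisting. Note the sample is keyed on SRC, not MAC: when a report shows only MAC addresses, the packets were logged before IP-level fields were available, and the SRC field is the one worth logging.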