[Fedora] Seeing input on Securing the Linux system from intrusions and attacks.

Tod Merley todbot88 at gmail.com
Sun Dec 30 02:08:10 UTC 2007 

On Dec 29, 2007 2:43 PM, John Summerfield <debian at herakles.homelinux.org> wrote:
>
> Tod Merley wrote:
> > On Dec 27, 2007 11:10 AM, Daniel B. Thurman <dant at cdkkt.com> wrote:
> >> I have finally got my F8 setup and running so now I am reviewing the
> >> security issues that needs to be taken into account.

> >> I would like to focus on securing Fedora. I have tried snort w/Base etc.,
> >> Tripwire, Fam, nmap, Iptable techniques, and so on.
> >>
> >> Does anyone have any advice, links to great sites focused on security
> >> and how to secure your linux box against intrusions and attacks?
> >>
> >> Thanks!
> >
> > Hi  Daniel B. Thurman!
> >
> > It is late so topics only for tonight:
> >
> > 1. Turn off services you do not use.
> > 2. Make your computer "silent" to all but those who use it - e.g. turn
> > off ping - e.g. use a door knock protocol on a non-standard port for
> > ssh to access ssh (give no reply to those who knock on the normal port
> > and respond to only your special "knock" on your non-standard port),
>
> imv turning off ping is highly overrated, and introduces management
> problems.
>
> My technique that I've already posted all-but prevents password scans.
>

But why let them know where you are in the first place???

>
> > 3. Have a constant background scan done for virus, root kit, e-mail,
> > changes in critical files, port scan, log  files (logwatch), and
> > audits for suspicious activity.  This can and should be "niced" to not
> > interfere with normal operations.
>
> One can't really trust a computer to diagnose itself.
>
I do agree!

Yet why not use those "brains" on the machine that are uncompromised
to see that we are compromised so we can start to do something about
it?

Thanks for the pointer though.  I have considered containing all of
the on box security in a virtual machine (well, most of it anyway).
As well, why not have a separate box do the file scans, log checking,
etc...?
>
> > 4. Google "pen testing".  C/o osstmm.
> > 5. Honey pots!
>
> Really! They may be useful for detecting the ungodly, but they do
> nothing to add to one's security. Quite the reverse, you must assume
> that the ungodly have a nest in your midst.
>
Do not soldiers train with live ammo?  Do you find out if something is
waterproof by exposing it to sunlight?

I have noted with interest that Penetration Testing has become an
expected part of any good security audit.  I believe it is not only
expected, it is practically required.

I would rather find out that my car leaks in my driveway with a water
hose than tragically on the highway!  Any day!  That way I find the
leak in a way I can clean it up.

Honey pots are more of a risk I would agree.  Containment is a real
issue since the goal of many exploiters is to use your machine to
spread their wares.  I guess I am hoping that the containment issues
can be resolved so we can have them as a tool to see what got in -
what it was and how it grows - hopefully to be able to go and deal
with it's progenitor.
>
> > 6. Backup your "used" areas often and in a number of different ways.
> > I use flash drives, CDs, and other portions of the local or remote
> > hard drives.  I also tend to put an occasional file in an obscure
> > e-mail account.  Be ready to "wipe and re-load" efficiently.  I have
> > played with the idea of using "ghosted" "snapshots" for this purpose
> > but have only taken that to the idea level. Tar is becoming a friend.
>
> flash drives are too easy to corrupt. I'm fairly careful with such
> things, but one of mine lost its partition table. In my case recovery
> was easy because I knew that copying the first sector from an identical
> other drive would repair it.
>
What I like about them is that they are convenient, espically for a
laptop.  Since they are fairly cheap what I do is always have and use
more than two.  Loose one, not happy with that but little loss.
>
> > 7. Do planned "wipe and re-loads" several times a year.  For that
> > matter, if you simply save your used areas and then wipe and load the
> > new version of your distro when it comes out that is probably enough.
> > Be ready to restore to where you were if you need to.
>
> That will cause more grief than it is ever likely to save. If you're
> running a serious server, you're off the air for some time. A server
> that's down isn't earning you money.
>
You yourself said:

"What you need to do depends on what you're trying to protect. If you're
not running any servers, then things are pretty cheesy - you only need
to worry about invited data (websites you visit, email you receive and
such)...."

I certainly agree with the first part, but somewhere in the
neighborhood of some six million compromised machines out there now
doing the bidding of organized crime make me down right angry at the
second part of the statement.

I agree with Mr. Spafford:

" The only truly secure system is one that is powered off, cast in a
block of concrete and sealed in a lead-lined room with armed guards -
and even then I have my doubts.	"

       -- Eugene H. Spafford, director of the Purdue Center for
Education and Research in Information Assurance and Security.

If there were a dread disease amongst us, you would do well to keep
your immune system maintained -- lest you be quarantined!
>
>
> You will need to spend time reconfiguring stuff, and I don't know about
> you, but I have better things to do. Probably, the reconfiguring will
> result in unintended changes that need to be fixed.
>
>
In my case I am learning Linux, having fun, and the time is not
critical to what is happening.  I would not consider introducing an
untested and unapproved system into a commercial environment.  I
consider an "upgraded" box as untested.  I absolutely agree with you
about upgrades, they scare me too!  In a commercial environment I
believe that the upgrades should go into a test environment and get
placed on the floor if they actually appear to make the grade, and
slowly at that.
>
> >
> > Ok, I lied - the one link I will give you has some very good ones at
> > the end.  Note the crazy quotes and the interesting message box near
> > the end:
> >
> > http://en.wikipedia.org/wiki/Computer_security
>
> In Wikipedia, read the warnings, and consider the verifiable expertise
> of the author(s).
>
Well spoken!
>
> Cheers
> John
>
Have a great week John.  I enjoy your many contributions to this list!

With appreciation!

Tod

More information about the users mailing list