[Fedora] Seeing input on Securing the Linux system from intrusions and attacks.

John Summerfield debian at herakles.homelinux.org
Sun Dec 30 07:08:42 UTC 2007


Tod Merley wrote:
> On Dec 29, 2007 2:43 PM, John Summerfield <debian at herakles.homelinux.org> wrote:
>> Tod Merley wrote:
>>> On Dec 27, 2007 11:10 AM, Daniel B. Thurman <dant at cdkkt.com> wrote:
>>>> I have finally got my F8 setup and running so now I am reviewing the
>>>> security issues that needs to be taken into account.
> 
>>>> I would like to focus on securing Fedora. I have tried snort w/Base etc.,
>>>> Tripwire, Fam, nmap, Iptable techniques, and so on.
>>>>
>>>> Does anyone have any advice, links to great sites focused on security
>>>> and how to secure your linux box against intrusions and attacks?
>>>>
>>>> Thanks!
>>> Hi  Daniel B. Thurman!
>>>
>>> It is late so topics only for tonight:
>>>
>>> 1. Turn off services you do not use.
>>> 2. Make your computer "silent" to all but those who use it - e.g. turn
>>> off ping - e.g. use a door knock protocol on a non-standard port for
>>> ssh to access ssh (give no reply to those who knock on the normal port
>>> and respond to only your special "knock" on your non-standard port),
>> imv turning off ping is highly overrated, and introduces management
>> problems.
>>
>> My technique that I've already posted all-but prevents password scans.
>>
> 
> But why let them know where you are in the first place???

I run a mail server, finding me is no great difficulty.

> 
>>> 3. Have a constant background scan done for virus, root kit, e-mail,
>>> changes in critical files, port scan, log  files (logwatch), and
>>> audits for suspicious activity.  This can and should be "niced" to not
>>> interfere with normal operations.
>> One can't really trust a computer to diagnose itself.
>>
> I do agree!
> 
> Yet why not use those "brains" on the machine that are uncompromised
> to see that we are compromised so we can start to do something about
> it?
> 
> Thanks for the pointer though.  I have considered containing all of
> the on box security in a virtual machine (well, most of it anyway).
> As well, why not have a separate box do the file scans, log checking,
> etc...?
>>> 4. Google "pen testing".  C/o osstmm.
>>> 5. Honey pots!
>> Really! They may be useful for detecting the ungodly, but they do
>> nothing to add to one's security. Quite the reverse, you must assume
>> that the ungodly have a nest in your midst.
>>
> Do not soldiers train with live ammo?  Do you find out if something is
> waterproof by exposing it to sunlight?

They don't generally invite the opposition into the camp, and that's 
what you propose.



> 
> I have noted with interest that Penetration Testing has become an
> expected part of any good security audit.  I believe it is not only
> expected, it is practically required.

The trouble one needs to take to implement security depends on what one 
has to protect.

the first step is to choose software that is and will be properly 
supported into the future, and that means _not_ Fedora. There are 
hardened Linux disros around, and there are NetBSD and OpenBSD:
---
NetBSD is a free, secure, and highly portable Unix-like Open Source 
operating system available for many platforms, from large-scale server 
systems to powerful desktop systems to handheld and embedded devices.
---
Only two remote holes in the default install, in more than 10 years!

  The OpenBSD project produces a FREE, multi-platform 4.4BSD-based 
UNIX-like operating system. Our efforts emphasize portability, 
standardization, correctness, proactive security and integrated 
cryptography. OpenBSD supports binary emulation of most programs from 
SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.
---

In contrast:
Fedora is a Linux-based operating system that showcases the latest in 
free and open source software.

and I note that RH doesn't highlight security at all, that's I could 
find in three clicks.


> 
> I would rather find out that my car leaks in my driveway with a water
> hose than tragically on the highway!  Any day!  That way I find the
> leak in a way I can clean it up.
> 
> Honey pots are more of a risk I would agree.  Containment is a real
> issue since the goal of many exploiters is to use your machine to
> spread their wares.  I guess I am hoping that the containment issues
> can be resolved so we can have them as a tool to see what got in -
> what it was and how it grows - hopefully to be able to go and deal
> with it's progenitor.

You will never find out who got into anything but the honeypot, by 
looking at the honeypot. Nor is one likely to highlight the viruses and 
trojans your users download in their web content and email.

If there's a place for a honeypot in aiding security (and having 
considered it for some years I doubt it), it's in an organisation with a 
well-trained security team with the resources to set one up, isolate it 
from the rest of the organisation, and monitor it.

It's not for a relative beginner who's just installed his first Linux 
box and us confused about all the attacks he sees.

>>> 6. Backup your "used" areas often and in a number of different ways.
>>> I use flash drives, CDs, and other portions of the local or remote
>>> hard drives.  I also tend to put an occasional file in an obscure
>>> e-mail account.  Be ready to "wipe and re-load" efficiently.  I have
>>> played with the idea of using "ghosted" "snapshots" for this purpose
>>> but have only taken that to the idea level. Tar is becoming a friend.
>> flash drives are too easy to corrupt. I'm fairly careful with such
>> things, but one of mine lost its partition table. In my case recovery
>> was easy because I knew that copying the first sector from an identical
>> other drive would repair it.
>>
> What I like about them is that they are convenient, espically for a
> laptop.  Since they are fairly cheap what I do is always have and use
> more than two.  Loose one, not happy with that but little loss.

bank account details? SS number for Americans. Information about you 
that could lead to someone else knowing enough about you to present 
himself as you?



>>> 7. Do planned "wipe and re-loads" several times a year.  For that
>>> matter, if you simply save your used areas and then wipe and load the
>>> new version of your distro when it comes out that is probably enough.
>>> Be ready to restore to where you were if you need to.
>> That will cause more grief than it is ever likely to save. If you're
>> running a serious server, you're off the air for some time. A server
>> that's down isn't earning you money.
>>
> You yourself said:
> 
> "What you need to do depends on what you're trying to protect. If you're
> not running any servers, then things are pretty cheesy - you only need
> to worry about invited data (websites you visit, email you receive and
> such)...."
> 
> I certainly agree with the first part, but somewhere in the
> neighborhood of some six million compromised machines out there now
> doing the bidding of organized crime make me down right angry at the
> second part of the statement.

and reinstalling them all the time would be of limited benefit. However, 
keeping up to date with vendor fixes, using firefox and thunderbird 
instead of Internet Exploder and Lookout Express (these are mostly 
Windows boxes) _would_ help.

A little while ago, I bought a Thinkpad R40 at auction. It had Windows 
XP SP2 professional more-or-less installed, ready for me to provide a 
few personal details.

It did not present me with an opportunity to set a password for 
Administrator, it did create my user account[1] as an administrator (and 
wouldn't let me change that), and I don't recall it wanted a password 
for that either. Further user accounts also are administrators, unless 
the administrator chooses otherwise.

Reinstalling every six months or so would simply exacerbate the problem.

[1] I knew that was coming, so my first user account I named "admin" and 
I then created another, less privileged, account.

> 
> If there were a dread disease amongst us, you would do well to keep
> your immune system maintained -- lest you be quarantined!

Better, a shield and keep the opposition on the other side.

>>
>> You will need to spend time reconfiguring stuff, and I don't know about
>> you, but I have better things to do. Probably, the reconfiguring will
>> result in unintended changes that need to be fixed.
>>
>>
> In my case I am learning Linux, having fun, and the time is not
> critical to what is happening.  I would not consider introducing an
> untested and unapproved system into a commercial environment.  I
> consider an "upgraded" box as untested.  I absolutely agree with you
> about upgrades, they scare me too!  In a commercial environment I
> believe that the upgrades should go into a test environment and get
> placed on the floor if they actually appear to make the grade, and
> slowly at that.

and that precluded reinstalling all the time just because "it seems a 
good idea." It might be okay for you, helping achieve your wish to learn 
about Linux; I have a selection of alternative hardware for that, and do 
not play those games on anything important.




-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)




More information about the users mailing list