#1 2009-02-20 08:55:59

ThreepWood
#! Member
Registered: 2009-02-12
Posts: 68

about security in linux

Ahoy, fellow #!ers!!

I'm quite worried lately about securing my newly installed CrunchBang.
I don't know anything about networks - ok, basic stuff: I did set up a shared network from my XP to #! over wireless in ad-hoc mode with WEP...but that's it - no intermediate stuff.
Searching on the web (crossing fingers for no infections/break-ins) I found that the first thing to do is to set up iptables, THE Linux firewall.
I'm into this right now, and it's not quite as straightforward as I expected. Of course, it COULD be the lack of networking experience and/or knowledge...Anyway.
(http://www.netfilter.org/documentation/ … WTO-1.html)

After setting it up, what should be the next step, to get a more secure Linux experience and enjoy my sleep at night with no worries?
What are Your first steps...after installing a new OS on Your piece? ...before first connecting to a not-known network such as the web itself?

You can share basic stuff...to a crunchbaby all stuff is new!

PS: excuse my ignorance, and for posting this in "off-topic". I mean, where should this go?


...selfmade-wannabee #!in' pirate. Arrr!


#2 2009-02-20 10:02:09

ajclarkson
New Member
Registered: 2009-02-20
Posts: 7

Re: about security in linux

Hi there,

To be honest, after iptables, which I often forget to configure myself, I don't really do anything in the way of security; being behind a router is enough for me with Linux, I have found. I make sure that there are no gaping security holes (like, if you have installed MySQL for local development, bind it to localhost and make sure you have a root password set), but other than that I have never *touch wood* had a security problem in the 4 years I have used Linux.


#3 2009-02-20 13:35:19

anonymous
The Mystery Member
From: Arch Linux Forums
Registered: 2008-11-29
Posts: 9,418

Re: about security in linux

Personally I don't do anything for security.

Anyway, you could install Firestarter as an easy way to configure iptables (unless you prefer manual configuration) and use Bastille (old version available in the repository) to harden and secure Linux a bit.

Last edited by anonymous (2009-02-20 13:36:42)


#4 2009-02-21 11:22:37

ThreepWood
#! Member
Registered: 2009-02-12
Posts: 68

Re: about security in linux

Thanks,
I'm into setting up iptables right now...oh boy, a lot-o-reading ahead!
Stay alert for more questions...hehe

Bastille? Definitely will be into that after!
According to the homepage, "The Bastille Hardening program 'locks down' an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works."
Sounds like a security wizard/automaton...

Where was I...ah yes...
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


...selfmade-wannabee #!in' pirate. Arrr!

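Those three policy lines on their own will also drop the replies to your own outgoing connections, so here is a complete minimal workstation rule set built around them. This is an added example written for this thread, not something from the original post or from the netfilter HOWTO; it assumes a kernel with the iptables conntrack match (any current distribution kernel). The rules are printed first so they can be reviewed, and only applied when you ask for it as root.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful iptables policy for
# a single-user workstation, starting from the three default policies quoted
# in the post above. Assumes the conntrack match is available.

# Print the rule set instead of applying it, so it can be reviewed or tested
# before touching the live firewall. Order matters: loopback and
# ESTABLISHED,RELATED must be accepted before anything else is judged.
workstation_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
EOF
}

# Number of rules that accept inbound traffic: loopback, replies and ping.
# Anything above 3 means a new service was opened and should be justified.
count_accepts() {
    workstation_rules | grep -c -- '-j ACCEPT'
}

# Apply the rule set line by line; refuses to run without root and stops at
# the first rule iptables rejects, so a typo does not leave a half-built chain.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    while IFS= read -r line; do
        eval "$line" || { echo "apply_rules: failed: $line" >&2; return 1; }
    done <<EOF
$(workstation_rules)
EOF
}

# Usage:  sh firewall.sh show        (print the rules)
#         sudo sh firewall.sh apply  (install them)
case "${1:-}" in
    show)  workstation_rules ;;
    apply) apply_rules ;;
esac
```

The OUTPUT policy stays ACCEPT as in the post; if you later want to control outgoing traffic too, add ACCEPT rules for DNS, HTTP/HTTPS and whatever else you use before flipping that policy to DROP, or you will lock yourself out of the web while testing.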

#5 2009-02-21 15:52:36

ZAP
#! Junkie
Registered: 2009-01-31
Posts: 350

Re: about security in linux

Personally I've always used Firestarter or ufw to configure iptables. Doing it from the command line is not how I want to spend my time. It's also relatively easy to create rules that interfere with services that you need (e.g., Samba shares), and having a GUI makes debugging this a lot easier.

In general you have a lot less to worry about with Linux than you would with Windows (or even with a Mac, since they have the execute bit on by default). If you search the web you'll find many explanations of why this is and endless arguments about whether the fundamental reason is that Linux's design is innately more secure or it's just because it's a smaller target. Personally my perspective is that the only dangers that you're going to encounter will be a threat because of social engineering, so the more that you familiarize yourself with the Linux (and in this case, Ubuntu) security model, the better armed you'll be to defend yourself.

You shouldn't be using WEP for wireless encryption, however, since it can easily be cracked in minutes. Use WPA instead (if your router doesn't support that, get a new router). A hacker might not be able to get into your machine after cracking your WEP key, but they could read all of your network traffic, reflash your router with phishing firmware, and generally abuse your network connection.

I also think that file encryption is very important on any laptop, since if it's lost or stolen you don't want people going through your stuff. Full disk encryption is best, but most netbooks are a bit slow to do this without suffering a performance hit. Search these forums for how to set up an encrypted Private directory and move your Mozilla files into it (which I think is a decent alternative for most users), and check out the password manager app KeePassX.


#6 2009-02-27 02:33:28

Ptero-4
New Member
Registered: 2009-02-27
Posts: 6

Re: about security in linux

AFAIK, by default Ubuntu (and its derivatives) is pretty much locked down already (no ports open except for port 80 by default). So you probably shouldn't need to worry about securing your newly installed Ubuntu-based distro. And BTW, Ubuntu has used ufw since 7.04 (or 7.10, I can't remember clearly which one of the two releases).


#7 2009-02-27 18:47:40

machiner
Member
Registered: 2009-02-23
Posts: 14

Re: about security in linux

There's a lot more to security than setting a chain in iptables. wink  First you've got to begin with Debian as it's what Ubuntu is based upon.  Then you've got to know what Ubuntu introduces into the mix.  IIRC Ubuntu's default install is pretty tight.  But, and I haven't looked at all, what does CrunchBang add to the mix?

You've got to know what's running and it's got to be justified.  Default Debian, and derivatives, are pretty solid.  You've just got to know how these derivatives add or mod any of what they built on.  When you've justified the daemon you've got to make sure it's tight.  Again, the default ones, don't worry.  But if you add a LAMP setup, then you've got to make sure it's tight.  On its own -- no way.  I say that because it's important to change a few things in a default Apache install in order to enhance what the devs did for us.  Security is "all encompassing" so it behooves you to, say, not let some malcontent know which version of Apache you're running.  Versions are key.  That kind of stuff.

What have you installed?  Any known exploits?  What's cool about Linux in general is that it's constantly evolving.  Today's exploits are fixed post haste.  Having the eyes of a global population on your code goes a long way towards keeping it tight, too.  And, having a dedicated development team at work on the distribution is a must, and that's what Debian has - so the derivatives have a safe pool to choose from.  To build on.  If you install apps from unknown sources then you take a risk.  If you stick with the repos then you're good.

To tell the truth, I haven't touched netfilter in years.  lol.  I'm behind a router with a firewall -- my LAN is safe.  Moreover, my boxes are Debian with justified daemons et al running and a common sense approach to security.  I run a bunch of servers at home for us: web, mail, etc.  I'm not at all worried about crackers or other nonsense because I have config'd every running server or daemon in curious enough ways as to thwart all but the most seasoned and determined bad-guy.   And you know what?  He's not even trying because it's a total waste of time.

No GUI's where they are not necessary (like my main server box)
running services in secure ways like maybe chrooting Apache.  Although, way unnecessary on most cases
NFS has proper permission implementations and our drives are protected
ssh runs tightly
mysql and postgre are tight

You get the idea.  Most will come to you fine.  However, you can and should make your own, personal, changes.  Whether they be based upon paranoia or ignorance or real concerns because of the way you allow a thing to run, or be used, on your LAN.

If you run lsof -i right now as root you will see what's going on.  On my laptop, which changes weekly, the following network activity is taking place:

lapbox:/home/machiner# lsof -i
COMMAND    PID        USER   FD   TYPE DEVICE SIZE NODE NAME
portmap   2325      daemon    4u  IPv4   5731       UDP *:sunrpc 
portmap   2325      daemon    5u  IPv4   5740       TCP *:sunrpc (LISTEN)
rpc.statd 2336       statd    5u  IPv4   5764       UDP *:816 
rpc.statd 2336       statd    7u  IPv4   5775       UDP *:56933 
rpc.statd 2336       statd    8u  IPv4   5778       TCP *:39782 (LISTEN)
avahi-dae 2674       avahi   14u  IPv4   6358       UDP *:mdns 
avahi-dae 2674       avahi   15u  IPv6   6359       UDP *:mdns 
avahi-dae 2674       avahi   16u  IPv4   6367       UDP *:51836 
avahi-dae 2674       avahi   17u  IPv6   6368       UDP *:59498 
mysqld    2769       mysql   10u  IPv4   6463       TCP localhost:mysql (LISTEN)
postgres  2865    postgres    3u  IPv4   7817       TCP localhost:postgresql (LISTEN)
postgres  2865    postgres    6u  IPv6   7818       TCP localhost:postgresql (LISTEN)
postgres  2865    postgres    8u  IPv4   7838       UDP localhost:34053->localhost:34053 
postgres  3157    postgres    8u  IPv4   7838       UDP localhost:34053->localhost:34053 
postgres  3158    postgres    8u  IPv4   7838       UDP localhost:34053->localhost:34053 
postgres  3159    postgres    8u  IPv4   7838       UDP localhost:34053->localhost:34053 
postgres  3160    postgres    8u  IPv4   7838       UDP localhost:34053->localhost:34053 
cupsd     3232        root    2u  IPv4 647690       TCP localhost:ipp (LISTEN)
cupsd     3232        root    3u  IPv6 647691       TCP localhost:ipp (LISTEN)
cupsd     3232        root    5u  IPv4 647694       UDP *:ipp 
exim4     3499 Debian-exim    3u  IPv4   8350       TCP localhost:smtp (LISTEN)
hddtemp   3546        root    0u  IPv4   8427       TCP localhost:7634 (LISTEN)
privoxy   3582     privoxy    1u  IPv4   8517       TCP localhost:8118 (LISTEN)
apache2   3818        root    3u  IPv6   9400       TCP *:www (LISTEN)
apache2   3818        root    5u  IPv6   9404       TCP *:https (LISTEN)
apache2   3855    www-data    3u  IPv6   9400       TCP *:www (LISTEN)
apache2   3855    www-data    5u  IPv6   9404       TCP *:https (LISTEN)
apache2   3856    www-data    3u  IPv6   9400       TCP *:www (LISTEN)
apache2   3856    www-data    5u  IPv6   9404       TCP *:https (LISTEN)
apache2   3857    www-data    3u  IPv6   9400       TCP *:www (LISTEN)
apache2   3857    www-data    5u  IPv6   9404       TCP *:https (LISTEN)
apache2   3858    www-data    3u  IPv6   9400       TCP *:www (LISTEN)
apache2   3858    www-data    5u  IPv6   9404       TCP *:https (LISTEN)
apache2   3859    www-data    3u  IPv6   9400       TCP *:www (LISTEN)
apache2   3859    www-data    5u  IPv6   9404       TCP *:https (LISTEN)

You can see the current running servers and daemons on my laptop.  This is not my main server, that's currently offline.  But it represents a pretty typical workstation for work I'm currently doing.  I justify both sql servers because of what I have to build or test and apache to see it all.  Privoxy because I don't like to see crap online, although Privoxy is only one thing that I employ in that regard.  Avahi, exim, rpc, portmap -- those are currently at their default install state -- pretty tight for my laptop.  I may turn portmap off as I'm not really using it - but my desktop will be different next week anyway.

lol, once you start here you get pretty boggled.  My advice is to not think too much about it.  If you have to run a server then you need to be familiar with what it does so you can make sure it doesn't bite you in the arse. 

But, since I know you're gonna....If you have to run a VoIP app why not Ekiga?  Skype has known issues and currently the NSA is demanding backdoors.  Do you run Firefox?  Add a bunch of add-ons?  Well, there is an issue right there.  Most of what you added might be in another browser already - like Opera.

It's also those kinds of questions you must ask yourself - am I using the right program for the job?  They are not all created equal.

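The useful question to ask of that lsof listing is which daemons are bound to every interface (NAME starts with "*:") and which only to localhost, which is also what ajclarkson meant above about binding MySQL to localhost. Here is an added example, not from either post, that answers it with awk over `lsof -i` output; the sample data is a trimmed copy constructed in the same format as the listing above so the functions can be tried without root.

```shell
#!/bin/sh
# Added example (not from the thread): separate sockets reachable from other
# hosts from those bound to localhost, using `lsof -i` output. The sample is
# constructed in the format shown in the post above.

SAMPLE_LSOF='COMMAND    PID        USER   FD   TYPE DEVICE SIZE NODE NAME
portmap   2325      daemon    5u  IPv4   5740       TCP *:sunrpc (LISTEN)
rpc.statd 2336       statd    8u  IPv4   5778       TCP *:39782 (LISTEN)
avahi-dae 2674       avahi   14u  IPv4   6358       UDP *:mdns
mysqld    2769       mysql   10u  IPv4   6463       TCP localhost:mysql (LISTEN)
cupsd     3232        root    2u  IPv4 647690       TCP localhost:ipp (LISTEN)
cupsd     3232        root    5u  IPv4 647694       UDP *:ipp
apache2   3818        root    3u  IPv6   9400       TCP *:www (LISTEN)'

# Print "COMMAND USER PROTO NAME" for every socket bound to the wildcard
# address: TCP listeners and UDP sockets that any host on the network can
# reach. Reads lsof -i output on stdin. The SIZE column is often empty, so
# the fields are taken from the end of the line rather than by fixed index.
exposed_sockets() {
    awk 'NR == 1 { next }                  # header line
         {
           if ($NF == "(LISTEN)") { name = $(NF-1); proto = $(NF-2) }
           else                   { name = $NF;     proto = $(NF-1) }
           if (index(name, "*:") == 1)
               print $1, $3, proto, name
         }' | sort -u
}

# Only the TCP listeners, which is what most remote connections need.
exposed_tcp_listeners() {
    exposed_sockets | awk '$3 == "TCP"'
}

# Audit the live system: -P and -n keep ports and addresses numeric so the
# output is not shaped by /etc/services or DNS. Run as root to see all processes.
audit_live() {
    lsof -i -P -n | exposed_sockets
}

# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_LSOF" | exposed_sockets
# On the sample, mysqld and the cupsd TCP socket are left out (localhost only),
# while portmap, rpc.statd, avahi, cupsd's UDP socket and apache2 are reported.
```

Each line the audit prints is a service that needs the justification machiner describes: either it really must be reachable from the LAN, or it should be bound to 127.0.0.1 (MySQL's bind-address, CUPS's Listen directive) or stopped.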

#8 2009-03-01 11:16:59

ThreepWood
#! Member
Registered: 2009-02-12
Posts: 68

Re: about security in linux

Machiner,

thanks for Your post - I'm still trying to get everything You wrote puzzled out... hehe
For now, still doing my homework; digging through a bunch-o-howtos to get familiar with networking, TCP/IP and all the other stuff. I missed these back in the days when I started my journey of personal computing. No escape this time.
But once I get there, definitely will be looking up what You shared here!
Right now, I'm just concerned about controlling incoming/outgoing traffic. After that, probably sharing files on a mixed network (XP-Linux), and finally running my own web server. But it still looks like a long road ahead till there.

For all the folks:

Keep the ideas and tips/tricks coming, I really think this will be (and hopefully already is for others) helpful!

ThWd


...selfmade-wannabee #!in' pirate. Arrr!


#9 2009-03-03 19:18:59

machiner
Member
Registered: 2009-02-23
Posts: 14

Re: about security in linux

I am sorry, I was damned vague.  Like security is - vague.  But - what goal are you trying to accomplish with "security"?  Securing against what?  Know what I mean?

How many users on your box?  Do you have ~/ chmod'd 700?  Do you allow ssh access to your box?  Is root allowed?  When you put your box to sleep is it configured so your screensaver will be running when the box is awakened?

Do you run a mail server?   Is it a relay?  Do you run a web server?  Using webdav?  What modules are loaded?  (Ask yourself this, don't answer my question wink )  If you cannot justify running that module - don't.  Apache on Lenny loads up about 10 modules -- I saw them the other day when installing LAMP - you are notified, and I copied the info but I couldn't find it a moment ago.  Anyway - do you need to run those modules?  Do you need to run php?  Is php tight?  Do you run Joomla or a similar script that allows ancillary modules to be installed on top of it?  Who writes these?

It can make you crazy.   If you're not running a web server then there are a million security issues that you do not need to know.  If you are, though....

What of your LAN?  How is that set up?  Are you even on a LAN or do you just have the one computer?  Are you using a router?  Signal in (ISP service) to router to computer?

Linux is a completely different animal than *cough* Windows.  You can make Windows pretty tight - there are different issues with that OS, but on a Linux box you don't worry about the same sorts of issues.  Man -- you shouldn't even be worrying about a firewall.  Really.

If you're worried about appearing stealth at ShieldsUP, well -- I just went there.  As I was posting this.  I have a web server running right now, sql, and stuff......I installed my system last night from a net install and then added what I want so this setup is nothing special.  Didn't touch netfilter and did not touch any server configurations - I'm at all defaults.  The point is, I'm running servers and they are not part of a "normal" desktop installation.

As you can see - at Shields Up I come up stealth.  Makes me laugh, "stealth".

http://www.debiantutorials.org/images/s … 3mar09.png
http://www.debiantutorials.org/images/s … 3mar09.png
http://www.debiantutorials.org/images/s … 3mar09.png

Think about the route of the signal in.  First my ISP is protecting my box - by not allowing connections to port 80 whether I run a web server or not.  Since it also doesn't allow that I run a mail server, those ports are blocked (dropped) at the ISP level, too - never reaching me at all. (I could use other ports and open these services up).  Then, after you (the incoming signal, bad guy, good guy, whomever) pass by my ISP's filters you have to get by my router.  There's a NAT firewall on it so go study up on those and learn how to defeat any lame protection it gives me, or - us, inside the LAN.

After you get by my router then you deal with me running Debian.  You deal with the default security attached to any process or daemon running on a default Debian installation.  Which is limiting to the bad guy.

I'll bet your setup is similar - give or take a step, a "stealthed" port, whatever.

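Two of the questions in that checklist (is ~/ mode 700, is root allowed over ssh) are easy to turn into checks you can re-run after every reinstall. The script below is an added example written for this thread, not machiner's; the paths are parameters so it can be pointed at a copy of sshd_config or a scratch directory, and the constructed sample config in the usage comment is just there to show the expected results.

```shell
#!/bin/sh
# Added example (not from the thread): two checklist items from the post
# above as re-runnable checks. Paths default to the live system but can be
# overridden, e.g. for a copied sshd_config.

# Is the home directory closed to other users? Prints "ok" or "open" and
# returns 0/1. Any group/other permission bit means the directory listing
# (and everything with lax file modes inside) is visible to other accounts.
check_home_mode() {
    dir="${1:-$HOME}"
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null)
    case "$mode" in
        *00) echo "ok: $dir is mode $mode"; return 0 ;;
        *)   echo "open: $dir is mode ${mode:-unknown}, expected 700"; return 1 ;;
    esac
}

# Effective PermitRootLogin value from an sshd_config. sshd uses the first
# matching directive, so the first uncommented one wins; directives inside
# Match blocks are not considered here.
sshd_permit_root_login() {
    file="${1:-/etc/ssh/sshd_config}"
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$file"
}

# Is direct root login over ssh disabled? Returns 0 for "no" and for the
# key-only settings, 1 for "yes" or when the directive is missing (the
# default then depends on the OpenSSH version: prohibit-password since 7.0,
# yes before that).
check_sshd_root_login() {
    value=$(sshd_permit_root_login "${1:-/etc/ssh/sshd_config}")
    case "$value" in
        no|prohibit-password|without-password)
            echo "ok: PermitRootLogin $value"; return 0 ;;
        "")
            echo "unset: PermitRootLogin missing, default depends on OpenSSH version"; return 1 ;;
        *)
            echo "root login allowed: PermitRootLogin $value"; return 1 ;;
    esac
}

# Usage on the live system:
#   check_home_mode && check_sshd_root_login
# With a constructed config containing "PermitRootLogin no" followed by
# "PermitRootLogin yes", sshd_permit_root_login reports "no" (first wins).
```

The "first directive wins" rule is the part people get wrong: appending `PermitRootLogin no` to the end of a config that already says `yes` higher up changes nothing, which is why the check reads the file the way sshd does instead of grepping for the last line.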

#10 2009-03-03 19:34:11

machiner
Member
Registered: 2009-02-23
Posts: 14

Re: about security in linux

Just an addendum to why I included Shields Up.  Many people think they are pretty safe when they see a "stealth" report.  lol.  My stealth report was funny because I know that I am running servers on some of those ports.  Bad guys will know it, too.  The kind of bad guys that can really mess my world up - not the kind that don't know anything about networking.  Shieldsup said  my computer doesn't exist - false assurance.  My IP is completely pingable from my cousin's house.  Moreover, I'm also visible when the network that I'm on (my ISP) is scanned.

Shields Up may be useful to spot gaping holes but why bother.  nmap is better all day long and you can run it from your terminal.  lol, it reports my servers, too - it doesn't report that those ports are stealthed.  You can install zenmap for a useful GUI.  See this snapshot I just took of a quick scan on my IP:

http://www.debiantutorials.org/images/z … 3mar09.png


#11 2009-05-10 10:58:04

ThreepWood
#! Member
Registered: 2009-02-12
Posts: 68

Re: about security in linux

Machiner,

thanks for all these valuable add-ons! I'll keep them in mind.

Hopefully one day I will build my own web server; till then, I'm really just interested in getting my own personal PC out of sight for others on the net. I mean personal data stored and my own IP provided (no misuse of it).
I have a modem (no firewall as far as I know), and my ISP does something like a firewall...but. Since it's a slick little machine I have, I would like to use it everywhere to connect to any untrusted network on the go. Not to talk about connecting via proxies...
That leaves my system as the only trusted control over network traffic. So I would love to have it locked down against intrusion, that's my point.
Till recently, I used a Win machine with an ad-hoc wifi connection to share internet, but it's bye-bye now, dead, no LEDs no POST...

Got me a book from the library called "Linux Firewalls - Third Edition" from Novell Press...boy-o-boy. Still reading; already have absorbed like 100 pages dealing with base concepts on networks and OSI, and just got to the chapter on firewalls...
So I'll be back after finishing some more reading.

See You all (hopefully) soon...
thwd


...selfmade-wannabee #!in' pirate. Arrr!
