[EMAIL PROTECTED] wrote:

> Ok what are peoples ideas about how to secure a linux box out there.  Is
> saint/satan the best, if so why?  Maybe a security demo on that kind of
> thing...   We could break this down into two topics security schemes and
> programs?

Well, OK, here's what I do (but not all that I do, I can't give out all my
secrets)

-Do an install
-install ssh
-nmap localhost to see what ports are open
-netstat -L to see who's listening on what port
-Uninstall unnecessary services (on Debian--nfs, talk, telnet, rsh usually
installed by default)
-Block out ports that are still needed for local use but I don't want
exposed to the world, where $portnumber can be any port that I want to block:
    # ipchains only matches a port when -p tcp or -p udp is given
    ipchains -F
    ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 $portnumber -j REJECT
    ipchains -A input -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 $portnumber -j REJECT
-Block out ports that are high-risk anyway to reduce my false alarms,
which are currently netbios, LPR, and ftp
    # netbios name/datagram service (137/138) is UDP, session (139) is TCP
    ipchains -A input -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137 -j REJECT
    ipchains -A input -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 138 -j REJECT
    ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 139 -j REJECT
    # ftp control port
    ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 21 -j REJECT
    # LPR
    ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 515 -j REJECT
-Change /etc/hosts.deny to ALL:ALL or ALL:PARANOID to restrict access
with tcp wrappers.  This by itself is a good measure.
-Add hosts that should have access to /etc/hosts.allow
-Install ippl and logcheck.  ippl logs any incoming connection, and
logcheck can be set up with a cron job to periodically scan your logs and
report anything unusual.  At first, you have to tell it to ignore stuff for
each specific machine, but after time the ignore ruleset gets more refined
and the false alarms go down.
-nmap the box from both my workstation and my box at home on an
unprivileged network to see what's available locally and to the world
-Test the box to make sure I can access it with ssh from at least one
remote box (my workstation)
-For a high-profile server such as www or mail, I also add portsentry,
which can block out people who do portscans with ipchains or a dropped
route, and/or snort, which can detect attacks based on a complex set of
rules.  A lot of times, snort can tell you if someone was doing a syn-fin
scan or a smb wildcard attack.  That's good stuff.
-For a box that changes little, such as a firewall or webserver, I also
install aide or tripwire.  They do periodic scans of your directories to
see if anything's changed.
-Monitor--read the emails that your system sends.  Add rules as the
attack environment changes.  Filter out the false alarms from logcheck.
It's all a lot of extra work at the beginning, but ends up being 1-2
hours/month if you set it up right.

And lastly, some of my security resources:

www.dshield.org--a compilation of [cr|h]acker activity
www.snort.org--has rulesets and a port lookup tool that lets you see
what's hiding
behind port 31337
http://linuxdocs.org/HOWTOs/IPCHAINS-HOWTO.html Need I say it?
http://www.psionic.com/abacus/portsentry/ The portsentry site


--
Organizing Linux users is like herding cats,
only harder.
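The "netstat, then block what you don't want exposed" steps of the checklist above, as an added example (not from the original post or its author): a shell function that reads `netstat -ln` output, skips loopback-only listeners and an allow-list of ports meant to stay reachable, and prints one ipchains REJECT rule, with the right protocol, for everything else. The netstat output and the allow-list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Turns a listening-port
# inventory into ipchains REJECT rules for ports that should not be
# exposed to the world.

# Constructed sample of `netstat -ln` output (assumption, not a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Ports that must stay reachable from outside (assumption: ssh and http).
ALLOW="22 80"

# reject_rules: read `netstat -ln` output on stdin, print an ipchains rule
# for each tcp/udp listener that is neither loopback-only nor in $ALLOW.
# ipchains needs -p tcp or -p udp before it will match a port number.
reject_rules() {
    awk -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
        host = $4; sub(/:[^:]*$/, "", host)      # strip ":port" suffix
        port = $4; sub(/.*:/, "", port)          # keep only the port
        if (host == "127.0.0.1") next            # not reachable remotely
        if ($1 == "tcp" && $6 != "LISTEN") next  # only listening sockets
        if (port in ok) next                     # meant to be exposed
        printf "ipchains -A input -p %s -s 0.0.0.0/0 -d 0.0.0.0/0 %s -j REJECT\n", $1, port
    }'
}

# Review the generated rules before applying them:
#   printf '%s\n' "$SAMPLE_NETSTAT" | reject_rules
```

Feed it the real `netstat -ln` output instead of the sample and pipe the result through `sh` only once you have read it; the loopback check uses the literal 127.0.0.1 address, so listeners bound to other local addresses are reported as exposed.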
