I foolishly and accidentally mailed this reply to Cory, but he was nice enough to forward my
e-mail back to me. I thought it was important to clarify a few points. Read below...


> On Fri, Dec 22, 2000 at 10:54:36AM -0800, Cory Petkovsek wrote:
> The best way (measuring from simplicity and efficiency) is to see what openings
> there are and close them.  Same as on any OS.
 
I don't mean to nitpick here, but... :-P. I think the best way to secure something is
to learn the OS, and learn your system and your needs. You can read articles and
HOWTOs and probably have a reasonable amount of success, but learning the OS is the
best way, all the little gotchas and details.
 
> Nmap is a great tool to see what is open.
> Saint/Satan do not secure anything, they are only analysis tools.
 
I fully agree here. I never bother with SAINT or SATAN. I know nmap, and I love it. 
Also, never forget the handiest of tools: 'ps aux', 'vi /etc/inetd.conf', rpcinfo,  
and 'ls -l /etc/init.d'.
 
> Get nmap (www.insecure.org).  Run it on yourself:
> nmap -v 127.0.0.1
 
Don't do this, or rather do this in addition to nmapping your actual IP address. Some
services can be configured to listen on a specific interface, so while a daemon won't
show up on loopback, it will on your 209.181.x.x or what have you. Also, I prefer to
use the command line 'nmap -v -sT -O ip.add.re.ss', and if you're testing from outside
a firewall try using the -sS option instead of -sT.
 
Make sure to do this for each interface, unless you're absolutely sure you don't have
interface-specific daemons running. -v is verbose, -sT is plain ol' TCP connect(), and
-sS is a "stealth" connect; this also seems to be better at grepping info from beyond
a firewall, although I haven't looked at the source for this option in depth.
 
> When nmap reports no services, THEN you are secure.
 
You're never secure; never consider yourself secure. nmap doesn't detect rpc
vulnerabilities, it doesn't detect cgi vulnerabilities, it doesn't detect buffer
overflow or most remote root vulnerabilities. I personally like to follow up an nmap
scan with a scan from Nessus (www.nessus.org), and another scanner (usually ISS
Scanner, from www.iss.com; or Retina, from www.eeye.com [yeah, they have demo
versions]). I personally think Retina and ISS Scanner are shoddy, though; I really
like Nessus. But as with doctors, it's always good to get a "second opinion".
 
Again, using UNIX securely involves knowing your system, and each process running on 
it, well. Linux/UNIX isn't like Windows, no matter what candy interface comes out. You 
need to understand the concept of UNIX.
 
> If you need services available to the internet, this is where security gets more
> complicated.
> 
> lpd and portmap are found in your startup scripts.  On Debian, look in /etc/init.d.
> In mandrake/redhat use chkconfig.  Something like:
> chkconfig --list (to see what services are available)
> chkconfig --list |grep -i on (to see what services are running in what runlevel)
> chkconfig --levels <service, ie lpd> 2345 off
> (to turn off that service for runlevels 2-5.  I think the syntax is correct, 'man
> chkconfig' to verify)
 
This is good info. If you aren't running a print server, or don't have a printer
connected to your box, disable lpd. If you don't use NFS (blech) or other RPC services,
disable all rpc daemons, and portmap itself. If you get your mail from your ISP, and
you use a mail client like kmail (which is great) or Netscape mail, disable sendmail
on the local machine, and specify your ISP's SMTP server as the server to use.
 
Also:
- Don't run telnetd, period; use ssh. OpenSSH seems to be the preferred SSH client and
daemon these days; they can be had from your distro, or www.openssh.org. SSH also
allows you to encrypt network connections with a remote server, making sniffing
relatively futile. I use SSH tunneling with SMTP and POP3, among other services; do a
search for the Secure POP3 HOWTO for an excellent example. It's a simple one-line
command to forward ports automatically.
 
- Try not to run ftpd; if you do, disable anonymous access if it's not needed. Learn
scp ([secure copy] which comes in the SSH packages). You can transfer files over an
encrypted channel, and your username and password aren't exposed to the network.
 
- Use decent passwords, even on your home box. A surprising number of people are lazy
when it comes to passwords for the accounts on their home boxes.
 
These suggestions and learning your OS will help you on the path to "being secure".
Keep in mind your box will probably never be "secure" or "hackproof", and to trust
that it is would be very foolish. Simplicity and high crypto are the way to go. You'll
probably experience a few growing pains at first, but soon you'll get used to it.
 
Whenever I'm investigating intrusion attempts at work, it is almost always a hacked
Red Hat box (not to bash Red Hat, that's just a fact). Unfortunately most people use
Red Hat.
 
This may sound all stark and scary for newbies, and they may consider jumping into the
Windows world, but it's even worse in the Windows/Windows NT world. You're talking NO
security model in 9x's case, and a complete disaster of a security model for NT/2000.
NT actually has a really good security model at the kernel level, but no one really
seems to code to it; they usually seem to bypass it and go with some duct tape and
baling wire solution (yes, even the OS coders). See the Red Button flaw (which has
since been patched [read: duct taped even more]). Look at all these IIS component
exploits: they exploit the functions of these components, because these components
within NT either don't use the NT security model, or they use a crude high-level
security model abstracted above NT's native security. rain.forest.puppy is a good
researcher in this area, see www.wiretrip.net.
 
I know NT very well, and I know UNIX very well. I've studied the kernel and base
systems of both pretty heavily (independent study). I also code in both environments.
The view that NT is more secure because it doesn't have telnetd, bind, or sendmail by
default is flawed. With NT you are less capable of monitoring processes by default,
and you simply can't disable some of the trash, because it's "integrated into the
core OS".
 
I have an MCSE (WWHOOOooooah!), but I place my trust in UNIX.
 
jakob
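
[Editor's added example; this is not part of jakob's or Cory's mail.] The "know what's
listening, and on which interface" check that the mail above makes can be done without
nmap, straight from the kernel's own socket table. The POSIX sh script below decodes
/proc/net/tcp (addresses are hex in host byte order, ports are plain hex, state 0A is
LISTEN), labels each listener as all-interfaces, loopback-only or bound to one specific
address, and lists the last group separately, since those are exactly the daemons that
'nmap -v 127.0.0.1' cannot see. The sample table, the 209.181.0.10 address and the
inode numbers are constructed for the demo, not captured from a real host; the
pid_for_inode helper assumes a Linux /proc and normally needs root to read other
users' fd tables.

```shell
#!/bin/sh
# Added example: list TCP listeners from the kernel table and show which ones a
# loopback-only scan would miss. POSIX sh; needs only cut, awk and readlink.

# Constructed sample in the shape of /proc/net/tcp (not captured from a real host):
# sshd on loopback only, portmap on all interfaces, sendmail bound to one external
# address, plus one established (non-listening) connection that must be ignored.
SAMPLE_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00B5D1:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8F3A 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1'

hex_to_ip() {
    # $1 is the 8-hex-digit address field. The kernel prints it as a host-order
    # 32-bit word, so on little-endian hardware the bytes come out reversed:
    # 0100007F -> 127.0.0.1, 0A00B5D1 -> 209.181.0.10.
    a=$(printf '%s' "$1" | cut -c7-8)
    b=$(printf '%s' "$1" | cut -c5-6)
    c=$(printf '%s' "$1" | cut -c3-4)
    d=$(printf '%s' "$1" | cut -c1-2)
    printf '%d.%d.%d.%d' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

list_listeners() {
    # Reads a /proc/net/tcp-style table on stdin and prints one line per LISTEN
    # socket:  ip:port scope uid=N inode=N
    # scope is all-interfaces, loopback-only or interface-bound.
    while read -r sl local rem st queues timers retrnsmt uid timeout inode rest; do
        [ "$st" = "0A" ] || continue      # 0A = TCP_LISTEN; header and live connections skipped
        ip=$(hex_to_ip "${local%:*}")
        port=$((0x${local#*:}))           # the port is ordinary big-endian hex
        case $ip in
            0.0.0.0) scope=all-interfaces ;;
            127.*)   scope=loopback-only ;;
            *)       scope=interface-bound ;;
        esac
        printf '%s:%s %s uid=%s inode=%s\n' "$ip" "$port" "$scope" "$uid" "$inode"
    done
}

missed_by_loopback_scan() {
    # Listeners that a scan of 127.0.0.1 cannot see: bound to one non-loopback address.
    list_listeners | awk '$2 == "interface-bound" { print $1 }'
}

pid_for_inode() {
    # Map a socket inode (last column above) to the process holding it by walking
    # /proc/*/fd. Assumes Linux /proc; reading other users' fd tables needs root.
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            printf '%s\n' "$fd" | cut -d/ -f3
            return 0
        fi
    done
    return 1
}

echo "Constructed sample:"
printf '%s\n' "$SAMPLE_TABLE" | list_listeners
echo "Missed by a scan of 127.0.0.1 alone:"
printf '%s\n' "$SAMPLE_TABLE" | missed_by_loopback_scan

if [ -r /proc/net/tcp ]; then
    echo "Live listeners on this host:"
    list_listeners < /proc/net/tcp
fi
```

Run it as root on the box itself and follow each inode up with pid_for_inode to tie the
socket to a process; then cross-check the list against an nmap of every address the
host actually has, not just 127.0.0.1. IPv6 listeners live in /proc/net/tcp6 and use
a 32-hex-digit address field, so they need a separate decoder.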
