Security is a thorny issue for many people. One of the
greatest advantages of Linux over a M$ operating system is its high level
of security (especially Redhat v7.1 and above).
The best approach to security is a multi-layered one.
The more layers one has to their security, the more difficult it will
be for a potential intruder to penetrate your system.
The 4 main categories of security are Prevention, Monitoring,
Corrective Action and Recovery.
Generally speaking, your number one form of prevention
is your firewall. This should deal with 99% of all unwanted traffic quickly.
There are then several forms of monitoring tools that
you can use. I would suggest both Portsentry and Tripwire. These perform
different levels of monitoring.
Portsentry attaches itself (listens) to the incoming
network ports on your machine, and assuming your firewall is correctly
configured, you should never hear anything from it.
However, if you accidentally open a port range on your machine
and a request is made to that port, Portsentry will capture it and inform
you that it has done so. For more information on Portsentry read my Portsentry
Tripwire is what is known as an Intrusion Detection System
(IDS). Tripwire builds a database of the important files on your system
and then if any of those files are changed, it informs you that this has
happened. If you have purposely changed the file then you can "ignore"
the changes. However, if you have made no such changes, then it is likely
that you have an unwanted "visitor". For more information on Tripwire
read my Tripwire hints.
Readymade firewall/hardening scripts
There's a pretty good comparison of iptables scripts here that includes some of my favourites, however, as the author suggests in his conclusion, if you can figure out how to run these scripts, then you can probably run iptables on its own without the assistance of any scripts.
Using IP Tables
If you are using Redhat 7.1 or earlier, the default firewall
is ipchains for compatibility reasons. Now while ipchains certainly served
a purpose, iptables is the future and is certainly what you should be
looking to use with the 2.4.x kernels.
First you'll have to remove the ipchains module. Use the
command lsmod and look for ipchains.
If it is there, then use rmmod ipchains.
Then, to start iptables, use chkconfig.
Now you're ready to get started with securing your machine...
unfortunately that's a bit beyond this "hint" type page, but I will list
a few useful iptables commands below:
To ensure all the iptables modules are loaded place the
following lines at the top of your /etc/rc.modules
To drop all traffic from a specific IP address
# iptables --append INPUT --source insert_ip_here --jump DROP
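The hints above (load the netfilter modules, then drop everything you don't want) fit together into a small default-deny script. The one below is an added example written for this page, not a script from the original, and not one of the ready-made scripts linked above. It assumes a 2.4-series kernel (the module names ip_tables, iptable_filter, ip_conntrack, ipt_state, ipt_LOG and ipt_limit are the 2.4 ones), that ssh on port 22 is the only service you want reachable, and the address 192.0.2.10 is a made-up example. "sh firewall.sh dry-run" prints the rules instead of applying them; "sh firewall.sh apply" needs root.

```shell
#!/bin/sh
# Added example, not from the original page: a small default-deny iptables
# script for a 2.4.x kernel host. INPUT drops by default; only loopback,
# replies to connections this host started, and one service port are
# re-opened. block_source is the "drop all traffic from one IP" hint, with a
# rate-limited LOG rule in front of it so the drops show up in syslog.
#
# IPT can be overridden in the environment ("echo iptables" for a dry run).
IPT="${IPT:-iptables}"

# 2.4-series netfilter module names: the filter table, connection tracking,
# the state match, and the LOG target / limit match used by block_source.
load_modules() {
    for m in ip_tables iptable_filter ip_conntrack ipt_state ipt_LOG ipt_limit; do
        modprobe "$m" 2>/dev/null || echo "warning: could not load module $m" >&2
    done
}

# Flush all rules and user chains, then set the default policies. INPUT and
# FORWARD drop unless a later rule accepts; outbound traffic is left open.
reset_firewall() {
    $IPT --flush
    $IPT --delete-chain
    $IPT --policy INPUT DROP
    $IPT --policy FORWARD DROP
    $IPT --policy OUTPUT ACCEPT
}

# Accept loopback traffic and packets belonging to connections this host
# initiated (so DNS answers, web replies and so on still get in).
allow_baseline() {
    $IPT --append INPUT --in-interface lo --jump ACCEPT
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
}

# Accept new TCP connections to one port, e.g. 22 for ssh. Anything not
# opened this way is still dropped by the INPUT policy.
allow_tcp_port() {
    $IPT --append INPUT --protocol tcp --dport "$1" --jump ACCEPT
}

# Drop all traffic from one source address, logging at most 5 packets a
# minute. The LOG rule is inserted after the DROP rule so it ends up first.
block_source() {
    $IPT --insert INPUT --source "$1" --jump DROP
    $IPT --insert INPUT --source "$1" --match limit --limit 5/minute \
        --jump LOG --log-prefix "blocked-src: "
}

main() {
    [ "$IPT" = "iptables" ] && load_modules
    reset_firewall
    allow_baseline
    allow_tcp_port 22
    block_source 192.0.2.10    # constructed example address, not a real host
}

case "${1:-}" in
    apply)   main ;;
    dry-run) IPT="echo iptables"; main ;;
esac
```

Run it in dry-run mode first and read the printed rules; because the policy is DROP, a typo in allow_tcp_port can lock you out of a remote box, so apply it from the console the first time.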
IP Tables resources
iptables is the core of the firewalling functionality
provided with the Linux 2.4 series kernels. This is a massive topic that
I can in no way do justice to in this section, however I can give you
a few hints, and point you in the right direction via my links.
Testing your Firewall
Here are a number of external sites given in no particular
order that will use varying methods to probe your system.
Simple intrusion detection can be performed by using a feature of the RPM database.
# rpm -Va > ~/results.txt
# more ~/results.txt
Scan through the file looking for files that live in /usr/bin
or /sbin. If you find anything (surefire targets include ls, top, ps and
login) then you have almost certainly been compromised. Time to backup
your data and format the system.
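Reading the whole of results.txt by hand is tedious, so here is a filter for it. This is an added example written for this page, not something from the original. It reads rpm -Va output on stdin and prints only the system binaries whose size, MD5 digest or permissions changed; it goes slightly beyond the text by also covering /bin and /usr/sbin, since ls, ps and login live in /bin on Red Hat. The sample output embedded in it is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original page: filter `rpm -Va` output for
# modified binaries in the system command directories.
#
# rpm -Va prints one line per file that failed a check: an 8-character flag
# string (S size, M mode, 5 MD5 digest, D device, L link, U user, G group,
# T mtime), an optional "c" marking a config file, then the path. A "."
# means that test passed; "missing" lines report files that are absent.

# Read rpm -Va output on stdin and print the paths of system binaries whose
# size, MD5 digest or mode changed. Config files (flag "c") are skipped
# because they are expected to differ; a changed mtime alone is not reported.
# Exit status 1 if anything was flagged, 0 if the tree looks clean.
check_rpm_verify() {
    awk '
        $1 == "missing" { next }                    # absent files: not handled here
        $2 == "c"       { next }                    # config files legitimately change
        $NF !~ /^\/(bin|sbin|usr\/bin|usr\/sbin)\// { next }
        $1 ~ /[SM5]/    { print $NF; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample in rpm -Va format (not real output from any host).
SAMPLE_RPM_VA='S.5....T   /bin/ls
.......T   /usr/bin/top
S.5....T c /etc/ssh/sshd_config
SM5....T   /sbin/ifconfig
missing    /usr/lib/libfoo.so.1
S.5....T   /usr/share/doc/README'

# Usage: rpm -Va | sh rpm-check.sh   or call run_sample for the constructed case.
run_sample() {
    printf '%s\n' "$SAMPLE_RPM_VA" | check_rpm_verify
}
```

On the sample, only /bin/ls and /sbin/ifconfig are reported: top changed mtime only, sshd_config is a config file, and the README is not a system binary. Bear in mind that rpm itself and the database it verifies against live on the possibly compromised disk, so a clean run is reassuring but not proof; Tripwire's externally stored database is the stronger check.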
Info to come...
Single User Mode
Reboot and at the LILO splash screen hit CTRL-X.
At the boot prompt type linux 1
to enter single user mode. This will give you root access to your system.
Note that single user mode should really be protected by a password, and the file in which the password is stored should be readable by root only.
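A quick way to check that you have actually done this is the audit function below. It is an added example written for this page, not from the original. It assumes the standard lilo.conf keywords: a global password= line makes LILO ask for the password before booting, and restricted limits the prompt to boots where extra parameters (such as the 1 in linux 1) are typed. Because the password sits in the file in clear text, the file's mode must shut out group and other.

```shell
#!/bin/sh
# Added example, not from the original page: audit a lilo.conf for the
# settings that protect single user mode. After editing the real file,
# run /sbin/lilo so the boot sector is rewritten with the new settings.

# Usage: audit_lilo_conf [path]   (defaults to /etc/lilo.conf)
# Prints one line per problem; returns 1 if any were found, 0 otherwise.
audit_lilo_conf() {
    conf="${1:-/etc/lilo.conf}"
    problems=0
    if [ ! -f "$conf" ]; then
        echo "$conf: not found"
        return 1
    fi
    # A global password= line: without it anyone at the console can boot "linux 1".
    if ! grep -q '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "$conf: no password= line, single user mode is unprotected"
        problems=1
    fi
    # restricted: only boots that pass extra parameters are challenged, so
    # normal unattended reboots still work.
    if ! grep -q '^[[:space:]]*restricted' "$conf"; then
        echo "$conf: no 'restricted' keyword; with it the password is only asked when boot parameters are typed"
        problems=1
    fi
    # Permission string from ls -l, e.g. -rw-------; group and other must be empty.
    mode=$(ls -l "$conf" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *) echo "$conf: mode is $mode, should be readable by root only (chmod 600)"
           problems=1 ;;
    esac
    return $problems
}
```

Running audit_lilo_conf with no argument checks /etc/lilo.conf; a zero exit status means all three conditions hold.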