
Security is a thorny issue for many people. One of the greatest advantages of Linux over a M$ operating system is its high level of security (especially Redhat v7.1 and above).

The best approach to security is a multi layered one. The more layers one has to their security, the more difficult it will be for a potential intruder to penetrate your system.

The 4 main categories of security are Prevention, Monitoring, Corrective Action and Recovery.

Generally speaking your number one form of prevention is your firewall. This should deal with 99% of all unwanted traffic quickly and efficiently.

There are then several forms of monitoring tools that you can use. I would suggest both Portsentry and Tripwire. These perform different levels of monitoring.

Portsentry attaches itself (listens) to the incoming network ports on your machine, and assuming your firewall is correctly configured, you should never hear anything from it.

However if you accidentally open a port range on your machine and a request is made to that port, Portsentry will capture it and inform you that it has done so. For more information on Portsentry read my Portsentry hints.

Tripwire is what is known as an Intrusion Detection System (IDS). Tripwire builds a database of the important files on your system and then, if any of those files are changed, it informs you that this has happened. If you have purposely changed the file then you can "ignore" the changes. However if you have made no such changes, then it is likely that you have an unwanted "visitor". For more information on Tripwire read my Tripwire hints.

Readymade firewall/hardening scripts

There's a pretty good comparison of iptables scripts here that includes some of my favourites, however, as the author suggests in his conclusion, if you can figure out how to run these scripts, then you can probably run iptables on its own without the assistance of any scripts.

Using IP Tables

If you are using Redhat 7.1 or earlier the default firewall is ipchains for compatibility reasons. Now while ipchains certainly served a purpose, iptables is the future and is certainly what you should be looking to use with the 2.4.x kernels.

First you'll have to remove the ipchains module. Use the command lsmod and look for ipchains.

If it is there, then use rmmod ipchains

Then to start iptables use chkconfig iptables on.

Now you're ready to get started with securing your machine... unfortunately that's a bit beyond this "hint" type page, but I will list a few useful iptables commands below:

To ensure all the iptables modules are loaded place the following lines at the top of your /etc/rc.modules file:

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

To drop all traffic from a specific IP address

# iptables --append INPUT --source insert_ip_here --jump DROP

IP Tables resources

iptables is the core of the firewalling functionality provided with the Linux 2.4 series kernels. This is a massive topic that I can in no way do justice to in this section, however I can give you a few hints, and point you in the right direction via my links.

http://www.linuxguruz.org/iptables/

Testing your Firewall

Here are a number of external sites given in no particular order that will use varying methods to probe your system.

http://www.cablemodemhelp.com/portscan.htm
http://www.grc.com/
http://www.hackerwatch.org/probe
http://www.hackerwhacker.com
http://www.secure-me.net
http://www.vulnerabilities.org/analysis.html
http://www.nessus.org

Intrusion Detection

Simple intrusion detection can be performed by using a feature of the RPM database.

# rpm -Va > ~/results.txt

# more ~/results.txt

Scan through the file looking for files that live in /usr/bin or /sbin. If you find anything (surefire targets include ls, top, ps and login) then you have almost certainly been compromised. Time to backup your data and format the system.
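As an added example (not from the original page), the shell function below does that scan mechanically: it reads rpm -Va output, ignores files whose size ('S') and digest ('5') tests still pass, and prints the changed files under /bin, /sbin, /usr/bin and /usr/sbin (slightly broader than the two directories named above). The sample verify output it is run on here is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Each 'rpm -Va' line looks like:    S.5....T.  c /etc/passwd
# Column 1 is the verify string: S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities; '.' means the test
# passed and '?' means it could not be run. An optional one-letter file
# type (c config, d doc, g ghost, l license, r readme) precedes the path.
# Lines for absent files read "missing <path>" instead.

# Read rpm -Va output on stdin and print the paths of system binaries
# whose size or digest no longer matches the RPM database.
flag_suspect_binaries() {
    while read -r flags rest; do
        # Skip "missing" lines, blanks, and anything not a verify string.
        case "$flags" in
            ""|*[!SM5DLUGTP.?]*) continue ;;
        esac
        # Strip the optional file-type letter so $path is the real path.
        case "$rest" in
            [cdglr]\ /*) path=${rest#* } ;;
            *) path=$rest ;;
        esac
        # A replaced binary trips the 'S' and/or '5' test; mtime or
        # mode changes alone are far less telling.
        case "$flags" in
            *S*|*5*) ;;
            *) continue ;;
        esac
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample of rpm -Va output (not from a real system).
SAMPLE='S.5....T.    /usr/bin/ls
.......T.    /usr/bin/top
S.5....T.  c /etc/passwd
missing      /usr/share/doc/foo/README
.M.......    /sbin/ifconfig
SM5....T.    /sbin/login'

# Run the filter over the sample; on a live box use: rpm -Va | flag_suspect_binaries
check_sample() {
    printf '%s\n' "$SAMPLE" | flag_suspect_binaries
}

check_sample
```

Only /usr/bin/ls and /sbin/login are reported from the sample: the mtime-only change to top and the mode-only change to ifconfig are not flagged, and the altered /etc/passwd lies outside the binary directories.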

PortSentry

Info to come...

Tripwire

Info to come...

Single User Mode

Reboot and at the LILO splash screen hit CTRL-X.

At the boot prompt type linux 1 to enter single user mode. This will give you root access to your system.

Note that single user mode should really be protected by a password, and the file in which the password is stored should be accessible by root only.




Site hand crafted with skill and care by www.darkglobe.org :o)