What do you do for security?

hotsauce · 2006-03-07 13:51:07

Hi everyone!

I have to come clean with you guys, I have been on linux for about a year and a half and with arch for about 4-5 months but was always to lazy to really dive into system hardening. I have been quite lucky so far with only trusting my router for firewalling and pretty much leaving the rest alone. Of course I do -Syu pretty just about every day, but I still consider I don't do much.

So the question is: On a virgin arch install (home, desktop, work, etc.) what kind of security measures do you guys usually apply?

Ciao

hotsauce

lumiwa · 2006-03-07 14:39:50

hotsauce wrote:

Hi everyone!
I have to come clean with you guys, I have been on linux for about a year and a half and with arch for about 4-5 months but was always to lazy to really dive into system hardening. I have been quite lucky so far with only trusting my router for firewalling and pretty much leaving the rest alone. Of course I do -Syu pretty just about every day, but I still consider I don't do much.
So the question is: On a virgin arch install (home, desktop, work, etc.) what kind of security measures do you guys usually apply?
Ciao
hotsauce

I have a standalone computer and I use Shorewall Firewall.

wrj · 2006-03-07 15:20:44

I have a standalone machine acting as a router and firewall. It's a lean build of debian with a custom firewall.

Gullible Jones · 2006-03-07 20:36:31

Isn't "lean build of Debian" a bit oxymoronic?

*runs*

wrj · 2006-03-07 21:04:45

true ...

I guess I thought it was lean at the time. That was before I tried arch. Time to update my lingo ... better yet ... update my machine

Neuro · 2006-03-07 21:44:33

Same here.. a separate firewall machine running Slackware + custom firewall scripts.

Apart from that, good paswords. I mean 9-12 characters long ones with letters, numbers and special characters. For a desktop , I think nothing else is needed. But if you think about using it as a server in a truly multi-user environment, tighten the perms in filesystem a bit and perhaps apply grsec patches.

Gullible Jones · 2006-03-08 00:06:21

I thought X wouldn't run with GrSec?

_Gandalf_ · 2006-03-08 00:13:28

Seperate Firewall machine running IPCOP all ports are closed except the ones i really want to open, like some NON standard ports for Azureus, i don't really care now about soem intruders, even if they could enter my network, there's a Good password to hack which i think it's impossible with

FAIL_DELAY              60

in /etc/login.defs, can somone really be that patient to hack a 15/20 chars pass with 1 min between each try, hmm i don't think so

LB06 · 2006-03-08 17:50:30

This is what I do on my (non-Arch) server:
- Alter limits.conf to limit the amount of concurrent proccesses that can be run (both system wide and per user).
- Set a password on GRUB and BIOS, to prevent anyone from custom booting anything.
- Run SSH on a non standard port and allow access from certain ranges only (local, university, work)
- Install mod_security and mod_suid on apache.
- Install sudo (we have multiple administrators, and sharing a password is not desirable)
- Allow su and sudo from admin group only.

etc. etc.

jaboua · 2006-03-09 13:43:12

I dont have any external firewall, but I use an iptables setup which wont allow incoming connections unless that specific port (or IP, etc) is specificly mentioned for iptables. I always forget if it's named inclusive or exclusive firewall :oops:

In addition I've setup kernel-level antispoof (source verification or something like that) and a few other sysctl's

soloport · 2006-03-09 14:30:40

One technique I rely on is to port knock (knock numbers have been altered, of course):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TRAFFIC - [0:0]
:SSH-INPUT - [0:0]
-A INPUT -j TRAFFIC
-A FORWARD -j TRAFFIC
# Accepted
-A TRAFFIC -i lo -j ACCEPT
-A TRAFFIC -s 192.168.0.0/24 -j ACCEPT
-A TRAFFIC -p icmp --icmp-type any -j ACCEPT
-A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Knocking
# Use either port 4844 or port 3633 to close knocking
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH1 -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH1 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 3633 -m recent --rcheck --name SSH0 -j SSH-INPUT
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH0 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 4844 -m recent --name SSH0 --set -j DROP
--name SSH0 --set -j DROP
-A SSH-INPUT -m recent --name SSH1 --set -j DROP
# Others
-A TRAFFIC -j DROP
COMMIT

Think of this as a simple state machine. You have to knock in sequence or the state goes back to zero. Therefore, to close the port, you simply knock once more, out-of-sequence (i.e. using 4844 or 3633 in the example).

I use the following script (knock.sh) to automate knocking:

#!/bin/bash
# $1 host name or IP address
nmap -P0 --host_timeout 201 -p $2 $1 &> /dev/null
nmap -P0 --host_timeout 201 -p $3 $1 &> /dev/null

So to knock open port 22: sh ~/knock.sh hostname.com 4844 3633

IPTABLES will honor access ONLY from the IP address that knocked (i.e. all other IP addresses will still see port 22 as closed). That's got to be the coolest part of the deal!

Another nicety is that this works with any platform (RH, SuSE, *BSD) that supports IPTABLES.

NOTE: Don't forget to open the knocking ports on your DSL / Cable router, as you would port 22.

hotsauce · 2006-03-09 22:21:05

Well thanx a lot people for all your input. Honestly I was secretly hoping for something a tiny bit more exotic like intrusion detection or something else

But I guess the next step for me is to learn how to use iptables properly.

So thanx again, cheers

hotsauce

Neuro · 2006-03-09 22:47:41

Gullible Jones wrote:

I thought X wouldn't run with GrSec?

I don't know really. But who runs X on a server?

hotsauce wrote:

Honestly I was secretly hoping for something a tiny bit more exotic like intrusion detection or something else Laughing

Actually if you're looking for a way to tighten up your desktop computer/home network, an IDS is like using an air-to-air missile to shoot down flies

The GNU/Linux is provides a sensible level of security, as long as it's properly configured. Finetuning services, filesystem permissions, running a basic firewall + monitoring logs would do the job just fine in a non-production environment.

Romashka · 2006-03-10 08:24:10

I use simple but very restrictive firewall on my server that guards large Windoze network.
Maybe I should try to disconnect Power and Reset too :twisted:

postlogic · 2006-03-10 09:29:14

I use a, perhaps too simple, firewall script using iptables. I just started learning iptables, so it's far from done. But it works nonetheless.

IMHO, the wiki could use an entry or two on iptables and security in general.

For example on how to stop fork bombs and similar. I didn't even know there were measures to hinder it before I accidentally stumbled upon something mentioning it and how to fix it. It'd be especially nice to have something covering some setting up logging after setting up the iptables script.. Just my 2 cents.

Anyway, yes, security is nice. I used to run firestarter, but it didn't really make me feel comfortable, since it only has so many options.

LB06 · 2006-03-10 21:53:32

hotsauce wrote:

Well thanx a lot people for all your input. Honestly I was secretly hoping for something a tiny bit more exotic like intrusion detection or something else

Well port knocking is certainly an eligible candidate if you ask me

Another tenchnique that we apply to some servers is to allow SSH access only from one IP. So if one wants to access that particular server, one has to go though another one. This is to make sure that our servers can't possibly be bruteforced directly.

hotsauce · 2006-03-11 13:56:45

LB06 wrote:

Well port knocking is certainly an eligible candidate if you ask me

Sounds like that, but I'm not too sure if I really know what you are talking about. hehe, that's why I didn't mention it.

But I will read on it I will

thanx for that

hotsauce

jesus franco · 2006-03-11 20:32:23

Some good articles to read.
http://www.securityfocus.com/infocus/1416
http://www.linuxjournal.com/article/6222

Software to checkout
http://www.intersectalliance.com/projects/Snare/
http://www.chkrootkit.org/ (its in the repos)

And check out the gentoo iptables guide. Very helpfull.
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

I run chrootkit, iptables, strong passwords, and check my system every friday using tips found on the articles above.

I would recomend using this password strength meter to see strong your password really is.

If your really paranoid or use arch for production check out the LIDS kernel patches and try building them on arch.

kozaki · 2006-03-11 21:09:14

_Gandalf_ wrote:

i don't really care now about soem intruders, even if they could enter my network, there's a Good password to hack which i think it's impossible with
FAIL_DELAY              60
in /etc/login.defs

Gandalf > is that normal that entering the wrong password let me re-type it & succesfully login instantly, even after i have edited this login.defs file then rebooted ?
I tried that on both my gateway (by SSH) & my home computer jsut after reading your post.

Arch Linux

#1 2006-03-07 13:51:07

What do you do for security?

#2 2006-03-07 14:39:50

Re: What do you do for security?

#3 2006-03-07 15:20:44

Re: What do you do for security?

#4 2006-03-07 20:36:31

Re: What do you do for security?

#5 2006-03-07 21:04:45

Re: What do you do for security?

#6 2006-03-07 21:44:33

Re: What do you do for security?

#7 2006-03-08 00:06:21

Re: What do you do for security?

#8 2006-03-08 00:13:28

Re: What do you do for security?

#9 2006-03-08 17:50:30

Re: What do you do for security?

#10 2006-03-09 13:43:12

Re: What do you do for security?

#11 2006-03-09 14:30:40

Re: What do you do for security?

#12 2006-03-09 22:21:05

Re: What do you do for security?

#13 2006-03-09 22:47:41

Re: What do you do for security?

#14 2006-03-10 08:24:10

Re: What do you do for security?

#15 2006-03-10 09:29:14

Re: What do you do for security?

#16 2006-03-10 21:53:32

Re: What do you do for security?

#17 2006-03-11 13:56:45

Re: What do you do for security?

#18 2006-03-11 20:32:23

Re: What do you do for security?

#19 2006-03-11 21:09:14

Re: What do you do for security?

Board footer