How to make Linux more secure?

Discussion in 'other software & services' started by bktII, May 5, 2006.

Thread Status:
Not open for further replies.
  1. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    This is not a post to discuss whether or not Linux is more secure than Microsoft Windows. Instead, I am curious to know what people have done in order to make their Linux workstations more immune to compromise and/or attack.

    If you believe that the various Linux organizations are just more proactive in generating and distributing patches than is Microsoft and all you do is apply patches as soon as they are released, just say so.

    I will go first:

    Devices
    SMC Router w/SPI
    No direct access to Windows partition (In Linux extended partition, created FAT32 volume to move files back and forth)

    OS Hardening
    No servers (file, database, web, mail, etc.) (MySQL/PostgreSQL started and stopped manually when needed)
    TCP services, /etc/host.allow and /etc/host.deny, allow for local access only
    No root logon
    Logon requires both login name and password
    Use sudo via /etc/sudoers and visudo command
    Apply kernel patches approx. twice per week
    /etc/fstab set so that /tmp and /home are noexec and nosuid (I toggle /tmp when necessary, e.g., for Netbeans install)

    Applications
    Safe hex.
    Firestarter firewall GUI for iptables
    AIDE (Advanced Intrusion Detection Environment) runs daily and cron sends me mail
    Periodically review system logs, services and running processes
    Thunderbird Bayesian filtering for spam
    Apply application updates approx. twice per week (Manually reinstall as necessary, e.g., Opera)
    Trojan-scan (A poor man's trojan detector in the form of a script)
    NMAP
    Weekly (approx.) rootkit scans with rkhunter and chkrootkit
    F-Prot Anti-Virus for Linux (Infrequent system virus scans along with scan of all manual downloads from web and email attachments)
    Update AV signatures manually every week or two
    Update rkhunter database manually every week or two
    Terabyte Unlimited's Image for Windows creates partition images with frequency of 1 to 4 weeks
    Firefox and Opera clear history, cookies and cache on application exit.

    Regards,

    bktII
     
  2. dog

    dog Guest

  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  4. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    dog and TNT,

    Thank you both for your replies. However, I'm afraid I did a poor job of posing my question.

    What I was after was a Linux version of the current MS Windows OS thread at Wilders entitled "What is your security setup these days?" located here:

    https://www.wilderssecurity.com/showthread.php?t=111264

    Regards,

    bkt

    P.S. to dog I currently use AIDE in lieu of Tripwire. Are you recommending Tripwire over AIDE? Also, after installing Linspire 3-4 months back (I use Ubuntu and Fedora Core now), I tried Bastille and ended up locked out of both my root and non-root accounts! Clearly I am a klutz. I read an online review of Bastille beforehand where, after running Bastille, some guy was getting 25 emails per second coming into his mailbox! Clearly I am not the only klutz! There are at least two of us.

    P.S. to TNT I will spend some time this weekend reviewing the links you provided.
     
  5. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    The only things that I use at the moment are a router and spamassassin with evolution mail and no connection to the windows-partition.
    I (try) to practice safe hex, but I've always done that, it's a powerful weapon.

    Lamehand
     
  6. dog

    dog Guest

    I've never tried AIDE ... Bastille disables some things you may not think of/consider, but the descriptions have to be carefully read, or you'll disable more than you want (like mounting CDs/DVDs) ... I've never seen an option for any kind of emails with Bastille (Are you sure you're referring to the right program? I think you mean Tripwire - screenshot of Bastille below).

    Currently I'm not using Tripwire, I'm using the Security Audits available in Mandriva - which sends the odd email. I also use Kiosk for disabling settings for users, run WXChecksums once in a blue moon in addition to the audits, and one or two that I can't think of ATM off the top of my head. But that's it really ... The software firewall I use is Guard Dog, and Clam is installed as an AV, but never used. That's about it.

    Steve
     


  7. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    dog,

    Yes, I'm sure it was Bastille; however, my recollection is that the mail flood experienced by this user was a "consequence" of one of the Bastille options he selected rather than an explicit mail-related option in Bastille of which you correctly state there are none.

    I did a quick search to try and locate this user's review and came up empty. It may have been removed or I may not be using the same keywords I used to locate the review several months ago. If I find it I will post.

    Thanks for the information on Kiosk and WXChecksums, I'll take a look at these.

    Regards,

    bktII
     
  8. dog

    dog Guest

    Here's a screen of Kiosk ... the WXChecksums is the same as any other checksum utility ... it does have a nice frontend. ;)
     


  9. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, what do you do to "toggle /tmp" to noexec? i'd do the same if there's a one click solution.

    i've done loads of stuff to harden Ubuntu, but i can't remember it all. these are things i can remember.

    disabled/uninstalled un-needed stuff like bluetooth

    put ALL: ALL in deny.hosts although i have nothing in allow.hosts :rolleyes:

    added these lines to /etc/security/limits.conf to spot Fork Bombs
    @users soft nproc 100
    @users hard nproc 150

    run rkhunter on a daily cron, i think that's it's default

    i have a script to encrypt files
    http://rob.pectol.com/myscripts/encryption.sh.txt

    i'm thinking of installing Libsafe, although it's not maintained atm and there are some problems with libc5, but i don't have that lib.
    this is where i found a lot of the stuff i've done
    http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html#contents
    a lot of the stuff i like from above is mentioned here under Password hygiene and login security
    http://www.debianhelp.co.uk/security.htm

    i've got some nice network tools too.
    traceproto
    ethereal
    etherape
    there's some nice CLI tools i got but i can't remember them right now.
     
    Last edited: May 6, 2006
  10. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    dog,

    I found the article referenced above. My memory is more or less intact; you can decide whether it is more or less! On second reading, it appears to be more related to user error than Bastille. Here is an excerpt and the link:

    http://yellowbugcomputers.com/techdocs/lessonslearned.html

    Iceni,

    Thanks for the reply. I was playing with words a bit wrt "toggle". Here is an excerpt of my /etc/fstab file for the /tmp partition:

    # /etc/fstab: static file system information.
    /dev/sda8 /tmp ext3 defaults,nosuid,noexec 0 2
    #/dev/sda8 /tmp ext3 defaults 0 2

    My normal operating state for /tmp is currently uncommented (i.e., nosuid, noexec). If I need to do an install that must use /tmp, I comment the first one and uncomment the next one and reboot. Then I install the software (netbeans comes to mind, maybe Sun's jdk too?). Once installed, I reverse the changes in the /etc/fstab file and reboot again.

    I read in one of the many tutorials on securing Linux that /tmp left unsecured has been a significant security hole. This is probably more true for Linux servers than a workstation. I believe that another option would be to make /tmp executable only for root.

    Regards,

    bktII
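As an added example (not part of the post above or of any tool it names), here is a small POSIX shell check that reads the same fstab layout the excerpt shows and reports which of the required options (noexec, nosuid) a mount point's active entry lacks. The sample fstab is constructed for this example; the second function applies the same parser to /proc/mounts, whose columns line up the same way, so it can compare the persistent setting against what is actually mounted right now.

```shell
#!/bin/sh
# Constructed sample /etc/fstab, modelled on the excerpt in the post above.
# The commented-out /tmp line is the "toggled off" state the post describes.
SAMPLE_FSTAB='# /etc/fstab: static file system information.
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda8 /tmp ext3 defaults,nosuid,noexec 0 2
#/dev/sda8 /tmp ext3 defaults 0 2
/dev/sda9 /home ext3 defaults,nosuid 0 2
/dev/sda5 none swap sw 0 0'

# Print one line "<mountpoint> <option>" for every required option that the
# active (non-comment) entry for that mount point lacks. A mount point with
# no entry at all is reported as missing every option.
#   $1: fstab (or /proc/mounts) text   $2: mount point   $3...: required options
fstab_missing_opts() {
    fstab=$1; mp=$2; shift 2
    # column 4 holds the comma-separated option list in both fstab and /proc/mounts
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }')
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                       # option present
            *) printf '%s %s\n' "$mp" "$want" ;;  # option missing
        esac
    done
}

# Same check against the live mount table instead of the persistent fstab,
# so a reboot that was forgotten after editing fstab shows up as a mismatch.
#   $1: mount point   $2...: required options
live_missing_opts() {
    fstab_missing_opts "$(cat /proc/mounts)" "$@"
}

# Example run on the constructed sample: /tmp is clean, /home lacks noexec.
fstab_missing_opts "$SAMPLE_FSTAB" /tmp noexec nosuid
fstab_missing_opts "$SAMPLE_FSTAB" /home noexec nosuid
```

On a real machine, `fstab_missing_opts "$(cat /etc/fstab)" /tmp noexec nosuid` and `live_missing_opts /tmp noexec nosuid` are the two calls to compare. The post's edit-and-reboot cycle is not the only way to flip the options: as root, `mount -o remount,noexec,nosuid /tmp` (and `mount -o remount,exec /tmp` to undo it) changes the live state without a reboot, which the second function will then reflect; that remount alternative is my addition, not something the poster describes.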
     
  11. dog

    dog Guest

    A couple of other tips ... to shred files within a folder (i.e. temp folder - as it shreds every file within the folder you have ownership of) ... open a console in that directory ... and use

    find -type f -execdir shred -u -v -z '{}' \;

    then

    rm -rf *

    EDIT: For single file shredding use the shred command with whatever options (-u = remove, -v = verbose, -z = final write of zeros) and then the path/file (the default number of passes is 25 unless specified otherwise. ;) example: shred -u -v -z /home/user/documents/example.pdf

    *******

    Now if you're using a journaled FS ... simple shredding isn't enough ... you need to overwrite all free space - which has to be done from root because of the reserve held for it. Use either

    cat /dev/urandom > DELETEME ; sync ; sleep 1 ; rm -f DELETEME

    or

    cat /dev/zero > DELETEME ; sync ; sleep 1 ; shred -un1 DELETEME


    The second is slightly faster. ;)
     
    Last edited by a moderator: May 7, 2006
  12. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    Now I'm confused, I've read this thread on the ubuntu forums about implementing a firewall and antivirus and the people 'in the know' say: nonsense, you don't need it, just keep your packages up to date because that is the way to keep the core protected against mishaps like buffer overflows and such.
    They say outbound protection from a firewall is useless because in a standard install there are no 'strange' services running and antivirus is not needed because there are no viruses in the wild for linux; on top of that, if you get a virus it would take four or five conscious steps to install it.

    So what to do? Who is right about this?

    regards
    Lamehand
     
  13. dog

    dog Guest

    No, I'd agree generally, neither are all that important ... the AV I could do completely without. The firewall isn't important either, iptables is more than enough. ;) I use the firewall more as a restriction ... only allowing connections out of certain ports.
     
  14. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    OK, I understand it, this would be getting more important if I were running a service of some kind with outbound connections, and then you want to keep tabs on those connections of course.

    Lamehand.
     
  15. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    Lamehand and dog,

    This is my take and please understand that I am no security expert, but have read a bit about linux security, probably much like yourself. I am also a bit paranoid, perhaps a carryover from MS Windows.

    The vast majority of signatures in Linux AV products are for MS Windows. Only a very small, or even tiny, fraction are for Linux.

    I run an on-demand AV in Linux for three reasons:

    (1) to be a good "net" citizen as I may send out emails with attachments to others and I would not want to send an infected file and contribute to the spread of malware. Also, even if the recipient's ISP scans attachments with an AV, no AV is perfect.
    (2) to protect myself. Sometimes if I am surfing in Linux I run across a file that I will want to use in Windows and I download it. Ditto for email attachments. I scan the file immediately after downloading and before placing in my FAT32 shared partition. I also scan the same file again, with a different AV, when I return to Windows. This provides a bit better coverage than a single AV in Windows; again no AV is perfect.
    (3) to protect myself against the very small chance of encountering a Linux virus. Again, there aren't many of these.

    Your mileage may vary on this. It is purely a risk management decision.

    Regarding inbound protection, as you already have a router, I assume with SPI, a software firewall would be redundant. However, one of my two PCs that I use to multi-boot is a notebook. If I travel, I leave my router behind and use a dial-up modem to access the internet. In this case, I already have an iptables-based firewall up and running. There is not much of a memory or CPU hit. Of course, at home it is truly redundant. I also have it operational on my desktop PC (see below).

    Regarding outbound protection, my concern (and it may be pure paranoia) is MIRRORS and other download sites I visit via a web browser. Linux updates and installs hit mirrors located all over the planet. The Linux package managers I use employ checksums which monitor whether a file has been modified or not. Thus, I believe that there is some substantial built-in protection. I also use MD5 checksums when I download a file from a web site, provided an MD5 value is available. But they are not always available.

    For outbound protection I do two things:

    (1) visually monitor TCP/UDP connections on my GUI front-end to iptables (Firestarter) with built-in WhoIs capability. An alternative is to periodically use the Linux command netstat.

    (2) monitor TCP/UDP connections with a script called trojan-scan that sends me local mail if executables unlisted in a config file (this is simplified) initiate TCP/UDP connections. This script is more of a very simple firewall log than anything else.

    Also, see TNT's post above (I have repeated here):

    Again, your mileage may vary on this. It is purely a risk management decision.

    Hopefully, some of the more knowledgeable forum posters will respond to my take on this as well.

    Regards,

    bktII
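The outbound check in point (2) of the post above, the trojan-scan idea of comparing the programs behind live TCP/UDP connections against a list of expected ones, as an added example in POSIX shell. This is not the trojan-scan script itself; the netstat -tunp output, the allowlist and the program name "mystery-bin" are all constructed for the example, and the alert is printed rather than mailed so it runs offline.

```shell
#!/bin/sh
# Constructed sample of `netstat -tunp` output, as seen when run as root so
# that the PID/Program column is filled in. Addresses, PIDs and program
# names are made up for this example.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:44322      203.0.113.5:443         ESTABLISHED 2231/firefox
udp        0      0 192.168.1.10:47081      192.168.1.1:53          ESTABLISHED 612/dnsmasq
tcp        0      0 192.168.1.10:50112      198.51.100.7:6667       ESTABLISHED 4410/mystery-bin
tcp        0      0 192.168.1.10:35560      192.0.2.9:80            ESTABLISHED -'

# Programs expected to open network connections, one per line as a config
# file would hold them. Constructed for this example.
ALLOWED_PROGRAMS='firefox
dnsmasq'

# Print "<program> <remote address:port>" for every connection whose owning
# program is not on the allowlist. A bare "-" in the PID/Program column
# means netstat could not identify the owner (typically: not run as root);
# that is reported as "(unknown)" instead of being silently passed.
#   $1: netstat -tunp output   $2: allowlist (whitespace/newline separated)
unlisted_connections() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(allow, a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        $1 ~ /^(tcp|udp)/ {
            # last column is PID/Program; "-" has no "/" and yields one field
            prog = (split($NF, pp, "/") >= 2) ? pp[2] : "(unknown)"
            if (!(prog in ok)) print prog, $5
        }'
}

# Wrap the check as a cron-style job: return 1 and print a report when
# anything unexpected is found, 0 otherwise. On a real host the printf would
# be replaced by piping the report to local mail, as the post describes.
#   $1: netstat -tunp output   $2: allowlist
report_unlisted() {
    findings=$(unlisted_connections "$1" "$2")
    if [ -n "$findings" ]; then
        printf 'Unexpected network connections:\n%s\n' "$findings"
        return 1
    fi
    return 0
}

# Example run on the constructed sample.
report_unlisted "$SAMPLE_NETSTAT" "$ALLOWED_PROGRAMS"
```

Live use is `report_unlisted "$(netstat -tunp 2>/dev/null)" "$(cat /etc/trojan-scan.allow)"` from a root cron entry, with /etc/trojan-scan.allow being a placeholder path of my choosing. Two limits worth keeping in mind, both already implied elsewhere in the thread: an allowlist by program name trusts the name the kernel reports, so a binary renamed to match an allowed one passes; and the check only sees what netstat is shown, which is exactly what a rootkit hides, so it complements rather than replaces the rkhunter/chkrootkit scans the first post lists.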
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    No mention yet of the biggest Linux security tool, but more for experts/tweakers - GRSecurity.

    For outbound application filtering, TuxGuardian seems to be the only option in Linux. Such filtering still has a role in cases where you wish to control or limit an application's Internet access (e.g. restricting a browser to access via an anonymising proxy only to prevent any exploits that could otherwise cause it to make a direct connection with a website or blocking email clients from web access to prevent them from downloading embedded web bugs).

    With regard to file shredding, those who consider themselves at risk of forensic examination (which is what shredding addresses) should find encrypting their entire filesystem (and swap partition) a more secure option which would likely involve fewer overheads. A script that constantly writes data to disk can have its downsides.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I'm by no means a great Linuxian, but I find that firewall and av are more than enough security. I use built-in firewall product with Suse 10 and BitDefender / AVG anti-virii, more out of habit than anything else.
    Mrk
     
  18. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Москва
    For me SELinux is the way to secure Linux machines. You can create your own rules for it, and it compares with "behaviour blocking" on Windows.

    You need some knowledge of Linux to integrate it in your favorite distribution. Red Hat (Fedora) includes SELinux in their official releases. I've managed to equip Ubuntu with SELinux some months ago.

    http://www.nsa.gov/selinux/
     
  19. dog

    dog Guest

    Never tried TuxGuardian ... it seems interesting, for now GD does what I need it to ... I'll give it a try eventually. Thanks :)

    P2K ... even encrypted files need to be shredded. (I could be forced to give up the key :ninja: ) ;) Yes what I mentioned isn't a daily task, but a monthly one for me.
    I have FC5 installed to play with it. :) We'll see how it goes.
     
    Last edited by a moderator: May 7, 2006
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I can just picture the interrogation session: :D

    "Here boy! Nice big bone for you if you drop that key! No, don't bury it, just drop it there - gooooood doggie!" *pat pat*
     
  21. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    A question regarding TuxGuardian:

    From the TuxGuardian link, package requirements for tuxguardian are as follows:

    For the most recent Ubuntu Linux kernel, 2.6.12-10, I have all required packages except for the kernel-source. The kernel-source file I do have is kernel-source-2.6.11-7, for an older version of the kernel. Is there a lag between the kernel and the kernel-source?

    Which is more secure, staying with the current kernel w/o TuxGuardian or going back to the 2.6.11-7 kernel and implementing TuxGuardian?

    I am inclined to stick with the most recent kernel w/o TuxGuardian as that includes recent patches as well. SecurityFocus.com has lots of issues wrt the linux kernel that generally get patched pretty quick.

    bktII
     
  22. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i've looked at GRSecurity but it looks like it needs to be built using a 'vanilla' kernel and could conflict with the Ubuntu patches, i'm too scared to try it out in case i have problems. have you ever tried it with a debian based distro?

    there are other kernel patches too like paxctl which is used in GRSecurity and has an Ubuntu version, i might try that.
    http://packages.ubuntu.com/breezy/admin/paxctl
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    No, you will need to update your kernel source to match your kernel. If TuxGuardian needs to compile against the source, this has to match the code you are running or things will likely break.
    Not done anything with grsecurity aside from perusing its documentation and cowering at its possible complexity... :) That's why I've suggested it here, to let others do the hard work of installing and testing it! :D
     
  24. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    iceni,

    I've had libsafe installed for awhile now on Ubuntu; forgot to mention it.

    Here's some output:

    $ ldd /bin/ls
    /lib/libsafe.so.2 (0xb7fde000)
    linux-gate.so.1 => (0xffffe000)
    librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0xb7fc7000)
    libacl.so.1 => /lib/libacl.so.1 (0xb7fc0000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e92000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7e8e000)
    libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7e7b000)
    /lib/ld-linux.so.2 (0xb7fe7000)
    libattr.so.1 => /lib/libattr.so.1 (0xb7e77000)

    bktII
     
  25. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hmm, it seems we had the same idea :D

    it's quite hard getting help for Linux security, most users are just happy with the defaults. when i do searches at Ubuntuforums for a security program i've found half the time there are no search results. although the mailing list seems to have more knowledgeable people.
    https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

    thanks, i might try it then if you haven't found any problems using it. i'll do some reading. it would be good to know when it's being used to test it out. does it look like it's used a lot, or with just a few things like ls?
     