Securing linux

Discussion in 'other software & services' started by djg05, Aug 24, 2007.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I am thinking about trying out PCLinux on my other computer. I know that viruses and malware do not currently pose a threat, but how about tracking from the likes of DoubleClick, Google-Analytics etc.? Does Linux use a hosts file or similar?
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,
    Site threats are cross-platform. So dealing with those is very simple. Make sure the scripts on those sites cannot run on your PC. The simplest method is to use Firefox with the NoScript extension.
    Mrk
     
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504

    Thanks

    Thought they would be. The preferred browser is Opera - does that protect as well? I thought that it was more secure than the basic FF.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,
    Both are great, just a matter of preference.
    Regarding per-site control, FF / NoScript gives you the greatest possible flexibility of all browser solutions. In Opera you can accomplish the same, but sometimes there might be some glitches with a few sites.
    Try them both, see what fits your bill the best.
    Mrk

    P.S. I would not worry about double click, triple click, analytics and such.
     
  5. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    You would use what Opera provides.

    The hosts file in Linux is located in /etc

    Privoxy is in the PCLOS repo :)

    And what Mrkvonic said :D
     
  6. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504

    Thanks for that
     
  7. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks Mrk

    Just going through your tutorial (thanks for taking the time to do that); it seems to be more complex than when I installed Ubuntu a while back - from memory it was more or less automatic. The auto wizard in PCLOS doesn't think 9.2 GB is enough. I am now on my 3rd attempt, as I made mistakes and then it just froze. Seems to be doing more this time.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    The tutorial is more than just simple installation - it's also the configuration afterwards, no less important. As to the complexity, I think I have described almost every step in real detail, so there should be no questions.

    One of the things new users need is 100% walkthroughs, not something like "open Synaptic and install x y" - they need to know what Synaptic is, where to find it, how to install etc. It does seem a bit of extra info, but it's for the best.

    As to your partitions, well I'm not sure what you're doing, but even 8GB should work, if not less.

    Mrk
     
  9. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks

    It is up and running now and got the browsers installed.

    It is really for my wife. She only uses it for browsing and was getting fed up with all the pop-ups from malware warnings, and often clicked allow when she should not have, so I thought she would be safer in Linux. So far she likes it.
     
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    The hosts file is here -
    /etc/hosts

    I've no idea how PCLOS works, but you should be able to open the hosts file if you run these commands in a terminal -
    su (then enter your root password)
    kwrite /etc/hosts
    kwrite is a text editor; if PCLOS doesn't have kwrite, try replacing it with gedit or kate

    rkhunter is a nice program for finding rootkits and helping secure your OS. I'm not sure, but it might keep checksums for important files and then check those checksums when it's run in the future; if that's how it works, run it as soon as possible like this -
    sudo rkhunter --update
    sudo rkhunter --checkall
     
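An added example, not taken from any post in this thread, of doing what the two posts above describe with a script instead of by hand in kwrite: merge tracker hostnames into a hosts file without adding duplicates. The domain names are a constructed sample, not a maintained blocklist, and the functions take the file path as an argument so you can try them on a scratch copy before running them as root against /etc/hosts. A hosts entry only covers that exact hostname (it does nothing for subdomains), which is the gap a URL-pattern filter such as the Privoxy mentioned earlier fills.

```sh
#!/bin/sh
# Added example, not from the thread: merge tracker hostnames into a hosts file
# idempotently. Domain names below are a constructed sample, not a real blocklist.

# Hostname syntax check: labels of letters/digits/hyphens, joined by dots.
valid_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# True (exit 0) if the hosts file already has an entry for the name, whatever
# address it maps to. Comments are stripped; hostnames are fields 2..NF.
hosts_has() {
    sed 's/#.*//' "$1" |
        awk -v d="$2" '{ for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
                       END { if (found) exit 0; exit 1 }'
}

# Append "0.0.0.0 <name>" for each name not already present. 0.0.0.0 is used
# rather than 127.0.0.1 so a blocked name fails immediately instead of being
# tried against any web server running locally. Prints how many were added.
block_domains() {
    file="$1"; shift
    # A hosts file with no trailing newline would swallow the first new entry
    # into its last line, so terminate it first.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    added=0
    for d in "$@"; do
        if ! valid_domain "$d"; then
            printf 'skipping invalid hostname: %s\n' "$d" >&2
            continue
        fi
        if hosts_has "$file" "$d"; then
            continue
        fi
        printf '0.0.0.0 %s\n' "$d" >> "$file"
        added=$((added + 1))
    done
    printf '%s\n' "$added"
}

# As root, on the real file (constructed sample names):
#   block_domains /etc/hosts ad.doubleclick.net www.google-analytics.com
```

Running it twice with the same names adds nothing the second time, and a name that already resolves through the file (including your own machine's entries) is never shadowed, which is the check you want before touching the file that your browser consults for every lookup.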
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    That is news to me.

    I have been spun a yarn about how safe Linux is and now you say you have to protect from rootkits.

    If you do not install Samba presumably there cannot be any connection to the Win machines, or is it easy to bypass?
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think one should start with the firewall, iptables/netfilter. Whether folks think it's unnecessary or not, I'm reading about it, and I think I'm getting the hang of it.
    I didn't like/understand Firestarter's rules; I'm confused somehow. It uses connection tracking in the OUTPUT chain, not the INPUT? Is it up to date with iptables?

    Anyway, reading material from the source, and from the Debian forum. There's also a document on securing Debian, which I'll read as soon as I can.

    Mrk, do you have any interest in making an article on iptables? I'd really enjoy reading your input on it. Cheers for your site.
     
  13. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    If you use a firewall, don't run around as root, and install software from the repo, you won't get rootkits.

    But if you would like to be safe ("Securing linux"), rkhunter is in the repo.

    PCLOS isn't "sudo"; to run rkhunter...

    Konsole
    su <enter>
    password <enter>
    rkhunter --update <enter>
    rkhunter --checkall <enter>
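An added example, not from either of the rkhunter posts above, of the mechanism they are speculating about: a file-integrity baseline built with sha256sum, which is the idea behind the file-properties database rkhunter maintains (updated with `rkhunter --propupd`). Directories are passed in as arguments, so it can be exercised on a scratch directory; the paths in the usage comment are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline with
# sha256sum, showing the mechanism behind a rootkit checker's properties
# database. Directory paths are passed in, so try it on a scratch directory.

# Write a baseline: "<sha256>  <path>" for every regular file under the given
# directories. Keep the result somewhere a compromised host cannot rewrite it
# (read-only media, or another machine); a rootkit running as root can update
# a baseline stored on the same disk just as easily as you can.
baseline_create() {
    out="$1"; shift
    find "$@" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$out"
}

# Re-hash everything in the baseline. Prints only mismatches and missing files
# ("<path>: FAILED"); exit status is non-zero if anything failed.
baseline_check() {
    sha256sum -c --quiet "$1" 2>/dev/null
}

# Files present now that the baseline never saw: a dropped kernel module or
# binary shows up here even though every baselined file still verifies.
baseline_new_files() {
    base="$1"; shift
    known=$(mktemp); now=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$base" | LC_ALL=C sort > "$known"
    find "$@" -type f | LC_ALL=C sort > "$now"
    comm -13 "$known" "$now"
    rm -f "$known" "$now"
}

# Typical use as root (paths are illustrative):
#   baseline_create /var/lib/baseline.sha256 /bin /sbin /usr/bin /usr/sbin /lib
#   ... later, after updates are accounted for ...
#   baseline_check /var/lib/baseline.sha256
#   baseline_new_files /var/lib/baseline.sha256 /bin /sbin /usr/bin /usr/sbin /lib
```

Run `baseline_create` right after installation, before the machine sees the network, and again after each package update, otherwise every legitimately updated binary reports as FAILED. The check catches modified and deleted files; `baseline_new_files` is the part a plain `sha256sum -c` lacks.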
     
  14. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    Well, it's just an option if you want an additional security check. Linux is very safe - a typical Linux box is a lot safer than Windows with antivirus, antispyware etc. :)

    But there still exist some rootkits for Linux and different UNIX OSes, so you can use chkrootkit or rkhunter to scan.
    Probably the most likely way to get your Linux box infected is by running outdated daemons with remote exploits. So to be safe: disable unnecessary daemons AND keep your box updated :thumb:
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Quick note, you have a firewall, configured or not, it's there. I'm starting to think nothing is better than iptables itself to configure iptables (kernel). :D
     
  16. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks All for the replies

    Pedro

    I think PCLOS does install a f/w by default. Found what I think is the f/w and upped the protection from standard to the next level. I really do not want to get into configuring iptables. Tried it once before and did not make any sense of it.
     
  17. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    All the different firewall software for Linux is basically just a front-end for iptables, so in the end it's just one firewall with lots of different GUIs. Personally I prefer to configure it manually with a simple script :)

    It's not very difficult, but on the other hand I haven't made a complex setup - I just block incoming traffic and don't bother with outgoing.
     
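An added example, not the script of the poster above, of the policy that post describes (block unsolicited incoming, leave outgoing alone), written as an iptables-restore ruleset rather than a sequence of iptables commands. Generating the table as text and loading it in one go means a typo is rejected as a whole instead of leaving INPUT half-built with a DROP policy and no ACCEPT rules, and it answers the earlier question about where connection tracking goes: here it sits in INPUT, letting replies to your own outgoing connections back in. The allowed TCP ports are an argument; port 22 in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: "block incoming, don't bother with
# outgoing" as an iptables-restore ruleset. The allowed ports are arguments;
# 22 in the usage line is only an illustration.

# 1..65535, digits only.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an iptables-restore ruleset for the filter table. Arguments: TCP ports
# to accept new connections on (none = accept nothing unsolicited). Validates
# every port before emitting anything, so a bad argument yields no partial rules.
gen_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { printf 'bad port: %s\n' "$p" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Load it (needs root). The table is replaced atomically: on a syntax error
# iptables-restore exits non-zero and the rules already running stay as they were.
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore
}

# Example: a workstation that accepts only SSH from outside:  apply_ruleset 22
# A pure browsing box like the one in this thread passes no ports at all.
```

Lines beginning with `:` set the chain policies, so INPUT and FORWARD default to DROP before any rule is consulted; the loopback and ESTABLISHED,RELATED rules are what keep the machine usable under that policy. Run `gen_ruleset` on its own first to read what will be loaded.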
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Me too, it's hard to get good info from start to finish. But my suggestion is to read from the links I gave.
    The post in the Debian forum is very easy to read, and handles the most important commands for the home PC.
    The documentation from the iptables/netfilter website is very good, not too big, and from the author ("Networking Concepts HOWTO" and "Packet Filtering HOWTO" are good for the home PC).
    For the OMG documentation, there's the "iptables tutorial by Oskar Andreasson" in the "Tutorials" section (it's really a book, 200+ pages), and of course the man pages (on the to-read list for me).
     
  19. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    pf is so much easier in my experience, since it uses an actual ruleset instead of a series of commands. For example, see this ruleset that gets rid of all bad packets, enables SPI on TCP, UDP, and ICMP, changes the TCP header to a more secure and random one, allows only people from trusted IPs to connect to my computer, and blocks all other connections:

    Code:
    ext_if = "tlp0"
    
    table <goodGuys> { someipsthatiwonttellyyou }
    
    scrub in
    block return
    
    # netbsd's version of pf doesn't have "set skip on lo", so I just pass all
    # of the packets on lo instead of not analyzing them
    pass quick on lo
    pass out on $ext_if proto { tcp, udp, icmp } all flags S/SA modulate state
    pass in on $ext_if proto tcp from <goodGuys> to port ssh flags S/SA keep state
    
    As for iptables, well, I haven't done much with it at all (only configured my router to allow incoming connections for ssh, which involved editing the firewall script to forward ports), but it seems so much more complicated. That is probably just me being biased and all :D .


    As for security: don't run as root, keep your machine up to date, ensure that no daemons are running unless you absolutely need them (and if they don't need to accept remote connections, configure them to listen only on localhost), install packages from official repositories, and you should be good to go.

    Cheers,

    Alphalutra1
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ah, it's a file that contains the rules, and also where you edit them. Nice.
    But one also has to know what those arguments mean in order to edit them. :)
     
  21. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Sorry for taking this a bit off topic (expanding Linux to other *nixes), but the rules are readable by humans if you ask me (no switches like -j -z etc. like iptables uses). And the OpenBSD FAQ for pf (which is actually more like a guide and the complete authority on the matter while being very easy to read) explains everything, and is linked in my signature.

    Let me dissect my ruleset to show you how easy it is.

    Code:
    ext_if = "tlp0"
    This is what is called a "macro", which is just a fancy way of saying defining a variable. So wherever I write $ext_if, it substitutes "tlp0", which is the name of my ethernet card. This is very convenient, since I can use my ruleset anywhere and just change the macro instead of having to replace every instance in my ruleset (which isn't bad for my small one for a workstation, but for some people's it may get quite complex).

    Code:
    table <goodGuys> { someipsthatiwonttellyyou }
    This just sets up a table that contains every IP that I trust to connect to my PC via ssh (they will still have to authenticate with a password though ;) ). I use a table instead of a list since it is much faster, and this keeps me from having to repeat every IP for every rule in my list, which is very convenient and leaves my rules very easy to adapt to a situation.

    Code:
    scrub in
    This cleans up every packet (malformed packets and fragmentation), which helps protect the system.

    Code:
    block return
    This tells it that it should block everything unless permitted in the ruleset, and that if it blocks something it should return a packet saying it was blocked instead of just dropping the packets. Most firewalls just drop the packet, which makes the ports seem "stealthed". I prefer to conform to regulations and return a packet making my ports seem "closed", but that is preference and each method has pros and cons.

    Code:
    pass quick on lo
    This allows every packet to be passed on loopback right away without being submitted to the other rules (hence the quick). However, on newer versions of pf one usually does "set skip on lo", which means that the packets aren't even filtered, which helps performance.

    Code:
    pass out on $ext_if proto { tcp, udp, icmp } all flags S/SA modulate state
    This allows out all TCP, UDP, and ICMP from my computer to any address and keeps state on them (basically keeps track of each connection and allows returning packets from the connection; this is better known by the abbreviation SPI). The beauty of pf allows me to condense this all into one line, so even though UDP and ICMP don't have flags for SYN and SYN ACK (the S/SA), it tells pf only to keep track of connections with those flags (they are the flags that start connections). Also, the modulate randomizes the TCP header, which keeps things nice and secure to prevent leaking too much information.

    Code:
    pass in on $ext_if proto tcp from <goodGuys> to port ssh flags S/SA keep state
    This allows incoming ssh connections to my computer from only the IPs I list in my goodGuys table, and it also keeps track of the connections via SPI.

    Hopefully that helps a bit, but the FAQ is much better at explaining than me. Also, as you saw how condensed the file is, I will show you how it actually gets expanded by pf after it is loaded:

    Code:
    scrub in all fragment reassemble
    block return all
    pass quick on lo all
    pass out on tlp0 proto tcp all flags S/SA modulate state
    pass out on tlp0 proto udp all keep state
    pass out on tlp0 proto icmp all keep state
    pass in on tlp0 proto tcp from <goodGuys> to any port = ssh flags S/SA keep state
    Cheers,

    Alphalutra1
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    Pedro, I have written a bit about it in my Slackware tutorial, but noted, it's another thing on the todo list.

    Alpha, would you like to write a guest article? I'd be glad to post it.

    Mrk
     
  23. tlu

    tlu Guest

    Well, I haven't tried pf at all so I can't draw any comparison. On the other hand I found iptables not complicated if you configure it with the GUI Firestarter. ;)

    Has anyone tried Firewall Builder?

    This said, at least in Ubuntu a firewall is actually unnecessary as this distribution doesn't have open ports by default. It's a different situation, though, if certain server applications are installed.
     
    Last edited by a moderator: Aug 25, 2007
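An added example, not from the post above or the earlier one on daemons, of how to verify the claim that a box has no open ports before deciding a firewall is unnecessary: list the sockets that listen on something other than loopback, which are exactly the daemons a remote host could reach. It reads the output of `ss -tuln` (the iproute2 successor to `netstat -tuln`) and assumes its column order (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the sample output in the test is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: print sockets listening on non-loopback
# addresses, parsed from "ss -tuln" output. Assumes ss's column order:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.

# stdin: "ss -tuln" output (header line optional). stdout: "<proto> <addr:port>"
# per listener reachable from the network. 127.0.0.0/8 and ::1 count as loopback.
exposed_listeners() {
    awk '
        $1 == "Netid" { next }                      # header row
        $2 != "LISTEN" && $2 != "UNCONN" { next }   # UNCONN is how ss shows a bound UDP socket
        {
            local = $5
            n = split(local, parts, ":")            # port is the last colon-separated piece
            addr = substr(local, 1, length(local) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            print $1, local
        }'
}

# On a live system (listing needs no root):  ss -tuln | exposed_listeners
# Anything printed for 0.0.0.0, [::] or an interface address is reachable from
# the network unless a firewall in front of it says otherwise, so either stop
# that daemon or bind it to 127.0.0.1 as suggested earlier in the thread.
```

An empty result is the condition under which "no open ports, so no firewall needed" actually holds; a CUPS or DNS resolver on 127.0.0.1 is fine, while a `0.0.0.0:22` line means SSH is answering to the whole network (or the whole Internet, if nothing sits in front of the box).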
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    IMO easiest solution is a cheap router and leave the firewall out of the software...
     
  25. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Hi:

    My (not necessarily correct) understanding is that you need to enable iptables in PCLOS from the control center by unchecking the "allow everything" box. It will then install Shorewall and you check the boxes that you want to allow. Since I am using a basic setup, I unchecked all the boxes and so far, so good. I'm behind a router/FW, so this has more to do with playing around than with security. Replies, comments, or brief tutorials?
     