TechSpot

Linux Security Tips

By Phantasm66
Jul 25, 2002
Topic Status:
Not open for further replies.
  1. Here's a great article on Linux Security Tips

  2. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

  3. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    source: http://linux.box.sk/newsread.php?newsid=441
  4. Elcarion

    Elcarion TechSpot Paladin Posts: 188

    I didn't see the most important step: 1) Unplug your network cable BEFORE doing a new OS install

    It's actually not unlikely that the system will be hacked while you are loading the OS if it's directly connected to the Internet. You shouldn't plug in the network until you've turned off all unnecessary and insecure daemons. I recommend that you do the following:
    1) Install the new OS
    2) Disable ALL services that are listening
    3) If you MUST run Xwindows then run it with the following command: startx -- -nolisten tcp
    4) Apply all vendor security patches or at least those for the services you wish to run
    5) Secure and start the services you desire

    Remember that Linux is no more secure than any other OS right out of the box...they're all insecure in that state.
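
Added example, not part of the post above: one way to check steps 2 and 3 before plugging the network cable back in is to list every TCP listener that is not bound to loopback and is not on an allow-list. The function names and the netstat sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:139        0.0.0.0:*               LISTEN
EOF
}

# unexpected_listeners "22 80": read `netstat -tln` text on stdin and print one
# line per TCP listener that is reachable from the network (not bound to
# loopback) and whose port is not in the space-separated allow-list.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)   # text before the last colon
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            if (port in ok) next                         # service you chose to run
            p = port + 0                                 # force numeric comparison
            note = (p >= 6000 && p <= 6063) ? " (X11: start X with -nolisten tcp)" : ""
            print port " on " host note
        }'
}

# On a live host: netstat -tln | unexpected_listeners "22"
sample_netstat | unexpected_listeners "22"
```

An empty result means nothing unexpected is listening; anything printed is a service still to be disabled or secured.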
  5. Elros

    Elros TS Rookie Posts: 34

    Great information guys. Really useful. My Mandrake was full of holes I had no idea about.

    Not any more though. :D
  6. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,916   +9

    One thing I'd do is edit /etc/inittab. There are lines like
    1:2345:respawn:/sbin/agetty tty1 9600
    2:2345:respawn:/sbin/agetty tty2 9600

    total of six, usually. That's how many consoles there are. When only one person is using the computer and remote access (via telnet for example) isn't needed, the number could be reduced. I had three consoles when I had not installed XFree86 yet, now that I have, I only use one.
    You can either delete the unnecessary lines or (safer method) comment out with '#'.
    To apply changes, type telinit q. It tells init to reread inittab without changing the runlevel.
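
Added example, not part of the post above: the "comment out with '#'" method as a filter that leaves the original file untouched. The function names and the sample inittab are constructed for illustration; the line format follows the agetty lines quoted in the post.

```shell
#!/bin/sh
# Constructed sample inittab in the format quoted in the post.
sample_inittab() {
cat <<'EOF'
id:3:initdefault:
1:2345:respawn:/sbin/agetty tty1 9600
2:2345:respawn:/sbin/agetty tty2 9600
3:2345:respawn:/sbin/agetty tty3 9600
#4:2345:respawn:/sbin/agetty tty4 9600
5:2345:respawn:/sbin/agetty tty5 9600
6:2345:respawn:/sbin/agetty tty6 9600
EOF
}

# limit_gettys KEEP: read an inittab on stdin and write it to stdout with every
# active respawn getty line for a console numbered above KEEP commented out.
# Lines already commented and all non-getty entries pass through unchanged.
limit_gettys() {
    awk -v keep="$1" -F: '
        /^[ \t]*#/ { print; next }
        $3 == "respawn" && $4 ~ /getty/ && match($4, /tty[0-9]+/) {
            n = substr($4, RSTART + 3, RLENGTH - 3) + 0   # console number
            if (n > keep + 0) { print "#" $0; next }
        }
        { print }'
}

# count_active_gettys: number of uncommented getty lines on stdin.
count_active_gettys() {
    grep -c '^[^#]*:respawn:.*getty' || true
}

# Typical use as root, keeping a backup and reviewing the diff first:
#   cp /etc/inittab /etc/inittab.bak
#   limit_gettys 1 < /etc/inittab.bak > /etc/inittab.new
#   diff /etc/inittab.bak /etc/inittab.new   # then install it and run: telinit q
sample_inittab | limit_gettys 1
```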
  7. Goalie

    Goalie TS Rookie Posts: 703

    This is GREAT info guys. I've been looking for a good newbie-ized source of this information that tells you HOW and WHY instead of just "Go secure your box. Shut down services. Etc." This will be GREAT info for me to check, even if my box is no longer on a network. Good practices lead to good results after all, right?

    One thing I didn't see mentioned: While you recommend a firewall, it certainly can't hurt to configure hosts.deny/hosts.allow (whatever your appropriate file(s) are) to deny anything except connections you know should come in (as strictly as possible). As well as httpd.conf for apache, since it doesn't obey those rules. This applies to Red Hat at least, I think for many other distros as well. I know doing that saved my backend when I didn't have a firewall available for use. Edit: I assume this is what you meant by IpChain rules.. sorry for being dense... I'd never heard it in those terms..:eek:

    Again, though, thanks for a bunch of great info guys!!! Any extra suggestions are certainly welcome. :)
  8. XtR-X

    XtR-X TS Rookie Posts: 1,040

    Kind of new at doing commands at Linux, but how exactly do you disable the things running?

  9. Phantasm66

    Phantasm66 TS Rookie Topic Starter Posts: 6,504   +6

    Hmm.... best thing for you, if you are running Red Hat or Mandrake, is log in as root, and then run

    ntsysv

    this will let you control what services are loaded at startup.

    Make sure that you know WHAT you are turning off before you do it.
  10. XtR-X

    XtR-X TS Rookie Posts: 1,040

    Ok, gotcha.
  11. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,916   +9

     
  12. kaymastah

    kaymastah TS Rookie Posts: 63

    Thanx for posting this thread Phantasm. It's a pretty nice guide; even though it's a little old (ipchains was replaced by iptables some time ago...) it gives quite a few good pointers.

    This stresses a very basic security rule - run the bare minimum. Kill all the services that you don't need.

    Someone also posted a suggestion to disable connections to the X server, after the "startx" command. A lot of users new to Linux are not familiar with X, and besides, they use login managers, so they never actually run "startx". They might need to modify:
    /etc/X11/xorg.conf

    or XF86Config, depending on which way they're set up for X.
  13. fgaliegue

    fgaliegue TS Rookie Posts: 54

    This has been the default for quite some time AFAIK. None of the distros I've tried for at least 4 years left the X server authentication process open (they were at my school though, and that was "fun", kind of).

    To check this out, just run the xhost command with no arguments. It should reply with this:


    fg@rtfm ~ $ xhost
    access control enabled, only authorized clients can connect

    If you see this message you're safe: no one can connect to your X server unless you type xhost +some_host.
  14. 2Sher2

    2Sher2 TS Rookie Posts: 21

    great tips thanks