Alk3

Linux System Security.

35 posts in this topic

I had a lot of fun implementing perfect-paper-passwords - another Steve Gibson project.

I used the pam module so I can use paper passwords with my ssh server. In addition to your user password you will have a one-time-use 4 character passcode.

[attachments: samplepasscard.jpg, ssh.png]

http://code.google.com/p/ppp-pam/

https://www.grc.com/ppp.htm

It works great, and because I often want to log in to my ssh server on a friend's computer or at school, I don't always have my public key.
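The property the post relies on, that each printed passcode is accepted exactly once and the server only has to remember which position comes next, as an added example. This is not code from the ppp-pam project or from GRC, and it is not the PPP algorithm (which derives codes with AES from a sequence key); it stands in a toy scheme that derives each 4-character code with HMAC-SHA256 from a card key and the code's index. The 64-symbol alphabet, the 10x7 card layout and the prompt format are assumptions made for the example.

```python
import hashlib
import hmac

# Toy one-time-passcode scheme for illustration only (NOT GRC's PPP algorithm):
# code = HMAC-SHA256(card_key, index) mapped onto a printable alphabet.
ALPHABET = "23456789abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ!#%+:=?@"
assert len(ALPHABET) == 64          # 64 symbols, so byte % 64 is unbiased
CODE_LEN = 4                        # 4-character passcodes, as in the post
ROWS, COLS = 10, 7                  # assumed card layout: 70 codes per card


def passcode(card_key: bytes, index: int) -> str:
    """Derive the passcode at position `index` of the card sequence."""
    mac = hmac.new(card_key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:CODE_LEN])


def card_position(index: int) -> tuple:
    """Map a sequence index to (card number, row, column) on the printout."""
    card, rem = divmod(index, ROWS * COLS)
    row, col = divmod(rem, COLS)
    return card, row, col


def render_card(card_key: bytes, card_number: int) -> list:
    """Return the printed lines for one card (the part that goes in the wallet)."""
    header = "   " + " ".join(f"  {chr(ord('A') + c)} " for c in range(COLS))
    lines = [header]
    base = card_number * ROWS * COLS
    for r in range(ROWS):
        codes = [passcode(card_key, base + r * COLS + c) for c in range(COLS)]
        lines.append(f"{r + 1:2d} " + " ".join(codes))
    return lines


class PasscodeVerifier:
    """Server-side state: the card key plus the index of the next unused code.

    The server never stores the printed card; it recomputes the expected code
    for the position it challenged and then moves on, so a code that has been
    asked for can never be replayed.
    """

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.next_index = 0
        self.pending = None

    def challenge(self) -> str:
        """Issue the prompt; the position is consumed as soon as it is asked for."""
        self.pending = self.next_index
        self.next_index += 1
        card, row, col = card_position(self.pending)
        return f"Passcode {card + 1}:{chr(ord('A') + col)}{row + 1}"

    def verify(self, attempt: str) -> bool:
        """Check the reply to the outstanding challenge (constant-time compare)."""
        if self.pending is None:
            return False                # nothing outstanding: replay or no prompt
        expected = passcode(self.card_key, self.pending)
        self.pending = None
        return hmac.compare_digest(expected.encode(), attempt.encode())


if __name__ == "__main__":
    key = bytes(range(32))              # constructed demo key, not a real secret
    print("\n".join(render_card(key, 0)))
    v = PasscodeVerifier(key)
    print(v.challenge(), "->", v.verify(passcode(key, 0)))
```

Because the position advances when the prompt is issued rather than when the answer arrives, a wrong or abandoned attempt burns that code, which is the trade-off that makes each printed code usable at most once.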

When setting up my router for OpenWRT, I used Shorewall as the front-end for iptables. It makes things so much easier to configure.

Try dd-wrt, or if you want really lightweight, Tomato.


I think things like firewalls, turning off services, etc. have been covered. I haven't seen these yet (but I didn't read everything in the thread).

- AIDE - Advanced Intrusion Detection Environment - http://sourceforge.net/projects/aide - This works a lot like tripwire (but is GNU/GPL). Basically, it takes a snapshot of the files on the system (using SHA1, MD5, etc.). On any system that I'm "worried" about, I'll use AIDE to take a snapshot of the system and I _store that on CD_. This way, if the system ever gets compromised, you can pull the machine offline and run AIDE against the CD and determine what has been changed. If you leave the AIDE DB on the machine, the attacker can simply "update" the DB. Anyways, useful for checking the integrity of the system. I've used this utility on "real systems" and "honeypots".

- Snort - http://www.snort.org - This might be overkill. I run snort at a lot of sites. Even if it's overkill for your network, it's still sometimes interesting to see what it catches.

- PAX/GRSEC - extra security layers in the kernel. These are basically kernel patches that prevent (or try to) buffer overflows, heap overflows, various race conditions. They add several security features that the default kernel doesn't have.

- IBM Pro-Police - As a Gentoo user (No, I'm not a ricer) - I use the IBM Pro-Police GCC patches to build most of my system(s). This adds things like "canary-on-the-stack" type protection, among other things. Basically, again, it "helps" prevent things like buffer overflows, etc.

- Don't ignore syslog data. On critical sites, we have syslog stored locally and remotely. A typical attacker will attempt to "cover up" the intrusion by modifying the system log (syslog) data. If the data is stored off site (via syslog UDP over a VPN tunnel, or whatever), the attacker won't have access to those logs to "cover up". Sure, they can edit the local logs - but who cares.

- Speaking of syslog, utilities like "swatch" will allow for "real time" syslog monitoring. It seems to work pretty well, but I've always found it a bit "kludgy". I've been working on another project (code named "sagan") that's written in C. The idea is that it's "snort" for "syslog". It uses the same rule set structure as "snort" and will even output to a Snort database (SQL). This enables you to use tools that work with snort (oinkmaster, BASE/ACID, etc.) with "sagan". Sagan can/will be able to output to ASCII flat files, Snort DBs, MySQL, PostgreSQL and various other formats. The rule sets allow you to "look" for events and be notified in "real time". I'll post here when I have the release version done.

Anyways, that's my 2 cents.
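The "snort for syslog" idea from the post above, as an added example that is not sagan's code or its rule format: a small monitor that parses syslog lines, matches each against a list of Snort-style rules (a program name, a regex over the message, and a `count`-per-`seconds` threshold tracked per capture group), and raises an alert when a threshold is crossed. The sample log lines, the rule schema and the SIDs are constructed for the example; the same loop would run over lines arriving from a remote syslog feed, which is where the post recommends keeping them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not real logs): a burst of SSH failures from
# one source, a root login, an unrelated cron entry, and a lone failure.
SAMPLE_LINES = [
    "Jan 12 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51312 ssh2",
    "Jan 12 10:00:03 gw sshd[2103]: Failed password for root from 203.0.113.5 port 51340 ssh2",
    "Jan 12 10:00:04 gw sshd[2104]: Failed password for root from 203.0.113.5 port 51341 ssh2",
    "Jan 12 10:00:07 gw sshd[2110]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2",
    "Jan 12 10:00:09 gw cron[2111]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 10:05:30 gw sshd[2120]: Failed password for bob from 198.51.100.7 port 50000 ssh2",
]

# Classic BSD syslog layout: "<timestamp> <host> <program>[pid]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Hypothetical Snort-style rule schema (not sagan's): `track` names the regex
# group used as the per-source key (None = one global counter); the rule fires
# when `count` hits for that key fall within `seconds`.
RULES = [
    {"sid": 1000001, "msg": "SSH brute-force attempt", "program": "sshd",
     "pattern": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)"),
     "track": 2, "count": 3, "seconds": 60},
    {"sid": 1000002, "msg": "Root login over SSH", "program": "sshd",
     "pattern": re.compile(r"Accepted \S+ for root from (\S+)"),
     "track": 1, "count": 1, "seconds": 0},
]


def parse(line: str, year: int = 2009):
    """Split one syslog line into fields; return None for lines that don't fit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # BSD syslog timestamps carry no year; the caller supplies it (assumed 2009).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


class Monitor:
    """Keeps a sliding window of hit times per (rule, tracked key)."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)

    def feed(self, line: str) -> list:
        """Process one line; return the alerts it triggered (usually none)."""
        rec = parse(line)
        if rec is None:
            return []
        alerts = []
        for rule in self.rules:
            if rec["prog"] != rule["program"]:
                continue
            m = rule["pattern"].search(rec["msg"])
            if not m:
                continue
            key = m.group(rule["track"]) if rule["track"] else "*"
            hits = self.windows[(rule["sid"], key)]
            hits.append(rec["ts"])
            # Drop hits that fell out of the window; the newest one always stays.
            while (rec["ts"] - hits[0]).total_seconds() > rule["seconds"]:
                hits.popleft()
            if len(hits) >= rule["count"]:
                alerts.append({"sid": rule["sid"], "msg": rule["msg"],
                               "host": rec["host"], "key": key,
                               "ts": rec["ts"].isoformat()})
                hits.clear()            # one alert per burst, then start over
        return alerts


def scan(lines, rules=RULES) -> list:
    """Run every line through one Monitor and collect the alerts in order."""
    mon = Monitor(rules)
    return [alert for line in lines for alert in mon.feed(line)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(f"[{a['sid']}] {a['ts']} {a['host']} {a['msg']} ({a['key']})")
```

Two alerts come out of the sample: the brute-force rule fires on the third failure from 203.0.113.5 inside its 60-second window, and the root-login rule fires once; the single failure from 198.51.100.7 never reaches the threshold.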


I can't remember all the things I've done, but I configured AppArmor and disabled unneeded daemons, and I configured Aide too.

This is how I set up Aide:

Install it, then in a root shell run this:

# aide --init

That will create the database.

Then rename the new database to make it active:

cd /var/lib/aide/

mv aide.db.new aide.db

The rules are kept here:

/etc/aide.conf

To re-run and check it, run this from a root shell (-V2 sets the verbosity; the report is appended to the file):

# aide --check -V2 >> SOME_NAME.txt
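The snapshot-and-compare logic behind both the AIDE description earlier in the thread and the setup steps above, as an added example in Python; this is not AIDE's code and does not read its database or rule format. It hashes every regular file under a root with SHA-256 (rather than the SHA1/MD5 mentioned earlier), records size and permission bits, writes the baseline as JSON to a path that stands in for the read-only copy kept off the host, and later reports added, removed and changed files. The file tree and the tampering in `demo()` are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash one file in chunks and capture the attributes worth comparing."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root) -> dict:
    """Snapshot every regular file below `root`, keyed by relative POSIX path."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():     # skip links: hash targets once
            db[p.relative_to(root).as_posix()] = file_record(p)
    return db


def save_baseline(db: dict, dest) -> None:
    """Write the baseline; in practice this copy goes onto read-only media."""
    Path(dest).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A reset mtime does not help an intruder: the hash
    and mode are what get compared."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a constructed mini file tree, baseline it, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        files = {                                  # constructed contents
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "lib/libc.so": b"\x7fELF-constructed\n",
        }
        for rel, body in files.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
        db_path = Path(tmp) / "baseline.json"      # stands in for the CD copy
        save_baseline(build_baseline(root), db_path)

        # Simulated changes after the snapshot: one file altered, one deleted,
        # one new file dropped in.
        (root / "bin/ls").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "lib/libc.so").unlink()
        (root / "sbin").mkdir()
        (root / "sbin/new-binary").write_bytes(b"\x7fELF-constructed-too\n")

        return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run against a real root the same way: `save_baseline(build_baseline("/"), "/media/cdrom-staging/baseline.json")` once, burn the file, and later `compare(load_baseline("/media/cdrom/baseline.json"), build_baseline("/"))` from a clean boot. Keeping the baseline off the box is the whole point the earlier post makes: a baseline left on the host can be regenerated by whoever already owns the host.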

> I had a lot of fun implementing perfect-paper-passwords - another Steve Gibson project.
>
> I used the pam module so I can use paper passwords with my ssh server. In addition to your user password you will have a one-time-use 4-character passcode.
>
> It works great, and because I often want to log in to my ssh server on a friend's computer or at school, I don't always have my public key.

Hey, that's pretty cool. Almost makes me think Mr. Gibson is less of a wacko. :)

I just have all my SSH stuff public key only. I tend to have my USB drives with me, so it's not a huge deal. But that does look kind of neat. Could use with a blank password and basically have it be one-time use passwords only. (Of course, don't lose the paper it's printed on, or have the ink smudge.)


Here are some links about securing Linux:

http://www.linuxtopia.org/online_books/lin...uide/index.html

http://www.linuxtopia.org/LinuxSecurity/index.html

http://www.linux-sec.net/Harden/harden.gwif.html

http://www.debian.org/doc/manuals/securing...n.html#contents

http://www.debianhelp.co.uk/security.htm <--- this one is short and easy and good!

http://www.puschitz.com/SecuringLinux.shtml

http://www.linux-sxs.org/security/scheck.html <-- this is another short and easy to follow one

I wish there were more Linux security forums. I love Windows security, but know nothing about Linux security compared to Windows!

Edited by iceni

Another thing I'll add to the list is process isolation via virtualization. You can sandbox each of your main services, like web or email servers, into their own isolated segment. There are many ways to do this. Here are the ones holding the most promise:

1. OS-level virtualization with OpenVZ. This starts with a central OpenVZ kernel and basically creates a bunch of kernel or OS instances, one for each VM. The VMs must run the same OS, but the result is lightning-fast, provides a moderate amount of security, and has a ton of useful features (like bandwidth limiting).

2. Host-level virtualization with VMWare Server or Xen. In this case, you have a host OS (e.g. Linux) running a "hypervisor" (VMWare or Xen) which runs a bunch of VMs. Each VM has a full operating system and services, like an actual computer. You would REALLY harden the host OS and carefully configure the virtualization layer. Then, you just create a VM for each piece of software you want to run, removing all unnecessary components. I would use JeOS or DSL for the guest OS, possibly patched with SELinux or grsecurity. With addons like VMWare Tools, you can have better performance and integration with the host, albeit with potential security issues. This type of virtualization is fairly easy to do and provides really good isolation. If sh1t happens, you just restore from snapshot.

3. Bare-metal virtualization. In this case, the hypervisor (virtualization software) runs directly on the hardware, with no host OS. VMWare ESX Server (ESXi is free) is the most popular of these. I like using these because it reduces the size of the "trusted computing base." In other words, there's a smaller amount of code for an attacker to try to exploit for kernel-level access. ESXi, with everything included, is under 50MB I think. Bare-metal's main drawback is hardware support, but if you get compatible hardware then you have a very fast, efficient, easily-managed, and very secure way to isolate your services.

Virtualization isn't a magic bullet. It has its own risks and problems. You definitely need to practice defense in depth and be careful like with anything else. However, used properly, it can be a valuable weapon in your security arsenal.

(Side note: don't try to use chroot for this. It wasn't really designed for it, and there are many attacks on it.)

Edited by army_of_one

You can use a combination of SELinux RBAC and the latest in kernel hardening and anti-exploitation technologies, but still be safer on Windows Vista SP2 Beta.


Vista is the safest version of Windows, but from a server standpoint I totally disagree. The main Vista security features are listed here:

http://technet.microsoft.com/en-us/library/bb629420.aspx

I'm aware of Server 2003's security, which is the primary MS server OS until 2008 sees wider adoption. Looking at it all, I think a basic server is much more secure on hardened Linux, Solaris 10 (w/ Containers), FreeBSD (w/ Jails), OpenBSD, or VMS. MS Vista and Server 2003/2008 can't touch those in security and stability. If I was doing any important servers, I'd probably run them on top of VMWare ESX server. I'd separate security appliances, management, DNS and web server into separate VMs. I might even use different OSes: OpenBSD for the firewall appliance; LFS or DSL (trimmed) w/ djbdns for DNS; hardened RedHat/CentOS w/ SELinux for the production server. The management VM would monitor the others, do failover if necessary, etc. It's a bit more complex, but still very manageable for secure home servers. Additionally, you only need one set of security/mgmt.-related VMs. You can have as many application-specific server VMs as you want from there. Even enterprises could use this model, as they have access to management tools that remove the burden of complexity.


Hmm,

I take the onion layered approach to security.

For a mere $300 one can easily pick up a Cisco ASA 5505 and utilize ASDM to configure most traffic rules and ACLs. Even so, I normally place a secondary security host right behind mine.

Pfsense is a great router distro that runs on just about any x86 hardware and is pretty secure, with snort and other packages available. It also has a very clean and polished web administration interface.

http://www.pfsense.org/

