Domain: bastille-linux.org
Stories and comments across the archive that link to bastille-linux.org.
Comments · 64
-
Bastille homepage
-
Re:Sorry, not even close
I think that I am the 'last guy' you refer to, and the class in college that I took on Network Security talked about Security through Obscurity as being a myth, not the other way around. It (the class/professor) presented cases of algorithms that were insecure even though they were designed by experts and kept secret, whereas others were designed by several and exposed to the masses (usually masses of experts) who were able to critique and in the end come up with an excellent and highly secure design.
As for 'provide more objective data' it is common knowledge in the software industry that Security through Obscurity doesn't work, and that the contrary is true that you get Insecurity through Obscurity. Perhaps this article can clear some things up. The article even presents a case for security through obscurity but in a given context. You shouldn't go around saying that you won't believe what someone says just because they didn't present you any sources. I know that this is slashdot but this ultra lazy way to combat an argument doesn't work in the modern era of these things called search engines.
-
Re:why arent they also upset at Mac?
I mean it has a built in firewall that is actually semi decent
OS X's built-in firewall sucks. And I'm a mac user. Through the interface, click all the security options (and go into Advanced and check stealth mode, etc). Type in 'ipfw show' at the command prompt. Wow! Stealth mode blocks ICMP echo requests! The firewall *still* allows all UDP traffic in, so long as the UDP traffic *comes from* a specific port. In short, the firewall assumes nobody is spoofing packets to get through it, which is retarded. A firewall that makes that assumption may as well be turned off.
Wouldn't that mean that OSX has been for a long time shutting out companies like this?
Mac OS doesn't shut people out. It offers a free SDK, and (mostly) follows published standards. Bastille Linux is a fine example of a hardening system/firewall enhancer for OS X. Check it out.
-
My MOTD?
My MOTD? Check out the suggested default at Bastille Linux and modify it to suit. On most recent RH-based distros you can cut-n-paste the same msg into /etc/issue and /etc/issue.net (assuming runlevel 3), so all your users see it no matter what. You might want to have your legal department parse it first just to be sure.
-
Comparing Secure Linuxes?
Has anyone done a comparison or testing of a "ground-up" secured Linux like Trustix with a linux hardener like Bastille? It would be interesting to see what the advantages/disadvantages of each are.
- Greg
-
Bastille-Linux
Maybe more distros should come with an install routine for Bastille-Linux. The FTA never mentioned this product, although it's more geared toward servers, not desktops. My guess is it wouldn't take much to turn this into a product for all *nix desktop operating systems.
-
Just run bastille
I don't need a 584 page book to tell me how to harden linux. Just run bastille: http://www.bastille-linux.org/
-
Another EXCELLENT reason to use cross compilers
You've obviously forgotten (or more likely, never heard of) David Mohring. He was the guy that put forward the solution of using many third party C compilers and environments for the original bootstrap compiler build and compare the resulting code after the resulting compiler has rebuilt itself for the third time. If the result greatly differs then manually inspect the generated code where it differs.
He did it to show that even theoretical attacks, which have never been seen in the wild, can be effectively mitigated out of existence.
Never forget that the Open Source development community has been working towards providing more secure environments; whether you make use of what is available is up to you.
maow.
-
Re:Needs to be point and click.
The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...
From the Bastille-Linux OS X page
1. Download the tarball from the source link: Bastille-.tbz2.
2. Uncompress the file, like so:
tar -xjvf Bastille-.tbz2
NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week.
3. Run the install script, like so:
cd Bastille && sh ./Install-OSX.sh
4. Confirm that you have perl-Tk installed.
5. Start up an X Server.
6. Run bastille -x.
I'm thinking that anyone who doesn't have the skill to do that won't be able to implement the changes suggested by Bastille either, making the whole exercise pointless.
-
re: Bastille Unix
Just as an FYI -
Bastille Linux is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking. It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.
- Sets up sudo (if it's not already configured)
- Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses
And a bunch of other stuff. I just thought the root stuff was extra sexy.
-
Re:Cool, but...
It's not that ironic if you see what type of thing it actually checks.
Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).
-
Re:Hardening systems works!
First, Solaris 9 comes with 61 listening ports, as shown in the analysis here. I did the netstat on my VMware image of a completely virgin Solaris 9 system. I thought it was 60+ for TCP alone, but this is still over 10 times what Red Hat 9 was shipping with. Solaris 8 was worse, so Sun is improving.
Next, tnamed is still active on Solaris 9. From the same box:
# grep tnamed /etc/inetd.conf
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
Finally, as another poster pointed out, Sun's got a great tool in JASS, a vendor-supplied tool. And we all owe a debt to Titan, the first majorly popular Sun hardening program. YASSP is also out there for Sun.
-
Re:Hardening systems works!
There are several Linux hardening projects around. Interestingly enough, they are somewhat orthogonal to each other, and tend to complement one another.
Here's a basic roundup of useful links:
-
Hardening Linux works!
This is just another example of how hardening keeps your servers from getting compromised. Red Hat and SuSE Linux systems now ship with every remote service in xinetd deactivated and most have a default firewall active at installation. This partly reflects the lessons we've learned with Bastille Linux, a hardening program for SuSE, Debian, Fedora, RHEL, HP-UX, and OS X. What's interesting is that while new releases of HP-UX are shipping with Bastille pre-loaded and runnable at installation, giving the user easy hardening at install time, Sun's still been releasing servers with 50+ network ports listening, including deprecated services like tnamed (Trivial named). The Linux vendors have been leading the older Unix vendors, mostly because users influence them more. But hardening is becoming a more popular practice in all operating systems now...
- Jay Beale
-
Security through obscurity..
..is not as bad as its reputation. Of course it is not enough and you should not rely solely on it. But it can be a helpful part of your whole security-plan. Read more in this interesting paper by Jay Beale, the Lead Developer of the Bastille Linux Project.
-
This is an admin course: Hardening and backups.
A linux box is easy to install. Much harder to maintain one that is safe and secure.
They should know how to protect the system from disaster and attack. Tips on hardening should include:
- Hardening a new install with the Bastille Linux scripts. What these are and what they do.
- IP tables configuration. What IP tables is, why it's important, and how to configure it. This may or may not be in relation to Bastille.
- Tripwire. A PITA to configure, but *really* useful in knowing what is happening on the server.
- Kernel options. Do you need loadable modules on a production server? Disable them if not. Do you need USB or CDROM access? Remove them from the kernel. If it's not needed, don't include it.
- Kernel upgrades. When and why. Just because the latest 2.6.87 kernel has been released is no reason to put it in. However, if there is a remote root 'sploit posted to Bugtraq for the current kernel, everything else is a lower priority.
- BugTraq and other security lists. What they are and why they should be monitored.
- Application security patches. Like kernel upgrades, guidelines on why and when production apps should or should not (or must) be upgraded.
- tar, and its more esoteric options, such as multi-volume tarfiles, dump levels, etc.
- Rotation schemes. What is Grandfather, Father, Son? Why is it important to do this? What is the difference between a differential and an incremental backup?
- Backup media. Redundant hard drive? CDR? DVD-R? Tape? Onsite vs offsite?
- Recovery procedures. Ok, you've got a backup. What do you do if you need it? You have tested the tapes, right?
:)
grnbrg.
-
Re:It's kinda cool
What about the set of hackers (crackers) that have found 0-day attacks? Granted the number of people that fall into this category is extremely small, but the data on my personal system is just too important to risk it. I want an additional layer of security. Although security through obscurity is not good if it is the _only_ protective mechanism, having another layer always helps:
"Security Through Obscurity" Ain't What They Think It Is
-
Reminds me of Bastille linux
I just briefly read thru that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of bastille linux.
There is a huge advantage to have predefined profiles you can apply. I imagine myself using these security profiles to harden family members' PCs. I usually have neither the time nor the inclination to lock down my mother's computer.... so having some defaults and a quick checklist will save me a TON of time in the long run.
It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them thru all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.
-
Re:Fun and games with statistics
The study chose to disregard "automated" attacks. A standard Windows system can be compromised within minutes of being connected to the Internet by such attacks so ignoring them means that only secured Windows systems are included. This makes the research unbalanced since it fails to apply a similar filter to Linux systems. Malware is not simply a UI/social problem - the Blaster worm and its variants needed no inside assistance.
In addition the study only covered successful attacks. How many unsuccessful ones were there? The measure of vulnerability should surely be the ratio of successful/failed attacks, not just a raw number.
Finally how were these attack figures reached? Were these based on government/company IT figures? (in which case factor in maturity of systems/staff and how much easier breaches can be discovered in Linux using free tools like Tripwire) Or packet sniffing of certain domains? (Linux is used by more domains, some of which are set up deliberately to be hacked).
The only conclusion that can be safely drawn is that Linux appears to be a more popular target for manual attack - whether by necessity (automated attacks being far harder), desire (more of a challenge) or familiarity (easier to learn the internals of a free system, especially if you lack the money/connections needed for commercial counterparts). And security is hardly ignored on Linux either - with tools like ipfilters, tcpwrappers and Bastille, admins have little excuse for running a non-secure system.
-
Bastille Linux works on Mac OS X
We've got Bastille Linux working on OS X 10.2.x. Within a couple weeks, we'll have 10.3.x support. We could prevent exploitation of this vulnerability (on systems running sshd) by disabling network authentication systems from getting data by DHCP.
If this is interesting to you, please join our mailing list and/or e-mail me via jay AT bastille HYPHEN linux DOT org.
-
Re:US Gov't on Linux
Actually, there already is a Tinfoil Hat linux. It's a bootable single-floppy distro for gpg-signing and/or wiping files.
The NSA's version is called SE-Linux, for Security Enhanced Linux. It has a "strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications." Or some such.
If you really need security and don't think running Bastille-linux is going to be enough, then ACLs a la SE-Linux might be the way to go. I suppose no OS is truly secure, but it's hard to imagine even talented crackers getting very far against it.
-
Re:Easy Question to Ask
Damn straight.
Although, one thing needs to stay clear: Linux is only secure if you know what the hell you're doing. 51% of all known successful root compromises occur under Linux. (Linux has more than 51% of the market share, IIRC, so it's not a very fair comparison. If anybody has market share data, please provide it so we can look at ratios.)
I prefer running Linux, of course. At least I know I can secure it.
-
Re:Worrysome?
While of course it is not good practice to rely on a single method to secure one's network and then dream about it being "unhackable", security by obscurity might be part of a good security concept.
Jay Beale (from Bastille Linux) wrote a nice article about security through obscurity a while ago.
-
Re:Missing the point
I'm just saying if you're paranoid enough to get into SE Linux, you might want to look at OpenBSD. As it happens, I'm actually a Linux Geek, so here's some tools/docs to make your boxen more secure: http://www.bastille-linux.org/
-
Re:Something to think about:
There are Perl scripts with GUI wrappers to harden a Linux installation. These are available here: Bastille Linux
The script will help to shut down unneeded daemons. It will configure things to minimize the attack surface presented by the computer.
-
Re:Well that's good and all, but
why don't you set up a unique machine for that purpose and put it outside the firewall where it belongs?
Servers never belong outside the firewall. Perhaps in a DMZ, but never completely unprotected. If you don't have a choice, at least improve the security on the box with something like Bastille.
-
Re:bastille script More info and link
For those of you who aren't familiar with Bastille, check out its site at Bastille Linux site. They have links for Redhat, Debian distros as well as HP-UX and Mac OS X.
There is also some info out at Bastille-Linux Scripts to Secure Linux and HP-UX
-
Re:hmmm
Ya, I think I missed the memo. Are we all supposed to hold Debian up as the One True Linux? I thought Slackware was the distro we were all supposed to mindlessly acknowledge as the most l33t.
Are we also supposed to chant "Mandrake is for newbies, Mandrake is about Ease-of-Use" repeatedly, or has it finally become fashionable to recognize their ties with clueful things like Bastille, Prelude, and other security-related projects? Sorry, I'm a little behind on my groupthink ;)
Linux is what you make of it, any distribution can be installed and configured to promote ease-of-use, security, maximum customization, and fine-grained control.
-
Bastille Linux
I forgot about this; at the "Locking down a Linux Box" level, there's Bastille Linux.
Not only will it secure your box, one of their major goals is to "teach" you how as it does it. Here's a quote from their site:
Bastille Linux has been designed to educate the installing administrator about the security issues involved in each of the script's tasks, thereby securing both the box and the administrator. Each step is optional and contains a description of the security issues involved.
Seems like a good source of info to me. Teach a man to fish and all that...
-
Re:Security tools are awesome, but....
I totally agree. But they're tools, not "solutions."
Anyway, Defense in Depth is always good -- if an attacker penetrates the firewall, it's good to have hosts that are harder to crack. If the host gets cracked, you'd want to have an incident response plan and policy so that you can contain the damage.
In Bastille Linux's defense, we try very hard to educate the sysadmin/user so they'll make better decisions. Bastille tries to educate the user, to help her build a good hardening policy for her hosts and hopefully her site.
And that education is one of the few things that will actually keep your sysadmins or users from blowing the entire site's security away with a bad decision... Who cares if you're proactively scanning for open ports when you don't know why some of those open ports are worse than others? Your admin has to know that allowing Samba/CIFS/Windows filesharing through the perimeter firewall is asking to be hurt badly. Your admin has to know that setting every Unix box to give root via rsh from a particular (spoofable) IP address is asking for a domino effect.
Education, unfortunately, is the hardest step.
-
Comments on the page . . .
Anyone else read the comments on the page?
This is the most idiotic text I have ever read. Next time you lack a topic to write about, by all means drop a note to bugtraq, I'm sure that collectively we can come up with something more compelling than this mindless rambling of fighter pilots and "coders".
. . . and . . .
Not sure what exactly you are suggesting would be better than C/C++? Java? PHP? PERL? C#?
These comments entirely miss the point: I think Lasser's main point is that programmers need to focus more on security instead of being lulled into a false sense of security, and that it is the quality of code and not the tools used that make a system secure.
A related note on Linux security vs Windows security: yes, Linux is `inherently more secure' than Windows; no, Linux is not inherently secure. (I know most /. readers know this, but there is sometimes the tendency to fall into a `security high ground' trap.)
In short, carefully consider what Lasser has to say -- he's no fool on the subject of security.
-
Re:Learn the command line
How could you possibly deal with, for instance, securing Linux without the CLI?
Bastille Linux. I'm not saying that it's a complete solution to every security issue a Linux user may come across, but it's a very newbie friendly way of locking down a box in the first place.
-
Bastille Linux
Linux.com: What's going on with Bastille Linux right now? Where's the project at?
Beale: Well, for readers who don't know, Bastille Linux is a hardening program. Basically, it's a tool that increases the security of a system in every way that we've thought to automate. This includes steps like reconfiguring DNS, Web, FTP and Mail servers for better security, but also includes single-machine or single network firewalls and port scan detection tools.
Now, our most recent piece of good news is that we're officially supporting HP-UX, making our name just slightly inaccurate. Then again, we probably started that trend a few years ago, naming ourselves after a defeated French jail!
you can get it here
-
actually yes
the major problem today is people using tools
to this end you can use a mac
(big endian so defeats a lot of stack smashing targeted at x86)
use bsd
(THE network stack - problems in MS TCP/IP stack have been solved years ago in BSD)
and don't run any silly daemons
http://www.
does a nice job of sorting out things config wise where most problems live
regards
John Jones
-
Re:Bastille - No Kernel Patches
Bastille Linux is user space hardening (e.g. changing file permissions, disabling telnet and other vulnerable services, setting up IPTables and various other security features), no kernel patches as far as I remember.
-
Re:Which are more successful?
a long list of security issues for Linux (as many, if not more, than Windows)
The Linux kernel has more issues? No. Applications that run on Linux? Possibly. Now compare the number of apps on each platform. Linux is more secure than Windows if you:
a. do not install tons of server programs that you are not going to run
b. use tcpwrappers to initiate programs that can use it and use hosts.[allow/deny] to control access to those programs.
c. use Bastille to harden the box
d. use ipchains/tables to control access to your PC or network - don't feed me crap about a personal firewall; this is an actual firewall.
just my $.02
-
Re:No thanks
No, you are out to lunch.
Sorry, but Telnet is a severe security hole.
Take a look at this link. The program Hunt can crash through a Telnet session and steal it. It is also possible to use a similar attack on systems using SSH 1, which is why you should not use it.
Also, if you have ever heard of anything such as dsniff you know that Telnet is practically useless in terms of security. Combine dsniff and hunt and you have one crappy method of defense. I don't care how strong your password is if I can:
1) Read it and capture it. (dsniff)
or
2) Simply steal the session, and thus have no need to type the password at all. (hunt)
Don't take anything in security for granted. For example I know of an admin who recently decided to implement backups to a remote NFS system, thus he opened up NFS, and thus portmap (port 111) to the world through his firewall. He still has no idea why this is bad, which explains why I will be completely reinstalling his servers in a few days.
You might not know why portmap is bad - but it is - you might also assume Telnet is ok. It is not. I have watched over 25 machines get compromised by Telnet, and I was the one who had to fix them. (I always get called in AFTER the fact - never before which I think is dumb.)
So, operate like OpenBSD - trust no one. Trust no protocol until you have a reason to trust it to some degree. And if you don't know why portmap / port 111 is bad, you may want to look that up at the same time.
-
Bastille script hardens Redhat
Bastille is a script that asks you questions, and proceeds to tighten down your Redhat or Mandrake installation, extra effort has been put into explaining the choices, and making sure you understand WHY something was done.
Here's the summary:
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:
-
Re:LinuxMandrake SNF
Sorry to be redundant, but I must agree, couldn't get port forwarding to work. Although, I must say the DSL support with PPPoE was great, install was a little confusing (could never get it to set up each card with the correct interface parameters) but once you get it to the point where you can use the web interface it's easy. I also had problems with Smoothwall, but that was with the PPPoE support which was still in beta (this was almost a year ago) probably much better now. I'm happy now just using Bastille-Linux and then tweaking the rest myself. (end 2 cents)
-
Re:Another globbing bug?
I run my own box for personal use, and learning anything more than basic security takes more time than it's worth.
Maybe to YOU, how about all the other people who will get nailed when YOUR box is hacked and used in Distributed Denial of Service attacks? How about the embarrassment of discovering your box being used as a drop point for many megs of porn for sexuality other than your own? How about all the webmasters who have to put up with probes (at least) from your box after it catches the latest worm? How about your ISP being notified that you've committed criminal activity against another computer because a cracker cracked you and used your box as a springboard?
If you can't be bothered, take your box off the internet, PLEASE.
Steps to a (more) secure box:
- issue netstat -apn (adjust for parms allowed in your netstat, but if -a doesn't work, get a new one; if -p doesn't work and you're running a recent version of Linux, you've probably *already* been cracked). Understand every single tcp or udp entry. Turn off any you don't need.
- set up a firewall on your machine. Deny all incoming connections by default, then permit only the protocols you need from the endpoints you need to permit them from. For example, I permit http from anywhere. I permit ssh on my home box only from the outer address of the firewalls at work - and this is a good thing because ssh at one point had a hole, so I'd cut my vulnerability way down.
Turning off unneeded services, then firewalling (actually, packet filtering) to allow only known-good protocols is 'defense in depth' - the odds of screwing up in both places the same way are smaller than for either one singly.
- if you're using Linux, Bastille Linux is a useful script (or set of scripts) that will help you secure your machine and teach you about the process at the same time.
- Subscribe to a security mailing list or two (CERT and Bugtraq are good). When you see something you're using there, fix it.
Interesting story: I was doing work on a box for a guy who only had *dial-up* access and only used it to send/receive email and browse a little. He was cracked, which I discovered when his netstat wouldn't take the -p option (his version had been replaced after he was cracked, which is common - the crackers replace common utilities with versions specifically written to *not* show their activities on your machine). Ooops - time to reformat and re-install. The fact that you are on a slow link or you are obscure doesn't help much - the script kiddies pick a block of IP addresses at random and scan them all for their vulnerability du jour - if you have it, you're toast.
-
Bastille Linux Webpage
Bastille Linux's Webpage has a nice 2.4 Netfilter Firewalling document... I also used this GUI which can create rulesets for ipchains and iptables/netfilter. And, yes, if you upgrade your kernel to 2.4, netfilter can still read your ipchains rulesets, so it's not necessary to immediately rewrite your rulesets for ipchains/netfilter.
-
Re:Hardly the first step
This is just boilerplate and not worth worrying about; when I used Bastille to harden my Red Hat 6.2 box I let it install a pretty much identical motd. People do it because there is a slight possibility that the warning could make it easier to litigate if you could ever actually prove an attempt to crack your box.
-
Re:It can happen
Yes, *nix presents at least as much of a target as Win boxes, if not more since the services running on a default install are likely to include daemons like ftp and telnet. However, it is also really easy to run a perl script like Bastille to tighten security fast and with little technical know-how. Try that on an NT box.
-
Re:About time!
Are you stupid? The first rule of system hardening is 'turn off services you don't need.' Pretty much every network operating system (except, I believe, certain variants of *BSD) tends to run daemons which generally aren't necessary. And I'll note that Bastille Linux turns off unneeded daemons as part of its hardening routine.
-
Red Hat 6.2 (basic install lockdown)
For RH 6.2, before you even connect it to a network, I recommend you have a copy of Bastille Linux (which is actually a script, not a distribution) on hand. This is great for newbies.
As a general rule:
run the "ntsysv" tool, and disable portmap, httpd, bind... hell disable EVERYTHING, and begin turning on things as you need them. (If you don't know what it does, turn it off, if something stops working, you know what that was and can turn it back on.)
Comment out everything in the /etc/inetd.conf file (which only appears in a server install).
Have nmap on hand, and scan 127.0.0.1 (yourself) with it, to make certain your ports are closed. Nmap should only find port 113 (and 22 if you install SSH). Sure, you can have more open ports after that - but that is providing you know what they do.
There is no way I can give you enough advice on how to secure a machine on a simple /. post, but the above is a good start for Red Hat 6.2.
-
Re:Distros
Bastille is a set of Perl scripts that walk you through the process of securing/'hardening' your system. Very much like a wizard, it asks you if you want to do 'A' with a quick explanation of why you should and when you shouldn't do so.
http://www.bastille-linux.org/
Mandrake 8.0 does include a GUI front end for it, however it does have a text mode 'menu-ish' system if you don't want the Graphics.
-
We've seen this class and scale of problem before
The Code-Red worm is a wake-up call
It's worth remembering that this sort of problem has been seen before, with the Robert Morris Worm in 1988. The similarities in terms of spread are clear, although the damaging effect (Morris brought down a large percentage of the then mainly academic based Internet) was much more severe - so far. The article makes clear that we need to be aware that things could be worse, when script kiddies start playing with this virus.
Lessons were learnt then, and it probably makes sense to revisit them and ensure we haven't missed anything.
Those of us with machines at home running services should all be careful (be it Windows, Linux, Solaris, *BSD or whatever), and review our presentation to the world. Check out Bastille Linux for a start.
-
Re:Is this software really necessary?
Freedom's software was for people who really did not know how to do half or any of these things by themselves. Since most new linux users use a redhat type fs and layout (mandrake etc). The best option would be something like Bastille-Linux
The anonymous web and email will have to wait for a large p2p system to support all that proxying about the net...
-
Re:security/installation features
Try Bastille Linux. It does a very nice job on securing Red Hat distributions and even some others, perhaps Mandrake. I haven't personally tried it because I use Debian, but I've heard very positive comments. However Debian asks you during the install if you want to enable services, something the other distros seem to somehow forget.
-
Re:firewall?
How is the newbie firewall setup compared to the redhat 7.1 tool to setup simple firewalls?
Mandrake 8 ships with Bastille, a hardening and lockdown tool. It's a bit of a pain in the ass to set up, since you have to sit there and answer questions (some of them fairly complex) for half an hour.
However, I did some contract work for MandrakeSoft a few weeks back and wrote a few things which are included in Mandrake 8, one of which is a program called TinyFirewall - it's a program which creates a configuration file for Bastille with a few easy questions (but it is obviously far less powerful than the full Bastille). It's meant simply to firewall a single machine rather than a network.
I also wrote a program (although I don't know what they're calling it in the release) which has the same basic idea (answer a few questions to configure Bastille) but rather than creating a small configuration file it chooses one from a bunch of premade config files (server paranoid, server moderate, server lax, workstation paranoid, workstation moderate, workstation lax). The premade configurations were made by Jay Beale, lead developer for Bastille.
I know that Mandrake's guys have hacked my code up quite a bit, so I make no guarantees about it anymore, but it worked when I gave it to them :) I believe (although I could be mistaken) that the configuration chooser script is run by Mandrake's installer now.
--