comp.os.linux.security FAQ
$kr1p7_k177y wrote to us regarding Daniel Swan's release of the comp.os.linux.security FAQ. It's what you'd imagine, but with the growth lately, this should be helpful tool. There's also an interview with him that sheds more light on the reasons behind the FAQ.
Actually, speaking as someone who regularly installs new distros/OSes just to try them out - a default win2k install is more secure than any linux distro I've seen. Remember, it's not based on win9x.
It's also easy to further lock down - it's straightforward to block any TCP or UDP port or even protocol you choose (without additional software).
Also, Zone Alarm is widely recognised as a kick ass personal firewall (though I'd always prefer to set up my own cheap box running BSD, and use it to block adverts and trojans also. Get it doing DNS caching etc, also - every little helps when you're restricted to modem like me).
I realise you're just trolling, but I feel that I have to at least try to counteract your FUD.
Q: How do I secure Linux?
A: Install BSD.
The cure of the ills of Democracy is more Democracy.
Erlang Developer and podcaster
Another oversight in this FAQ is that there is absolutely nothing about PAM -- good, bad or indifferent.
I'd offer to write the section myself, but beyond saying "It appears to offer a finer granularity over file & executable permissions than UNIX's traditional xrw, the documentation included with the package appears to be fairly comprehensive, & it comes enabled by default in the RedHat distribution."
Give me a few months with PAM, & I may be able to delete the qualifiers.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
> PAM has NOTHING to do with xrw style permissions, this is something else, called ACLs (Access Control Lists).
Well, having had only the last 5-10 days to read the documentation, I was left with the impression that it could be used quite nicely to implement ACLs.
And the point of my original post was that I'm not qualified to add more to the FAQ about PAM than to nicely ask the FAQ maintainer to add a section about it.
Geoff
Just being a hacker does _not_ make you an engineer. IMO that is a much worse mistake than the hacker/cracker mixup.
The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
Overall pretty good, but there are a few (minor) points..
:o)
First, your firewall should always be initialized before initializing the network interface, not after... initializing it after your network comes up means that there is a period (however small) that your machine is vulnerable (or, more vulnerable than it could be
Second, blocking all inbound pings can (potentially) cause problems with things such as DHCP.. (most DHCP servers attempt to ping an address before they issue it, to determine if it's in use or not..) if the DHCP server's lease database becomes corrupt/invalid (because of a network/hardware failure, for example), it could give your IP address to someone else, because your machine doesn't answer the ping..
Third, he misspelled Kurt Seifried's name (I think that Seigfreid is a magician from Vegas
Other than that, a pretty good start..
The answer to this question (and every question in that area) hasn't changed in 2 years. There are many linux viruses in existence and a number have been found in the wild. There are viruses that infect the PLT table of ELF binaries to intercept library calls. There are viruses that use ptrace to infect every running program the user has access to debug (yes, that's right, download some infected binary, run it and every process you have running is simultaneously infected, including your shell) and there are viruses that can jump su to root. These are the viruses that "follow the user". Hell, all this stuff has been in Phrack. There are viruses that act like worms, they look in your .ssh known hosts file and try passwordless connections to all of them. Virus proliferation on linux is a serious issue and should be dealt with by FAQs like this. Two years ago I sat here and said if virus research on linux was not encouraged it would develop underground and we would have people like this denying their existence until it is too late. Well it's not too late, yet.
How we know is more important than what we know.
The FAQ uses `hackers' as its term for malicious attackers, rather than engineers.
Surely the Open Source world knows of this distinction, and this could be reflected in the FAQ?
*) telneting as root is considered bad. Please replace telnet with OpenSSH. It encrypts things so that people can't spy on your sessions. If you want an example, learn how to use tcpdump, and see what happens. It's also a good idea to not ssh as root so that it requires another level of passwords to get total control over your box.
;)). We'll help you out.
*) Nobody is a generic dummy account on most UNIX systems. Its purpose is to allow you to run various daemons under the lowest privileges possible (that of a user which can't login and doesn't own any files). A better practice is to create one user account per daemon, and have it own only the files it requires to write to.
*) -- MARK -- is a generic placeholder put there every n amount of time (the default is 20 minutes.. man syslogd for more information).
*) DENY and REJECT act slightly differently. If you are going to utterly blackhole a machine, or simply want to eat packets coming in, DENY is the option you want. REJECT simply sends back a connection refused packet (for TCP; UDP and other protocols have slightly different packets). If you're going to be filtering TCP ports, use REJECT -- DENY will show up as 'filtered' on nmap and any other quality scanner which notes the lack of a reply packet (despite the host being up).
*) OpenBSD is an audited branch of the BSD family tree. This code can trace its lineage back to the original UNIX code. For many people, it's a great replacement for Linux on their firewalls because it's simple to setup, and secure out of the box. If you require SMP, or are going to be doing things like high volume web traffic, you may want to review the performance of it vs. Linux, or combine them via firewall + proxy network setup.
If you have any other questions, head to #kuro5hin on slashnet (or irc.kuro5hin.org if you don't know what slashnet is
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
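The DENY/REJECT point from the list above, as an added example that is not code from the FAQ or from anyone in this thread. It is written in iptables syntax (where ipchains' DENY is spelled DROP) and assumes a constructed blackholed net, 192.0.2.0/24; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the FAQ or this thread: the DENY/REJECT
# distinction written in iptables syntax (ipchains' DENY is DROP in
# iptables). It belongs in the init step that runs before the interface comes
# up. IPT=echo makes it a dry run that prints the rules instead of loading them.
IPT="${IPT:-iptables}"
BLACKHOLE_NET="${BLACKHOLE_NET:-192.0.2.0/24}"  # constructed example net (TEST-NET-1)

# A host or net you never want to talk to gets DROP: packets are eaten and no
# reply of any kind goes back.
blackhole_rules() {
    "$IPT" -A INPUT -s "$BLACKHOLE_NET" -j DROP
}

# Ports you are filtering get REJECT with the reply a genuinely closed port
# would send: a TCP RST, or ICMP port-unreachable for UDP. A scanner then
# reports "closed" instead of "filtered" and learns nothing about the filter.
service_rules() {
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Traffic we do want: loopback, replies to our own connections, and ssh
# (port 22; telnet is not offered at all).
allow_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
}

# Order matters: blackholed sources first, then what is allowed, then the
# REJECT catch-all for remaining TCP/UDP; other protocols hit the DROP policy.
apply_firewall() {
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    blackhole_rules
    allow_rules
    service_rules
}

if [ "$1" = "apply" ]; then
    apply_firewall
fi
```

Run it as `sh firewall.sh apply` from the firewall init step; `IPT=echo sh firewall.sh apply` shows the exact rule order without touching the kernel.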
Isn't this more of a server concern? I mean, even if my system was "compromised" (the official-sounding wording in the FAQ) why would I truly care? There is nothing on my system that denotes anything that would need to be truly secure (just some personal writing), and if things were deleted I keep regular backups. Privacy is not a concern (I keep no credit card or checkbook numbers on my box).
Most crackers probably aren't interested at all in your private stuff, except perhaps your ISP data (login, password) so they can use your account to get on the net. The thing crackers are interested in is your box itself as a base for further attacks. A cracker with root access can easily manipulate your log files, so when an attack is traced back to your box, you have no proof that it wasn't you who broke in that government machine and downloaded top secret information...
All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not. Sometimes I think this whole bent-up security "focus" of computer hackers comes from their own inherent distrust and annoyance psychologically with the rest of the world.
If you have no net connection and no private data on the machine, security wouldn't be much of an issue. But with an internet connection security simply has to be considered. If you live in a peaceful neighborhood with none or just a few break-ins a year, you probably wouldn't care too much for a state-of-the-art alarm system. Now consider that some unknown guy from somewhere far away develops the Burgle-O-Matic(tm) which can ransack 1000 homes per minute, is operated from a safe haven outside your reach and is available for free to anyone who manages to find it. It also ruins your door even if it can't break in, and you can expect it to come around every other day. Would you just buy a wagonload of new doors every month, or would you rather install a Break-O-Burgle (Guaranteed To Stop Any Brand Of Burgle-O-Matic(tm) At Least Ten Yards Before Your Door)(tm)?
--
Cthulhu fhtagn!
I know that spelling criticisms are a low blow. But I love this sentence from section 3.7 of his FAQ:
"There seems to be a widespread, but fellatious, belief that denying incoming pings will render your host invisible to the outside world."
Do you need special hardware for that belief?
Q:How many libertarians does it take to stop a Panzer division? A:None. Obviously market forces will take care of it.
(I'm a relatively new Linux user and probably speak from a largely Windows background).
This FAQ looks a very good start....Writing a FAQ is extremely time consuming (I know, I've written the PGP DH vs PGP RSA FAQ) and this FAQ is a good foundation to build upon. It largely follows the content of the (also excellent....) book Maximum Linux Security by Anon.
Anyway, I'd like the FAQ to be expanded with:
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Morning Troll );, but in any case OpenBSD is more secure out of the box than most Linux distros, this is true, but trust me, I have seen some *BSD boxes that are wide open (we are talking winders open here). This is because people think that they have OpenBSD and they are safe, they then go ahead, add a slew of ports and open up all kinds of stuff. The simple fact is, while it might be harder to secure an initial install of most Linux distros (Debian is quite easy if you want to be security minded when you first install and you have host security as a goal), most of them can be made almost as secure as an OpenBSD box, and of course if you would rather use that than *BSD (and I can think of several places where I would) then it is important to know how. The thing I do agree with you on is that reading about why OpenBSD is so secure by default and understanding the thought process behind it can *really* help in securing your Linux boxen. In short, winders is the enemy; *BSD and Linux can and do live very well together. So get over it and let's all have some fun. :)
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
There are no processes running as servers because it's a default Win2K Professional box. There is no one scanning my ports because I have set up a cheap version of ZoneAlarm (for my own benefit, to make sure my brothers and sisters aren't browsing to weird websites when I'm home from college).
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
I AM a two-bit Kansas City whore! I'm here, I'm reading, I'm even damned well replying, what more can you ask for? Bl00d? I Read at +2!
This space for rent.
No?