Hardening Linux
davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."
yes but does it run my favorite rootkit?
It's a pretty reasonable 'how to' of a basic sort but I would expect most of the /. crowd to be well bwond this level of competance.
init 11 - for when you need that edge.
Hello 2001 when we all switched to iptables. My gran could write a linux security primer like this by rehashing a couple of google articles.
I know people seem to find it all trendy to bash Novell these days, but AppArmour is a a pretty damn good tool for containing the behaviour of applications. Use a handy little utility to monitor your application (apache, bind, postfix, anything else..) being used in a controlled environment, then apply that ruleset at kernel level and if access isn't defined in the AppArmour profile, it ain't happening.
Does the OS need a fluffer?
Those that are not 'bwond' this level of competance will be 'beyond' it. Sunday, bloody Sunday!
Only skimmed the article but it seems to be pushing Bastille more than anything else. Don't know of any installer that automagically starts services unless you specify them yourself. I'm pretty sure there are far better security tutorials and introductions. Better yet, your distro probably has one specifically for it. This seems more like advertising than anything useful. I could be wrong though.
For those not wanting to read the article, that "basic how to" is:
1) Disable unwanted services (done via the CLI in this day of GUIs)
2) Keep the OS patched
3) Install and run Bastille to do everything else for you.
I haven't read the article. Can someone please tell me what ports are left open on the default installations of some of the major Linux distributions? I'm running Ubuntu, and I was under the impression that the default installation doesn't leave any ports open.
Help! I'm a slashdot refugee.
Linux hardens You
http://www.bastille-linux.org/
Wincopy
I know that Mandriva tells you if you have any services installed that have open ports (SSH,Samba) when you do the install. There are some necessary open ports for most users, like samba. Having open ports doesn't have to be a bad thing, although I will agree that having them open without any reason is not a good idea. However, as long as you keep on top of the updates (very easy with Mandriva and most other distros), you shouldn't have too much to worry about.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
In this regard I'm very impressed with the work the Ubuntu developers have done: a netstat -tupa post-install reveals a very small attack-surface where ports are concerned. That said, it would certainly be interesting to see a per-distro comparison at some point.
Anyone know of such a project - even if just comparing a few top-tier distributions?
This is mainly for those who roll their own using LFS, but Hardened Linux From Scratch should give some tips, and practical advice, which critical areas need patching, plus proper practices.
Did you see where it mentioned nmap? No? Because it didn't. Wouldn't you expect it to tell you to run nmap from a different machine so you can see what your outside profile looks like?
It reads more like someone who's just discovered Bastille and now considers himself "informed" on "security issues".
Step #1. Limit the avenues of attack. This is where you'd use nmap.
Step #2. Remove anything you don't absolutely need. Come on, most people out there will be running some distribution now. At least he could have covered dpkg, rpm, etc.
What's this with the "Enter kill -9 xxx where xxx is the PID."? How about just /etc/init.d/service_name stop? Just use the package manager to remove it.
And editing xinetd.conf / inetd.conf? Again, just use the package manager to remove it.
And he doesn't even go into how each distribution handles package updates? What the fuck? Nothing about "apt-get update"? No "apt-get upgrade"?
No, this article is about someone's discovery of Bastille and how it helps an old, stock installation of Red Hat.
If your Linux distro is out-of-the-box "insecure with open ports and unpatched vulnerabilities", then change distro. If this is not an option, it's time to approach your vendor menacingly, clue bat in hand.
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.
Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.
The article isn't very useful or accurate.
You DO realize what website you're on, right?
Seriously.
Peace sells, but who's buying?
Are you new?
Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
I think it was a joke. If not, I can't help but grin.
Um, I see you have a 20-digit UID or something, but how can you be surprised that /. is generally pro-FOSS, pro-Linux???
That is correct. By default, they are all closed.
But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.
As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.
That's without a firewall.
Before making a claim like that, the writer should come up with at least three examples, from current versions of major distros.
Reminds me of a local woman who said "We must have a town-wide neighborhood watch, because there's a child sexual predator on every block." In the several years since she raised that hysteria, there's been exactly one serious case in town: one of her best friends had his extensive child porn collection found by the police. He hired the state's most expensive lawyers and got off with probation. She's still his best friend.
Back to the topic. The article mentions telnet. Is there a single current distro that comes with telnetd enabled? Let's help the sloppy author. Has anyone here installed any current distro and found "open ports and unpatched vulnerabilities"?
"with their freedom lost all virtue lose" - Milton
Dear Jalwin, Slashdot ID one billion. You said: "I just don't care." Yes. Do you somehow think that your opinion matters at all? :D
I am fully aware that they are pro both those things, but this level of stories when there is such a wide range covered seems excessive. Not to mention most of the stories are almost worthless even for people who like linux.
This article makes no mention of grsecurity. Surely closing off unused services and patching vulnerabilities can certainly prevent a penetration, but what happens if a penetration is successful? grsecurity is the answer.
Well, I think for many (most?) people, it's one of the reasons to be here. The quality of the stories is another matter ...
Well, if you're looking for something that's "not linux", you can always enter this contest - there are already a few entries that cover "open ports" that have nothing to do with linux - and one (# 12) that really nails "hardening" pretty good.
"The purpose of this post is to see the reasoning behind so many linux fluff stories making front page "
Its Sunday, this is slashdot, not PC Magazine, CmdrTaco is stuck reviewing submissions over dialup, and the big news of the MONTH was SCO getting kicked in the nuts. - but at least they got more than the $20 that guy got. Hopefully one or two will also get prison, but I'm not holding my breath.
Maybe they can turn the whole SCO fiasco into a tv show, like this kicked in the nuts video, but in reverse - have Darl wear the orange clown wig and PAY people $699 each to kick him.
There is more to being an IT Geek than pushing Linux to the world.
There are other kinds of FOSS products than Linux btw - so why is Linux the only one to get 30% of the index page?
Allthough I like and use Linux, I think the point is valid.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
You can't complain about most of the Linux stories being worthless, when some many Slashdot stories in general are worthless. Welcome to the new vaporware, wonder drug, laws-of-physics breaking device, imaginary problem, or developer bickering of the hour. One doesn't read Slashdot for the quality of the stories, but to avoid doing other things.
I, for one, welcome our archaic security overlords!
I bet that 99% of Linux users are behind a NAT router (because as IT geeks they have tons of networked gear and a private network). The remaining 1% with a public IP directly on their Linux box probably know what they are doing. And don't give me the "what if there are port forwarding rules on the router" argument. If the user has port forwarding rules then he/she is also knowledgeable enough to secure the target Linux box. I know a lot of IT geeks (being one myself) and I seriously don't know ANY IT geek who is not using a NAT router for their local machines. The few that do have a machine on a public IP (hobby mail servers, game servers, etc) already know what they are doing and don't need an article about open ports on a default-installed Linux box. - Jesper
If there's a bigger - and by bigger I mean more populated - Linux fanboy forum than slashdot, I'm not aware of it. All in all, I think it's probably a good thing though.
A-Bomb
Can you tell us the story about how you came to write this article?
Here's how I'm picturing it:
(editor) Mr. Williams, we need a techie article on Linux.
(mr. williams) Okay... I haven't touched linux since I played around with my RedHat 7.2 box 3 years ago.
(editor) Do you still have it?
(mr. williams) Yes, what would you like me to write about it?
(editor) Write something up on securing its "holes and vulnerabilities", and we'll sensationalize it a bit by making it look like Linux is insecure out of the box.
(mr. williams) I don't know how to do that.
(editor) Find something on google. Try it on your RedHat machine.
(mr. williams) I'm going to look really stupid.
(editor) You're a journalist.
Just disrupt the deflector shield with a tachyon burst.
what happens if a penetration is successful?
Pregnancy, in most cases. But in your case, it's probably just a gutteral moan as Inmate 266497 mounts you from behind.
Seems to me the article is just pimping bastille Linux. Years and years ago, most distros did indeed ship with some pretty crack-worthy options enabled by default. It took a small amount of prodding by the community, but most distros, these days, lean towards a default disable policy:
/etc/hosts.deny ALL:PARANOID
- [KU]buntu
All services off by default. netfilter rules are default allow however, but there is nothing to connect to.
- Fedora/RHEL/CentOS
Choose during install what services you want enabled/open/firewalled.
SELinux enabled by default.
- Knoppix 5.1.1
Only Port 68 for dhcp client listener.
- Mandriva 2007 Bootable CD
Port 6000 is all that's open (X server. Ok this is dumb, why?)
Other distros follow similar suit. You can find out what's running on your linux box with:
- netstat -tuna (all tcp/udp sockets, don't resolve names, all listening/non-listening sockets)
- locate iptables; sudo iptables -nvL (show iptables chains for netfilter)
Chances are, if you've not mucked around with the default services things are pretty tight.
TFA is a bit inaccurate for linux systems these days.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Yep. That's why I prefer hitting it from a different machine. Multiple machines if possible. One on the same LAN segment and one from somewhere on the Internet.
That way you'll see what a would-be-attacker will see.
Sure, I might be running SMTP on port 25, but bound to 127.0.0.1 instead of eth0. An attacker would have to FIRST gain access to my machine through some other means to be able to attack my SMTP service.
Sure, that first hurdle might be set very, Very, VERY, VERY high, but if someone can get over it
And that's what "security" is all about to me. It's the PROCESS of evaluating threats and reducing their effectiveness.
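An added example (my code, not from the article or any commenter) that makes the local-listing vs. remote-scan point concrete: it parses constructed `netstat -tuln` output, separates sockets bound to loopback (visible in the listing but unreachable from outside, like the SMTP-on-127.0.0.1 case above) from those bound to a wildcard or interface address, and applies an assumed, simplified allow-list model of an input filter. The sample output and the `allowed_ports` model are my assumptions, not real iptables parsing.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of `netstat -tuln` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 192.168.1.10:123        0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # tcp, tcp6, udp, udp6
    addr: str    # local bind address exactly as netstat prints it
    port: int


def parse_netstat(text: str) -> list[Listener]:
    """Extract listening sockets from numeric netstat output.

    TCP entries count only in state LISTEN; UDP has no state column,
    so every UDP line with a bound local address is a listener.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # an established/closing connection, not a server socket
        addr, _, port = local.rpartition(":")  # copes with ':::80' and '::1:5432'
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1, including the IPv4-mapped ::ffff:127.x form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def local_only(listeners: Iterable[Listener]) -> list[Listener]:
    """Sockets the local listing shows but no remote host can connect to."""
    return [l for l in listeners if is_loopback(l.addr)]


def externally_bound(listeners: Iterable[Listener]) -> list[Listener]:
    """Sockets bound to a wildcard or interface address: candidates for remote reach."""
    return [l for l in listeners if not is_loopback(l.addr)]


def attacker_view(listeners: Iterable[Listener], allowed_ports=None) -> list[tuple[str, int]]:
    """Approximate what a scan from another host would find.

    `allowed_ports` is an assumed, simplified stand-in for an input-filter policy:
    None means default-allow (every externally bound socket is reachable);
    a set means default-deny with only those ports permitted. Real netfilter
    rules and an upstream NAT can differ, which is exactly why the thread
    recommends scanning from outside rather than trusting this listing.
    """
    reachable = externally_bound(listeners)
    if allowed_ports is not None:
        reachable = [l for l in reachable if l.port in allowed_ports]
    return sorted((l.proto, l.port) for l in reachable)


def report(text: str, allowed_ports=None) -> dict:
    """Compare the three views: everything listening, loopback-only, attacker-reachable."""
    listeners = parse_netstat(text)
    return {
        "local_listing": sorted((l.proto, l.port) for l in listeners),
        "loopback_only": sorted((l.proto, l.port) for l in local_only(listeners)),
        "attacker_view": attacker_view(listeners, allowed_ports),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_NETSTAT, allowed_ports={22, 80}).items():
        print(f"{key:14s} {value}")
```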
Why is it, since registering an account at Slashdot, a half of your posts have been complaints about Slashdot?
100% of your posts have been anti-status quo. While this is not evidence in itself of trolling (lord knows there is value in all opinions) some of your blanket statements and emotional rhetoric do leave the question open.
The obvious problem with this article is they mention using "Bastille" and forget to mention grsec. I don't really care about Bastille, but I do care about using grsec. Just because you turn off some services doesn't mean someone is not going to pop an xterm off your apache web server from some random cgi vulnerability... At least when someone compromises your web server in this way (which is probably how most linux web servers get compromised these days anyway), the attacker won't be able to do anything besides navigate the directory tree maybe. The attacker won't be able to view processes that are outside their own uid. The attacker won't be able to execute binaries outside of the standard bin directories (so custom scripts/binaries won't execute), and stack overflows do not allow execution of arbitrary code.. It's not a very fun environment to work in, most attackers will just look around and exit when confined to this type of environment...
I was disappointed in the article as well. I expected more security in general and less distro/package specific advice.
I know enough about security to know I'm no expert but here are some of my personal tips:
Slashdotters should be able to add quite a bit, in fact hopefully this will turn out to be a discussion I reference later myself.
Back in my day when we chiseled our bits into stone and sent them by mule train from village to village...
Could you please stop drawing conclusions from a data set of one day? Frankly, it's sickening. Draw up a statistic and I suppose you will see that not every day has 30% linux kernel stories.
Linux this, Linux that...
Linux is marginal (abysmal market share), let's talk about Windows, I propose one week without Linux on front page.
Uh oh..
Is this the kind of slop Slashdot is peddling these days?
I wish I had mod points to give to you, my friend
What ? Me, worry ?
i.e. with all ports closed and all services off, then take the installing user through some wizards with a few different, and mostly conservative, minimalist options for opening things up, explaining the cost-benefit of the options.
I suppose it's just inertia combined with Unix/Linux's pre-internet-malevolence origins. The whole idea originally was for a number of socially responsible researchers to have their computers maximally cooperating with each other (go figure). It wasn't designed with human viruses (malicious crackers) in mind at the get-go.
But we've had net morons long enough now that you'd think a closed and incrementally open up policy would be a no-brainer for the default installations of net-facing OSes like Linux.
Where are we going and why are we in a handbasket?
True.
:-)
But I am sure those days don't have comments about "too many Linux stories" either. Right?
So we could say it is only fair to have that particular criticism on a day where there is also fact to back it up?
- Jesper
Which is basically know what you're doing. Most of these websites simply ignore this very important snippet. Take this website for example; it gives you a few pointers, some even very odd (Bastille hard to use? A kid can fill out yes/no questions) but never goes into any detail as to why.
For example the part about stopping Apache from running. I quote: "To achieve the second, use ps aux | grep httpd. As above, the second column is the PID. Enter kill -9 xxx where xxx is the PID. This stops the process running immediately.". But he doesn't go into any details which strikes me as odd since this is supposedly for inexperienced Linux users. PID? kill? All the newbie learns here is that "kill -9" is the way to immediately stop a program, which is of course utter bollocks. When people learn that as basis they might very well trash part of their system.
For the newbies reading: The why here is that -9 refers to the "KILL" signal (see the kill manpage) which forces a program to stop. This is hardly a clean way to stop your software, you don't tell it "hurry, finish what you're doing and get lost". No, instead you're telling it: "Drop whatever you're doing and get lost". If it's in the middle of handling certain events this might give you very unexpected results. I shudder at the idea of someone trying to "immediately stop" a fsck process.
Still, the first step to security is to know what you're doing. Seeing a "kill -9" to stop a webserver immediately tells me that the author doesn't fit into that category himself. Why this is important? Think about it: if you want to be secure, would you want to use some firewall script of which you're not sure what it does exactly? Sure, the author can tell you that the script blocks all dangerous ports so no one can access your system, but how safe are you really if you didn't check out for yourself?
Sorry, useless story and just a collection of nonsense IMVHO.
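An added demonstration of the `kill -9` point above (my code, not from the article or the commenter): a constructed stand-in daemon that finishes its work on SIGTERM, so you can see that SIGTERM lets it write its shutdown marker while SIGKILL, which no handler can catch, leaves whatever was in flight unfinished. It assumes a POSIX system and spawns a child Python interpreter.

```python
import os
import signal
import subprocess
import sys
import tempfile

# Constructed stand-in for a daemon: it installs a SIGTERM handler that finishes
# its work (here, writing a marker file) before exiting. It is handed to a child
# interpreter with `python -c`, so sys.argv[1] is the marker path.
CHILD_PROGRAM = r"""
import signal, sys, time

marker = sys.argv[1]

def on_term(signum, frame):
    # Orderly shutdown: complete the pending write, then exit.
    with open(marker, "w") as f:
        f.write("clean shutdown\n")
    sys.exit(0)

signal.signal(signal.SIGTERM, on_term)
print("ready", flush=True)   # tell the parent the handler is installed
while True:
    time.sleep(0.05)
"""


def stop_child_with(sig: int, timeout: float = 5.0) -> bool:
    """Start the stand-in daemon, send it `sig`, report whether it shut down cleanly.

    Returns True if the marker file exists afterwards, i.e. the process got to
    run its shutdown code. SIGKILL cannot be caught, blocked or ignored, so
    with it the marker is never written.
    """
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "clean-shutdown.txt")
        proc = subprocess.Popen(
            [sys.executable, "-c", CHILD_PROGRAM, marker],
            stdout=subprocess.PIPE, text=True,
        )
        try:
            proc.stdout.readline()   # block until the child reports "ready"
            proc.send_signal(sig)
            try:
                proc.wait(timeout)
            except subprocess.TimeoutExpired:
                proc.kill()          # escalate only if the child hangs
                proc.wait()
        finally:
            proc.stdout.close()
        return os.path.exists(marker)


def stop_with_sigterm() -> bool:
    """What an init script or a plain `kill <pid>` does: the daemon cleans up."""
    return stop_child_with(signal.SIGTERM)


def stop_with_sigkill() -> bool:
    """What `kill -9` does: no handler runs, in-flight work is simply lost."""
    return stop_child_with(signal.SIGKILL)


def graceful_stop(proc: subprocess.Popen, grace: float = 10.0) -> int:
    """The sane stop sequence: SIGTERM, wait out a grace period, SIGKILL only if ignored."""
    proc.terminate()
    try:
        return proc.wait(grace)
    except subprocess.TimeoutExpired:
        proc.kill()
        return proc.wait()


if __name__ == "__main__":
    print("SIGTERM -> clean shutdown:", stop_with_sigterm())   # True
    print("SIGKILL -> clean shutdown:", stop_with_sigkill())   # False
```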
As long as the complaint is about that particular day, and not general :)
Last time I looked (at least on redhat systems) chkconfig can show you which services are running and disable the ones you don't want running.
chkconfig --list
chkconfig nscd off
I may not be a smart man, but I know what an inode is.
Almost all script kiddies work off the same theory: find an application that has not been updated, and which has a security vulnerability (un-updated versions of Wordpress or AWStats are always favourites), use this to run wget to pull a script, rootkit, etc. onto the server, then "break" the machine and use it as a spambot.
The simplest way, then, to prevent script kiddies from compromising your system is to only allow access to wget through sudo! Simply chmod it.
Now, this is no excuse not to ensure everything else is up to date, etc. But a simple chmod can make an enormous difference to the security of your system.
--- My dad's political betting
I set up a VPN connection for a co-worker last week. She was directly connected to the Internet through her ISP supplied cable modem.
Except that that particular cable modem automatically filtered the inbound connections. Checking her machine showed that everything was okay
Rather than waste time trying to determine all the possible combinations that COULD cause something
I used that patch for many years to secure Debian web/ftp/mail/shell servers. I also took great care to run only the safest possible daemons (e.g., qmail) and adopted a default-deny approach in general. Those systems never got cracked.
After a few years of that, I ended up moving to OpenBSD, because I got tired of managing all the security aspects of the OS myself. It's a matter of convenience and especially time... though I also happened to be pulled in by excellent OBSD documentation and all-around integration that Linux "distros" lack.
Yah, I reckon Slashdot ought to broaden its appeal a bit, let's follow Digg and start an expansion into Adam-Sandler-did-a-funnie-on-Colbert Celebrity Bullshit Non-News.
The best way to predict the future is to invent it
Maybe it does. Maybe it does not. But that is immaterial. This is about what an attacker would see. Not what your machine can see from itself.
It is possible to set up a system that allows access to those services from eth0 & localhost, but not from any other addresses.
You are not concerned about what you can see from your machine. You are concerned about what an attacker can see. They are NOT the same.
NO it will NOT.
Your statement is only accurate for the condition in which NO ports are open. That is a single scenario and does NOT account for the various possibilities. Therefore the ONLY way to know what an attacker would see is to scan the way the attacker would.
No. Again, the system can be set up so that the ports are visible from localhost and eth0. The only way to know EXACTLY what the attacker can see (other than in the specific scenario of all ports being closed) is to scan the way the attacker would.
No, the list given by nmap would not be accurate. Because the list given by nmap would show ports open (and therefore vulnerable) when there would be no way for an attacker to see those ports.
Again, the only time your statement would be accurate is the single case of all ports being closed.
I've given multiple, specific examples where such would not be the case. I've shown where your statement is correct ONLY FOR A SINGLE SCENARIO where all the ports are closed.
Again, I've provided specific examples that illustrate where the information gained by scanning from an attacker's position would be different than scanning from the machine itself.
You can claim that such is impossible all you want.
But the facts contradict you.
You are taking a single case and claiming that it is the same for ALL the possible configurations. It is not. The only way to know what an attacker will see is to perform the scan as an attacker would.
I thought that Linux was the answer to all the computing ills of society!!!!
http://www.itwire.com/administrator/ There should be an .htaccess at least...
The Internet isn't insecure. It may be unsecure. Insecurity is mental state. The users of the Internet may be insecure, and perhaps rightfully so......Simson Garfinkel
"84.736/100 on Ubuntu. whoop de dooo." - by Anonymous Coward on Sunday August 12, @11:16AM (#20203099)
Ok, but... Do you have a legitimate, unfaked photo (yes, someone in those 26 url challenges to take the CIS TOOL did insinuate he could do that) of your proof of your score?
Thanks!
Because I did state I would like that type of evidence, here (in the post that is parent to your own no less):
http://it.slashdot.org/comments.pl?sid=267599&cid=20203061
----
"Yes, I would preferably like to see a result photo (legit/unfaked, because I had someone insinuate they would or could do that here once @ this site) someone using FreeBSD or SeLinux kernel hook addon bearing distros of LINUX (Ubuntu 7.04 onwards has this 'baked in' no less, & it's pretty widely used)."
----
That I would like to see, mainly because I want to see the areas tested (analogs to ones tested in Windows NT-based OS really) & discuss the areas YOU may feel it is "in error" in (as I found in the Windows Server 2003 model of this test, where I am 99% convinced the test "erred" on me, & owes me some points (minor areas))!
PLUS, discussion of techniques you use on your *NIX variant that that test MAY NOT ACCOUNT FOR!
(Things like these, which CIS Tool does not check: For LinkSys NAT true firewalling stateful packet inspecting hardware firewalls, OR even software firewalls &/or antivirus-antispyware programs (which are useful for security, LAYERED SECURITY, today/nowadays, especially online))!
Examples from the "*NIX FIEND WORLD", thereof/such as, perhaps:
----
1.) Using NetConfig to create a NAT "firewalling" subnet for you, from a dual homed/dual NIC bearing LINUX rig
2.) Using SeLinux's SOCKETS LEVEL CONTROL above & beyond IPTables usage
3.) Using SeLINUX "MAC (mandatory access control) label based security (analog to Windows ACL's & POSIX ACL's) usage for comparison to Windows' ACL level controls on the registry & filesystems via userrights assigned, above & beyond using std. *NIX tools like chmod/chown & yes, chroot (because programmatic "impersonation" as it is called in Windows can be used to circumvent & 'break out of' chroot jails for instance)
----
(That's for some examples I'd like to discuss with *NIX fiends here, & to see "layered security" in place on a *NIX rig (like I use on Windows Server 2003 here) above & beyond what say, for example, the *NIX hardening link urls I posted in my last reply here give folks & yes, myself).
----
HOWEVER, above all else - I do have a photo proof of my score, again here, for your reference which I provide, & expect the same from you *NIX guys as well, per my quoted statement above (from myself in the posting parent to THIS one):
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
AND, here are the steps I used on Windows Server 2003 SP #2 to get that score (95% of it applies to older Windows NT-based OS' (2000/XP) too, & it can even IMPROVE VISTA'S SCORE as well, when its techniques & concepts are applied):
APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA):
http://forums.techpowerup.com/showthread.php?s=3e78ea52bc119fb94a59e51abf7c47a5&p=375355#post375355
(I made that as easy of a "guide/roadmap" as possible, using tools native to Windows, so Windows users could be secure online, per the gauging done by the multiplatform test of online security, in CIS TOOL, noted by SANS no less as to its validity & intended purpose per proof of that I submitted in the post paren
"I've always wondered how hard it would be to get a Slashdot reader to download and install a root-kit on their Linux box. Thanks to you, now I know it's not hard at all." - by Anonymous Coward on Sunday August 12, @12:15PM (#20203457)
LOL, this evasion's (from another A/C, not myself mind you)?
"NOT TOO LEGIT"...
Especially in light of the fact, anyone can see below, that even SANS recognizes this test as legitimate & the organization who coded it as well:
----
(QUOTING EXCERPT FROM MY LAST POST, THE PARENT TO YOUR OWN):
MULTIPLATFORM ONLINE SECURITY TEST CIS TOOL (NOTED @ SANS: CIS to Release Windows Configuration Assessment Tool (May 1, 2007)):
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=36#sID302
MULTIPLATFORM ONLINE SECURITY TEST CIS TOOL (NOTED @ COMPUTERWORLD):
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018362&intsrc=hm_list
----
2 respected sources about computer information AND security, that are often cited here @ /., no less, where it is noted by both SANS & COMPUTERWORLD as legitimate, not "bushwhack ware":
APK
P.S.=> This "evasion attempt"? I have seen it before, & this is HOW I "overcame that objection"... honestly? TOO easy... if you can't beat the score that I obtain on a custom hardened Windows Server 2003 SP #2 setup system of 84.735/100 on the multiplatform CIS Tool test of online security, & on your part, provide photographic proof (jpg, bmp, etc. et al) of your score VS. mine, using YOUR *NIX OF CHOICE?
Well... "Run, Forrest: RUN!!!"... apk
Services run from inetd/xinetd have their port and interface bindings managed externally, and since UNIX systems have run multihomed almost from the start, there are few if any daemons that can't be run bound to localhost, so if you have to run a local webserver for some purpose it can be unconditionally protected from remote exploits simply by running it on localhost... so as far as an attacker is concerned it doesn't exist.
I would install a Debian server using the minimum install cds and then apt-getting just the services I need from the mirrors (which should have current patches). I mean, if it is going to be a server it should have a somewhat fast internet connection, right?
Why do "security experts" like these folks always suggest using nmap to determine what services you are running? Have these folks never heard of netstat?
I type Undo then middle click it (though it's already present by default) (acme)
Middle clicking on any executable command and have it execute is also pretty neat. (acme, send menu item in the wm, rio)
I can also send arbitrary strings for matching against a list and the match executes, that's a boon as well. (plumber which is a system service (though it runs in userland as you, obviously - this is plan9 there are rules)
I write a palette of commands for my current problem domain which are just txt files so I can even put them in the repository.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
"SANS and Computerworld are not that respected in the computer security world." - by Anonymous Coward on Sunday August 12, @03:28PM (#20204797)
WELL, "OK" if YOU say so... you must be more respected than they are as far as 'authorities on the matter' then, my fellow "A/C"!
(lol... not/whatever! Somehow, this evasion of yours does not wash here @ all, especially considering you're using it to evade posting a testscore on a multiplatform gauge of online security via the CIS TOOL)
Perhaps searching the term SANS here will yield proof, otherwise? I don't know... but, it's a decent chance that IS the case, for that, on that account!
Rotflmao... I'll tell you 1 thing though, for sure:
Apparently my score of 84.735/100 on the multiplatform CIS Tool test gauge of online security that is not 'bushwhack-ware' (ala virus/trojan/malware/spyware etc. et al), per SANS & COMPUTERWORLD:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
IS respected enough...
(So much so, that no "Penguins" or "BSD Devils" here on their *NIX rigs can beat my score pictured above, & this is the 28th time now I have heard some b.s. evasion... "Run, Forrest: RUN!!!").
Personally? I can't believe this has happened here that much, in you *NIX people evading taking this CIS Tool test, OR rather, omitting posting your scores. That's what the evasions are typically like & I overcome each one, in each post, regarding CIS TOOL here (where I challenged *NIX fiends to this test, whenever posts state something along the lines of "(Insert *NIX version here) is more secure than WINDOWS" - PROVE IT THEN! Put your monies where your mouths are))... Talk's cheap... apk
i.e. with all ports closed and all services off, then take the installing user through some wizards with a few different, and mostly conservative, minimalist options for opening things up, explaining the cost-benefit of the options.
I suppose it's just inertia combined with Windows' pre-internet-malevolence origins. The whole idea originally was for a number of socially responsible researchers to have their computers maximally cooperating with each other (go figure). It wasn't designed with human viruses (malicious crackers) in mind at the get-go.
But we've had net morons long enough now that you'd think a closed and incrementally open up policy would be a no-brainer for the default installations of net-facing OSes like Windows.
------
There, I fixed that for you.
i just keep the cup-holder closed, and keep the screws on the back of the case tightened ... seems secure enough to me ...
"Seeing as how 99.999% of Slashdotters are still running under the delusion that teh Lunix is secure (especially compared to Windows Server 2003), your assumption is wildly (and unrealistically) optimistic. A good question might be that, if hardening a system is so simple and basic... why doesn't it just install that way? Yet another reason teh Lunix isn't ready for prime-time. - by Anonymous Coward on Sunday August 12, @12:56PM (#20203755)
/. in fact:
/., especially. One would think they'd take that test & BLOW MY SCORE, away - not a one of 28 or more of those challenged, have to date.
Amen, to that... &, for proof of your statement?
Refer to RIGHT here, in this URL below, where those that stated (Insert *NIX variant here) is more secure than Windows", OUTRIGHT RUN from a multiplatform test of online security (noted by SANS no less) called CIS TOOL, by the CENTER FOR INTERNET SECURITY, 28 times now here @
http://it.slashdot.org/comments.pl?sid=267599&cid
LOL! Man... I tell you:
It's actually FUNNY: The sheer volume & types + number of outright "evasions" I had to overcome in the list of the 28 times now I have challenged the *NIX crowd here to that test (I want mostly to see a SeLinux OR FreeBSD result VS. the one I posted for Windows Server 2003 SP #2 fully "custom-hardened for security" by yours truly @ a 84.735/100 score)...
HOWEVER, it's actually pretty sad too - I would like to see feedback from "the other side of the fence" in the *NIX users here, on THAT test, in particular & ESPECIALLY from FreeBSD &/or SeLinux kernel hook addons for more security for LINUX!
I can only lead a horse to water, but, when that horse seems to have rabies & fears water? What can one do, except wonder, for all the "UNIX UBER ALLES" stuff here on
APK
P.S.=> Heck, I actually LIKE Kubuntu 7.x too... but, I want to see & learn more from someone better than I am @ securing *NIX's, however, that's going to be tough!
Why? Well - All I see, & so will this topic's starter, is a pack of *NIX fiends that 'talk big'... but when the chips are down & the monies are on the table?? NO PROOFS SUPPLIED OF THEIR USUAL STATEMENTS OF "(Insert *NIX variant here) is more secure and securable than WINDOWS" etc. et al...
They won't put their monies where their mouths are, & post a valid photo of a *NIX variant's score on the multiplatform CIS Tool test of online security... which I would like to discuss, even IF my score is surpassed, to increase my personal understanding of *NIX "security + hardening" better than I currently do, IF possible.
A multiplatform VALID test is the best thing/way to test this, & only thing that I have found that does so that runs on BOTH *NIX variants of many kinds (Solaris, FreeBSD, Linux variants, & Windows) that tests analogs between them (noted in the init. url I point you to)... & AS WELL + COMPREHENSIVELY AS IT DOES.
Hilarious, & "talk"? It's cheap - proof's what I'd like to see, + a discussion of techniques used to overcome the test's suggestions/objections (which there will doubtless be many on totally UNSECURED rigs from both camps, *NIX & Win32, & this I am certain of) & so would this article post's starter as well probably! apk
Is there anyone, anyone at all, who doesn't think that hardening linux and hardening windows are the same exercise in futility?
Now from those people, should they exist, is there anyone actually skilled in security?
From this now impossible subset, why aren't we just moving to openbsd?
I'm a Windows-based engineer, and every time I look at Linux I see the same great gaping security holes as the core system I use and less usability. So I stay with Windows, where it's easy. And strangely enough all my bastion hosts are Theo's work.
... couldn't resist.
ROOTKITS ORIGINATED ON *NIX SYSTEMS GENTS... NOT WINDOWS!
/.", in a MultiPlatform test of online security (noted by SANS, no less):
/. & how many times now (28++ now, & growing), from my score on it, ME the "lowly Windows user", no less!)
/., in a lot of statements I see here like - "(Insert *NIX variant here) is more secure or securable than Windows is" etc. et al!
http://www.cio.com/article/116250/A_Brief_History
----
"Rootkits
When it began: 1970s-80s. Originally developed by hackers to hide traces of intruders on Unix computers, rootkits for all types of networked computers are packaged and sold on the Internet by the emerging malware development community. Perhaps the king of these programs is the open source rootkit FU, which can be downloaded freely here."
----
Thought I'd share the "little historical tidbit" with you all... in case you did not know that (I am sure you did, but I can be 'sarcastic funny', too!)...
And, while you're (imo @ least) apparently trying to make Windows users "look bad" & Microsoft + Windows as well?
All I can say is, try this: A CIS TOOL "Challenge to *NIX users @
http://it.slashdot.org/comments.pl?sid=267599&thr
See you there, & GOOD LUCK, you will need it, OR some decent skills @ securing a *NIX variant running rig!
(+, While you're @ it, you'll be witness to HOW MANY *NIX HEADS RAN FROM THAT TEST HERE @
APK
P.S.=> BOTTOM-LINE: WELL, I guess, all I can say is this - Beat the score of 84.735/100 I obtained on the multiplatform CIS Tool test (noted by SANS, created by THE CENTER FOR INTERNET SECURITY) of online security with me using a Windows Server 2003 SP #2 setup, VS. your *NIX OF CHOICE, if you intend to "rib on windows", as is common practice here @
(Note - My setup was fully custom hardened by yours truly, & I'd like to see your score results in a photo, vs. mine which is already @ that url above, with any of you folks & your *NIX rigs (hopefully, ALSO hardened for security as BEST YOU CAN!))...
Now - IF you somehow manage to do so (OR NOT, because I strongly think nobody here can by now, you will see what I mean by that in the URL of the test challenge I posted)??
Win vs. Lose? Not REALLY important to me, honestly - Fact is, I'd just like to discuss your methods, from a proof of result posted photo PREFERABLY from a SeLinux OR FreeBSD user, & what you agreed with, or could & could not solve, based on the CIS Tool's suggestions (everyone can learn here, *NIX fiends AND Windows folks, including myself)... thanks! apk
You not only have to limit the ports but who you accept connections from (AllowUsers file) and if you can where you accept connections from. If they don't have a reason to talk the machine shouldn't be listening
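The post above restricts three things: which ports listen, which accounts may log in, and which source networks are accepted. For OpenSSH those map onto the sshd_config directives ListenAddress, AllowUsers/AllowGroups and Match Address. The script below is an added example, not from the thread; it audits a given sshd_config for those directives (plus PasswordAuthentication) and writes two constructed sample configs, one weak and one restricted, so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# "who may connect" and "from where" restrictions the post recommends.
# Prints one line per finding to stderr and the finding count to stdout.
check_sshd_config() {
    cfg="$1"
    findings=0
    # Effective config: drop comments and blank lines before matching.
    eff=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg")
    has() { printf '%s\n' "$eff" | grep -qiE "$1"; }

    if ! has '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]'; then
        echo "no AllowUsers/AllowGroups: any account with a shell may attempt login" >&2
        findings=$((findings + 1))
    fi
    if ! has '^[[:space:]]*ListenAddress[[:space:]]'; then
        echo "no ListenAddress: sshd binds every interface" >&2
        findings=$((findings + 1))
    fi
    if ! has '^[[:space:]]*Match[[:space:]]+Address[[:space:]]'; then
        echo "no 'Match Address' block: identical policy for every source network" >&2
        findings=$((findings + 1))
    fi
    if ! has '^[[:space:]]*PasswordAuthentication[[:space:]]+no'; then
        echo "PasswordAuthentication is not 'no': password guessing remains possible" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample configs (not taken from any real host) so the audit
# can be exercised without touching /etc/ssh.  Writes $1/weak and $1/hardened.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak" <<'EOF'
# typical out-of-the-box file: listens everywhere, for everyone
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/hardened" <<'EOF'
# listen only on the management address, keys only, named accounts,
# and only from the management network (192.0.2.0/24 is a documentation range)
ListenAddress 192.0.2.10
PasswordAuthentication no
PermitRootLogin no
Match Address 192.0.2.0/24
    AllowUsers ops backup
EOF
}

# Stand-alone run: audit the two samples and show the counts.
if [ "${0##*/}" = "sshd_audit.sh" ]; then
    d=$(mktemp -d)
    write_sample_configs "$d"
    echo "weak:     $(check_sshd_config "$d/weak") findings"
    echo "hardened: $(check_sshd_config "$d/hardened") findings"
    rm -rf "$d"
fi
```

Run it as `check_sshd_config /etc/ssh/sshd_config` on a live host; the count on stdout makes it easy to wire into a cron job or a configuration test. Note that a directive inside a Match block only applies to matching connections, so a real review still has to read the file, not just grep it.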
> Mandriva 2007 Bootable CD
> Port 6000 is all that's open (X server. Ok this is dumb, why?)
Well, if it's a bootable CD, maybe the idea is you boot to it, and then do a remote X session to it? With no HD in the box, there would be no risk to your data.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
I wasn't too worried about shell access because I had "seriously" trimmed down the suid files on the system, to the point where there were only a couple of them left that normal users had access to. Stuff like traceroute and such that only admins needed had perms like 4750, with the file's GID being "wheel". That was done in addition to limiting filesystem access using grsec's mandatory access controls, which admittedly were complex to set up (thus the suid thing was a failsafe/backup plan). I also enabled all the PID/IP/etc. randomization features in grsec, as well as its extra chroot hardening. All the daemons ran under their own UID/GID and most were chroot'd. The iptables ruleset was so tight that a local user couldn't even sneeze unless the associated outbound port was open. I also configured the applications/daemons with the same level of care, and had a few other things set up, like filesystem integrity check monitors/alarms (using static binaries on ro media, or via a remote ssh process), and various other things.
All that worked pretty well, but it was a PITA to set up and maintain. So gradually those machines got migrated to OpenBSD, and then it was mostly a matter of keeping up with security patches, avoiding the use of ports (which don't get audited much), and making sure the firewall rules are tight and the daemons are configured right. Quite a few of the features that grsec offers are enabled by default in OBSD, and in fact it has a few other tricks up its sleeve. About the only thing missing is mandatory access controls, which would be nice, but again are a PITA to set up and maintain.
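The suid trimming described in the post above (admin-only setuid binaries at mode 4750, group wheel) is easy to audit mechanically. The following is an added example, not the poster's own scripts: it finds setuid files that are still executable by "other" under a tree, and applies the 4750/group treatment to a named file. The grsec and iptables parts of the post are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): audit and restrict setuid
# binaries the way the post describes (4750 with an admin group).
#
# List regular files under $1 whose setuid bit AND other-execute bit are both
# set, i.e. setuid programs any local user can still run.  '-perm -4001'
# (all listed bits must be set) is supported by both GNU and BSD find.
list_world_exec_suid() {
    find "$1" -type f -perm -4001 2>/dev/null | sort
}

# Number of such files; awk gives "0" for empty input without a non-zero exit.
count_world_exec_suid() {
    list_world_exec_suid "$1" | awk 'END { print NR }'
}

# Restrict one setuid binary to members of a group: the post's 4750 + wheel.
# $2 is a group name or numeric GID (e.g. "wheel" on most systems).
restrict_suid_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Stand-alone run: report the usual system paths.  Read-only; the restrict
# step is deliberately left to the operator, one binary at a time.
if [ "${0##*/}" = "suid_audit.sh" ]; then
    for p in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
        [ -d "$p" ] && list_world_exec_suid "$p"
    done
fi
```

A useful follow-up is to keep the output under version control and diff it after every package update, since a distribution upgrade will happily restore 4755 on binaries you had previously restricted.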
I hope you don't use Windows, with that comment about forcing others to use.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Don't worry, hackers respect people with unix systems
I thought this was pretty light content wise, until I noticed it was from the publication that includes Stan "ISO" Beer among its staff writers .... (can't find any references to the "What's an ISO image ?" article, but those of you who remember the article will no doubt remember this guy fondly).
Servlet v2.4 container in a single 161KB jar file ? Try Winstone
"Maybe they don't want to take your challenge because they can't parse your post.
/., so... back it up!
... & all I am asking the *NIX folks here to do? Simple - Put your monies where your mouth is, exceed by 84.735/100 score on the CIS TOOL security test...
I mean, it just took me about 15 minutes.
Just sayin'." - by jotok (728554) on Monday August 13, @12:35AM (#20208399)
Well, you "made it thru it alive", will wonders NEVER cease?
AND, I beg to differ...
Every one of their objections was overcome thru all the 30 or so times I challenged *NIX folks here per the post that is parent to yours (& even to the point one of the *NIX repliers stated CIS TOOL, a multiplatform test of online security noted by SANS no less, might be "malware", lol... SANS & COMPUTERWORLD BOTH NOTE IT, & I SUPPOSE THEY ARE MALWARE MAKERS TOO?
I.E.-> I see a lot of "(Insert *NIX variant here) is more secure or securable than Windows" type statements here @
E.G.->
(Put up, or shut up, basically. Not a lot to ask... & I would like to see a *NIX user's results screen photo, ESPECIALLY from SeLinux &/or FreeBSD users!)
No one has put a higher score up than mine, point blank.
APK
(Sorry, couldn't resist)
There's no place I could be, since I've found Serenity...