Slashdot Mirror


Hardening Linux

davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."

8 of 204 comments

  1. Hmmmm by WizMaster · · Score: 1, Insightful

    Only skimmed the article but it seems to be pushing Bastille more than anything else. Don't know of any installer that automagically starts services unless you specify them yourself. I'm pretty sure there are far better security tutorials and introductions. Better yet, your distro probably has one specifically for it. This seems more like advertising than anything useful. I could be wrong though.

  2. Dude, that article sucked. by khasim · · Score: 4, Insightful

    Did you see where it mentioned nmap? No? Because it didn't. Wouldn't you expect it to tell you to run nmap from a different machine so you can see what your outside profile looks like?

    It reads more like someone who's just discovered Bastille and now considers himself "informed" on "security issues".

    Step #1. Limit the avenues of attack. This is where you'd use nmap.

    Step #2. Remove anything you don't absolutely need. Come on, most people out there will be running some distribution now. At least he could have covered dpkg, rpm, etc.

    What's this with the "Enter kill -9 xxx where xxx is the PID."? How about just /etc/init.d/service_name stop? Just use the package manager to remove it.

    And editing xinetd.conf / inetd.conf? Again, just use the package manager to remove it.

    And he doesn't even go into how each distribution handles package updates? What the fuck? Nothing about "apt-get update"? No "apt-get upgrade"?

    No, this article is about someone's discovery of Bastille and how it helps an old, stock installation of Red Hat.

  3. Re:How To in summary... by Knuckles · · Score: 3, Insightful

    And yet if someone writes an article like this on how to secure Windows (where let's face it the advice, aside from #3 is exactly the same) it's proof that Windows is insecure.

    That's because the article fell through a hole in time, and actually belongs in 1997. They are already yelling to give their article back. No self-respecting consumer distro has shipped with open ports in ages.

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns

  4. Box? by wytcld · · Score: 4, Insightful

    Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities.
    That box must have a lot of dust on it, and an early 13-floppy Slackware distro inside.

    Before making a claim like that, the writer should come up with at least three examples, from current versions of major distros.

    Reminds me of a local woman who said "We must have a town-wide neighborhood watch, because there's a child sexual predator on every block." In the several years since she raised that hysteria, there's been exactly one serious case in town: one of her best friends had his extensive child porn collection found by the police. He hired the state's most expensive lawyers and got off with probation. She's still his best friend.

    Back to the topic. The article mentions telnet. Is there a single current distro that comes with telnetd enabled? Let's help the sloppy author. Has anyone here installed any current distro and found "open ports and unpatched vulnerabilities"?
    --
    "with their freedom lost all virtue lose" - Milton

  5. Re:Lots of linux stories on the front page by SplatMan_DK · · Score: 2, Insightful

    There is more to being an IT Geek than pushing Linux to the world.

    There are other kinds of FOSS products than Linux btw - so why is Linux the only one to get 30% of the index page?

    Although I like and use Linux, I think the point is valid.

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...

  6. Re:Per-distro comparisons? by DrXym · · Score: 3, Insightful

    I think a dist security roundup would be an awesome thing. Do a default install of Mandriva, RedHat, Ubuntu etc. and then run nmap, examine their password policy, see what "dangerous" apps are installed by default and so on. Dists should be named and shamed if they have a single port open.

  7. Re:How To in summary... by Jessta · · Score: 4, Insightful

    I've always found GUI tools to be slow and weird.
    Gentoo has great service management: /etc/init.d/ start, /etc/init.d/ restart, /etc/init.d/ stop

    GUI tools are seriously annoying. Since this article is about security and disabling unneeded services, having config tools that require the unneeded service X11 is pretty silly.

    --
    ...and that is all I have to say about that.
    http://jessta.id.au

  8. Use nmap? by verbatim_verbose · · Score: 2, Insightful

    Why do "security experts" like these folks always suggest using nmap to determine what services you are running? Have these folks never heard of netstat?
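
An added example, not part of the thread or the linked article: netstat on the host and nmap from another machine answer different questions, because netstat also lists loopback-only listeners that an outside scan never reaches. The script below classifies `netstat -tuln` output into loopback-only and externally bound sockets; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Constructed sample of `netstat -tuln` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Read `netstat -tuln` output on stdin; print "<scope> <proto> <addr> <port>".
# scope is "loopback" for 127.0.0.0/8 and ::1, otherwise "exposed".
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        if (!match($4, /:[0-9]+$/)) next   # the last colon separates the port
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, $1, addr, port
    }'
}

# Unique proto/port pairs bound to a non-loopback address: the list to
# compare against what a scan from another machine reports.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $2 "/" $4 }' | LC_ALL=C sort -u
}

# Live use on a host: netstat -tuln | classify_listeners
sample_netstat | classify_listeners
```

A port that appears in `exposed_ports` but not in the outside scan is being filtered somewhere in between; a port in the scan that is missing here is answered by something other than this host.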