Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardening Linux

Posted by CmdrTaco on from the you-know-you-should dept.

davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."

3 of 204 comments (clear)

  1. AppArmour by Shuntros · · Score: 3, Interesting

    I know people seem to find it all trendy to bash Novell these days, but AppArmour is a a pretty damn good tool for containing the behaviour of applications. Use a handy little utility to monitor your application (apache, bind, postfix, anything else..) being used in a controlled environment, then apply that ruleset at kernel level and if access isn't defined in the AppArmour profile, it ain't happening.

  2. Per-distro comparisons? by delire · · Score: 4, Interesting

    In this regard I'm very impressed with the work the Ubuntu developers have done: a netstat -tupa post-install reveals a very small attack-surface where ports are concerned. That said, it would certainly be interesting to see a per-distro comparison at some point.

    Anyone know of such a project - even if just comparing a few top-tier distributions?

  3. That's a good point. Thanks. by khasim · · Score: 4, Interesting

    It is often useful to run it locally, anyway, so that you can compare the output of `nmap localhost` and `nmap 0.0.0.0`, as often a machine will have services running that are only accessible locally.

    Yep. That's why I prefer hitting it from a different machine. Multiple machines if possible. One on the same LAN segment and one from somewhere on the Internet.

    That way you'll see what a would-be-attacker will see.

    Sure, I might be running SMTP on port 25, but bound to 127.0.0.1 instead of eth0. An attacker would have to FIRST gain access to my machine through some other means to be able to attack my SMTP service.

    Sure, that first hurdle might be set very, Very, VERY, VERY high, but if someone can get over it ... that's why patching is still important. But that's also why patching cannot be your only "defense". You will not know what vulnerabilities the bad guys have found that are not patched yet. Defense in depth.

    And that's what "security" is all about to me. It's the PROCESS of evaluating threats and reducing their effectiveness.