Slashdot Mirror


Hardening Linux

davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."

4 of 204 comments

  1. How To in summary... by IBBoard · · Score: 5, Informative

    For those not wanting to read the article, that "basic how to" is:

    1) Disable unwanted services (done via the CLI in this day of GUIs)
    2) Keep the OS patched
    3) Install and run Bastille to do everything else for you.

    1. Re:How To in summary... by tomhudson · · Score: 5, Funny

      The summary is ... strange.

      "... many Linux systems are insecure with open ports" ... "...how to secure your server ..."

      Remember all those internet ads about "YOUR COMPUTER HAS OPEN PORTS !!!"

      It's a computer connected to "Teh Intarweb" - it's supposed to have open ports.

      Next we'll read another story about how some "1337 hacker hacked into another person's machine" at IP address 127.0.0.1, erased all their files, and somehow, the "other person" was able to hack their machine and do the same thing ...

      Followed by a nostalgic look at "Punch-the-monkey" ads.

  2. Article not very informative by Anonymous Coward · · Score: 5, Informative

    The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

    Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.

    The article isn't very useful or accurate.

  3. Re:Huh? by Zocalo · · Score: 5, Informative

    As root, run the following command:

        netstat -plutn

    That will list all the listening services on a Linux box, complete with the program/PID that is associated with it. It's faster than just running something like NMAP, plus it will identify whether a program is binding to a specific external IP, a loopback IP and so on, not all of which an external port scanner is going to be able to report on.
    --
    UNIX? They're not even circumcised! Savages!
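An added example, not part of the thread or any poster's words, that turns the netstat advice in comments 2 and 3 into a small audit script: it parses `netstat -plutn`-style output and sorts each listening socket into "wildcard" (bound to 0.0.0.0 or ::, so reachable on every interface), "loopback" (127.x or ::1) or "specific" (bound to one configured address), which is exactly the distinction Zocalo says an external port scan cannot make. The sample output embedded in the script is constructed, not captured from a real host, and the column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, optional State, PID/Program name) is an assumption about the netstat build in use; on a real system you would feed it `netstat -plutn` output as root.

```shell
#!/bin/sh
# Added example: classify listening sockets from `netstat -plutn`-style output
# by bind scope, so services bound to every interface stand out from those that
# are only reachable via loopback. Not code from the Slashdot thread.
# Assumptions: the column layout shown in SAMPLE (UDP rows have no State
# column, so the program name is always taken from the last field). The sample
# below is constructed, not captured from a real host.

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1024/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1450/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1450/apache2
tcp        0      0 192.0.2.10:25           0.0.0.0:*               LISTEN      900/exim4
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd'

# classify_listeners: read netstat output on stdin and print one line per
# socket in the form "<scope> <proto> <port> <pid/program>".
classify_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }          # skip the two header lines
        {
            local = $4
            prog  = $NF                          # last field survives the missing State column
            port  = local; sub(/.*:/, "", port)  # text after the last colon
            addr  = local; sub(/:[^:]*$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::")        scope = "wildcard"
            else if (addr ~ /^127\./ || addr == "::1")    scope = "loopback"
            else                                          scope = "specific"
            print scope, $1, port, prog
        }'
}

# exposed_listeners: only the sockets another host could reach.
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback"'
}

# count_exposed: number of non-loopback sockets; useful as a drift check
# (compare against a known-good count after hardening).
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real host use:
#   netstat -plutn | classify_listeners
printf '%s\n' "$SAMPLE" | classify_listeners
```

The script deliberately does not kill anything it finds: the fix for an unwanted listener is to stop and disable it through its init script or service manager, as comment 2 points out, and the output here is meant to tell you which ones deserve that treatment.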