I would, as well, add another level or step: this would include file security and rootkit checking. To watch for any kind of change to *every* file on your hard drive, Tripwire cannot be beat (IMO). Not only do I use this program for my home network, I use it at work in a very large enterprise environment (Verizon OnLine). Checking for a rootkit is as easy as installing chkrootkit at:
http://www.chrootkit.org
drjung
--
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
Franki wrote:
It's not that hard to stay secure with any Linux distro, especially if you are not running public servers. Here are some steps you can look into. (I do all of these, except for hogwash.)

1. Run a firewall like gShield to drop all packets to ports you want closed to the net (all of them unless you are running servers). Test yourself by doing the full scans at http://scan.sygate.com and make sure everything is closed, even high ports (gShield does that by default). (See other posts about gShield in expert tonight; it's the best off-the-shelf Linux firewall I have seen, and really, really easy to set up.)

2. In /etc/hosts.deny put one line:

   ALL:ALL

   That closes all access to pretty much everything (man hosts_access). Then you have to allow those services that you want to provide to your network, so add something like this to /etc/hosts.allow:

   sshd: 192.168.0.3

   (which will allow ssh access to only 192.168.0.3). Do that for all the stuff where you need to allow internal access: pop3, smb, telnet, imap etc. etc. etc.

3. Tell your server apps to limit themselves to the internal interface.

   samba: /etc/samba/smb.conf:

   interfaces = eth0
   hosts allow = 127. 192.168.0.

   (where eth0 is your internal ethernet card and 192.168.0.0/255.255.255.0 is your internal net)

   xinetd (for pop3 and other similar services): edit /etc/xinetd.d/ipop3 and add to it:

   only_from = 192.168.0.0/24

   (again where the above range is your internal network).

4. (Probably should be no. 1.) Keep your box up to date using MandrakeUpdate and join the security advisory mailing list at Mandrake.

5. (Optional, but handy.) Install portsentry and run it in stealth mode (portsentry -atcp and portsentry -audp). This will automatically block any IP addresses that scan you (which is the way cracking usually starts). If you want to go even further, you could install hogwash as well, which is like portsentry, but blocks nasty packets, not the IP address itself.

Personally, if you have done the first 4, then I'd say you're far safer than most. And keep a copy of the config files for next time you install; you don't have to do all the work each time, just install and copy the config files back in. I don't even use msec, never have, and unless it gets a lot more intuitive, I probably never will. But do all of the above and you are not going to have any issues. If your internal services can only be accessed on the internal interface, and you explicitly allow each access to the box via tcpwrappers (hosts.allow/hosts.deny), and your firewall blocks any packets from spoofed internal IPs (all good firewalls should), and you have no open ports (which is to say that everything not NAT (connection sharing) traffic for the internal network is dropped), you are very, very hard to hack from outside, as there are no doors to open.

If however you host a DNS server, or mail server, or Apache web server, then you MUST make sure you keep them all up to date, and limit their access and rights. (Mandrake 9.0 does a good job out of the box on this count; for example, postfix runs chroot by default, which means even if it is somehow hacked, it thinks the root directory of the box is /var/spool/postfix, so they can't do damage elsewhere.)

As I have said many times above, the first four steps give you very good protection just by themselves. Set up like that, most crackers will give up pretty quick; there are far too many easier targets out there. I still have a lot of mdk7.2 boxes out there running happily with ipchains firewalls and none have been hacked thus far, just because I follow the rules above. For a home net server, that's all you need. If you have a ton of users on your box and you don't trust them all, then there is a lot of other stuff you can do (which I will leave for another discussion).

rgds
Frank
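Steps 2 and 3 of the post above lend themselves to a quick self-check: did the ALL:ALL deny rule land, does every hosts.allow entry really stay inside the LAN, and are samba and xinetd bound to the internal network? The script below is an added example, not code from Franki's post or from any of the tools it names. It assumes the same internal network prefix (192.168.0.) and interface (eth0) the post uses, and it runs against constructed sample files under a temporary directory rather than the real /etc; the function names (cfg_lines, deny_all_present, allow_leaks, samba_bound_internally, xinetd_only_from, audit) are mine.

```shell
#!/bin/sh
# Added example, not from the original thread: a small audit of the
# tcp_wrappers and service-binding settings described in steps 2 and 3.
# It checks constructed sample files under a temp root, never the real /etc.

LAN="192.168.0."   # assumed internal network prefix, as in the post
IFACE="eth0"       # assumed internal interface, as in the post
LAN_RE=$(printf '%s' "$LAN" | sed 's/\./\\./g')   # LAN prefix escaped for grep

# Print a config file with comments and blank lines removed.
cfg_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Step 2: hosts.deny must carry the catch-all "ALL: ALL" rule.
deny_all_present() {
    cfg_lines "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# Step 2: print one line per hosts.allow client that reaches beyond the LAN
# or localhost (e.g. "ALL" or an external address). Empty output means clean.
allow_leaks() {
    cfg_lines "$1" | awk -v lan="$LAN" '
        {
            nf = split($0, f, ":")          # daemon_list : client_list [: option]
            if (nf < 2) next
            gsub(/^[ \t]+|[ \t]+$/, "", f[1])
            n = split(f[2], c, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (c[i] == "") continue
                if (index(c[i], lan) == 1) continue       # 192.168.0.3, 192.168.0.0/24, ...
                if (index(c[i], "127.") == 1 || c[i] == "LOCAL") continue
                printf "%s: client %s is not limited to the internal network\n", f[1], c[i]
            }
        }'
}

# Number of findings from allow_leaks, printed on stdout.
count_allow_leaks() {
    allow_leaks "$1" | awk 'END { print NR }'
}

# Step 3: smb.conf must bind to the internal interface only and restrict
# "hosts allow" to localhost and the LAN.
samba_bound_internally() {
    cfg_lines "$1" | grep -Eiq "^[[:space:]]*interfaces[[:space:]]*=[[:space:]]*$IFACE[[:space:]]*$" &&
    cfg_lines "$1" | grep -Eiq "^[[:space:]]*hosts allow[[:space:]]*=.*$LAN_RE"
}

# Step 3: an xinetd service file must carry an only_from for the LAN.
xinetd_only_from() {
    cfg_lines "$1" | grep -Eq "^[[:space:]]*only_from[[:space:]]*=[[:space:]]*$LAN_RE"
}

# Write constructed sample files under a temp root and print that root.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/samba" "$root/etc/xinetd.d"
    printf 'ALL: ALL\n' > "$root/etc/hosts.deny"
    cat > "$root/etc/hosts.allow" <<'EOF'
# constructed sample: ssh and pop3 limited to the LAN, telnet left wide open
sshd: 192.168.0.3
ipop3d: 192.168.0.0/255.255.255.0
in.telnetd: ALL
EOF
    cat > "$root/etc/samba/smb.conf" <<'EOF'
[global]
   interfaces = eth0
   hosts allow = 127. 192.168.0.
EOF
    cat > "$root/etc/xinetd.d/ipop3" <<'EOF'
service pop3
{
        only_from = 192.168.0.0/24
        disable = no
}
EOF
    printf '%s\n' "$root"
}

# Run every check against a root directory; prints PASS/FAIL per check and
# returns 1 if any check failed.
audit() {
    root=$1; rc=0
    if deny_all_present "$root/etc/hosts.deny"; then echo "PASS hosts.deny has ALL: ALL"
    else echo "FAIL hosts.deny lacks ALL: ALL"; rc=1; fi
    leaks=$(allow_leaks "$root/etc/hosts.allow")
    if [ -z "$leaks" ]; then echo "PASS hosts.allow limited to LAN"
    else echo "FAIL hosts.allow:"; echo "$leaks" | sed 's/^/     /'; rc=1; fi
    if samba_bound_internally "$root/etc/samba/smb.conf"; then echo "PASS samba bound to $IFACE"
    else echo "FAIL samba not limited to $IFACE / $LAN"; rc=1; fi
    if xinetd_only_from "$root/etc/xinetd.d/ipop3"; then echo "PASS ipop3 only_from LAN"
    else echo "FAIL ipop3 has no LAN only_from"; rc=1; fi
    return $rc
}

# Demo run against the constructed samples; the telnet line is meant to fail.
audit "$(make_samples)"; echo "audit exit status: $?"
```

On the sample files the hosts.allow check flags the `in.telnetd: ALL` line and the audit exits 1; point the functions at a real root (e.g. `audit /`) to check a live box. The LAN test is a plain prefix match, so hostname-based client lists or EXCEPT clauses are reported for manual review rather than parsed.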
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com