Re: [Fedora] On Securing the Linux system from intrusions and attacks.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel B. Thurman wrote:
John Summerfield and Tom Horsley wrote
Subject: Re: [Fedora] Seeing input on Securing the Linux system from
intrusions and attacks.

Daniel B. Thurman wrote:
I have finally got my F8 setup and running so now I am reviewing the
security issues that needs to be taken into account.

[snip!]

Does anyone have any advice, links to great sites focused on security
and how to secure your Linux box against intrusions and attacks?

What you need to do depends on what you're trying to protect. [snip!]

Summary:

John: vpn, shorewall, don't use hosts.{allow,deny} because of iptables,
      systems cannot be port-scanned, keep watching logs. Firewall to
      control spam + use of "countermeasures" and manuall add block.

Tom:  ssh only. All other ports blocked(?).

============

Well, what I am trying to protect against? Well some are
identified below but not limited to these.  I found via
iptraf, some of the things I added to the list below:

1) General iptable schemes to otherwise block IPs, domains,
   and general attacks such as those identified below.  I am
   not well-versed in the use of iptables which is why I use
   firestarter at the moment and I haven't yet learned how to
   use shorewall as advised by John.
2) SYN/FIN/RST/CAN combo attacks
   [Note:
    I have seen a iptable "technique" to block various
    forms/combinations of SYN/FIN/RST/CAN combos.  I
    cannot forsee the end-results of these attacks but it
    causes me some consternation.  I get reports daily
    on these via my HW SonicWall firewall appliance and
    have no idea what to do.  All I see are MAC addresses as
    "they" hide their source/destination OR are using
    packet schemes I do not recognize.  Are these harmful,
    harmless, hog resources, or what?  Beats me.
   ]
3) DDos/Spoof attacks
   [Note:
    My ports are "hammered" at times causing resource hogs.
   ]
4) Foil Port-scanner intrusions (various schemes)
   [Note:
    You can see "them", "walking the dog".
   ]
5) DNS attacks
   [Note:
    "They" are attempting to update/modify table entries.
   ]
6) Sendmail Spams, viruses, ...
   [Note:
    I am learning, trying to find ways to greylist, blacklist,
    regex, pattern/keyword blocks, ... but I am not there yet.
    As it is, it is very time consuming manually identifying
    spammer's IP/domain names and adding them to the block
    list.  As it is, I get messages with [SPAM] marked and
    yet I still have to deal with them (deleting them) instead
    of not simply not wishing to receive them and some find
    find ways around spamassassin/clamav anyway.

that's why I often block a large network when I identify a source of spam. The largest networks I block are in China - because that's where I find the largest networks assigned to a single organisation (such as a university).

Note, I do not automatically delete spam. If it gets past the impediments I place to its delivery, I then mark it up with spamassassin, and filter it (with procmail) into a special spam folder where users can choose for themselves whether to keep or delete. I find it easy to see, "There's no ham there today," and ^A[del] the lot.

   ]
7) Database attacks (MySql, PostgreSQL, ...)
   [Note:
    "They" are probing for holes, trying brute-force password
    cracking, and DDos attacks, or so it seems.
   ]
8) Website attacks (Apache, Tomcat, and others...)
   [Note:
    The same as above (7) but with more tricks since there are a lot
    of "doors" to attack.  Yes, I am being vague in the interest of
    brevity.
   ]

Anyway, this is my "short" list that I am working on right now, so I
guess I have a lot of work to do.

No virus found in this outgoing message.
Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.17.9/1198 - Release Date: 12/26/2007 5:26 PM
Frankly, I don't value AV "sigs" such as this. What's to prevent my including it in my spam?

Let's use "hostile interface" to mean a network interface which the ungodly might attack. Typically, it's one's interface to the public internet, but it could be a wireless interface or even a local LAN.

A service (such as postgresql) that is not listening to a hostile interface is not subject to attack through it. If it's not providing a service to those on the other side of a hostile interface, the server should not be listening to it.

Some of those attacks attack only the kernel. Your only protection is to keep your kernel up2date.

Websites are necessarily (most often) listening to a hostile interface. Keep the software up2date, keep an eye out for security concerns. Most likely-to-succeed attacks will attack your application - groupware, wikiware and such. Some of that will need access to your databases, and a successful attack against that might give access to other stuff such s your databases.

rate-limiting incoming connexions restricts enumerating accounts' passwords. I do that for ssh. imap, smtp (if you allow password authentication for out-of-office users) and ftp are also subject to this. If you don't run an ftp server, the ungodly can't use it to breach your security.

If you want a stable, secure system, start with your software selection. Fedora's not the answer, just look at how many people have problems after updating their software!

Next, buy and read and understand books dealing with installing, configuring & securing Linux. There's a lot of HOWTOs out there, and mostly they're good, but they don't provide a complete, well-considered course of study.

Speaking of which, a good course is hard to beat. I have the impression your own experience is rather limited.

I have a book here, "Linux Firewalls" that's about 560 pages. That's only part of what you need, you're not going to get all your answers here. I also have "Reliable Linux," "Maximum Linux Security" and then books on sendmail, tomcat, mysql, postgresql, LDAP and other topics deserve consideration, according to your specific needs.




--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux