On Dec 29, 2007 2:43 PM, John Summerfield <debian@xxxxxxxxxxxxxxxxxxxxxx> wrote: > > Tod Merley wrote: > > On Dec 27, 2007 11:10 AM, Daniel B. Thurman <dant@xxxxxxxxx> wrote: > >> I have finally got my F8 setup and running so now I am reviewing the > >> security issues that needs to be taken into account. > >> I would like to focus on securing Fedora. I have tried snort w/Base etc., > >> Tripwire, Fam, nmap, Iptable techniques, and so on. > >> > >> Does anyone have any advice, links to great sites focused on security > >> and how to secure your linux box against intrusions and attacks? > >> > >> Thanks! > > > > Hi Daniel B. Thurman! > > > > It is late so topics only for tonight: > > > > 1. Turn off services you do not use. > > 2. Make your computer "silent" to all but those who use it - e.g. turn > > off ping - e.g. use a door knock protocol on a non-standard port for > > ssh to access ssh (give no reply to those who knock on the normal port > > and respond to only your special "knock" on your non-standard port), > > imv turning off ping is highly overrated, and introduces management > problems. > > My technique that I've already posted all-but prevents password scans. > But why let them know where you are in the first place??? > > > 3. Have a constant background scan done for virus, root kit, e-mail, > > changes in critical files, port scan, log files (logwatch), and > > audits for suspicious activity. This can and should be "niced" to not > > interfere with normal operations. > > One can't really trust a computer to diagnose itself. > I do agree! Yet why not use those "brains" on the machine that are uncompromised to see that we are compromised so we can start to do something about it? Thanks for the pointer though. I have considered containing all of the on box security in a virtual machine (well, most of it anyway). As well, why not have a separate box do the file scans, log checking, etc...? > > > 4. Google "pen testing". C/o osstmm. > > 5. Honey pots! > > Really! They may be useful for detecting the ungodly, but they do > nothing to add to one's security. Quite the reverse, you must assume > that the ungodly have a nest in your midst. > Do not soldiers train with live ammo? Do you find out if something is waterproof by exposing it to sunlight? I have noted with interest that Penetration Testing has become an expected part of any good security audit. I believe it is not only expected, it is practically required. I would rather find out that my car leaks in my driveway with a water hose than tragically on the highway! Any day! That way I find the leak in a way I can clean it up. Honey pots are more of a risk I would agree. Containment is a real issue since the goal of many exploiters is to use your machine to spread their wares. I guess I am hoping that the containment issues can be resolved so we can have them as a tool to see what got in - what it was and how it grows - hopefully to be able to go and deal with it's progenitor. > > > 6. Backup your "used" areas often and in a number of different ways. > > I use flash drives, CDs, and other portions of the local or remote > > hard drives. I also tend to put an occasional file in an obscure > > e-mail account. Be ready to "wipe and re-load" efficiently. I have > > played with the idea of using "ghosted" "snapshots" for this purpose > > but have only taken that to the idea level. Tar is becoming a friend. > > flash drives are too easy to corrupt. I'm fairly careful with such > things, but one of mine lost its partition table. In my case recovery > was easy because I knew that copying the first sector from an identical > other drive would repair it. > What I like about them is that they are convenient, espically for a laptop. Since they are fairly cheap what I do is always have and use more than two. Loose one, not happy with that but little loss. > > > 7. Do planned "wipe and re-loads" several times a year. For that > > matter, if you simply save your used areas and then wipe and load the > > new version of your distro when it comes out that is probably enough. > > Be ready to restore to where you were if you need to. > > That will cause more grief than it is ever likely to save. If you're > running a serious server, you're off the air for some time. A server > that's down isn't earning you money. > You yourself said: "What you need to do depends on what you're trying to protect. If you're not running any servers, then things are pretty cheesy - you only need to worry about invited data (websites you visit, email you receive and such)...." I certainly agree with the first part, but somewhere in the neighborhood of some six million compromised machines out there now doing the bidding of organized crime make me down right angry at the second part of the statement. I agree with Mr. Spafford: " The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. " -- Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security. If there were a dread disease amongst us, you would do well to keep your immune system maintained -- lest you be quarantined! > > > You will need to spend time reconfiguring stuff, and I don't know about > you, but I have better things to do. Probably, the reconfiguring will > result in unintended changes that need to be fixed. > > In my case I am learning Linux, having fun, and the time is not critical to what is happening. I would not consider introducing an untested and unapproved system into a commercial environment. I consider an "upgraded" box as untested. I absolutely agree with you about upgrades, they scare me too! In a commercial environment I believe that the upgrades should go into a test environment and get placed on the floor if they actually appear to make the grade, and slowly at that. > > > > > Ok, I lied - the one link I will give you has some very good ones at > > the end. Note the crazy quotes and the interesting message box near > > the end: > > > > http://en.wikipedia.org/wiki/Computer_security > > In Wikipedia, read the warnings, and consider the verifiable expertise > of the author(s). > Well spoken! > > Cheers > John > Have a great week John. I enjoy your many contributions to this list! With appreciation! Tod -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list