comp.os.linux.security FAQ 46

Posted by Hemos
from the more-security-then-you-can-shake-a-billyclub-at dept.
$kr1p7_k177y wrote to us regarding Daniel Swan's release of the comp.os.linux.security FAQ. It's what you'd imagine, but with the growth lately, this should be a helpful tool. There's also an interview with him that sheds more light on the reasons behind the FAQ.
  • by Anonymous Coward
    Actually, speaking as someone who regularly installs new distros/OSes just to try them out - a default win2k install is more secure than any linux distro I've seen. Remember, it's not based on win9x.
    It's also easy to further lock down - it's straightforward to block any TCP or UDP port or even protocol you choose (without additional software).

    Also, Zone Alarm is widely recognised as a kick ass personal firewall (though I'd always prefer to set up my own cheap box running BSD, and use it to block adverts and trojans also. Get it doing DNS caching etc, also - every little helps when you're restricted to modem like me).

    I realise you're just trolling, but I feel that I have to at least try to counteract your FUD.
  • by Anonymous Coward on Tuesday January 02, 2001 @07:04AM (#537611)
    Q: How do I secure Linux?
    A: Install BSD.
  • The best way to secure a computer is to disconnect it from the net and put it into a locked room. The only problem with that is that it makes using the computer that much harder. I know that the way the CIA secures their computers (not the only way) is that to get at the CIA computers you have to get into the CIA's buildings, which requires you to have a badge and get past the guard with a gun, etc.


    The cure of the ills of Democracy is more Democracy.

  • Another oversight in this FAQ is that there is absolutely nothing about PAM -- good, bad or indifferent.

    I'd offer to write the section myself, but beyond saying ``It appears to offer a finer granularity over file & executable permissions than UNIX's traditional xrw, the documentation included with the package appears to be fairly comprehensive, & it comes enabled by default in the RedHat distribution."

    Give me a few months with PAM, & I may be able to delete the qualifiers.

    Geoff
  • > PAM has NOTHING to do with xrw style permissions, this is something else, called ACLs (Access Control Lists).

    Well, having only the last 5-10 days to read the documentation, I was left with the impression that it could be used quite nicely to implement ACL.

    And the point of my original post was that I'm not qualified to add more to the FAQ about PAM than to nicely ask the FAQ maintainer to add a section about it.

    Geoff
  • Just being a hacker does _not_ make you an engineer. IMO that is a much worse mistake than the hacker/cracker mixup.

  • by schon (31600) on Tuesday January 02, 2001 @06:10AM (#537616)
    Overall pretty good, but there are a few (minor) points..

    First, your firewall should always be initialized before initializing the network interface, not after... initializing it after your network comes up means that there is a period (however small) that your machine is vulnerable (or, more vulnerable than it could be :o)

    Second, blocking all inbound pings can (potentially) cause problems with things such as DHCP.. (most DHCP servers attempt to ping an address before they issue it, to determine if it's in use or not..) if the DHCP server's lease database becomes corrupt/invalid (because of a network/hardware failure, for example), it could give your IP address to someone else, because your machine doesn't answer the ping..

    Third, he misspelled Kurt Seifried's name (I think that Seigfreid is a magician from Vegas :o)

    Other than that, a pretty good start..
  • I didn't take that post as funny.

    These are "Frequently Asked Questions" about Linux security and you would expect that the FAQ would answer these. Yes there are good questions answered in the FAQ but you also want to answer the stupid ones too, so you are not answering them in the news group.

    Steven Rostedt
  • How far do you take it though, surely you wouldn't include the "what is this openlinuxbsdnix" question.

    Ok, the "what is Open Linux bsdnix" thing would go into the "funny" category, and has nothing to do with Linux security. But the following...

    • I can't telnet to my machine as root!
    • Process belonging to `nobody', have I been cracked?
    • `-- MARK --' in my logs, what's going on?
    • Should I DENY or REJECT in my ipchains rules?


    questions are more legit, and have been commonly asked by newbies. The number of times I get someone calling me up and asking me why they can't log in as root is amazing. I would also add that not ever logging in as root (except for system admin stuff) should be stated in the FAQ.

    Steven Rostedt
  • will you fuck off sphincter breath. I have addressed [slashdot.org] your stupid comments already.
  • The answer to this question (and every question in that area) hasn't changed in 2 years. There are many linux viruses in existence and a number have been found in the wild. There are viruses that infect the PLT table of ELF binaries to intercept library calls. There are viruses that use ptrace to infect every running program the user has access to debug (yes, that's right, download some infected binary, run it and every process you have running is simultaneously infected, including your shell) and there are viruses that can jump su to root. These are the viruses that "follow the user". Hell, all this stuff has been in Phrack. There are viruses that act like worms, they look in your .ssh known hosts file and try passwordless connections to all of them. Virus proliferation on linux is a serious issue and should be dealt with by FAQs like this. Two years ago I sat here and said if virus research on linux was not encouraged it would develop underground and we would have people like this denying their existence until it is too late. Well it's not too late, yet.
  • How far do you take it though, surely you wouldn't include the "what is this openlinuxbsdnix" question.

  • Security-Enhanced Linux: http://www.nsa.gov/selinux/: - This isn't actually a distribution, but an add-on that facilitates "Flexible Support for Security Policies". Considering the source of this package, an American Intelligence Agency, careful consideration should be made before installing it on machines that store sensitive or proprietary information, at least until a rigorous code audit is done of it.

    That's the spirit ...
  • Just a quick correction:

    PAM has NOTHING to do with xrw style permissions, this is something else, called ACLs (Access Control Lists).
    PAM authenticates users in a flexible manner, and allows much more fine grained control than the traditional /etc/passwd only system. RedHat uses this to allow authentication against Kerberos, NIS and the like. Furthermore RedHat's recent steps in their implementation of PAM in RedHat 7 allow global configuration of all PAM services from one file (/etc/pam.d/system-auth).
  • Well PAM does implement ACLs, just not in the file-permissions case, its ACLs are for logins and the like. (It does get into some file-permission stuff, for things like the console user permissions, but these are done by modifying the permissions on actual files).

    I agree, it should be in the FAQ.
  • by Nailer (69468) on Tuesday January 02, 2001 @06:40AM (#537625)
    The FAQ uses `hackers' as its term for malicious attackers, rather than engineers.

    Surely the Open Source world knows of this distinction, and this could be reflected in the FAQ?

  • *) telneting as root is considered bad. Please replace telnet with OpenSSH [openssh.com]. It encrypts things so that people can't spy on your sessions. If you want an example, learn how to use tcpdump, and see what happens. It's also a good idea to not ssh as root so that it requires another level of passwords to get total control over your box.

    *) Nobody is a generic dummy account on most UNIX systems. Its purpose is to allow you to run various daemons under the lowest privileges possible (that of a user which can't login and doesn't own any files). A better practice is to create one user account per daemon, and have it own only the files it requires to write to.

    *) -- MARK -- is a generic placeholder put there every n amount of time (the default is 20 minutes.. man syslogd for more information).

    *) DENY and REJECT act slightly differently. If you are going to utterly blackhole a machine, or simply want to eat packets coming in, DENY is the option you want. REJECT simply sends back a connection refused packet (for TCP; UDP and other protocols have slightly different packets). If you're going to be filtering TCP ports, use REJECT -- DENY will show up as 'filtered' on nmap and any other quality scanner which notes the lack of a reply packet (despite the host being up).

    *) OpenBSD [openbsd.org] is an audited branch of the BSD family tree. This code can trace its lineage back to the original UNIX code. For many people, it's a great replacement for Linux on their firewalls because it's simple to setup, and secure out of the box. If you require SMP, or are going to be doing things like high volume web traffic, you may want to review the performance of it vs. Linux, or combine them via firewall + proxy network setup.

    If you have any other questions, head to #kuro5hin on slashnet (or irc.kuro5hin.org if you don't know what slashnet is ;)). We'll help you out.
    --
  • Frankly unsecured boxes should be tagged as tools for aiding and abetting crackers.

    By the way, "bent-up security 'focus'"...

    What your fingers are going to fall off typing a login/password pair?
  • It's also easy to further lock down - it's straightforward to block any TCP or UDP port or even protocol you choose (without additional software).


    What took them so long? There's no bloody difference between filling out a form and commenting lines in inetd.conf as well as firewall config files.

  • by yuggoth (85136) on Tuesday January 02, 2001 @05:39AM (#537629)

    Isn't this more of a server concern? I mean, even if my system was "compromised" (the official-sounding wording in the FAQ) why would I truly care? There is nothing on my system that denotes anything that would need to be truly secure (just some personal writing), and if things were deleted I keep regular backups. Privacy is not a concern (I keep no credit card or checkbook numbers on my box).

    Most crackers probably aren't interested at all in your private stuff, except perhaps your ISP data (login, password) so they can use your account to get on the net. The thing crackers are interested in is your box itself as a base for further attacks. A cracker with root access can easily manipulate your log files, so when an attack is traced back to your box, you have no proof that it wasn't you who broke in that government machine and downloaded top secret information...

    All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not. Sometimes I think this whole bent-up security "focus" of computer hackers comes from their own inherent distrust and annoyance psychologically with the rest of the world.

    If you have no net connection and no private data on the machine, security wouldn't be much of an issue. But with an internet connection security simply has to be considered. If you live in a peaceful neighborhood with none or just a few break-ins a year, you probably wouldn't care too much for a state-of-the-art alarm system. Now consider that some unknown guy from somewhere far away develops the Burgle-O-Matic(tm) which can ransack 1000 homes per minute, is operated from a safe haven outside your reach and is available for free to anyone who manages to find it. It also ruins your door even if it can't break in, and you can expect it to come around every other day. Would you just buy a wagonload of new doors every month, or would you rather install a Break-O-Burgle (Guaranteed To Stop Any Brand Of Burgle-O-Matic(tm) At Least Ten Yards Before Your Door)(tm)?


    --
  • darnit! i thought i caught this first, but if i had only read /. comments instead of the FAQ I wouldn't have emailed you about it ...

    ;)

  • I know that spelling criticisms are a low blow. But I love this sentence from section 3.7 of his FAQ:

    "There seems to be a widespread, but fellatious, belief that denying incoming pings will render your host invisible to the outside world."

    Do you need special hardware for that belief?
  • QUOTE:
    First, your firewall should always be initialized before initializing the network interface, not after... initializing it after your network comes up means that there is a period (however small) that your machine is vulnerable (or, more vulnerable than it could be :o)

    In an environment that uses DHCP this is not easily done if you don't know what you are doing. First, when the firewall script starts, how do you know what your IP address is and thus, how do you know what kind of rules you wish to set if you are using IP based blocking (not really sure if one can block packets from a certain eth-adapter, not just the IP address). In such a case, the user has two possibilities.

    • The "unsecure way": just start your script when you know the acquired IP address.
    • The "secure way": Deny all packets except DHCP from the server, start the ether-device and after you have acquired the IP address, start the real rules.

    (btw, I'm using the unsecure way, I'm not *that* paranoid)

    Also, the FAQ titled one of the Windows ssh clients wrong. It's Tera Term not Terra Term ;) Anyway, it is a *superb* vt emulator for Windows. Wouldn't want to live without it + it's free and comes with the source. (ssh comes as a plugin and I'm not familiar if it comes with source too)
    --
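The "secure way" above, together with schon's point earlier in the thread about initializing the firewall before the interface, his DHCP lease-check ping caveat, and the DENY-versus-REJECT advice from the telnet/nobody/MARK reply, as one added two-phase ipchains start-up script. This is a constructed example, not code from the FAQ or from any poster; it assumes the interface name (eth0) and that your DHCP client hands the script the server and nameserver addresses from the lease once it has one.

```shell
#!/bin/sh
# Two-phase ipchains start-up for a DHCP client (constructed example).
# Phase 1 (bootstrap): default DENY on every chain with only the DHCP
#   exchange allowed, so the interface comes up behind a closed firewall.
# Phase 2 (lease): once the lease is in, swap in the real policy: REJECT
#   for TCP/UDP probes, answer the DHCP server's in-use check ping, and
#   silently DENY everyone else's pings.
# Set IPCHAINS=echo to print the commands instead of applying them.

IPCHAINS=${IPCHAINS:-ipchains}
IFACE=${IFACE:-eth0}            # assumed interface name

ipc() { "$IPCHAINS" "$@"; }

# Phase 1: only DHCP (UDP 67/68) may pass; everything else is dropped.
bootstrap_rules() {
    for chain in input output forward; do
        ipc -F "$chain"
        ipc -P "$chain" DENY
    done
    ipc -A input  -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT
    # DISCOVER/REQUEST leave from port 68 to port 67; OFFER/ACK come back
    # the other way (the client has no address yet, so no -s/-d host match).
    ipc -A output -i "$IFACE" -p udp -s 0/0 68 -d 0/0 67 -j ACCEPT
    ipc -A input  -i "$IFACE" -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
}

# Phase 2: $1 = DHCP server address, $2 = nameserver address, both taken
# from the lease the client just obtained (how you read them is client-specific).
lease_rules() {
    server=$1
    dns=$2
    ipc -F input
    ipc -F output
    ipc -P input DENY
    ipc -P output ACCEPT
    ipc -A input -i lo -j ACCEPT
    # Keep renewals working and answer the server's lease-check ping only.
    ipc -A input -i "$IFACE" -p udp -s "$server" 67 -d 0/0 68 -j ACCEPT
    ipc -A input -i "$IFACE" -p icmp --icmp-type echo-request -s "$server" -j ACCEPT
    # Replies to our own traffic: non-SYN TCP, DNS answers, ping replies.
    ipc -A input -i "$IFACE" -p tcp ! -y -j ACCEPT
    ipc -A input -i "$IFACE" -p udp -s "$dns" 53 -j ACCEPT
    ipc -A input -i "$IFACE" -p icmp --icmp-type echo-reply -j ACCEPT
    # Unsolicited connection attempts: REJECT answers the probe, so a port
    # scanner reports "closed" rather than "filtered".
    ipc -A input -i "$IFACE" -p tcp -y -j REJECT
    ipc -A input -i "$IFACE" -p udp -j REJECT
    # Anything else, including other hosts' pings, hits the DENY policy.
}

case "${1:-}" in
    bootstrap) bootstrap_rules ;;
    lease)     lease_rules "$2" "$3" ;;
esac
```

Run `bootstrap` from the init script before the interface is configured, then `lease <server> <nameserver>` from the DHCP client's post-lease hook.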

  • Or rtfm.mit.edu?

    I know why. It's because the author hasn't bothered to format his FAQ according to the standard, nor has he bothered to get it approved for posting to news.answers et al.

    This link [faqs.org] tells you what you need to know to get a Usenet FAQ document posted to news.answers [news.answers].

    -Gerard

  • Ignoring the rest of your troll post (and I hope you're trolling... if not, your ego needs to be whacked with a reality stick) you brought up a common misconception

    There are no processes running as servers because it's a default Win2K Professional box.

    Like its predecessor, Win2kPro installs with peer-to-peer networking (read shares) enabled by default -> the Server service is set to automatic startup. RPC and Remote Registry service are also ON by default. If they're listening, they're hackable

  • Second, blocking all inbound pings can (potentially) cause problems with things such as DHCP.. (most DHCP servers attempt to ping an address before they issue it, to determine if it's in use or not..) if the DHCP server's lease database becomes corrupt/invalid (because of a network/hardware failure, for example), it could give your IP address to someone else, because your machine doesn't answer the ping..

    My ISP yelled at me the other day for this very reason. I had to update the rule set to answer the pings from my ISP

  • of the Security FAQ? The way the intro is written it's as if there are many versions.?!? I read over it and it seemed pretty good.
  • (I'm a relatively new Linux user and probably speak from a largely Windows background).

    This FAQ looks a very good start....Writing a FAQ is extremely time consuming (I know, I've written the PGP DH vs PGP RSA FAQ [clara.net]) and this FAQ is a good foundation to build upon. It largely follows the content of the (also excellent....) book Maximum Linux Security by Anon.

    Anyway, I'd like the FAQ to be expanded with:

    1. GPG and PGP details
    2. Details of 'On-The-Fly' disk encryption schemes (EFS, BestCrypt etc)
    3. Implementing automatic 'wipe-on-delete'
    4. Swapfile encryption
    5. Free-space wiping
    6. IPSec
  • Morning Troll );, but in any case OpenBSD is more secure out of the box than most Linux distros, this is true, but trust me, I have seen some *BSD boxes that are wide open (we are talking winders open here). This is because people think that they have OpenBSD and they are safe; they then go ahead, add a slew of ports and open up all kinds of stuff. The simple fact is, while it might be harder to secure an initial install of most Linux distros (Debian is quite easy if you want to be security minded when you first install and you have host security as a goal), most of them can be made almost as secure as an OpenBSD box, and of course if you would rather use that than *BSD (and I can think of several places where I would) then it is important to know how. The thing I do agree with you on is that reading about why OpenBSD is so secure by default and understanding the thought process behind it can *really* help in securing your Linux boxen. In short, winders is the enemy; *BSD and Linux can and do live very well together. So get over it and let's all have some fun. :)
  • speak for yourself, not everyone agrees with your definition.
    I put crackers in my soup.

  • prisoner, I've never seen one© I've seen the comp©security©unix and comp©security©misc FAQ[1], though© Other than that, I did some quick searching on google, and nothing came up©

    ¥but they DID make it seem as if there were, didn't they?

    [1] - Yes, that was a shameless plug for my website© :-


    --
    Cognosco: To examine, enquire, learn
  • whoops, I guess my html didn't work properly, because the URL didn't come out for that FAQ©:

    http://cognosco©datablocks©net/txt/OS_Specific/U NI X_Linux_ect/comp©security©unix_and_comp©security©m isc_FAQ©txt

    --
    Cognosco: To examine, enquire, learn
  • I tried changing them in the user info page, but they come back© :¥ They're supposed to be periods© For me, they come out as % A 9 ¥with spaces in there so the browser doesn't turn them into another weird character©
    --
    Cognosco: To examine, enquire, learn
  • Isn't this more of a server concern? I mean, even if my system was "compromised" (the official-sounding wording in the FAQ) why would I truly care? There is nothing on my system that denotes anything that would need to be truly secure (just some personal writing), and if things were deleted I keep regular backups. Privacy is not a concern (I keep no credit card or checkbook numbers on my box).

    There are no processes running as servers because it's a default Win2K Professional box. There is noone scanning my ports because I have set up a cheap version of ZoneAlarm (for my own benefit, to make sure my brothers and sisters aren't browsing to weird websites when I'm home for college).

    All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not. Sometimes I think this whole bent-up security "focus" of computer hackers comes from their own inherent distrust and annoyance psychologically with the rest of the world.

  • I wouldn't say it's a server concern. I would use it as a wake up call to those who don't know much about security.

    It wouldn't matter much even if you didn't have anything worthwhile on the machine should it be compromised; however, it can be leveraged as a gateway to attack other machines, which can leave you in a bind if you were unaware that your machine is being used as an attack station.

    annoyance psychologically with the rest of the world ... ?

    Personally I think if you're involved somehow on the net you should take any kind of precaution regarding security regardless of whether you're running any services, using credit cards, etc.; the more you know the easier it'd be to avoid having someone do anything to your machine in a case of not knowing or not giving a shit.

    SpeedyGrl.com [speedygrl.com]
  • Spelling flames are a low blow on usenet, but in this case, a formal document, they should be noted and corrected.

    In any case, this was an intentional corruption. A fellatious belief is one that sucks.

    Dan.
  • Excellent questions (Except for the last one). Several will likely make it into the next revision. I'll have to restrain myself from telling people that "mark" has hacked their computer, and left his calling card.
  • This wasn't an oversight, but is something that is still under consideration. I set out with the intent to integrate cleaning into the existing faq 'infrastructure', however, from what I read, this requires a plaintext faq (Please correct me if I am wrong... the news would be welcome). I have formatted the faq in such a way that it could easily be regenerated as plaintext, if I decide to take that route. I'm still keeping my options open. Please let me know if you've other thoughts on this matter... Best regards, Dan.
  • All of the above are in my 'todo' list. Take care, Dan.
  • Hehe... Windows 2000 Professional, huh? Cheap Version of ZoneAlarm? It looks like you're all set! The next thing you should do is put your system outside your apartment complete with monitor and keyboard. Although running Windows kind of does that anyway...

    Wake up, Neo! Wake UP!!!
    --------------
  • Why the hell do you have all those copyright symbols in your posts? (I'm using Konqueror)
  • I AM a two-bit Kansas City whore! I'm here, I'm reading, I'm even damned well replying, what more can you ask for? Bl00d ? I Read at +2!
  • by Kiaradune (222032) on Tuesday January 02, 2001 @02:15PM (#537652)
    How about you post your IP address here and let the skr1pt-k1dd13z have a go :-)

    Anyhow, my Linux box is more secure than a run-of-the-mill BSD box as it is unplugged, in a fire-proof lead-lined steel box, encased in eight-foot thick cement, hidden in a secret location, (I'm thinking Batcave(tm)-type places), with an armed penguin on guard!

    In any case, I forgot to install TCP/IP support into my kernel :-)

  • Do you need special hardware for that belief?

    The special hardware comes standard on some humans. Others can have it installed, but only at considerable expense (and the old hardware has to be deinstalled permanently). Most fellatious believers will tell you, however, that the conversion is probably WELL worth it.
    --
    MailOne [openone.com]
  • Isn't this more of a server concern? I mean, even if my system was "compromised" (the official-sounding wording in the FAQ) why would I truly care?

    Section 5.2 of the FAQ [linuxsecurity.com] covers this. Kind of. Do you want to explain to the police that you didn't know about the warez and child porn on your hard drive?

    All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not.

    Less so, maybe, does your 12-year-old brother never swap Word documents or games with friends? But then who would want to disseminate viruses and trojans, they serve no purpose, right?

  • by Soft (266615) on Tuesday January 02, 2001 @05:26AM (#537655)
    It looks like a good document about Linux security, but I thought the questions that were really asked often in comp.os.linux.security were of the kind:
    • I can't telnet to my machine as root!
    • Process belonging to `nobody', have I been cracked?
    • `-- MARK --' in my logs, what's going on?
    • Should I DENY or REJECT in my ipchains rules?
    • What is this OpenBSD Linux thing?

    No?
