I'll second chrootkit. I actually use it proactively on all of my servers and reactively on ones people suspect have been hacked and want me to test. It has found problems and from what one of my friends tells me ... a hacker (They managed to find a "salesman" who was creating his own network for file sharing by rootkitting company servers.)
James

On Sat, 2002-11-30 at 12:01, J. Craig Woods wrote:
> This post warrants another posting. For all of you that are new to
> security, i.e. firewalls, services binding to ports, and OS level
> security, these are good suggestions. Good job, Franki.
>
> I would, as well, add another level or step: this would include file
> security, and rootkit checking. To watch for any kind of change to
> *every* file on your hard drive, Tripwire cannot be beat (IMO). Not only
> do I use this program for my home network, I use it at work in a very
> large enterprise environment (Verizon OnLine). Checking for a rootkit is
> as easy as installing chrootkit at:
>
> http://www.chrootkit.org
>
> drjung
> --
> J. Craig Woods
> UNIX Network/System Administration
> http://www.trismegistus.net/resume.html
> Character is built upon the debris of despair --Emerson
>
> Franki wrote:
> > It's not that hard to stay secure with any Linux distro, especially if you
> > are not running public servers..
> >
> > Here are some steps you can look into. (I do all of these, except for
> > hogwash)
> >
> >
> > 1. Run a firewall like gShield to drop all packets to ports you want closed
> > to the net. (all of them unless you are running servers.) Test yourself by
> > doing the full scans at http://scan.sygate.com and make sure everything is
> > closed, even high ports. (gShield does that by default.) (see other posts
> > about gShield in expert tonight, it's the best off the shelf Linux firewall I
> > have seen, and really really easy to set up.)
> >
> > 2. In /etc/hosts.deny put one line: ALL:ALL
> > That closes all access to pretty much everything.. (man hosts_access)
> > Then you have to allow those services that you want to provide to your
> > network.. so add something like this to /etc/hosts.allow :
> > sshd: 192.168.0.3 (which will allow ssh access to only
> > 192.168.0.3)
> >
> > Do that for all the stuff where you need to allow internal access.
> > pop3, smb, telnet, imap etc etc etc...
> >
> > 3. Tell your server apps to limit themselves to the internal interface.
> > ------- samba: /etc/samba/smb.conf :
> > interfaces = eth0 (where eth0 is your internal ethernet card.)
> > hosts allow = 127. 192.167.0. (where 192.168.0.0/255.255.255.0 is your
> > internal net)
> >
> > ------- xinetd (for pop3 and other similar services) edit
> > /etc/xinetd.d/ipop3:
> > add to it:
> > only_from = 192.168.0.0/24 (again where the above range is your internal
> > network.)
> >
> > 4. (probably should be no 1.) Keep your box up to date using MandrakeUpdate
> > and join the security advisory mailing list at Mandrake.
> >
> > 5. (optional, but handy) Install portsentry and run it in stealth mode,
> > (portsentry -atcp and portsentry -audp)
> > This will automatically block any IP addresses that scan you, (which is the
> > way cracking usually starts.)
> > If you want to go even further, you could install hogwash as well.. which is
> > like portsentry, but blocks nasty packets not the IP address itself.)
> >
> > Personally if you have done the first 4, then I'd say you're far safer than
> > most.. and keep a copy of the config files for next time you install.. you
> > don't have to do all the work each time.. just install and copy the config
> > files back in.
> >
> > I don't even use msec, never had, and unless it gets a lot more intuitive,
> > I probably never will..
> >
> > but do all of the above, you are not going to have any issues..
> >
> > If your internal services can only be accessed on the internal interface,
> > and you explicitly allow each access to the box via tcpwrappers
> > (hosts.allow/hosts.deny) and your firewall blocks any packets from spoofed
> > internal IPs, (all good firewalls should), and you have no open ports..
> > (which is to say that everything not NAT (connection sharing) traffic for
> > the internal network is dropped) you are very very hard to hack from
> > outside, as there are no doors to open..
> >
> > If however you host a DNS server, or mail server, or Apache web server, then
> > you MUST make sure you keep them all up to date, and limit their access and
> > rights. (Mandrake 9.0 does a good job out of the box on this count, for
> > example, postfix runs chroot by default, which means even if it is somehow
> > hacked, it thinks the root directory of the box is /var/spool/postfix, so
> > they can't do damage elsewhere..)
> >
> > As I have said many times above, the first four steps give you very good
> > protection just by themselves.. set up like that, most crackers will give up
> > pretty quick.. there are far too many easier targets out there..
> >
> >
> > I still have a lot of mdk7.2 boxes out there running happily with ipchains
> > firewalls and none have been hacked thus far..
> > just because I follow the rules above..
> >
> > For a home net server, that's all you need.. if you have a ton of users on
> > your box, and you don't trust them all.. then there is a lot of other stuff
> > you can do.. (which I will leave for another discussion.)
> >
> >
> > rgds
> >
> > Frank
> >
> ----
>
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
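Step 2 of Frank's list (ALL:ALL in /etc/hosts.deny, then explicit entries in /etc/hosts.allow) only works because of the order in which tcp_wrappers evaluates the two files: hosts.allow is consulted first, hosts.deny second, and a connection matching neither is allowed. The following is an added example, not code from any post in this thread: a small POSIX shell simulator of that decision, which you can point at a candidate hosts.allow/hosts.deny pair to check what a given daemon and client would get before you lock yourself out of a remote box. It handles the client pattern forms the posts use (ALL, an exact address, a trailing-dot prefix such as "127." or "192.168.0.", and net/mask or net/prefixlen); the sample policy it writes is constructed for the demo, and the daemon names (sshd, ipop3d, smbd, in.ftpd, in.telnetd) are assumed process names for the services mentioned. EXCEPT lists, hostnames, KNOWN/UNKNOWN/LOCAL and the optional command field of hosts_access(5) are deliberately left out.

```shell
#!/bin/sh
# Example only: a simplified simulator of the tcp_wrappers decision described in
# hosts_access(5).  It is not tcp_wrappers itself.  Evaluation order:
#   1. (daemon, client) matches a line in hosts.allow  -> allow
#   2. otherwise it matches a line in hosts.deny       -> deny
#   3. otherwise                                       -> allow
# Step 3 is why "ALL: ALL" belongs in hosts.deny: without it, every service not
# named in hosts.allow stays reachable from anywhere.

ip2int() {
    # dotted quad -> 32-bit integer; "set --" only changes this function's args
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

match_daemon() {
    [ "$1" = ALL ] || [ "$1" = "$2" ]
}

# match_client PATTERN CLIENT_IP -> true if PATTERN covers CLIENT_IP
match_client() {
    pat=$1 cli=$2
    case "$pat" in
        ALL) return 0 ;;
        */*)                                   # net/mask or net/prefixlen
            net=${pat%/*} mask=${pat#*/}
            case "$mask" in
                *.*) m=$(ip2int "$mask") ;;
                *)   m=$(( (4294967295 << (32 - mask)) & 4294967295 )) ;;
            esac
            [ $(( $(ip2int "$cli") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
        *.)  case "$cli" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;   # prefix
        *)   [ "$pat" = "$cli" ] ;;                                        # exact
    esac
}

# file_matches FILE DAEMON CLIENT_IP -> true if any active line in FILE matches
file_matches() {
    file=$1 daemon=$2 client=$3
    [ -r "$file" ] || return 1
    while read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
        case "$line" in *:*) ;; *) continue ;; esac    # needs "daemons : clients"
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}          # drop an optional third field (shell command)
        # unquoted expansions are intentional: they split the comma/space lists
        for d in $(printf '%s\n' "$dlist" | tr ',' ' '); do
            match_daemon "$d" "$daemon" || continue
            for c in $(printf '%s\n' "$clist" | tr ',' ' '); do
                match_client "$c" "$client" && return 0
            done
        done
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT_IP ALLOW_FILE DENY_FILE -> prints "allow" or "deny"
hosts_access() {
    if   file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed sample policy mirroring the post: deny everything, then allow ssh
# from one workstation, POP3 and Samba from the internal /24, and ftp from 10.0.*
write_sample_policy() {
    printf 'ALL: ALL\n' > "$1/hosts.deny"
    printf '# internal clients only\nsshd: 192.168.0.3\nipop3d, smbd: 192.168.0.0/255.255.255.0\nin.ftpd: 10.0.\n' > "$1/hosts.allow"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_policy "$dir"
    for probe in "sshd 192.168.0.3" "sshd 192.168.0.7" "ipop3d 192.168.0.9" \
                 "ipop3d 192.168.1.9" "in.telnetd 192.168.0.3" "in.ftpd 10.0.5.5"; do
        set -- $probe
        printf '%-12s from %-14s -> %s\n' "$1" "$2" \
            "$(hosts_access "$1" "$2" "$dir/hosts.allow" "$dir/hosts.deny")"
    done
    # Same hosts.allow but no hosts.deny at all: the unlisted daemon falls through to "allow".
    printf '%-12s from %-14s -> %s (without hosts.deny)\n' in.telnetd 203.0.113.5 \
        "$(hosts_access in.telnetd 203.0.113.5 "$dir/hosts.allow" /dev/null)"
    rm -rf "$dir"
}

demo
```

Two caveats a practitioner will want alongside this. First, tcp_wrappers only protects daemons that are linked against libwrap or started through inetd/xinetd with it; a service that ignores hosts.allow/hosts.deny is untouched by step 2, which is why the firewall in step 1 and the per-daemon address lists in step 3 are not redundant with it. Second, the same prefix and net/mask pattern forms appear in the smb.conf `hosts allow` line quoted above, and the prefix there has to match the subnet the box actually uses (the quoted sample line and its parenthetical differ by one octet), so it is worth running the intended subnet through a check like this before relying on it.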
