12-27-2007, 07:42 PM
John Summerfield

Seeing input on Securing the Linux system from intrusions and attacks.

Daniel B. Thurman wrote:

> I have finally got my F8 setup and running so now I am reviewing the
> security issues that need to be taken into account.
>
> I have looked into trying many things to protect and harden my systems,
> but I thought I'd ask members what they are doing/using to defend their
> systems against attacks and unwanted intrusions? Would it be neat
> if there was an automatic non-human defender to do it for you while you
> sleep? Dream on.
>
> I would like to focus on securing Fedora. I have tried snort w/Base etc.,
> Tripwire, Fam, nmap, Iptable techniques, and so on.
>
> Does anyone have any advice, links to great sites focused on security
> and how to secure your linux box against intrusions and attacks?



What you need to do depends on what you're trying to protect. If you're
not running any servers, then things are pretty cheesy - you only need
to worry about invited data (websites you visit, email you receive and
such)....


I don't run Fedora for anything important. I don't know how serious the
Fedora project is about security, but I see the need to keep
upgrading to be a security hazard in itself. Where I want updates for
an extended period, I prefer a RHEL clone or Debian.


I content myself with a vpn (openvpn) to secure remote access, shorewall
for my firewall. I don't use hosts.{allow,deny} - I don't see that they
offer anything much that iptables can't do.


Typically my firewalls allow ssh from those IP addresses I might use
(only Australian, not all), and rate-limited from others (in case I got
it wrong).


I also limit access to remote sites; my systems cannot be used to
port-scan others.


I also keep an eye on my logs; I've spotted some virus-infected Windows
laptops over time.


Finally (I think) I use the firewall to help control spam; if spam gets
through my other countermeasures, I often block entire /24 (and larger,
up to /11 in one case) networks from which I receive spam.





Thanks!







--

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
12-29-2007, 04:48 PM
Frank Cox

Seeing input on Securing the Linux system from intrusions and attacks.

On Sat, 29 Dec 2007 06:24:26 -0700
Karl Larsen <k5di@zianet.com> wrote:

> From my own experience I learned you need to use real good passwords
> on EVERYTHING. I thought my user password was safe because no one can
> get to that. WRONG. A ssh connection can use your weak user password to
> get in.
>
> So use passwords that include letters upper and lower case and
> numbers. Then sleep well at night.

Better solution:

Specify only the usernames and IP addresses allowed to log in through ssh
in /etc/ssh/sshd_config

Disallow password logins completely in /etc/ssh/sshd_config and use keys
instead.

Add the appropriate entries to /etc/hosts.allow and /etc/hosts.deny to deny
remote access to ssh (and all other services)

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
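
As an added illustration of the sshd_config measures in the message above (not part of the original thread), this Python check audits the global section of an sshd_config for key-only logins and a host-restricted AllowUsers list. The sample configs, the user names and the 203.0.113.10 address are constructed, and the check assumes OpenSSH's rule that the first value read for a keyword is the one used.

```python
# Added example, not from the thread. Sample configs below are constructed;
# the user names and 203.0.113.10 (documentation range) are placeholders.
WEAK = """\
Port 22
PasswordAuthentication yes
"""

HARDENED = """\
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers frank@203.0.113.10 backup@203.0.113.10
# A later duplicate is ignored: sshd keeps the first value it reads.
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_global(text):
    """Map each lowercased keyword to its argument strings, in file order,
    for the directives that appear before the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()      # sshd_config keywords are case-insensitive
        if keyword == "match":          # conditional overrides are not audited here
            break
        seen.setdefault(keyword, []).append(parts[1] if len(parts) > 1 else "")
    return seen


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_global(text)
    findings = []
    # Absent keywords fall back to sshd's defaults (both "yes").
    if cfg.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("password logins enabled")
    if cfg.get("pubkeyauthentication", ["yes"])[0].lower() != "yes":
        findings.append("public key logins disabled")
    patterns = " ".join(cfg.get("allowusers", [])).split()
    if not patterns:
        findings.append("no AllowUsers list: any account may log in")
    findings += [f"AllowUsers entry {p!r} is not tied to a host"
                 for p in patterns if "@" not in p]
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser here only reads the text it is given.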

 
12-29-2007, 07:49 PM
"Dean S. Messing"

Seeing input on Securing the Linux system from intrusions and attacks.

Frank Cox wrote:
: Karl Larsen <k5di@zianet.com> wrote:
: > From my own experience I learned you need to use real good passwords
: > on EVERYTHING. I thought my user password was safe because no one can
: > get to that. WRONG. A ssh connection can use your weak user password to
: > get in.
: >
: > So use passwords that include letters upper and lower case and
: > numbers. Then sleep well at night.
:
: Better solution:
:
: Specify only the usernames and IP addresses allowed to log in through ssh
: in /etc/ssh/sshd_config

How does one get into one's system from one's laptop if one is traveling
and forced to use the local hotel internet connection?

: Disallow password logins completely in /etc/ssh/sshd_config and use keys
: instead.

Agreed! Also, I (and many others) have found that moving sshd off of
port 22 completely stops the script-kiddy attempts that fill one's
/var/log/messages

: Add the appropriate entries to /etc/hosts.allow and /etc/hosts.deny to deny
: remote access to ssh (and all other services)

Again, how does this impact remote access when traveling?

Dean

 
12-29-2007, 08:49 PM
Tom Horsley

Seeing input on Securing the Linux system from intrusions and attacks.

On Sat, 29 Dec 2007 06:24:26 -0700
Karl Larsen <k5di@zianet.com> wrote:

> So use passwords that include letters upper and lower case and
> numbers. Then sleep well at night.

Or better yet, don't allow password authentication at all. I only
allow public key from outside my local net.

 
12-29-2007, 08:51 PM
Tom Horsley

Seeing input on Securing the Linux system from intrusions and attacks.

On Sat, 29 Dec 2007 22:35:07 +0800
Ed Greshko <Ed.Greshko@greshko.com> wrote:

> You forgot one very important item.
>
> Whatever you do, don't be paranoid...unless someone is really out to get you.

All you need to do is leave an unsecured box hooked up to the internet
for 5 or 10 minutes to discover that someone really is out to get you :-).

 
12-29-2007, 08:57 PM
Tom Horsley

Seeing input on Securing the Linux system from intrusions and attacks.

On Sat, 29 Dec 2007 12:49:11 -0800 (PST)
"Dean S. Messing" <deanm@sharplabs.com> wrote:

> How does one get into one's system from one's laptop if one is traveling
> and forced to use the local hotel internet connection?

If you can't know where you'll be connecting from, you probably can't
use the IP address restrictions, but at least you can allow only
public key access which will make things more secure.

Actually, I once considered building an automated system so I could
send my computer an email (which it would poll for every few minutes)
to tell the system to enable external access, so I could leave the
system closed off most of the time, and only open it when I wanted
access, but that seemed to be way too much trouble. The public key
only scheme is pretty secure.

 
12-29-2007, 09:19 PM
"Dean S. Messing"

Seeing input on Securing the Linux system from intrusions and attacks.

Tom Horsley wrote:
: > How does one get into one's system from one's laptop if one is traveling
: > and forced to use the local hotel internet connection?
:
: If you can't know where you'll be connecting from, you probably can't
: use the IP address restrictions,


That's what I thought.

: but at least you can allow only public key access which will make
: things more secure.

Completely agree. The only time I allow an ssh password entry is on a
new machine to which I will connect from another machine, both of
which are behind a firewall, and only when I first bring the new
system up. (It has no public key files at that point.) The first
thing I do is copy keys onto and then turn off password
authentication.

Besides, I don't think you can forward password credentials via
ssh-agent / ssh-add, only public key credentials. ssh agent
forwarding is one of the nicest features of public key authentication.

Dean

 
12-29-2007, 09:20 PM
Karl Larsen

Seeing input on Securing the Linux system from intrusions and attacks.

Tom Horsley wrote:

> On Sat, 29 Dec 2007 22:35:07 +0800
> Ed Greshko <Ed.Greshko@greshko.com> wrote:
>
>> You forgot one very important item.
>>
>> Whatever you do, don't be paranoid...unless someone is really out to get you.
>
> All you need to do is leave an unsecured box hooked up to the internet
> for 5 or 10 minutes to discover that someone really is out to get you :-).


I was got after I joined this list and said I was not worried. After
that I got worried. And last week someone was knocking at my door but
this time the password for user karl is not larsen :-)


Karl


--

Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
PGP 4208 4D6E 595F 22B9 FF1C ECB6 4A3C 2C54 FE23 53A7

 
12-29-2007, 09:41 PM
Frank Cox

Seeing input on Securing the Linux system from intrusions and attacks.

On Sat, 29 Dec 2007 12:49:11 -0800 (PST)
"Dean S. Messing" <deanm@sharplabs.com> wrote:

> : Specify only the usernames and IP addresses allowed to log in through ssh
> : in /etc/ssh/sshd_config
>
> How does one get into one's system from one's laptop if one is traveling
> and forced to use the local hotel internet connection?

This is appropriate only where you have static addresses at both ends. When
you have static addresses, it's a good addition to ssh security.

> : Add the appropriate entries to /etc/hosts.allow and /etc/hosts.deny to deny
> : remote access to ssh (and all other services)
>
> Again, how does this impact remote access when traveling?

See above.

Incidentally, is there any way I could persuade you to get rid of the colons
and use > (which have been a de-facto standard for quote marking ever since my
days using Opus and msged on Fidonet)? Your colons mess up the colorized
highlighting that my email client uses to distinguish quotes from original
content and therefore makes your messages more difficult to read.

Of course, that's just me, but I suspect there are a lot of others who use mail
clients with similar capabilities. Colons instead of > will break them all.


--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com

 
12-29-2007, 09:50 PM
Karl Larsen

Seeing input on Securing the Linux system from intrusions and attacks.

Frank Cox wrote:

> On Sat, 29 Dec 2007 12:49:11 -0800 (PST)
> "Dean S. Messing" <deanm@sharplabs.com> wrote:
>
>> : Specify only the usernames and IP addresses allowed to log in through ssh
>> : in /etc/ssh/sshd_config
>>
>> How does one get into one's system from one's laptop if one is traveling
>> and forced to use the local hotel internet connection?
>
> This is appropriate only where you have static addresses at both ends. When
> you have static addresses, it's a good addition to ssh security.
>
>> : Add the appropriate entries to /etc/hosts.allow and /etc/hosts.deny to deny
>> : remote access to ssh (and all other services)
>>
>> Again, how does this impact remote access when traveling?
>
> See above.
>
> Incidentally, is there any way I could persuade you to get rid of the colons
> and use > (which have been a de-facto standard for quote marking ever since my
> days using Opus and msged on Fidonet)? Your colons mess up the colorized
> highlighting that my email client uses to distinguish quotes from original
> content and therefore makes your messages more difficult read.
>
> Of course, that's just me, but I suspect there are a lot of others who use mail
> clients with similar capabilities. Colons instead of > will break them all.



Using a pgp key is a good idea but getting it into the server at
pgp.mit.edu is right now not possible. But after Christmas break it will
work. I have one and it is handy.


Karl


--

Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
PGP 4208 4D6E 595F 22B9 FF1C ECB6 4A3C 2C54 FE23 53A7
