Freerider (United Kingdom of Great Britain and Northern Ireland) asked:

Staying protected on the Internet

Hi all,

I'm still new to linux. I'm using Fedora and want to access the internet.
With Windows it's easy to keep protected using firewall and antivirus software, but with Linux it seems FAR more complicated. How do I setup my system to make sure no-one can hack into my computer? I don't want anyone to be snooping around my data files without me knowing about it. But at the moment I don't know enough about security to stop them. Any help appreciated.

Thanks,
Freerider.
bobgunzel:

Get gshield, http://muse.linuxmafia.org/gshield/ 

Bob Gunzel
Unless you specifically disabled it, Fedora would have installed a default local firewall that allows you to access Internet resources, but prevents an Internet host from accessing anything on your system. So in that respect it is far less complicated. Probably the most important issue with a Linux system is religiously keeping it up to date w/respect to security updates as soon as they are released. It's been a long time since there was an active exploit for a Linux box that the fix wasn't available at least a month before the exploit surfaced. For example, the security fix for the Slapper worm was available from all Linux vendors over a month before the exploit surfaced, but still something in excess of 20,000 systems were compromised by Slapper.

And, you can't neglect internal security. Right now Stanford is fighting a problem where user names/passwords have been captured, used to log in to Linux and Solaris systems, and local elevation of privilege exploits are being used to crack the systems "from the inside". Obviously, if those systems were completely up to date, such an attack wouldn't be possible. There's a tendency to overly trust a firewall and neglect updates on machines behind the firewall, or allow machines behind a firewall to use insecure protocols, like telnet, FTP, rlogin, etc.
Freerider (asker):

Thanks both.

I downloaded and started reading the documentation for gShield. It says at the start "gShield requires iptables in order to work its magic." I noticed at bootup I get an "OK" after the configuration of iptables. Does this mean the "default local firewall" has been configured? How do I make sure?

Also jlevie, something I have wondered about for some time concerns the open source idea where almost anyone can improve the Linux kernel. What is there to stop anyone writing some kind of virus which could be mistaken as an "upgrade"?

Freerider.
It is easy enough to check to see if the default firewall is running and has a restrictive rule set by executing 'iptables -L'. An empty rule set would show:

wilowisp> sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

and an active firewall would look very different, e.g.:

praetorian> sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
tcpflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
tcpflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
tcpflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
tcpflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
tcpflags   tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN,RST
tcpflags   tcp  --  anywhere             anywhere           tcp flags:FIN,SYN/FIN,SYN
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
...

Well, OpenSource doesn't work exactly that way. While anyone can contribute a patch or feature for consideration to, say, the kernel, there's an extensive code review that goes on before that contribution makes it into the release version. So it is highly unlikely that malicious code could wind up in something critical like the kernel. And in the case of something sponsored or provided by a commercial Linux vendor (RedHat's Fedora, RHEL, Mandrake, SuSE, etc.), the Linux vendor also conducts code audits and runs test suites against anything they distribute.
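As an added example (not code from any answer in this thread), here is a small POSIX shell helper that applies the check above mechanically: it reads `iptables -L` output on stdin and classifies it as "empty" (all built-in chains default to ACCEPT and there are no rules), "permissive" (rules exist but nothing drops or rejects), or "restrictive" (a DROP/REJECT policy or rule is present). The sample outputs embedded below are constructed for offline testing; the user-defined chain name LOCAL-INPUT is made up and is included only to show that chains without a `policy` field must not be mistaken for a restrictive policy.

```shell
#!/bin/sh
# Added example: classify `iptables -L` output read from stdin.
# Typical use on a live system:   sudo iptables -L | classify_iptables
# Prints one of: empty | permissive | restrictive
classify_iptables() {
  awk '
    # Built-in chains carry "(policy X)"; user chains carry "(N references)".
    /^Chain / {
      if ($0 ~ /\(policy / && $0 !~ /policy ACCEPT\)/) restrictive = 1
      next
    }
    /^target +prot/ { next }      # column header line
    NF == 0         { next }      # blank separator between chains
    /^[A-Za-z]/ {                 # a rule line: target prot opt src dst ...
      rules++
      if ($1 == "DROP" || $1 == "REJECT") restrictive = 1
    }
    END {
      if (restrictive)    print "restrictive"
      else if (rules > 0) print "permissive"
      else                print "empty"
    }'
}

# Constructed sample 1: the empty rule set shown in the answer above.
EMPTY_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample 2: policy ACCEPT everywhere, but a user chain (made-up
# name LOCAL-INPUT) ends with a REJECT rule, as distribution firewalls often do.
RESTRICTIVE_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOCAL-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOCAL-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp any
REJECT     all  --  anywhere             anywhere           reject-with icmp-host-prohibited'

# Constructed sample 3: rules present, but every one of them ACCEPTs.
PERMISSIVE_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Demonstration on the constructed samples (no root or live iptables needed).
printf '%s\n' "$EMPTY_SAMPLE"       | classify_iptables
printf '%s\n' "$RESTRICTIVE_SAMPLE" | classify_iptables
printf '%s\n' "$PERMISSIVE_SAMPLE"  | classify_iptables
```

The point of the third state is that `policy ACCEPT` on INPUT does not by itself mean the host is open: many distribution firewalls keep the built-in policy at ACCEPT and jump to a user chain that ends in a REJECT rule, so a reader who only looks at the policy line would misjudge it. Run the live check as root, since an unprivileged `iptables -L` fails rather than showing an empty table.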
You can get the bastille rpm for fedora here -
http://download.atrpms.net/production/packages/fedora-1-i386/atrpms/bastille-linux-2.1.1-1.rhfc1.at.i386.rpm

This is a set of scripts which will interactively guide you through securing your pc. Installation instructions -

    * install the Bastille RPM, like this:

        rpm -ivh Bastille-2.1.1-1.0.i386.rpm

    * Install perl-Tk (for our GUI) or perl-Curses (for console/text mode).
      Get the right one by consulting this table.

        rpm -ivh perl-Tk-a.b-c.i386.rpm
      or
        rpm -ivh perl-Curses-d.e-f.i386.rpm

      Note: you can also install perl-Tk/perl-Curses via CPAN, if you know how. On Red Hat 8.0, this is definitely the easiest way to get perl-Tk (GUI) right now.

Running
Type: "bastille" to start the full custom hardening script.

Don't forget: Reboot the machine when you're done!
ASKER CERTIFIED SOLUTION
bobgunzel:
