Hardening Fedora...

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sun Apr 25 15:30:49 UTC 2004


On Sun, 25.04.2004 at 16:46, Peter Santiago wrote:

> Hi Alexander,
> 
> Well, by hardening, I mean, enhancing the security of my Fedora
> installation. I'm just doing this to gain more experience in setting up
> Linux boxes. I could install Fedora Core 2 test release (kernel 2.6.3
> with SELinux), but I'd rather want to see what I can achieve using Bastille
> or other methods to make a fedora installation more secure... =^^=  Hope I
> didn't sound way out of my depth....

> Peter Santiago         peters at psinergybbs.com

Ok Peter,

on a test machine and for learning purposes Bastille might be one way to
understand better which security problems might appear. With the RPM
version I would be cautious: there is no comment on how well it fits
Fedora.

Maybe Bastille is helpful for a Linux beginner to understand some risks
and learn some "switches" for valid security. In general I doubt it
improves security at all if you have not already done something bad with
your Fedora installation.

It's not that easy to suggest anything specific, as the range of possible
experience in Linux administration is wide and there are lots of topics
you might care about. Given that you did not accidentally open up your
system into an insecure state (like using a telnet server across WAN
connections, giving users too many permissions with e.g. suid, setting
up your mail server as an open relay ...) there are several concepts and
tools to "improve security". That is to say, putting the
administrator/root into a situation where he gets non-standard
information about attempts to hack the system, or on the other side
prohibiting specific actions. That may take place with:
- setting up a good set of iptables rules, securing the services you
need, and after switching off services you do not need but which run by
default (like on many Fedora installations the portmapper on port 111 is
open to the worldwide net)
- controlling network/host scanning with portsentry or psad
- restricting user and even root permissions by using kernel based
policy sets: SELinux or grsecurity
- restricting permissions and information of the administrator by using
an IDS like lids (kernel based too)

All that said, the cost of all that is the time and effort to manage
these things: you do not just need a one-time setup, but all security
functions need constant administration and control.

I do not know whether that helps you see a bit more clearly what you
might consider trying. In any case it is good to care about security, and
it is even worth taking a test machine/installation to test the available
tools and switches. And certainly there are good books on the market -
not Fedora specific, but for all Linux users/admins - which cover this
topic; e.g. Linux Administration by O'Reilly.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 17:04:37 up 6 days, 23:50, load average: 0.06, 0.22, 0.28 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars