[Fedora] On Securing the Linux system from intrusions and attacks.

John Summerfield debian at herakles.homelinux.org
Thu Dec 27 22:55:07 UTC 2007


Daniel B. Thurman wrote:
> John Summerfield and Tom Horsley wrote
>> Subject: Re: [Fedora] Seeing input on Securing the Linux system from
>> intrusions and attacks.
>>
>> Daniel B. Thurman wrote:
>>> I have finally got my F8 setup and running so now I am reviewing the
>>> security issues that need to be taken into account.
>>>
>>> [snip!]
>>>
>>> Does anyone have any advice, links to great sites focused on security
>>> and how to secure your Linux box against intrusions and attacks?
>>
>> What you need to do depends on what you're trying to protect. 
>> [snip!]
> 
> Summary:
> 
> John: vpn, shorewall, don't use hosts.{allow,deny} because of iptables,
>       systems cannot be port-scanned, keep watching logs. Firewall to
>       control spam + use of "countermeasures" and manually add blocks.
> 
> Tom:  ssh only. All other ports blocked(?).
> 
> ============
> 
> Well, what am I trying to protect against? Well, some are
> identified below but not limited to these.  I found via
> iptraf some of the things I added to the list below:
> 
> 1) General iptable schemes to otherwise block IPs, domains,
>    and general attacks such as those identified below.  I am
>    not well-versed in the use of iptables which is why I use
>    firestarter at the moment and I haven't yet learned how to
>    use shorewall as advised by John.
> 2) SYN/FIN/RST/CAN combo attacks
>    [Note:
>     I have seen an iptables "technique" to block various
>     forms/combinations of SYN/FIN/RST/CAN combos.  I
>     cannot foresee the end-results of these attacks but it
>     causes me some consternation.  I get reports daily
>     on these via my HW SonicWall firewall appliance and
>     have no idea what to do.  All I see are MAC addresses as
>     "they" hide their source/destination OR are using
>     packet schemes I do not recognize.  Are these harmful,
>     harmless, hog resources, or what?  Beats me.
>    ]
> 3) DDos/Spoof attacks
>    [Note:
>     My ports are "hammered" at times causing resource hogs.
>    ]
> 4) Foil Port-scanner intrusions (various schemes)
>    [Note:
>     You can see "them", "walking the dog".
>    ]
> 5) DNS attacks
>    [Note:
>     "They" are attempting to update/modify table entries.
>    ]
> 6) Sendmail Spams, viruses, ...
>    [Note:
>     I am learning, trying to find ways to greylist, blacklist,
>     regex, pattern/keyword blocks, ... but I am not there yet.
>     As it is, it is very time consuming manually identifying
>     spammer's IP/domain names and adding them to the block
>     list.  As it is, I get messages with [SPAM] marked and
>     yet I still have to deal with them (deleting them) instead
>     of simply not receiving them, and some find ways around
>     spamassassin/clamav anyway.

That's why I often block a large network when I identify a source of 
spam. The largest networks I block are in China - because that's where I 
find the largest networks assigned to a single organisation (such as a 
university).

Note, I do not automatically delete spam. If it gets past the 
impediments I place to its delivery, I then mark it up with 
spamassassin, and filter it (with procmail) into a special spam folder 
where users can choose for themselves whether to keep or delete. I find 
it easy to see, "There's no ham there today," and ^A[del] the lot.

>    ]
> 7) Database attacks (MySql, PostgreSQL, ...)
>    [Note:
>     "They" are probing for holes, trying brute-force password
>     cracking, and DDos attacks, or so it seems.
>    ]
> 8) Website attacks (Apache, Tomcat, and others...)
>    [Note:
>     The same as above (7) but with more tricks since there are a lot
>     of "doors" to attack.  Yes, I am being vague in the interest of
>     brevity.
>    ]
> 
> Anyway, this is my "short" list that I am working on right now, so I
> guess I have a lot of work to do.
> 
> No virus found in this outgoing message.
> Checked by AVG Free Edition. 
> Version: 7.5.516 / Virus Database: 269.17.9/1198 - Release Date: 12/26/2007 5:26 PM
Frankly, I don't value AV "sigs" such as this. What's to prevent my 
including it in my spam?
>  
> 

Let's use "hostile interface" to mean a network interface which the 
ungodly might attack. Typically, it's one's interface to the public 
internet, but it could be a wireless interface or even a local LAN.

A service (such as postgresql) that is not listening to a hostile 
interface is not subject to attack through it. If it's not providing a 
service to those on the other side of a hostile interface, the server 
should not be listening to it.

Some of those attacks attack only the kernel. Your only protection is to 
keep your kernel up2date.

Websites are necessarily (most often) listening to a hostile interface. 
Keep the software up2date, keep an eye out for security concerns. Most 
likely-to-succeed attacks will attack your application - groupware, 
wikiware and such. Some of that will need access to your databases, and 
a successful attack against that might give access to other stuff such as 
your databases.

Rate-limiting incoming connexions restricts enumerating accounts' 
passwords. I do that for ssh. IMAP, SMTP (if you allow password 
authentication for out-of-office users) and FTP are also subject to 
this. If you don't run an ftp server, the ungodly can't use it to breach 
your security.

If you want a stable, secure system, start with your software selection. 
Fedora's not the answer, just look at how many people have problems 
after updating their software!

Next, buy and read and understand books dealing with installing, 
configuring & securing Linux. There's a lot of HOWTOs out there, and 
mostly they're good, but they don't provide a complete, well-considered 
course of study.

Speaking of which, a good course is hard to beat. I have the impression 
your own experience is rather limited.

I have a book here, "Linux Firewalls", that's about 560 pages. That's 
only part of what you need; you're not going to get all your answers 
there. I also have "Reliable Linux" and "Maximum Linux Security", and 
books on sendmail, tomcat, mysql, postgresql, LDAP and other topics 
also deserve consideration, according to your specific needs.




-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
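An added example, not part of John's message or of any Fedora tool, illustrating two points from the reply above: that a service which is not listening on a hostile interface cannot be attacked through it, and that rate-limiting new connections blunts password guessing against ssh. The socket listing is constructed in the shape of `ss -Hltn` output, and the 4-hits-in-60-seconds threshold is an assumption, not a value from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the advice
# above: find services listening on every interface (and so reachable through
# a hostile one), and print iptables rules that rate-limit new connections to
# a port. The sample socket listing and the 4-hits-per-60-seconds threshold
# are constructed assumptions, not values from the thread.

# Constructed sample in the shape of `ss -Hltn` output
# (State Recv-Q Send-Q Local:Port Peer:Port). Loopback-only listeners
# (25 on 127.0.0.1, 631 on [::1]) should not be reported.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 *:3306 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*'

# wildcard_listeners "PORT PORT ..."
# Reads socket lines on stdin and prints each port bound to a wildcard
# address (0.0.0.0, [::] or *) that is not in the space-separated allow-list.
# Anything printed is a service the box offers on every interface, intended
# or not (in the sample: postgresql on 5432 and mysql on 3306).
wildcard_listeners() {
    awk -v allow=" $1 " '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            # everything before the final ":" is the bound address
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                if (index(allow, " " port " ") == 0) print port
        }'
}

# ratelimit_rules PORT [HITS] [SECONDS]
# Prints two rules in iptables-save form using the "recent" match. The first
# records every new connection attempt to PORT per source address; the second
# drops an attempt when that source has made HITS or more within SECONDS.
# Only NEW packets are matched, so established sessions are unaffected.
ratelimit_rules() {
    port=$1
    hits=${2:-4}
    secs=${3:-60}
    cat <<EOF
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --name rl_$port --set
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --name rl_$port --update --seconds $secs --hitcount $hits -j DROP
EOF
}

# Demo: sshd and httpd are meant to be public; anything else bound to a
# wildcard address is flagged, and ssh gets the rate limit.
echo "Listening on every interface but not in the allow-list:"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners "22 80"
echo
echo "Rate-limit rules for ssh:"
ratelimit_rules 22
```

On a real host, feed `ss -Hltn` (or `netstat -ltn`, skipping its header) into `wildcard_listeners` and bind each flagged daemon to 127.0.0.1 or the internal address unless it must be public. Load the rules with `iptables-restore`, or prefix each line with `iptables`, placing them after the rule that accepts ESTABLISHED,RELATED traffic and before the ACCEPT for port 22; with the defaults above, the fourth new connection from one address within 60 seconds is dropped. Two caveats worth knowing: the `recent` match keeps only 100 addresses per list by default (the `ip_list_tot` module parameter), so a distributed brute force can cycle entries out, and the limit applies per source address, which does nothing against guessing spread across many hosts.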
