December 6th, 2001, 09:02 AM
#11
Member
Yes, with the 2.4.x kernels came iptables to replace ipchains as the de facto packet filtering firewall tool. iptables && netfilter etc. are great! I do recommend a kernel patch like grsecurity/LIDS/OpenWall etc. to secure the box a little better. *n?x exploits often involve executing code on the stack, so anything you can do to make such a thing hard/difficult/impossible greatly improves your security.
The other thing I would recommend is remove the setXid bit from anything that does not absolutely have to have it. setXid (setuserid and setgroupid) is the real killer on any flavor of *n?x if the system is compromised.
The default Linux install comes with a long list of setXid programs by default. I really do recommend auditing these.
A very simple way to find them is to type the following on the command line:
# find / \( -perm -02000 -o -perm -04000 \) -ls > setXid.txt
Then you can open setXid.txt in an editor like vi and see what you don't really need to be setXid.
Also, (while I am in the mood to post) take a look at `chattr' and `lsattr', read their man pages and get to know them. I use `chattr +i program_name' on anything that could be of use to a hacker if they gain access to my system. This greatly reduces the threat of root-kits and other trojaned programs because the file cannot be modified in *any* way. `chattr +a /var/log/logname' is another good one because it puts the log/file in append-only mode. The hacker, if successful, will not be able to modify the logs to erase evidence that s/he was there.
(note: chattr & lsattr are only available on Linux, no Unix flavors have these binaries afaik)
Just a couple of ideas for you.
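The setXid audit described in the post, worked through as an added example (this is not the poster's script). It wraps the same find expression in a function that writes the report file and returns the number of hits, builds a constructed sample tree so it can be exercised without touching the real system, and adds a helper to strip the bits from anything the audit shows you do not need. The `-type f` filter is an addition on top of the post's command, so setgid directories (common for shared group directories) do not clutter the report. The chattr helper at the end mirrors the post's `chattr +a` advice; it needs root and an ext2/3/4 filesystem and is therefore not run in the demo.

```shell
#!/bin/sh
# Added example, not from the original post.
# Audit setuid/setgid files under a root directory, same perm test as the post.
audit_setxid() {
    root="$1"
    out="$2"
    # -perm -04000: setuid bit set, -perm -02000: setgid bit set.
    # -type f skips setgid directories, which are usually intentional.
    find "$root" \( -perm -02000 -o -perm -04000 \) -type f -ls > "$out"
    # Return the number of hits so a caller can track progress between audits.
    wc -l < "$out" | tr -d ' '
}

# Remove both bits from a file the audit showed does not need them.
drop_setxid() {
    chmod u-s,g-s "$1"
}

# Put a log file into append-only mode, as the post suggests (chattr +a).
# Requires root and an ext2/3/4 filesystem; not exercised by the demo below.
protect_log_append_only() {
    chattr +a "$1" && lsattr "$1"
}

# Build a constructed sample tree (hypothetical file names) so the audit
# can be demonstrated offline without scanning the real system.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/lib"
    : > "$dir/bin/suid_tool"
    chmod 4755 "$dir/bin/suid_tool"   # setuid
    : > "$dir/bin/sgid_tool"
    chmod 2755 "$dir/bin/sgid_tool"   # setgid
    : > "$dir/lib/plain"
    chmod 0755 "$dir/lib/plain"       # neither bit
    echo "$dir"
}

# Demo run: audit the sample tree, then show the count drop after cleanup.
sample=$(make_sample_tree)
before=$(audit_setxid "$sample" "$sample/setXid.txt")
drop_setxid "$sample/bin/suid_tool"
after=$(audit_setxid "$sample" "$sample/setXid.txt")
echo "setXid files before cleanup: $before, after: $after (report: $sample/setXid.txt)"
```

To audit the real box the way the post describes, call `audit_setxid / /root/setXid.txt` as root and read the report in an editor; run `drop_setxid` only on entries you have confirmed are not needed, since removing the bit from something like `passwd` or `su` will break it.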