January 13th, 2003, 11:17 PM
Trying to Secure a linux box
I want to set up a webserver on my linux 7.3 box. So I have been doing some security checks, running things like Nessus and SAINT. And then I read somewhere to see if I have "world writable directories" by running this command:
find / -perm -2 -type d -print <------- Good idea or is there a better way?
And here is the output:
Can someone explain what this means and how I can make these more secure and not writable? Would I just run
chmod u=rwx "each directory" or do some of these files need different permissions?
Here is another command:
find / -type f \( -perm -04000 -a -user root \) -print
I'm just a newbie to the Linux world and still learning, so are these commands a good idea to run or ...? I am running iptables as my firewall too.
January 13th, 2003, 11:54 PM
Here is a tutorial written by problemchild on this very subject.
Hope it helps.
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharoes have the slaves demanding work
January 13th, 2003, 11:55 PM
Well, you really want to leave all the stuff in /tmp and /var/tmp directories alone. They are world writable for a reason, so that apps and users which need temporary space can write to them. If you tighten those permissions down, you will probably find that a good many of your services and apps fail spectacularly.
None of those directories should be available to an outsider through your webserver anyway, unless it is grossly misconfigured.
Keeping an eye on world writable directories is definitely a good idea, but be careful in /tmp and /var/tmp.
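An added example (not code from anyone in this thread) that runs the first post's two find commands as an audit, separating the sticky-bit directories this reply says to leave alone from the ones worth fixing; it builds a constructed directory tree so it can be run without touching the real filesystem, and the owner passed to the setuid check is an assumption (use root on a real box):

```shell
#!/bin/sh
# Added example, not code from the thread: audit world-writable directories the way
# the first post's find does, but separate sticky-bit directories (such as /tmp) that
# this reply says to leave alone, and list setuid files. The demo tree is constructed.

# World-writable directories under $1 WITHOUT the sticky bit: candidates for fixing.
# -perm -2 = writable by others, -perm -1000 = sticky, -xdev = stay on one filesystem.
unsafe_world_writable_dirs() {
    find "$1" -xdev -type d -perm -2 ! -perm -1000 -print 2>/dev/null | sort
}

# World-writable directories WITH the sticky bit (mode 1777 like /tmp): users can create
# files but only remove their own. These are world-writable on purpose.
sticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -2 -perm -1000 -print 2>/dev/null | sort
}

# Setuid regular files owned by user $2 (the first post's second find, with the
# escaping fixed; pass root on a real box). Each one runs with its owner's privileges.
setuid_files_owned_by() {
    find "$1" -xdev -type f \( -perm -04000 -a -user "$2" \) -print 2>/dev/null | sort
}

# Remove write access for "others" only. Note that "chmod u=rwx" sets just the owner's
# bits and leaves the world-write bit in place; "chmod o-w" is what actually removes it.
fix_world_writable_dir() {
    chmod o-w "$1"
}

# Constructed tree: a sticky tmp, an unsafe 0777 upload dir, one setuid file.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp" "$d/home/app/upload" "$d/usr/bin"
    chmod 1777 "$d/tmp"
    chmod 0777 "$d/home/app/upload"
    : > "$d/usr/bin/demo_suid" && chmod 4755 "$d/usr/bin/demo_suid"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "== fix these:";   unsafe_world_writable_dirs "$root"
    echo "== leave alone:"; sticky_world_writable_dirs "$root"
    echo "== setuid:";      setuid_files_owned_by "$root" "$(id -un)"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the three lists on the constructed tree, or point the functions at `/` (as root, with `root` as the owner) for a real audit.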
January 14th, 2003, 12:25 AM
I would also suggest that you download the hardening scripts called Titan. Here is a link.
Keep in mind that these scripts are written for the purpose of hardening any *nix OS for the use of a Firewall. But it is easy enough to customise your own hardening script for the use on a webserver.
Also, be sure to obtain security scripts for the webserver you are using (i.e. Apache).
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
January 14th, 2003, 08:39 AM
Cool, thanks guys for those tips...
Now another quick question.
I want to know what each service does when my Redhat system starts up, for example:
So for this information I tried /etc/services... and then went to Google, well www.google.com/linux . In the search field I type
But what I'm looking for doesn't come up. Can you guys give me some examples: if you were looking for this information, where would you go? "Google" probably, and what would be the search string, to see what the app does and if I need it to start up? Thanks
January 14th, 2003, 03:32 PM
keytable loads your locale-specific keymap.
atd carries out commands at times scheduled by the at command. This can be killed if you don't need or use the at command.
apmd enables apm and battery status readings, so you can kill this service.
random creates high-quality pseudo-random numbers, and can be killed.
ntpd syncs your system clock with a specified ntp server, and can be killed too.
January 17th, 2003, 05:40 PM
You can also try looking at /etc/fstab and seeing if you have lines for /var and /tmp .....
If you do, you can change the options to include "nosuid" and "noexec" separated by commas, then remount with "mount /var -oremount" and "mount /tmp -oremount".
If you don't have lines for /var and /tmp you should investigate how to build a secure Linux box.. the idea behind using different partitions is that you can mount them with different options as above.
I recommend:-
even though it is designed for Redhat, you can apply the principles to any linux OS.
.....Brain Failure....dumping core.... z z z
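An added example (not code from this post or its author) that does the fstab check described above: it reads the options field for a mount point, reports whether nosuid and noexec are both present, and appends them if not. The sample fstab is constructed; the device names and filesystem type in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: check an fstab for the /tmp and /var lines
# the post above mentions, and add nosuid,noexec where missing. The sample fstab is
# constructed; point the functions at /etc/fstab on a real box (after backing it up).

# Print the options field (4th column) of the non-comment line mounted at $2.
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# Succeed only if mount point $2 is listed in $1 with both nosuid and noexec.
mount_is_hardened() {
    opts=$(fstab_options "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    return 0
}

# Append nosuid and noexec to $2's options in $1 if absent (safe to run twice), then
# print the remount command from the post; the file is changed, the mount is not.
harden_mount() {
    tmp="$1.new"
    awk -v mp="$2" -v OFS='\t' '
        $1 !~ /^#/ && $2 == mp {
            if (("," $4 ",") !~ /,nosuid,/) $4 = $4 ",nosuid"
            if (("," $4 ",") !~ /,noexec,/) $4 = $4 ",noexec"
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
    echo "now run: mount $2 -oremount"
}

# Constructed sample: /tmp has nosuid only, /var has defaults only, no /home line.
make_sample_fstab() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample, not a real /etc/fstab' \
        '/dev/hda1   /      ext3   defaults          1 1' \
        '/dev/hda5   /tmp   ext3   defaults,nosuid   1 2' \
        '/dev/hda6   /var   ext3   defaults          1 2' > "$f"
    echo "$f"
}
```

A mount point with no line at all (like /home in the sample) is reported as not hardened, which is the "investigate how to build a secure linux box" case in the post.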
January 28th, 2003, 10:46 PM
It would be a good idea if you have / , /usr, /home and /var in different partitions, so that you can use krang's tip. By setting partitions nosuid and noexec, no one will be able to run stuff from them. And also, having distinct partitions for /home and /var (I usually have /tmp as a link to /var/tmp) means easier management, faster fsck, and if the var becomes full, you won't lose the work you are saving in /home. AFAIK, the nosuid/noexec flags only work on ext2 (correct me if I am wrong), and this trick can be fooled.. (I've never tried to, but...) :/ Anyway, it is quite interesting anyway.
Well, what else? Have a look at /etc and make sure that files like syslog.conf can't be either read by anyone, nor be written to. Update your server often, don't run any other server you won't use (like apmd, lpd - if you are not going to print from this machine, forget it, etc). Services can be run standalone or by inetd, xinetd or similar. inetd's configuration file is /etc/inetd . Every line that begins with # is a comment, and will not mean anything to the program. So, to disable stuff you won't run, just add a # to the beginning of the line..
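An added example (not code from this post or its author) of the "add a # to the beginning of the line" step: it lists which inetd services are still active and comments out a named one without double-commenting lines that are already disabled. The sample inetd.conf is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: disable inetd services by putting a # in
# front of their lines, as the post above describes. The sample file is constructed;
# on a real box the file is /etc/inetd.conf and inetd has to reread it afterwards.

# Names (first field) of services whose lines are neither blank nor commented out.
enabled_inetd_services() {
    awk '$0 !~ /^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Comment out every active line whose service name is $2; lines already starting
# with # are left alone, so running this twice does not produce "##".
disable_inetd_service() {
    tmp="$1.new"
    awk -v svc="$2" '$0 !~ /^[[:space:]]*#/ && $1 == svc { $0 = "#" $0 } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample with two active services and one already disabled.
make_sample_inetd_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample inetd.conf, not a real one' \
        'ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd' \
        '#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd' > "$f"
    echo "$f"
}
```

Running `enabled_inetd_services` before and after is the quick check that what you meant to disable is really gone from the active list.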
January 29th, 2003, 04:47 PM
I'm flattered somebody linked to one of my tuts. <sniff>
Funny enough, I have also written a tutorial on this topic as well. It is here.
It would be a good idea if you have / , /usr, /home and /var in different partitions
I usually don't advise this because mounting /var noexec can mess up some package managers, like RPM. But /tmp definitely needs to be noexec because about 90% of the SK exploits will attempt to run some kind of malicious code from /tmp.
I usually have /tmp as a link to /var/tmp
Yes, it can be gotten around by using indirect paths. But the vast majority of attacks will come from SKs who have no idea what they are really doing, and that will stop them dead in their tracks.
and this trick can be fooled
I have several tutorials linked from my profile on topics like chattr and lsattr, find, the wheel group, and other basic hardening techniques.
Do what you want with the girl, but leave me alone!
January 30th, 2003, 05:07 PM
Hmm, haven't seen your tutorial before, problemchild. Great one!
About the link, I never realised this.. the last programs installed were from tarballs..
And I use Debian at home. Well, something else to bear in mind, didn't know that. Thanks for the info.
Ah, and sure.. I was also thinking about the lowscript kiddies.. but if one succeeds in fooling it, he will know the reason.