April 9th, 2004, 08:25 PM
Hey all, (1st post)
I'm trying to secure my new slackbox; we wanted to disable just about everything except apache (2.x), ftp, and sshd.
The box is behind a BSD box that we're using as the firewall.
Basically, just looking for some tips on what to lock down and what to leave alone. I know apache (I'm only using apache as an example) needs to be locked up (currently using the default settings). I don't even know where to start (total noob); I'd sure appreciate any help you all could share.
> apache (perl and php)
> 1ghz, 528 ram, 80 gig HD
> slackware 9.0
-I'm sorry, for a second I thought someone cared!
April 9th, 2004, 08:27 PM
Thymus' PDF Guide to Securing Slackware would be, IMHO, the best place to start.
April 9th, 2004, 08:38 PM
Just one little question: why slackware 9.0 and not 9.1 (or -current)?
You have to make sure your software is up to date.
I use SWareT ( www.swaret.org ) for that task.
That little tool can easily upgrade your slack 9.0 install to the current state (with minimal risk).
One pointer: take it one step at a time.
Read up on apache (here at AO there's lots of info).
When you are done tightening your httpd.conf, go read up on proftpd etc..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
April 9th, 2004, 08:44 PM
-I'm sorry, for a second I thought someone cared!
April 9th, 2004, 10:18 PM
First off, welcome to the forums! I hope you enjoy your time here, teaching us what you know while you learn from others here.
Just a side note since they already finished instructing you on security (good link Ms), I would like to recommend a GUI for your slackware release. 9.0 and 9.1 compatible.
Dropline Gnome. (http://www.dropline.net) It is a release version of gnome that has been hacked and compiled to give slackware a taste of heaven, while remaining fast. From a fellow Slack user, please give it a look. Not only does it allow you to get comfortable and into a GUI that looks decent (stock gnome 2.6 is disgusting), but it has a variety of tools to help make the long process of securing your box at least more enjoyable.
That is an image of my current slack 9.1 box, and as you can see, it is a very clean release of gnome. Give it a shot, and it won't let you down. Just feel free to ask questions on their very friendly forum, or right here. I'll answer what I can.
April 10th, 2004, 06:56 AM
Re: securing slackware
This is the best slackware paper I've read on how to harden and secure it.
Have phun reading it: http://www.c2i2.com/~dentonj/system-hardening
April 10th, 2004, 06:22 PM
Just a thought:
I would advise using ftp ONLY for anonymous access, as the passwords are transmitted in clear text.
If you are using ftp for file transfer for web page upkeep, I recommend using ssh and a client that can do SFTP through an ssh2 tunnel (FileZilla for Windows is a very good example and I wouldn't dream of transferring files any other way).
It's easy to overlook this fact, as I hadn't known this until I got heavily into security.
Hope this helps.
-Those are my principles. If you don't like them, I have others.
April 11th, 2004, 02:07 AM
Thought I would offer a few more security tips for a fellow slackware user.
1. Partition setup:
hda1 = / = rest of hd space, do some math to work it out
hda2 = /home = I use 10Gigs here, you may want more or less. This allows my users to have music and movies
hda3 = /var = I give 3Gigs here, because I don't think I will ever see my httpd server or the logs reach 3gigs.
hda4 = swap = twice the size of your ram. In fact, it isn't necessary and that rule is only a fake rumor, but for security reasons this rule does help defence against RAM overflows.
Partition reasoning: First, calculate how much space hda2, 3 and 4 will take up, then subtract that from your total disk space. Use that new figure for hda1. The reason I'm suggesting the math first is because you want to make hda1 before anything else. /home is a separate partition because we don't want someone possibly breaking into a user account and attempting a DoS with it. If a hard drive fill-up is attempted, only /home is affected and not the entire system.
/var is also on a separate partition for the same reason. If someone decides to DoS you and fill up your log directory, the /var partition will stop it from taking up the entire HD space.
2. Keep up to date:
I either recommend looking into getting swaret (a program that helps keep slack up to date) or manually downloading everything in the slackware-current directory, and apply them.
However, you have to make a decision first.
A. Do I want a bleeding edge, quickly responding slackware?
B. Do I want a stable, solid, secure slackware?
If you indeed choose A, then you need to update your computer by hand, using the newest released software of slackware, that we all know as slackware-current. Getting there is simple:
If you choose B (what I pick), then I recommend either using swaret (http://www.swaret.org/) or manually downloading and applying the patches via (ftp://carroll.cac.psu.edu/pub/linux/...ches/packages/), and then running updatepkg *.tgz in the directory you downloaded them to (similar to above). However, if you are honestly considering total security, I cannot recommend slackware 9.1 enough. Sure, it is only a release behind, but the packages/patches for 9.0 still won't bring it safely up to where 9.1 even starts out. Seriously, it's only two CDs (one, if you are like me and don't need gnome or kde, but use dropline gnome instead).
3. Look into using the 2.4.25 kernel. It's the newest 2.4.x release and has more stability than the current 2.6.5 in terms of solidness and stability. I also recommend patching the kernel (read the README in the source dir to learn how to patch) with the grsecurity patch (http://www.grsecurity.org), and then in make menuconfig setting the grsecurity level to at least medium. You can set it to high if you like, but you will need to disable a thing or two to allow X to work. In short, grsecurity is similar to SELinux: a security patch placed on a kernel level to help prevent buffer overflows, chroot improper usage, improper chmod usages, etc.
So, you could get the tgz for the bare 2.4.25 kernel here : ftp://carroll.cac.psu.edu/pub/linux/...5-noarch-2.tgz
And the headers for it here: ftp://carroll.cac.psu.edu/pub/linux/....25-i386-2.tgz
And simply installpkg both of them. After that, grab the 2.4.25 grsecurity patch from the grsecurity site, apply the patch, and have fun. Of course, you would need to enable grsecurity in the make menuconfig, but keep in mind to use the Medium setting. I recommend high, personally, but there are 3 settings which break XFree and x.org completely. If you end up wanting that extra bit of security, post here and let me know. I'll be more than happy to help you on this.
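As an added example, not from any poster in this thread: a POSIX shell script that audits a mount table for the separate /home and /var filesystems the partition layout above calls for (so a fill-up of user data or logs cannot exhaust /), and does the "math first" step for hda1. The mount tables and the 80 GB / 528 MB sizes it uses are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Example audit (not from the thread): verify that /home and /var are their
# own filesystems, and compute the space left for the root partition.
# Input is mount-table text in /proc/mounts or fstab form:
#   device mountpoint fstype options dump pass

# Constructed sample: the layout suggested in the post.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda2 /home ext3 rw 0 0
/dev/hda3 /var ext3 rw 0 0
/dev/hda4 none swap sw 0 0'

# Constructed sample: everything on one partition (the risky case).
SAMPLE_FLAT='/dev/hda1 / ext3 rw 0 0
/dev/hda2 none swap sw 0 0'

# separate_mount TABLE MOUNTPOINT
# Prints the device backing MOUNTPOINT when it is its own mount (exact match
# on the mountpoint field) and returns 0; prints nothing and returns 1 otherwise.
separate_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp { print $1; found = 1 } END { exit !found }'
}

# audit_layout TABLE
# One line per check; returns 0 only if both /home and /var are separate.
audit_layout() {
    status=0
    for mp in /home /var; do
        if dev=$(separate_mount "$1" "$mp"); then
            echo "OK   $mp is a separate filesystem on $dev"
        else
            echo "WARN $mp lives on the root filesystem; filling it fills / too"
            status=1
        fi
    done
    return $status
}

# root_size_mb TOTAL HOME VAR SWAP (all in MB)
# Space left for hda1 after the other partitions are carved out.
root_size_mb() {
    echo $(( $1 - $2 - $3 - $4 ))
}

audit_layout "$SAMPLE_MOUNTS"
audit_layout "$SAMPLE_FLAT" || echo "flat layout failed the audit"
# 80 GB disk, 10 GB /home, 3 GB /var, swap = 2 x 528 MB RAM (constructed)
root_size_mb 80000 10240 3072 1056   # → 65632
```

Run it against the live system with `audit_layout "$(cat /proc/mounts)"`; the WARN branch is the condition the post's partitioning is meant to avoid.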