Securing Slackware

Thread: Securing Slackware

  1. #1
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Securing Slackware

    Hey everyone,

    Besides doing a paper on Slackware Linux VS Free BSD I also run two Slackware machines here at home, and well, besides wanting to have a cool discussion for the front page, I'd like to see how others do it as well.

    So, how do YOU Secure your Slackware boxes?

    I am still searching for a good firewall / front end to IPTables, which I've yet to find. Anything I find seems to want X loaded. Well I don't.

    I don't always use X on my Slackware machines, and firestarter, shoewall, and most others either want KDE or GNOME loaded to work. Firestarter I've used and found it easy to set up, but having to have GNOME loaded the whole time is just annoying. When you switch to Runlevel 3, it dies. And won't run in it.

    So what is a good firewall you've found that works without X? I'd like to find something like the application Firestarter that will continue to run when I take down X.

    I've just found something called GShield, which I'm looking at right now, and hoping it's actually good. There seems to be a real bad low amount of firewalls made for Slackware, and most of them are crap.

    SUSEFirewall2 remains the best firewall I've seen for Linux, even though it is just a front end for IPTables, but at least it stays up when you shut X down.

    Currently, I use Swaret, which before that I just used wget for my patches, and other than that I have nothing really in place but a hardware firewall. The only problem is, if I pop the box in my DMZ, poof, unprotected as hell.

    I have been looking for a GOOD paper on IPTables, but the ones I find are very boring, very long, and not very informative. I've never used IPTables directly, and even though I'd like to, I haven't got the time right now to actually sit down and learn them.

    This is a side effect of me working two jobs, going to college full time, and in the one day a week I get off, I have to do homework, and do things here at home, so I haven't had much time. Which is why I'd like to get a decent front end for IPtables so I can allow, say, SSH, Apache, and FTP through, and when I'm not using those, have all ports closed.

    I've been trying to talk Pat into making a firewall for Slackware, but I haven't gotten a reply. Maybe SUSE will make a port of SUSE Firewall2 to Slackware. I have yet to find anything better. It has an easy to use interface, but also has a lot of advanced stuff to set by hand as well.

    So has anyone here found something decent? What firewall do you use for Slackware?

    If I could pick to change something in Slackware, I'd take out ProFTPd, and replace it with PureFTPd, I'd put a Firewall like "slackwarewall", something like that in it, and I'd make Postfix the default over Sendmail.

    Heh, maybe one day I'll finally get good at C or ASM and make a tool for Linux called "SWAT" which I could say means "SlackWare Admin Tool". Damn I'm good with marketing lol.

    Anyway, Please, don't reply saying you have some Windows firewall you like, I want this to be a good clean thread with some humor, and a lot of information. If you find something or use something really good, and you want me to, I'll add you to my paper and give you credit for finding it. I'm obviously going to talk about anything I find that I like, and if you want I'll add you in there.


    A few minutes ago I found a bit in one of my books how to get IPtables going very easy, but of course it didn't work.

    iptables -A INPUT -i eth0 -s 0/0 -d MyPrivateIPForSlackwarebox -p tcp \ --dport telnet -j DROP



    I tried that but it says that the --dport is not valid. So like, does anyone know what is valid? I've looked at that command and it seems to me that a good guess is dport would be destination port, -i is interface, -p would be port, and -d would be destination. I'm only guessing here though.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  2. #2
    http://www.justlinux.com/nhf/Securit...es_Basics.html
    This is the tut I used to get the hang of IPtables before I went to harder stuff.

    I am a slapt-get fan, I haven't used swaret yet.


    Let's see some replies, Antionline Security Forum. This is a thread I have my eye on.

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    More important than a firewall are the services..
    Remove (#) as much as you can from /etc/inetd.conf
    Don't forget to /etc/rc.d/rc.inetd restart

    I tend to like DIY firewalls..
    A minimalistic NAT firewall like this

    Code:
    #!/bin/bash
    # Minimal NAT rules
    
    echo -n "Iptables "
       iptables --flush
       iptables --table nat --flush
       iptables --delete-chain
       iptables --table nat --delete-chain
    echo "flushed"
    
    echo -n "Iptables "
       iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
       iptables --append FORWARD --in-interface eth1 -j ACCEPT
    echo "nat"
    Another version I like is the one from adsl4linux (Dutch).

    The firewall comes in an iptables and ipchains version and can be found here..
    http://cvs.sourceforge.net/viewcvs.p...nux/templates/

    You'll probably want the iptables version (unless you are running a 2.2 kernel)..
    Download both firewall.iptables and firewall.iptables.conf

    Copy the firewall.iptables.conf to /etc/
    Copy the firewall.iptables to /usr/local/sbin/
    And make it executable.. chmod +x /usr/local/sbin/firewall.iptables

    The .conf file has loads of info and help.. And isn't in Dutch
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    450

    Re: Securing Slackware


    Heh, maybe one day I'll finally get good at C or ASM and make a tool for Linux called "SWAT" which I could say means "SlackWare Admin Tool". Damn I'm good with marketing lol.
    Gore - Not that good - few have beaten you to it: SWAT - Special Weapons And Tactics, Samba Web Administration Tool .... been done to death ... back to the drawing board .....

    gShield is good, I run that on Slack and Gentoo .... until I put life back into a little old computer and made it a dedicated firewall and shoved Smoothwall on it .... made life really simple with web interfaces for everything that needs doing.... a firewall that comes with Snort IDS, Squid Proxy Server, VPN, comprehensive log reports blah blah.... very easy to administer from a browser - and after a few easy mods (have to get dirty on the commandline here) it's even running Dansguardian content filtering with clamv virus detection to stop the web nasties from getting in.

    Along with a "mod" called Guardian - port scan my IP > Snort detects the odd behaviour > Guardian mod jumps into action > slam dunk !! your IP is on the banned/blocked list .... automagically - love it....

    Smoothwall is worth looking at if you have an old box lying around and can afford to run a dedicated firewall.

    But getting away from this sales pitch for Smoothwall - Bastille offered commandline "set up" for hardening a box, never did have any joy getting it running on Slack but didn't try that hard either once gShield was on.

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Thymus' Securing Slackware Guide. Granted it's 8.1 but should cover most of the important areas.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018

    Re: Securing Slackware

    Originally posted here by gore
    iptables -A INPUT -i eth0 -s 0/0 -d MyPrivateIPForSlackwarebox -p tcp \ --dport telnet -j DROP
    Tried this?

    iptables -A INPUT -i eth0 -s 0/0 -d MyPrivateIPForSlackwarebox -p tcp --dport 22 -j DROP

    Steve

    Oh, and -p is protocol
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
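
An added example, not part of any post in this thread: a console-only script that builds the default-deny INPUT ruleset the first post asks for (SSH, HTTP and FTP allowed, every other port closed) and only prints it unless called with `apply`. The names `fw_rules`, `fw_apply`, `IFACE` and `ALLOW_TCP` are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): default-deny INPUT rules, no X needed.
# IFACE, ALLOW_TCP, fw_rules and fw_apply are names assumed for this sketch.
IFACE="${IFACE:-eth0}"
ALLOW_TCP="${ALLOW_TCP:-22 80 21}"   # SSH, HTTP, FTP control port

# Print the ruleset, one complete command per line; nothing is executed here.
# A backslash continues a command only as the last character on a line. Typed
# mid-line ("\ --dport") it glues a space onto the next word, so iptables no
# longer sees a --dport option.
fw_rules() {
    for port in $ALLOW_TCP; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2; return 1
        fi
    done
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened, plus RELATED traffic such as
    # FTP data channels (those also need the nf_conntrack_ftp helper loaded).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Policy goes last: if an earlier command fails, the box is not left
    # dropping everything, including the session that ran the script.
    echo "iptables -P INPUT DROP"
}

# Run the printed commands in order (root required), stopping at the first failure.
fw_apply() {
    rules=$(fw_rules) || return 1
    echo "$rules" | while read -r cmd; do
        $cmd || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then fw_apply; else fw_rules; fi
```

Run it without arguments to review the rules first; the port list is validated before any rule is printed, so a typo never produces a partial ruleset.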

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    135

    Re: Securing Slackware

    Originally posted here by gore


    I don't always use X on my Slackware machines, and firestarter, shoewall, and most others either want KDE or GNOMe loaded to work.
    Are you referring to shorewall? Just curious, cause I didn't think it needed any desktop environment, unless you are using webmin to configure it. Only thing I believe I needed to do to get it running on Slack was grab the iproute utility (I had used a default install). I currently use it on both my slack boxes, and it has never complained when I'm in the console only.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Besides doing a paper on Slackware Linux VS Free BSD {..}
    I can only tell you how to secure FreeBSD
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604

    Firewall

    My favorite *nix tool for firewalls is by far Firewall Builder 2.0. The latest revision of this great tool has been completely rewritten to use QT 3 for the GUI API, replacing GTK. This tool allows you to organize interfaces, networks, rules, policies and more into objects and templates which can easily be reused to create new firewalls or modify existing ones with ease. Firewall Builder then creates the ruleset for the platform you require and supports all my favorites (iptables, ipchains, ipfilter, pf, pix, and even custom linksys firmware!). FWB even checks all your rules for rule shadowing and other configuration errors and will then produce a script to install the new firewall and will connect via SSH to the target machine (which of course does not require X) and install the new firewall for you. This is easily the most kick ass firewall tool I am aware of and I recommend anyone who is involved in building or maintaining firewalls (or anyone who would like to learn, the scripts provide an excellent way to study the different rulesets) check this tool out. It is of course a sourceforge project.

    http://www.fwbuilder.org/
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  10. #10
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Wow, this got more replies than I thought it would, heh. I'll check out everything here and see if there is something that stands out.

    Heh, I can use IPFW with Free BSD but the Linux based one doesn't want to work. (IPFW was what made IPTables if my reading is correct). Thank you all, very good information here, and most likely when I start doing Firewalls for Slackware in my paper I'll point a link to this so you all get some credit for helping me out.

    I've wanted to get a 486 and set it up as a firewall, but I don't have a 486 yet. I'm thinking I'd use Slackware for that with an upgraded Kernel, because The Linux Kernel was the first Kernel to have a fully RFC Compliant TCP stack. So I'd use that.

    Thanks again guys, you certainly have given me quite a bit of reading to do.

    I'm trying to talk my college into letting me have a copy of Sun Screen. I need the experience. Heh.
