OK *NIX groupies

I've stayed out of it til now. I use both types of OS for starters.

I can lock down a windoze box pretty damn tight(like a virgin before prom night)
Everyone talks about how much more "secure their NIX boxes are, so lets talk methodology here..........how do you lock down your NIX b0xx33ns?


C'mon NIX groupies lets hear your methods since you are so secure.

PS....this isnt a challenge that I can r00t u. This is about learning. You all claim that your boxes are so secure....time to play SHOW and not just tell.

I believe that you should look at it this way.

Windows...although somewhat secure...when a flaw is found...the fix doesn't become available until Mickey$oft makes one.

On open source *NIX software...you have more people working on security and providing more patches at a faster rate. A patch is usually found in 24 hours for *NIX compaired to days and days and even months for M$. That is why open source *NIX is more secure. There is less time to exploit the security hole before a patch is produced.

Lastly...Security is only as good as the person in charge. For the most part I have found that M$ users are less knowledgeable of their systems than *NIX users. But this is just an observation.

As for virgins on prom night....there were no virgins the mourning after. :D

Thats exactly what I am saying.......you NIX groupies who say that windoze sucks..........can't back up how you secure your NIX boxes. I SAID SHOW NOT TELL.


Sure I know that *NIX is a more secure OS. Thats the nature of the beast. I bet 1/2 the people who responded in that other topic(windows is insecure) use windoze but are just saying use *NIX.

I want proof of your concept.....not some cut and paste from a how-to.

Neophyte: my anger is not pointed at you. I am just tired of hearing all of this bitching about windows when everyone uses it.

Hell as long as it doesn't start in X-Windows its more secure because most people get confused by the login screen.

As far as security is though, I disable most of the services, in the /etc/service and /etc/inetd file such as FTP and such.

Has anybody that says windows is insecure used a policy editor?

Just wondering. besides from a network standpoint windows is fairly easy to secure, other than the fact that you can use Lopht to get passwords.

but there are ways to fix that too! :dunce:

And you say Windows is not secure tell me what insecurities you've been able to do to windows, you don't have to explain how you did them, just what area of windows is "insecure"

Come on put your money where your mouth is! :blast:

I want proof....not some lame ass explanation of "why windows is insecure"

oh.....
I use policies :D.........

I don't want to talk in circles and this thread is going that way...so

Here is a list of some of the known security risks associatied with Mickey soft

http://www.windowsitsecurity.com/Art...partmentID=752

thats what I thought.....I'm just lookin for some of the NIX users to show me how they secure their boxes. If they can't than they should shut the **** up about windoze being insecure.

My main problem with Windows is that it crashes constantly. Its the person or people running the comps responsiblility to secure the comp, not the OS. If you just install an OS and not a firewall and/or virus detectors/protectors, and if you download files from people you don't know and do other stupid things, than its your fault for anything that happens.

This is just as I thought..................................no one can respond to this question correctly. Can anyone read?:duh:

hehe...get em' hog. Talks cheap mother ****ers!

you start locking down nix box durring instalation.
install only the stuff you need (if it is not there it cant be exploited).
make sure you know what services are starting and why.
try to run services with accounts that have minimum premisions neceseary to function(if you dont have to run it as root then dont).
know group memberships(floppy,mail,etc).
know why to know group membership.
limit access users have to system utilities.
you can run something like tripwire and monitor all file modifications.
change banners deamons display(let suckers think they are dealing with some old buggy vesion of sendmail).
use firewall (iptables rocks).
spend some time evey day browsing security formus.
try to hack the hell out of your box.
do not run stupid services (telnet).
smartly mange your users(if your users need ftp access do not give them shell).
limit access by ip numbers (if you are only one using ssh than put that down in hosts.allowed).
change default file locations, settings, etc (as much as reason allowes).
review your logs.
set up honey pots and alerts.

ok this will probibly save you from script kidies and the most of malicious users. there is no such thing as total security.

on personal note:
i am new to linux (it started as hoby couple yers ago) and microsoft was my primary OS. what huge waste of time. windows 2k compering to nix is nothing more then advanced calculator. I guess it is up to induvidual to chose if he wants to control its system or to be just a dumb user.

was that so hard everyone? decent response ethx.

First off, i should mention something that you all should know. Any good admin/engineer needs to know both windows and at least one flavor of unix, thats the reality, deal with it.

on the security tip.

its less about methodology than it is about flexibility and dollar for dollar value.

for starters:workstations or servers.
turn off all uneeded services/ports(uucp/telnet)
deny icmp relay
turn off identifyers/banners (uname -rc.local)
NO X-windows(servers)
should we mention the lack of unix worms/viruses??
for servers use tcp wrappers.
Understand what needs to be run as root and what doesnt
Do a custom install and dont install nothing you dont need. period. and dont let your users have permissions to install either.
Like ethx mentioned use ipchains/iptables...its there, why not.

simple little things that i take for granted like a Tripwire, Snort and md5sum checks run thru crons are FREE FREE FREE. Which as an engineer mean i can trash it if its crap and not get **** from my CFO

runner ups...NIS Kerberos (thank god win2k includes), SATAN/SAINT etc etc.

i know ive forgotten a ton of stuff...oh freeBSD is where its at, if you're really serious.

~push~

I'm fairly new to linux, but this is how i would secure my box.


-Obtain the latest version of whatever flavor i wanted.
-Make sure the machine is disconnected from the internet and use another box (most likely windows) to gather the latest patches & bug fixes.
-Disable all unnecessary services (telnet, apache, finger etc.)
-Configure IPChains/IPtables
-Install Hostsentry, Logcheck, Tripwire, & an antivirus utility.
-Install Nmap to audit my system for holes.
-Routinely check my logs for suspicious activity.

Just a thought, but does any version of *nix have a "lock computer" feature similar to Win2k's?

xscreensaver lock

There is if you run a desktop. I'm sure there is if you just run text-mode but I havent found it.

Quote:

---

Originally posted by Marine06
Just a thought, but does any version of *nix have a "lock computer" feature similar to Win2k's?

---

Type exit...log in when you return.

I don't want to start another OS war here, I only have one remark:

A lot of stuff you guys propose to secure your boxes, sounds pretty familiar to me (there actually where some good tips amongst them, things I hadn't thought of yet) and not only because I'm running Linux too. Hey, maybe I've heard of them a decade ago, when I was into DOS (that's DOS, not DoS) and the last few years, when I was into Windows.

Oke, the jargon may differ, but hey, that's why there's something like copyright...

I randomly chose some of your tips:

Quote:

---

install only the stuff you need (if it is not there it cant be exploited).

---

Same with Windows... Don't install the file-and-print services if you don't need them, for example. Or the VPN, or better, don't install the Communications part at all. Bet you won't have to deal with trojans anymore ;-) (if it is not there...)

Quote:

---

make sure you know what services are starting and why.

---

Start --> Run --> msconfig will do the trick.
If you want to know why, there's the MS Knowledge Base.

Quote:

---

limit access users have to system utilities.

---

No prob, especially not with NT. And there's tools for that in Win 9x.

Quote:

---

you can run something like tripwire and monitor all file modifications

---

Agnitums Tauscan and Taumonitor will do the trick...

Quote:

---

use firewall (iptables rocks).

---

No prob.

Quote:

---

spend some time evey day browsing security formus.

---

Yups.

Quote:

---

try to hack the hell out of your box.

---

Been there.

Quote:

---

do not run stupid services (telnet).

---

It's just as easy in Windows as it is in *nix. Blocking telnet ports also is.

Quote:

---

limit access by ip numbers

---

No prob.

Quote:

---

simple little things that i take for granted like a Tripwire, Snort and md5sum checks run thru crons are FREE FREE FREE

---

Simple little things that I take for granted like ZoneAlarm, Tauscan, Taumonitor, IP-tools and associates are FREE FREE FREE ;-)

Quote:

---

-Make sure the machine is disconnected from the internet and use another box (most likely windows) to gather the latest patches & bug fixes.

---

Make sure the machine is disconnected from the internet and use another box (most likely LINUX) to gather the latest patches & bug fixes.


Damn, there must be a point in all of this stuff I said. Maybe something like: Windows may not be the most secure OS out there, but there's some pretty good FREE FREE FREE stuff out there to lock your Win-machine... That is, if you know what you're doing, of course...

As for my Win-machine, here's my tips / configuration (for WinME, the most-hated version out there ;-)

- Password-protected BIOS of course, combined with a general boot password.
- A 'Do not modify my boot-sector without my permission' proggy.
- StartUpMonitor (monitors all programs that are executed upon boot - Anti-Trojan)
- ZoneAlarm and Tiny Personal Firewall (if you set them up properly, they won't interfere with each other).
- Tauscan (Anti-Trojan) and Taumonitor.
- NukeNabber.
- Tambu UDP Scrambler.
- Jammer (Monitors all running applications, services, registry and netstat-options).
- IP-Tools, SamSpade, Cyberkit.
- Network Sniffer.
- Veracity ('do not modify my files without my permission').

A whole bunch of course: it's eating my memory, and it's not easy to configure to work together peacefully, but it does the job.

Of course one thing remains: a secure OS doesn't need all of this FREE FREE FREE (well, most of it) stuff...

Quote:

---

Originally posted by Marine06
Just a thought, but does any version of *nix have a "lock computer" feature similar to Win2k's?

---

"vlock" will lock the console and let you get right back to where you were when you type the password back in. Much better than just exiting.

And where can we get this this VLock?

Quote:

---

"There are two major products that come out of Berkeley: LSD and BSD. We don't believe this to be a coincidence." --Jeremy S. Anderson

---

There are a lot of major products that come from Belgium: pralines, Belgian Sprouts, Belgian Endives, Belgian Waffles, BELGIAN fries (yes, I know it's called french fries, because the lame-ass that landed in Belgium did think he was in France). And not to forget: Bastard Operators From Belgium!)
And beer! (I know Butt ,- is the main beer distributor in the world, but that won't take long.
Butt beer actually is beer with +++++++++censore,.............. in it).
InterBrew actually is the number 2 in the world, so here we come with real beer, Butttttttttassbeer, like Celis White, Duvel, Stella, Jupiler, Maes, (and about 400 others)

And Technotronic's Pump Up The Jam?
And 2Unlimited?
AND New Beat? AND Lords of Acid?


I don't believe this to be a coincidence neither...

vlock was created by RedHat. You can select it in a custom installation of RedHat. Otherwise you can get the rpm off of RedHat's download site or the source here (link is to freshmeat in case new version comes out or something):

http://freshmeat.net/projects/vlock/

You sure do like my quotes, don't you Negative? :)

Quote:

---

You sure do like my quotes, don't you Negative?

---

I'm a big fan of theirs.

BTW: anybody can tell me how to install a Alcatel Speed Touch USB on SUSE 7.2? Never tried it with a USB modem before.

I'd say that only thing you have to do is to rebuild kernel with USB suport and USB modem support.
there are lots of linux-usb-HOWTOs out there

Yeah I know, I installed the hotplug stuff again but it doesn't seem to work. BTW, SUSE 7.2 supports USB. It just doesn't seem to recognize my modem (and yes, I downloaded the drivers). Strange...

I'm an NT admin by trade and a linux hobbyist, i tend not to get involved in arguments over which is best, in my opinion they both have thier merits and faults, linux is free though...
If your interested in how people secure thier boxes, here's what i do:
firstly, as has been said before, don't run services you don't need, thats just common sense, i prefer though to have a tight gateway box and you can relax a bit on your other pc's here's a script i knocked up using the brilliant iptables from the 2.4.x kernel:

#Declare Constants
LOCALNET="192.168.0.1/24"
INT_IF="eth0"
INT_IP="192.168.0.1/32"
EXT_IF="eth1"
EXT_IP=""

LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/24"
# Switch on ip forwarding
echo Turning on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush all rules
echo Flushing rules
iptables -F
iptables -X

#Masquarade for local lan
echo Setting nat for $LOCALNET
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -A FORWARD -i $EXT_IF --source $LOCALNET -j ACCEPT
iptables -A FORWARD -m state --destination $LOCALNET --state ESTABLISHED -j ACCE
PT

#Create a new table for logging/dropping packets
iptables --new DROPME 2>/dev/null
iptables -A DROPME --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
iptables -A DROPME --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
#iptables -A DROPME --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
iptables -A DROPME -f -j LOG --log-level emerg --log-prefix "Frag Drop "
iptables -A DROPME -j DROP

echo Building hack attempt rules
iptables --new HACKER 2>/dev/null
iptables -A HACKER --proto ALL -j LOG --log-level warn --log-prefix "Hacker Atte
mpt: "
iptables -A HACKER --j REJECT

#Deny MySQL
echo Denying mysql connections apart from $LOCALNET
iptables -A INPUT --protocol tcp --dport 3306 --source ! $LOCALNET -j HACKER

#Deny X Connections
echo Denying X Connections apart from $LOCAL_ADDRS
iptables -A INPUT --protocol tcp --dport 5900:6100 -i $EXT_IF -j HACKER
iptables -A INPUT --protocol tcp --dport 5900:6100 -i ! lo -j HACKER

#Deny Other Ports
echo Denying SMB from outside $LOCALNET
iptables -A INPUT --protocol tcp --dport 135:139 --source ! $LOCALNET -j HACKER
iptables -A INPUT --protocol tcp --dport 23 --source 0/0 -j HACKER
iptables -A INPUT --protocol tcp --dport 111 --source 0/0 -j DROP
echo Denying udp upto 1024
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j DROP
#Allow related connections back in
#iptables -A $EXTER_IF -m state -d $
iptables -L

Obviously this is something you couldn't do with windows, i'm curious to see what the built in firewall in XP is going to be like, if its anything like microsofts last foray into security (ISA) then i wouldn't trust it.

You know... I think part of the reason some people use *nix semi-exclusively is so they can feel smart because of the 'only smart people use *nix' myth that seems to be involved.

I would change that to 'only people with enough extra time on their hands use *nix'.

I mean, it's funny. I've not found many (although some exist) *nix-only users who are dedicated to their OS, but don't seem to faintly exude a sort of 'I use it, you don't, I'm smarter' kind of attitude.


As if OS matters quite so much now with the advent of :halo: TCP/IP :halo: .
:cool:

Actually the screen lock in X is only good for security if your box is in run level 5.
If its in run level 3, then you can use Ctrl + Alt + Backspace to kill X, and land at the command prompt already logged in. Effectivly bypassing the screen lock.
If in run level 5 then Ctrl + Alt + Backspace should land you at the X loggin screen (logged out).

Quote:

---

Obviously this is something you couldn't do with windows

---

I don't follow you, Petemcevoy.
So you think I can't define those rules in Windows? I don't see anything in your script I can't do with my Winbox. Maybe if you'd give me an example? I'm a retard, so I'm not as quick as you are.
And BTW: can someone like Parker take a look at this script, please? I'm no *NIX guru, but I think it's got some errors in it.

And Terr, why are you so fast? You're stealing the words right out of my mouth...again ;)

Negative said:
I don't follow you, Petemcevoy.
So you think I can't define those rules in Windows? I don't see anything in your script I can't do with my Winbox. Maybe if you'd give me an example? I'm a retard, so I'm not as quick as you are.

I've got a better idea, why don't you tell me how you would define those rules in a wondows box, how you would close down all ports apart from those you specify, or how you'd tell your windows box what to do to a packet that arrives at a particular port (DENY, DROP) - without the use of third party software


And he also said:
And BTW: can someone like Parker take a look at this script, please? I'm no *NIX guru, but I think it's got some errors in it.

What's your interest in finding errors in my script? Hogfly asked how people tighten up security on thier *nix boxes, this is what i do, why did Terr and yourself take offence at this, do i smell an attack of the green eyed monster? I'm not trying to give any air of superiority, what i dont know could fill a thousand books. I'm not interested in a flame war either, if you want somebody to bicker with, pwaring seems quite contentious - go bother him.

Quote:

---

Originally posted by petemcevoy
why did Terr and yourself take offence at this, do i smell an attack of the green eyed monster?

---

Offense? I'm just commenting on a vocal minority :D

Green eyed monster? AIEE! Maybe it's that liver-eating guy from the X-files! :eek:

:p

Quote:

---

I've got a better idea, why don't you tell me how you would define those rules in a wondows box, how you would close down all ports apart from those you specify, or how you'd tell your windows box what to do to a packet that arrives at a particular port (DENY, DROP) - without the use of third party software

---

This is the first time I hear you speaking about not using third party software... If that was what you meant, you were right.
And about your script: I'm not a *NIX-guru, but I do know some basic programming stuff. And there just seems something wrong with yours...
Damn, I guess this is what my flame-attitude got me: everything I ask or say, will be mistaken as a flame...

Well, I guess I'll have to live with that...

"There's an ugly green monster in my head, won't leave me alone until it's dead..." (Kapperdog: I know! You don't have to remind me of it ;) )

And Terr, I bet you'll post a reaction before I even finish this...

Goddammit!
Windows comes with all kinds of problems that have nothing to do with setting it up properly!
For example: your hacking the planet, so you grab their nametable and such, and find their lan manager.

Now, If it tells you that they are using win9x, or WinME,
THEN THEY ARE VULNERABLE TO ALL THE BEST ATTACKS!
For example!!!:
In *nix you can share filez and ****, and they are safe,
IN WINDOWS 95,98, or ME, NETBIOS SHARES ARE NOT SAFE!
their passwords can be easily cracked in a matter of seconds!
I'd like to see you do that to a Samba SMB type share!

Mind you, i know that anyone that uses Netbios is asking for it,
but everyone does! People shouldnt have to worry that because of thier OS's crappy programming they cant use the built-in features that were written right on the back of the Win98 box!

Another example,

DoS attacks, almost any DoS that works on both linux and windows generally works a hell of a lot better on Windows!
ip fragments for example. Windows is so crappily written that it will actually lock-up from resource exaustion, where linux will almost always save enough strength to allow the user to at least find out what the hell is goin on.

The amount of serious problems with windows that are exploited every-day is disgusting.

-8trak

8trak, I think the problems that come with NetBIOS have already been dealt with on those forums... You stating that everybody does use NetBIOS, is a stupid generalisation. I know you're a dual-booter, so stop bitching about Microsoft.

Quote:

---

THEN THEY ARE VULNERABLE TO ALL THE BEST ATTACKS!

---

What are those 'best' attacks? The ones that inflict the most damage? Grow up, man.
At least Windows supports my modem...

Best means Best, nothing else
You assume that i mean most destructive, I mean most effective.
Such as the OOB attacks a few years ago.
You cant say that there was ever a "better" DoS then that.
It caused users to BSOD immediately, what more do you want.
What operation system was effected??? Windows of course!

Why would you ever want somthing to use the "Most Destructive" Attack,
when with 'Microsoft Windows' you can download all their personal filez.

As for the modem thing,
Mabey if people didnt make such shitty modems then they would be
supported. Asking linux to support win modems is like asking Windows
to fully support hardware out of some ibm ps/2. (granted the architecture
was actually compatible).
And as for people who think that their USB crap should be supported,
their USB stuff should burn! USB is the spawn of all that is evil!

haha,
I've personally had some compatibility problems, but its my own fault for
having crappy hardware. And it's microsoft's fault that that crappy
hardware exists in the first place.

I do dual boot, but its only because i have to.
All of these programs could have been just as easily written
for linux, and if they had been, then i would never use windows.


-8trak

Its quite accurate to say that Netbios is everywhere.
I dont know if you've taken a look lately, but home
networks are getting popular, and netbios is making
a huge comeback.

I cracked the password on my school's admin's computer
today. It had it's entire drive shared. If he was using linux,
not only would i have not been able to get that password,
they probably would have caught me.

Scan a cable or DSL subnet and you'll find as many
people with open shares as you want. theyre everywhere.

-8trak

You know what? I did as you suggested, and the scary part is that you were right... So, for all of you that still have NetBios installed, but don't even know why: http://www.antionline.com/showthread...hreadid=114601 (jansson_markus' tips on disabling Netbios)

Hahaha,
Yeah, its completely insane, Secuirity techs would be appalled.
Worst part is that most of them arent password protected.

-8trak

I don't think either operating system is more inherintly secure. I think it depends entirely upon the the system administrator and their dedication to securing their systems. The reason so many windows machines get compromised is that the system administrator has as much of a clue as a gopher.

Unix is complicated and still somewhat more difficult to set up and confiure than windows (used to be really hard :)). The average windows users buys the machine from Dell/local superstore/etc. They don't configure it, secure it, or do anything other than what is required to get their Internet connection working(and they usually need help for this).

Netbios is not insecure, using it over tcp/ip is, and is not where netbios was originally used. Configure it to use netbeiu only on a local lan and it is ok. As far as grabbing passwords from local machines, with physical access to a machine of any operating system, comprimising the system is relativly easy compared to gaining remote access to a properly configured and patched system.

The same steps and in many cases similar tools are used to lock down windows AND unix systems. Its a matter of attention to detail, I've been running both unix and windows systems on the Internet for a long time and have had both systems compromised at one time or another. No system is perfect, but with attention to detail we can minimize the effects of any system penetration and learn more to apply in the future.

cheers

Quote:

---

Netbios is not insecure, using it over tcp/ip is, and is not where netbios was originally used. Configure it to use netbeiu only on a local lan and it is ok. As far as grabbing passwords from local machines, with physical access to a machine of any operating system, comprimising the system is relativly easy compared to gaining remote access to a properly configured and patched system.

---

Do you have any idea what your talking about?
I've personally never had any of my systems, linux or windows
"comprimised"

First of all, Netbios is insecure,
I never said that i was getting the passwords locally,
Give me a share address, and i'll show you how i can
crack the password in under 30 seconds for my comfortable
seat in my house.

Second of all, Netbios doesnt run under NetBEUI!
It runs under Tcp/ip or Ipx/Spx
It was originally meant to run under ipx!

Third,
Netbios is no more secure regardless of what protocol that
you run it under! The password authentication scheme is
busted! I dare you to share your drive and put your ip up here!

NetBEUI is insane! its like AppleTalk or somthing!
Microsoft just bought into it for some crazy reason!
It cant even support more then 256 computers!
Oh yeah, and its spelled NetBEUI, not "netbeiu"

Fifth:
NetBEUI....
HAHAHAHAHAHAHAHAHA

-8trak