
Thread: Securing Slackware

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    2

    Securing Slackware

    Hey all, (1st post)

    I'm trying to secure my new slackbox, we wanted to disable just about everything except apache (2.x) , ftp, and sshd.

    The box is behind a BSD box that we're using as the firewall.

    Basically, just looking for some tips on what to lock down and what to leave alone. I know apache (I'm only using apache as an example) needs to be locked up (currently using the default settings). I don't even know where to start (total noob), I'd sure appreciate any help you all could share

    Services needed:
    > apache (perl and php)
    > ftp
    > sshd

    Users:
    >10-100 (varies)

    Box:
    > 1ghz, 528 ram, 80 gig HD
    > slackware 9.0
    -I'm sorry, for a second I thought some one cared!

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Thymus' PDF Guide to Securing Slackware would be, IMHO, the best place to start.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Just one little question why slackware 9.0 and not 9.1 (or current) ??

    You have to make sure your software is up to date..
    I use SWareT ( www.swaret.org ) for that task..
    That little tool can easily upgrade your slack 9.0 install to the current state (with minimal risk)

    One pointer, take it one step at a time..
    Read up on apache (here at AO there's lots of info)
    When you are done tightening your httpd.conf, go read up on proftpd etc..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Junior Member
    Join Date
    Apr 2004
    Posts
    2
    Much thanks, y'all.
    -I'm sorry, for a second I thought some one cared!

  5. #5
    First off, welcome to the forums! I hope you enjoy your time here, teaching us what you know while you learn from others here

    Just a side note since they already finished instructing you on security (good link Ms), I would like to recommend a GUI for your slackware release. 9.0 and 9.1 compatible.

    Dropline Gnome. (http://www.dropline.net) It is a release version of gnome that has been hacked and compiled to give slackware a taste of heaven, while remaining fast. From a fellow Slack user, please give it a look. Not only does it allow you to get comfortable and into a gui that looks decent (stock gnome 2.6 is disgusting), but it has a variety of tools to help make the long process of securing your box at least more enjoyable.

    http://67.166.97.134/misc/slackdropline2.png

    That is an image of my current slack 9.1 box, and as you can see, it is a very clean release of gnome. Give it a shot, and it won't let you down. Just feel free to ask questions on their very friendly forum, or right here. I'll answer what I can.

  6. #6
    Junior Member
    Join Date
    Oct 2002
    Posts
    1

    Re: securing slackware

    this is the best slackware paper I've read on how-to harden and secure it

    have phun reading it http://www.c2i2.com/~dentonj/system-hardening

  7. #7
    Member
    Join Date
    Jul 2002
    Posts
    41
    Just a thought:

    I would advise using ftp ONLY for anonymous access, as the passwords are transmitted in clear text.

    If you are using ftp for file transfer for web page upkeep, I recommend using ssh and a client that can do SFTP through an ssh2 tunnel (FileZilla for Windows is a very good example and I wouldn't dream of transferring files any other way)

    It's easy to overlook this fact as I hadn't known this until I got heavily into security.

    Hope this helps.
    -Those are my principles. If you don't like them, I have others.
    --Groucho Marx

  8. #8
    Thought I would offer a few more security tips for a fellow slackware user

    1. Partition setup:

    hda1 = / = rest of hd space, do some math to work it out
    hda2 = /home = I use 10Gigs here, you may want more or less. This allows my users to have music and movies
    hda3 = /var = I give 3Gigs here, because I don't think I will ever see my httpd server or the logs reach 3gigs.
    hda4 = swap = twice the size of your ram. In fact, it isn't necessary and that rule is only a fake rumor, but for security reasons this rule does help defence against RAM overflows.

    Partition reasoning: First, calculate how much space hda2,3 and 4 will take up, then subtract that from your total disk space. Use that new figure for hda1. The reason I'm suggesting the math first is because you want to make hda1 before anything else. /home is a separate partition because we don't want someone possibly breaking into a user account and attempting a DoS with it. If a harddrive fillup is attempted, only the /home is affected and not the entire system.
    The /var is also on a separate partition for the same reason. If someone decides to DoS you and fill up your log directory, the /var partition will stop it from taking up the entire HD space.


    2. Keep up to date:

    I either recommend looking into getting swaret (a program that helps keep slack up to date) or manually downloading everything in the slackware-current directory, and apply them.

    However, you have to make a decision first.

    A. Do I want a bleeding edge, quickly responding slackware?
    B. Do I want a stable, solid, secure slackware?


    If you indeed choose A, then you need to update your computer by hand, using the newest released software of slackware, that we all know as slackware-current. Getting there is simple:


    If you choose B (what I pick) then I recommend either using swaret (http://www.swaret.org/) or manually downloading and applying the patches via (ftp://carroll.cac.psu.edu/pub/linux/...ches/packages/), and then running upgradepkg *.tgz in the directory you downloaded them to (similar to above). However, if you are honestly considering total security, I can not recommend slackware 9.1 enough. Sure, it is only a release behind, but the packages/patches for 9.0 still won't bring it safely up to where 9.1 even starts out as. Seriously, it's only two CDs (one, if you are like me and don't need gnome or kde, but use dropline gnome instead).

    3. Look into using the 2.4.25 kernel. It's the newest 2.4.x release and has more stability than the current 2.6.5 in terms of solidness and stability. I also recommend patching the kernel (read the README in the source dir to learn how to patch) with the grsecurity patch (http://www.grsecurity.org), and then in make menuconfig setting the grsecurity level to at least medium. You can set it to high if you like, but you will need to disable a thing or two to allow X to work. In short, grsecurity is similar to SELinux, a security patch placed on a kernel level to help prevent buffer overflows, chroot improper usage, improper chmod usages, etc etc.

    So, you could get the tgz for the bare 2.4.25 kernel here : ftp://carroll.cac.psu.edu/pub/linux/...5-noarch-2.tgz

    And the headers for it here: ftp://carroll.cac.psu.edu/pub/linux/....25-i386-2.tgz

    And simply installpkg both of them. After that, grab the 2.4.25 grsecurity patch from the grsecurity site, apply the patch, and have fun. Of course, you would need to enable grsecurity in the make menuconfig, but keep in mind to use the Medium setting. I recommend high, personally, but there are 3 settings which break Xfree and x.org completely. If you end up wanting that extra bit of security, post here and let me know. I'll be more than happy to help you on this.
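The partition reasoning in post #8 (keep /home and /var off the root filesystem so a fill-up stays contained) can be checked on a running box. The script below is an added example, not code from any poster in this thread; the function names and the sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Input format is that of /proc/mounts: device mountpoint fstype options ...

# Print the mount point that holds PATH (longest matching prefix wins).
mount_for_path() {
    mounts_file=$1 path=$2
    awk -v p="$path" '
        {
            m = $2
            # Match the root, the path itself, or a parent directory of it.
            if (m == "/" || p == m || index(p, m "/") == 1)
                if (length(m) > length(best)) best = m
        }
        END { print best }
    ' "$mounts_file"
}

# Print the directories that share a filesystem with / and return 1 if any do.
# With no directories given, check the two the post calls out.
check_separate() {
    mounts_file=$1; shift
    [ $# -gt 0 ] || set -- /home /var
    shared=""
    for dir in "$@"; do
        if [ "$(mount_for_path "$mounts_file" "$dir")" = "/" ]; then
            shared="$shared $dir"
        fi
    done
    [ -z "$shared" ] && return 0
    echo "on root filesystem:$shared"
    return 1
}

# Constructed sample mount tables (not taken from the thread).
sample_good() {
    printf '%s\n' \
        '/dev/hda1 / ext3 rw 0 0' \
        '/dev/hda2 /home ext3 rw 0 0' \
        '/dev/hda3 /var ext3 rw 0 0' \
        'proc /proc proc rw 0 0'
}
sample_bad() {
    printf '%s\n' \
        '/dev/hda1 / ext3 rw 0 0' \
        '/dev/hda2 /home ext3 rw 0 0'
}

# Run against the live system only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then check_separate /proc/mounts; fi
```
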
