
Thread: OK *NIX groupies

  1. #11
    Banned
    Join Date
    Jul 2001
    Posts
    264
    hehe...get 'em hog. Talk's cheap mother ****ers!

  2. #12
    Junior Member
    Join Date
    Aug 2001
    Posts
    5
    you start locking down a nix box during installation.
    install only the stuff you need (if it is not there it can't be exploited).
    make sure you know what services are starting and why.
    try to run services with accounts that have the minimum permissions necessary to function (if you don't have to run it as root then don't).
    know group memberships (floppy, mail, etc).
    know why to know group membership.
    limit access users have to system utilities.
    you can run something like tripwire and monitor all file modifications.
    change the banners daemons display (let suckers think they are dealing with some old buggy version of sendmail).
    use firewall (iptables rocks).
    spend some time every day browsing security forums.
    try to hack the hell out of your box.
    do not run stupid services (telnet).
    smartly manage your users (if your users need ftp access do not give them shell).
    limit access by ip numbers (if you are the only one using ssh then put that down in hosts.allowed).
    change default file locations, settings, etc (as much as reason allows).
    review your logs.
    set up honey pots and alerts.

    ok this will probably save you from script kiddies and most malicious users. there is no such thing as total security.

    on a personal note:
    i am new to linux (it started as a hobby a couple of years ago) and microsoft was my primary OS. what a huge waste of time. windows 2k compared to nix is nothing more than an advanced calculator. I guess it is up to the individual to choose if he wants to control his system or to be just a dumb user.

  3. #13
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    I applaud you

    was that so hard everyone? decent response ethx.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  4. #14
    Junior Member
    Join Date
    Aug 2001
    Posts
    1

    OK *NIX groupies

    First off, i should mention something that you all should know. Any good admin/engineer needs to know both windows and at least one flavor of unix, that's the reality, deal with it.

    on the security tip.

    it's less about methodology than it is about flexibility and dollar for dollar value.

    for starters: workstations or servers.
    turn off all unneeded services/ports (uucp/telnet)
    deny icmp relay
    turn off identifiers/banners (uname -rc.local)
    NO X-windows (servers)
    should we mention the lack of unix worms/viruses??
    for servers use tcp wrappers.
    Understand what needs to be run as root and what doesn't
    Do a custom install and don't install nothing you don't need. period. and don't let your users have permissions to install either.
    Like ethx mentioned use ipchains/iptables...it's there, why not.

    simple little things that i take for granted like a Tripwire, Snort and md5sum checks run thru crons are FREE FREE FREE. Which as an engineer means i can trash it if it's crap and not get **** from my CFO

    runner ups...NIS Kerberos (thank god win2k includes), SATAN/SAINT etc etc.

    i know i've forgotten a ton of stuff...oh freeBSD is where it's at, if you're really serious.

    ~push~
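The checksum check run from cron that the post above mentions, which is also the Tripwire-style file monitoring suggested in post #12, as an added example that is not part of any poster's message. It assumes GNU coreutils and uses sha256sum in place of md5sum; the function names, the crontab path and the sample files are hypothetical or constructed.

```shell
#!/bin/sh
# Added example: checksum baseline + verify, the kind of job the posts run from cron.
# sha256sum replaces md5sum here; the paths in this crontab line are hypothetical:
#   15 3 * * * /usr/local/sbin/integrity.sh check /etc /mnt/ro/etc.sha256

# make_baseline DIR OUT: one "hash  ./path" line per regular file under DIR.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# check_baseline DIR BASELINE: print ADDED/MODIFIED/MISSING lines for drift;
# return 0 when the tree matches the baseline, 1 when it does not.
check_baseline() {
    now=$(mktemp) || return 2
    make_baseline "$1" "$now"
    rc=0
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }   # 64 hex chars, 2 separators
        FILENAME == ARGV[1] { old[p] = h; next }          # first file is the baseline
        !(p in old)         { print "ADDED " p; bad = 1; next }
        old[p] != h         { print "MODIFIED " p; bad = 1 }
                            { delete old[p] }
        END { for (p in old) { print "MISSING " p; bad = 1 }; exit bad + 0 }
    ' "$2" "$now" || rc=$?
    rm -f "$now"
    return "$rc"
}

# demo: constructed sample tree; change one file, drop one, add one, then verify.
demo() {
    d=$(mktemp -d) && b=$(mktemp) || return 2
    mkdir "$d/bin"
    echo 'root:x:0:0' > "$d/passwd"; echo 'ls-v1' > "$d/bin/ls"; echo 'ok' > "$d/motd"
    make_baseline "$d" "$b"
    echo 'ls-changed' > "$d/bin/ls"; rm "$d/motd"; echo 'x' > "$d/bin/.hidden"
    st=0
    check_baseline "$d" "$b" || st=$?
    rm -rf "$d" "$b"
    return "$st"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Keep the baseline on read-only or off-host media: a baseline stored on the monitored box can be rewritten by whoever changed the files.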

  5. #15
    Junior Member
    Join Date
    Jul 2001
    Posts
    3
    I'm fairly new to linux, but this is how i would secure my box.


    -Obtain the latest version of whatever flavor i wanted.
    -Make sure the machine is disconnected from the internet and use another box (most likely windows) to gather the latest patches & bug fixes.
    -Disable all unnecessary services (telnet, apache, finger etc.)
    -Configure IPChains/IPtables
    -Install Hostsentry, Logcheck, Tripwire, & an antivirus utility.
    -Install Nmap to audit my system for holes.
    -Routinely check my logs for suspicious activity.

    Just a thought, but does any version of *nix have a "lock computer" feature similar to Win2k's?

  6. #16
    Junior Member
    Join Date
    Aug 2001
    Posts
    5
    xscreensaver lock

  7. #17
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    Locking NIX

    There is if you run a desktop. I'm sure there is if you just run text-mode but I haven't found it.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  8. #18
    Originally posted by Marine06
    Just a thought, but does any version of *nix have a "lock computer" feature similar to Win2k's?
    Type exit...log in when you return.

  9. #19
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I don't want to start another OS war here, I only have one remark:

    A lot of stuff you guys propose to secure your boxes sounds pretty familiar to me (there actually were some good tips amongst them, things I hadn't thought of yet) and not only because I'm running Linux too. Hey, maybe I've heard of them a decade ago, when I was into DOS (that's DOS, not DoS) and the last few years, when I was into Windows.

    OK, the jargon may differ, but hey, that's why there's something like copyright...

    I randomly chose some of your tips:

    install only the stuff you need (if it is not there it can't be exploited).
    Same with Windows... Don't install the file-and-print services if you don't need them, for example. Or the VPN, or better, don't install the Communications part at all. Bet you won't have to deal with trojans anymore ;-) (if it is not there...)
    make sure you know what services are starting and why.
    Start --> Run --> msconfig will do the trick.
    If you want to know why, there's the MS Knowledge Base.
    limit access users have to system utilities.
    No prob, especially not with NT. And there's tools for that in Win 9x.
    you can run something like tripwire and monitor all file modifications
    Agnitum's Tauscan and Taumonitor will do the trick...
    use firewall (iptables rocks).
    No prob.
    spend some time every day browsing security forums.
    Yups.
    try to hack the hell out of your box.
    Been there.
    do not run stupid services (telnet).
    It's just as easy in Windows as it is in *nix. Blocking telnet ports also is.
    limit access by ip numbers
    No prob.
    simple little things that i take for granted like a Tripwire, Snort and md5sum checks run thru crons are FREE FREE FREE
    Simple little things that I take for granted like ZoneAlarm, Tauscan, Taumonitor, IP-tools and associates are FREE FREE FREE ;-)
    -Make sure the machine is disconnected from the internet and use another box (most likely windows) to gather the latest patches & bug fixes.
    Make sure the machine is disconnected from the internet and use another box (most likely LINUX) to gather the latest patches & bug fixes.


    Damn, there must be a point in all of this stuff I said. Maybe something like: Windows may not be the most secure OS out there, but there's some pretty good FREE FREE FREE stuff out there to lock your Win-machine... That is, if you know what you're doing, of course...

    As for my Win-machine, here's my tips / configuration (for WinME, the most-hated version out there ;-)

    - Password-protected BIOS of course, combined with a general boot password.
    - A 'Do not modify my boot-sector without my permission' proggy.
    - StartUpMonitor (monitors all programs that are executed upon boot - Anti-Trojan)
    - ZoneAlarm and Tiny Personal Firewall (if you set them up properly, they won't interfere with each other).
    - Tauscan (Anti-Trojan) and Taumonitor.
    - NukeNabber.
    - Tambu UDP Scrambler.
    - Jammer (Monitors all running applications, services, registry and netstat-options).
    - IP-Tools, SamSpade, Cyberkit.
    - Network Sniffer.
    - Veracity ('do not modify my files without my permission').

    A whole bunch of course: it's eating my memory, and it's not easy to configure to work together peacefully, but it does the job.

    Of course one thing remains: a secure OS doesn't need all of this FREE FREE FREE (well, most of it) stuff...

  10. #20
    Senior Member
    Join Date
    Aug 2001
    Posts
    170

    Lock *nix consoles

    Originally posted by Marine06
    Just a thought, but does any version of *nix have a "lock computer" feature similar to Win2k's?
    "vlock" will lock the console and let you get right back to where you were when you type the password back in. Much better than just exiting.
    "If you torture the data enough, it will confess." --Ronald Coase
