BLAG

BLAG Forums

All times are UTC




PostPosted: Wed Sep 17, 2008 1:18 am 

Joined: Sun Mar 25, 2007 11:33 am
Posts: 240
Location: Great Lakes
My previous post about the need to move up from 70K to 90K led to security questions. Since I'm on 24/7 with DSL, I think I need to be concerned.

noldrin said:
Quote:
Pound for pound, if I was going to put a system naked on the internet, I'd rather put BLAG 30K than Vista or XP fully patched. Although I'd probably harden the Linux box anyways.


So, what is involved in hardening? What should I do (or not do) to my system to make it more secure?

I wonder if BLAG should have a section somewhere on the WEB site dedicated to keeping systems safe? I think plenty of users are interested.

Thanks in advance, and I hope everyone is having a great day.

Mike


PostPosted: Wed Sep 17, 2008 2:02 am 
Site Admin

Joined: Sun Mar 14, 2004 6:08 pm
Posts: 973
Location: Canada
Run a firewall and disable any services you know you don't use (don't use ssh? don't have it running) and aren't necessary. Not much more to it.

_________________
E-mail me at s.clement@localhost (replace localhost with sympatico.ca) or stevo32@localhost (replace localhost with blagblagblag.org).


PostPosted: Wed Sep 17, 2008 3:45 am 

Joined: Fri Nov 18, 2005 3:07 am
Posts: 699
Hardening is a process where security folks try to disable anything that isn't needed for the functions of the server and add in as many security programs as make sense. Basically, only run the services you need, take protections in other ways.

Common easy ways to do so include making sure your firewall only allows needed ports and having SSH block an IP after so many incorrect login attempts.

What is needed and not is debated among security people; I've seen some suggestions so out there that I wonder if anything can run on it.

Some people have created "hardened" distros that have a lot of extra precautions. Some use special kernels, such as PaX, which breaks up memory in ways that make it hard to exploit.

Bastille is a common program used by lazy (or busy) sysadmins to get themselves a degree of extra protection from their box.

http://bastille-linux.sourceforge.net/
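
The failed-login counting that an SSH blocking rule depends on, as an added example that is not part of the original post. It assumes sshd's usual "Failed password" syslog line format, uses constructed sample lines, and reads the address from the end of the line because the user name is supplied by the remote side.

```shell
#!/bin/sh
# Constructed sample lines in the format sshd writes through syslog.
# The last line carries a user name containing "from ... port ..." to show
# why the address must be taken from the end of the line.
sample_secure_log() {
cat <<'EOF'
Sep 17 03:12:01 blag sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Sep 17 03:12:04 blag sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40125 ssh2
Sep 17 03:12:09 blag sshd[2105]: Failed password for root from 203.0.113.5 port 40130 ssh2
Sep 17 03:15:40 blag sshd[2140]: Failed password for mike from 198.51.100.7 port 51200 ssh2
Sep 17 03:15:52 blag sshd[2141]: Accepted password for mike from 198.51.100.7 port 51201 ssh2
Sep 17 03:20:00 blag sshd[2150]: Failed password for invalid user x from 10.0.0.1 port 22 from 192.0.2.9 port 40500 ssh2
EOF
}

# offenders LIMIT < logfile
# Prints "address count" for every source with at least LIMIT failed logins.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Scan backwards: the final "port" token is written by sshd itself.
            for (i = NF; i > 1; i--)
                if ($i == "port" && $(i - 1) ~ /^[0-9A-Fa-f:.]+$/) {
                    hits[$(i - 1)]++
                    break
                }
        }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
    ' | sort
}

# block_rules: print (not run) one firewall rule per offender for review.
block_rules() {
    while read -r ip count; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

sample_secure_log | offenders 3 | block_rules
```
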


PostPosted: Wed Sep 17, 2008 1:49 pm 

Joined: Thu Jul 13, 2006 5:01 pm
Posts: 509
Location: Boston, MA, USA
noldrin wrote:
Bastille is a common program used by lazy (or busy) sysadmins to get themselves a degree of extra protection from their box.

http://bastille-linux.sourceforge.net/


One thing I like about Bastille is that it offers sysadmins the ability to choose just how "hardened" their server should be. It should be noted that the more extreme settings will break some functionality. My former company relied upon the ability to do password-less ssh as root in order to control HA failover. Whenever a customer suddenly lost the ability to perform failovers, the root cause was invariably a hardened ssh configuration.


PostPosted: Wed Sep 17, 2008 5:45 pm 

Joined: Fri Nov 18, 2005 3:07 am
Posts: 699
Bastille is my company's main method of securing Linux. It's a good cost/benefit trade off. I surely wouldn't use it and say the system is ready for an ecommerce site. What I like about it is that it teaches you about some system security issues rather than claiming to be a magic pill.


PostPosted: Wed Sep 17, 2008 10:20 pm 
Site Admin

Joined: Wed Mar 17, 2004 6:17 pm
Posts: 1340
Location: London, UK
https://wiki.blagblagblag.org/Chkconfig
also `serviceconf` to run the gui

_________________
BLAG 'em up!
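
One way to list which services are still enabled before turning them off, as an added example that is not part of the original posts. The sample is constructed in the `chkconfig --list` output format, and the keep list is an assumption to adjust per machine.

```shell
#!/bin/sh
# Constructed sample in the format printed by `chkconfig --list`.
sample_chkconfig() {
cat <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
}

# unneeded_services "svc1 svc2 ..." < chkconfig-list-output
# Prints every service that starts in runlevel 3 or 5 and is not on the
# keep list. Lines without the seven runlevel columns (for example the
# xinetd section) are skipped.
unneeded_services() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        NF >= 8 {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in want)) print $1
        }'
}

# disable_commands: print (not run) the commands that would turn each
# listed service off at boot and stop it now.
disable_commands() {
    while read -r svc; do
        printf 'chkconfig %s off && service %s stop\n' "$svc" "$svc"
    done
}

# Assumed keep list for a desktop that does not accept ssh logins.
sample_chkconfig | unneeded_services "iptables network cups" | disable_commands
```

On a real machine, replace `sample_chkconfig` with `chkconfig --list` and review the printed commands before running any of them as root.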


PostPosted: Sat Sep 20, 2008 1:39 am 

Joined: Sun Mar 25, 2007 11:33 am
Posts: 240
Location: Great Lakes
What about WEB browsers? Is there a consensus on this issue? What is the best from a security standpoint? Or doesn't it matter?


Mike


PostPosted: Sat Sep 20, 2008 9:43 am 
Site Admin

Joined: Wed Mar 17, 2004 6:17 pm
Posts: 1340
Location: London, UK
Depends what you mean by security. I guess that the most secure browser is none at all? There are a few text-based browsers that don't allow cookies, java or any client-side scripts to run on your box. (elinks, lynx, w3m within emacs).

Dillo is a browser that weighs under 1024kb. Small and secure but may not be what you want if you are looking for a feature-rich browser.

Decent heavyweight browsers tend to be extensible. Noscript, flashblock et al. are good add-ons for firefox. I guess you could also use the privacy, security and advanced sections of the options within ffx.

You could also use firewalls and tcpdump to check the packets that are coming in....

_________________
BLAG 'em up!


PostPosted: Sat Sep 20, 2008 10:20 pm 
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
A security problem via the browser is most likely to come via flash or java or javascript or similar. Also, apparently lately there have been different types of attacks where you think you are going to ebay.com or whatever, but you are going somewhere else.

FWIW, it has undoubtedly happened but I have never had a BLAG user report a compromised machine to me. I have seen one, but that was done via crappy php code that didn't come with blag so that doesn't really count (and that just got a shell, not root).

I use firefox and seamonkey. I would like something more lightweight, but have never been content with the alternatives. Firefox 3 gets unstable for me when I'm running like 50-100 tabs......... ;)

-Jeff

