what does it take to "harden" BLAG 90K

 
hansencomputers
Posted: Wed Sep 17, 2008 1:18 am    Post subject: what does it take to "harden" BLAG 90K

My previous post about the need to move up from 70K to 90K led to security questions. Since I'm on 24/7 with DSL, I think I need to be concerned.

noldrin said:
Quote:

Pound for pound, if I was going to put a system naked on the internet, I'd rather put BLAG 30K than Vista or XP fully patched. Although I'd probably harden the Linux box anyways.


So, what is involved in hardening? What should I do (or not do) to my system to make it more secure?

I wonder if BLAG should have a section somewhere on the WEB site dedicated to keeping systems safe? I think plenty of users are interested.

Thanks in advance, and I hope everyone is having a great day.

Mike

stevo32
Posted: Wed Sep 17, 2008 2:02 am

Run a firewall and disable any services you know you don't use (don't use ssh? don't have it running) and aren't necessary. Not much more to it.

_________________
E-mail me at s.clement@localhost (replace localhost with sympatico.ca) or stevo32@localhost (replace localhost with blagblagblag.org).

noldrin
Posted: Wed Sep 17, 2008 3:45 am

Hardening is a process where security folks try to disable anything that isn't needed for the functions of the server and add in as many security programs as make sense. Basically, only run the services you need, take protections in other ways.

Common easy ways to do so include making sure your firewall only allows needed ports and having SSH block an IP after so many incorrect login attempts.

What is needed and not is debated among security people; I've seen some suggestions so out there that I wonder if anything can run on it.

Some people have created "hardened" distros that have a lot of extra precautions. Some use special kernels, such as PaX, which breaks up memory in ways that are hard to exploit.

Bastille is a common program used by lazy (or busy) sysadmins to get themselves a degree of extra protection from their box.

http://bastille-linux.sourceforge.net/
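
Added example, not part of noldrin's post: one way to find the addresses that an "SSH blocks an IP after so many incorrect login attempts" rule would act on, by counting OpenSSH "Failed password" lines per source and printing a firewall rule for each as a dry run. The function names and the sample log are constructed for illustration, and the log format assumed is the standard `Failed password for USER from ADDR port N ssh2` line.

```shell
#!/bin/sh
# Constructed sshd log lines (documentation addresses, not real data).
sample_log() {
cat <<'EOF'
Sep 17 03:40:01 blag sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep 17 03:40:03 blag sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep 17 03:40:05 blag sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Sep 17 03:41:10 blag sshd[2110]: Failed password for mike from 198.51.100.23 port 51514 ssh2
Sep 17 03:41:22 blag sshd[2110]: Accepted password for mike from 198.51.100.23 port 51514 ssh2
Sep 17 03:42:00 blag sshd[2120]: Failed password for invalid user x from 192.0.2.50 port 22 ssh2 from 203.0.113.7 port 40131 ssh2
EOF
}

# Print "count address" for each source with >= $1 failed password attempts.
ssh_offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # sshd ends the line with "from ADDR port N ssh2". The user name
            # before it is supplied by the client, so match on the trailing
            # fields only and never on the first "from" in the line.
            if ($(NF-4) == "from" && $(NF-2) == "port") fails[$(NF-3)]++
        }
        END { for (a in fails) if (fails[a] >= t) print fails[a], a }
    ' | sort -rn
}

# Dry run: print (do not execute) a DROP rule for each offender.
block_rules() {
    ssh_offenders "$1" | while read -r count addr; do
        echo "iptables -I INPUT -s $addr -p tcp --dport 22 -j DROP  # $count failures"
    done
}

sample_log | block_rules 3
```

The last sample line carries a user name that itself contains "from 192.0.2.50"; because the parser reads the address from the fixed trailing fields, that address is never counted or blocked.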

extraspecialbitter
Posted: Wed Sep 17, 2008 1:49 pm

noldrin wrote:

Bastille is a common program used by lazy (or busy) sysadmins to get themselves a degree of extra protection from their box.

http://bastille-linux.sourceforge.net/


One thing I like about Bastille is that it offers sysadmins the ability to choose just how "hardened" their server should be. It should be noted that the more extreme settings will break some functionality. My former company relied upon the ability to do password-less ssh as root in order to control HA failover. Whenever a customer suddenly lost the ability to perform failovers, the root cause was invariably a hardened ssh configuration.

noldrin
Posted: Wed Sep 17, 2008 5:45 pm

Bastille is my company's main method of securing Linux. It's a good cost/benefit trade off. I surely wouldn't use it and say the system is ready for an ecommerce site. What I like about it is that it teaches you about some system security issues rather than claiming to be a magic pill.

john maclean
Posted: Wed Sep 17, 2008 10:20 pm

https://wiki.blagblagblag.org/Chkconfig
also `serviceconf` to run the gui


_________________
BLAG 'em up!

hansencomputers
Posted: Sat Sep 20, 2008 1:39 am

What about WEB browsers? Is there a consensus on this issue? What is the best from a security standpoint? Or doesn't it matter?


Mike

john maclean
Posted: Sat Sep 20, 2008 9:43 am

Depends what you mean by security. I guess that the most secure browser is none at all? There are a few text-based browsers that don't allow cookies, java or any client-side scripts to run on your box. (elinks, lynx, w3m within emacs).

Dillo is a browser that weighs under 1024kb. Small and secure but may not be what you want if you are looking for a feature-rich browser.

Decent heavyweight browsers tend to be extensible. Noscript, flashblock et al. are good add-ons for firefox. I guess you could also use the privacy, security and advanced sections of the options within ffx.

You could also use firewalls and tcpdump to check the packets that are coming in....


_________________
BLAG 'em up!

jebba
Posted: Sat Sep 20, 2008 10:20 pm

A security problem via the browser is most likely to come via flash or java or javascript or similar. Also, apparently lately there have been different types of attacks where you think you are going to ebay.com or whatever, but you are going somewhere else.

FWIW, it has undoubtedly happened but I have never had a BLAG user report a compromised machine to me. I have seen one, but that was done via crappy php code that didn't come with blag so that doesn't really count (and that just got a shell, not root).

I use firefox and seamonkey. I would like something more lightweight, but have never been content with the alternatives. Firefox 3 gets unstable for me when I'm running like 50-100 tabs......... ;)

-Jeff
