33 Comments
- funkytaco, on 10/12/2007, -2/+8
Just a small suggestion for those who are learning something:
"Regularly monitor the output of the following command for odd entries:
# vi /var/log/messages (system log)"
I'd suggest using `tail` instead.
tail -f /var/log/messages (watch the log in real-time)
tail -300 /var/log/messages (see the last 300 lines)
There is also a command called `head`. Guess what it does? ;)
- equusdc, on 10/12/2007, -1/+6
"Here's a fun contest: spot five things that are just plain wrong in this article."
I'll take the easy one. Default SSH port is 21? What the hell? Oh, to "secure" it, move it to 22. Well, golly gee willikers, that'll really stop the bots, since 22 IS the default SSH port (21 being ftp) and, well, how long does it take to scan 65536 ports? Less time than it took me to write this.
But, "Don't rely on security through obscurity as the only measure, it can be another defense line, but full dependence on it can only lead to trouble."
No, don't rely on it AT ALL and that includes relying on a firewall. Network services that shouldn't be accessed from a network port shouldn't be running on it in the first place. Running iptables on a node with only one network port (that is, it's not a router) should be superfluous. If it's not, there's something very, very wrong with the rest of your security plan... like what the hell are you doing with plaintext passwords in /etc/passwd on every machine? Lordy.
- inactive, on 10/12/2007, -6/+11
Wait, I thought Linux was secure by default? j/k, you can add your thumbs down now.
But looking over the remedies it's nearly identical to any Windows box. Secure Root/Admin, Firewall, IP Access etc etc.
In the Windows world, few Win users know how to or care to lock down their systems. That's pretty much why Windows has a bad rep. Not to say MS should get a free pass, but every system needs some lock down work.
- inactive, on 10/12/2007, -0/+3
Fuc%in blogs, I'm sick to freekin death of it. It seems like there are about 180 people who will digg any blog crap that shows up in the queue.
Support my 3 month ban on Blogs (started 3/6/06). Report as lame or inaccurate.
- targetX, on 10/12/2007, -1/+3
Nice article, especially the part about /etc/security/limits.conf. Excellent work!
- inactive, on 10/12/2007, -2/+4
Or better yet, just use logcheck so you don't have to do anything.
- MellerTime, on 10/12/2007, -1/+3
I agree completely. Turning on a firewall, removing unused accounts, limiting admin access... Very basic stuff here.
- aztekm30, on 10/12/2007, -1/+3
sudo apt-get install more secure linux
- argoff, on 10/12/2007, -0/+2
Some other ones I like to do...
Log in as root and do a "netstat -anp"; this will show all the listening ports. Unless I'm using it, I turn off portmap, rpc, and a lot of other junk. (Leave sendmail on, but make sure it is only listening on 127.0.0.1 and not 0.0.0.0, because it's used for a lot of internal stuff.)
Also do a "chkconfig --list|grep :on" for redhat/fedora/Ubuntu type systems (for debian type systems I don't know what the equiv is). This will show all the services that automatically get run at startup. I have found that 90% of stuff that gets auto-started... I don't need, and many others (like kudzu) you can run manually if you need them.
- EdLesMann, on 10/12/2007, -0/+1
"for debian type systems I don't know what the equiv is"
Anyone interested in this topic on a Debian system should look at rcconf. Since I haven't actually used chkconfig before I can't say with 100% certainty that this is the same, but it will let you modify startup items. (A quick search on google brought up this site for those interested: http://blogs.cyberciti.biz/hm/index.php/2005/10/27/removing-unwanted-startup-debian-files-or-services/ )
I also agree with using netstat to check for listening ports, good suggestion for the masses.
As for the 5 wrong things posted earlier, please do tell what they were. The port 21 was already mentioned; other than that I found a lot of debated advice type comments but nothing glaringly wrong. Like the /tmp: on some systems it is better to use the /tmp to do a lot of your work in (as long as it isn't security sensitive information); those types of systems should have an executable /tmp. However there are exploits that will attack and fill the /tmp partition to lock up the system and force a reboot; that is why I always make certain that the /tmp is on a different partition altogether from the / partition.
Things like that are more of an admin choice/debate than a standard security practice; it depends on the system and the user(s). There are a few of those in this article, but once again I didn't spot any glaring error (except the port 22). If there really are 4 other errors, I would be grateful to know what I missed.
- krissb, on 10/12/2007, -0/+1
Here is another (and better) guide to securing and hardening linux production systems:
http://www.puschitz.com/SecuringLinux.shtml
- Toallpointswest, on 10/12/2007, -0/+1
"Protect against Fork Bombs
Fork bombs are programs that keep creating child processes until system resources are all used; they actually aren't remote exploits because they require a local user to execute the bomb. However, users may be tricked into running a fork bomb; for example, the following example may look innocent, but running it on an unprotected system may take the whole system down:
:(){ :|:& }; :
WARNING: do NOT run the above code on an unprotected system!
The above shell script will actually keep forking at an exponential rate until system resources are exhausted."
Okay, I so never heard of this, can anyone explain why this works? As in what each symbol does?
- EdLesMann, on 10/12/2007, -0/+1
I apologize... my connection went weird and it seems to have posted 3 times... how do I remove the extras?
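As an added, defensive illustration of the /etc/security/limits.conf protection that targetX and the fork-bomb quote above refer to (example code, not from the article or any commenter): a POSIX sh/awk helper that resolves the hard nproc limit pam_limits would apply to a user, so an admin can see which accounts are still uncapped. The limits.conf content is a constructed sample, the helper names are mine, and the precedence rule (user line over @group line over "*") is the one documented for pam_limits.

```shell
#!/bin/sh
# Constructed sample of /etc/security/limits.conf (not read from the live system).
SAMPLE_LIMITS='# /etc/security/limits.conf (constructed sample)
# <domain>  <type>  <item>  <value>
*           soft    nproc   1024
*           hard    nproc   2048
root        hard    nproc   unlimited
@devs       hard    nproc   4096
bob         hard    nofile  8192'

# nproc_hard_limit USER GROUP CONTENT
# Prints the hard nproc value pam_limits would apply to USER (a member of GROUP) at login.
# Assumed precedence (as documented for pam_limits): a user line beats a @group line,
# which beats the "*" wildcard; a type of "-" sets both soft and hard. Prints "none" when
# no hard nproc line applies, i.e. PAM caps nothing if that user runs a fork bomb.
nproc_hard_limit() {
    printf '%s\n' "$3" | awk -v u="$1" -v g="@$2" '
        /^[ \t]*#/ || NF < 4 { next }                        # comments and blank/short lines
        $3 != "nproc" || ($2 != "hard" && $2 != "-") { next }
        $1 == u   { rank = 3; val = $4 }                     # user entry: highest precedence
        $1 == g   { if (rank < 2) { rank = 2; val = $4 } }   # @group entry
        $1 == "*" { if (rank < 1) { rank = 1; val = $4 } }   # wildcard: lowest precedence
        END { print (rank ? val : "none") }'
}

# check_nproc USER GROUP CONTENT
# Exit 0 if USER is capped by a numeric hard nproc limit, 1 if it is missing or "unlimited".
check_nproc() {
    lim=$(nproc_hard_limit "$1" "$2" "$3")
    case "$lim" in
        ''|none|unlimited|*[!0-9]*) return 1 ;;   # no numeric cap: a runaway fork exhausts the box
        *) return 0 ;;
    esac
}

# Demo: which users in the sample would still be unprotected?
for spec in alice:users alice:devs root:wheel; do
    u=${spec%%:*}; g=${spec#*:}
    if check_nproc "$u" "$g" "$SAMPLE_LIMITS"; then status=capped; else status=UNCAPPED; fi
    printf '%-6s (group %-5s) hard nproc = %-9s %s\n' "$u" "$g" \
        "$(nproc_hard_limit "$u" "$g" "$SAMPLE_LIMITS")" "$status"
done
```

Note that pam_limits only applies these values to sessions that go through PAM; a daemon started outside a login session keeps whatever ulimit its parent had.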
- PerlJunkie, on 10/12/2007, -2/+3
Quote: In the Windows world, few Win users know how to or care to lock down their systems. That's pretty much why Windows has a bad rep.
Ummm.... No. Windows is shot so full of holes as to make it look and smell like Swiss cheese. You can "secure" all the accounts, etc. that you want. Windows is still quite vulnerable.
- Aeiri, on 10/12/2007, -0/+1
"No, don't rely on it AT ALL and that includes relying on a firewall."
I agree you shouldn't rely on a firewall, but using one isn't a bad thing. If you have a service listed in /etc/hosts.allow to only allow computer X access to port Y, AND have it listed in your firewall configuration, then that is much better than only one or the other.
The reason for this is that if your firewall has a bug in it that allows an attacker to bypass that check, or if the kernel has a similar bug, then it would be less likely for you to be actually exploited, since BOTH have to occur in order for an attacker to even access said service.
- mynameisneo, on 10/12/2007, -0/+0
I don't suppose anyone saw the 192.168.0.0/99... Why would you take advice from someone who obviously has no clue about networking?
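Following argoff's "netstat -anp" advice earlier in the thread, here is an added sh/awk helper (not from the article or any commenter) that reads netstat -anp output and reports only the sockets reachable from the network, i.e. listening on something other than 127.0.0.1 or ::1, which is exactly the sendmail-on-loopback distinction argoff draws. The netstat text is a constructed sample in the Linux netstat column layout; the names SAMPLE_NETSTAT, exposed_listeners and exposed_count are my own.

```shell
#!/bin/sh
# Constructed sample of "netstat -anp" output (Linux column layout), not taken from a live host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1203/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      940/sshd
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED 2210/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1010/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/portmap'

# exposed_listeners CONTENT
# Prints "proto port program" for every listening socket bound to a non-loopback address.
# Loopback-only listeners (127.x.x.x, ::1) are skipped: that is the sendmail case above.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^(tcp|udp)6?$/ { next }                 # skip banner and header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }         # TCP: only listening sockets, not ESTABLISHED
        {
            n = split($4, a, ":"); port = a[n]         # port is the text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next # loopback only: not reachable from the LAN
            prog = ($1 ~ /^tcp/) ? $7 : $6             # UDP lines have no State column
            sub(/^[0-9]+\//, "", prog)                 # strip the "PID/" prefix
            print $1, port, prog
        }'
}

# exposed_count CONTENT: number of network-reachable listeners (handy as a monitoring threshold).
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

exposed_listeners "$SAMPLE_NETSTAT"
```

Run against `netstat -anp` on a real host, anything listed here that you are not deliberately serving to the network is a candidate for binding to 127.0.0.1 or switching off at startup, as argoff suggests.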
- karudzo, on 10/12/2007, -0/+0
I liked this article, but wished that it went into detail regarding locking down single user mode as well as X11/XORG and permissions. For those who really want a relatively secure system, Trustix is alright. FreeBSD (after locking it down, i.e. kernel secure levels, services, etc.) is my favorite.
- Ayman, on 10/12/2007, -0/+0
OK, I wasn't familiar with that IP notation, fixed now.
- Ayman, on 10/12/2007, -0/+0
I never said I don't know how to use iptables, or recommended the reader to neglect it; on the contrary, I linked to a detailed howto. And I don't think iptables can be called user-friendly, so I linked to frontends that are easier to deal with.
- darthmdh, on 10/12/2007, -0/+0
I had to digg your comment. The author claims ssh runs on port 21 by default (no, sorry, that's FTP, numbskull) but before you even get down that far into the article, in fact, right at the beginning, is this gem:
"Linux firewall infrastructure is called netfilter/iptables, unfortunately it is quite complicated, the details can't be covered here, so check out this howto, or use configuration frontends like m0n0wall (CLI), shorewall (CLI), and FireStarter (GUI)."
i.e., don't bother learning how to use your OS's firewall, just implicitly trust some other software you get off some random person on the internet. Uh-huh. I think this article should really be called "tips to fool yourself into thinking your workstation is secure".
- Ayman, on 10/12/2007, -0/+0
For those picking on me for saying SSH's default port is 21, that was a typo; if you paid some attention you'd notice that I reference port 22 somewhere else in the article as well.
And for those saying it's basic stuff, I never claimed that the tips assure ultra security for super servers; it IS meant to be basic stuff.
-- Original author of the dugg article.
- weirdfox, on 10/12/2007, -1/+0
"Secure by default" is not the OpenBSD motto?
They even made songs with it:
Systemagic and E-Railed (OpenBSD Mix)
see http://www.openbsd.org/lyrics.html
- MrDolomite, on 10/12/2007, -2/+1
Excellent tips.
- johnder, on 10/12/2007, -2/+1
Yawn. Bad article. Full of errors; I agree with john117, just trying to generate traffic. digg--
- lagnut, on 10/12/2007, -1/+0
It had some good pointers but it won't help John Doe very much.
- equusdc, on 10/12/2007, -6/+4
In the style of Mario Cantone: LIIIIIIIINKKKKKKKKK WHORE!!!
Seriously, folks, this crosslinking of Top 10 lists is really, really sad and lame.
- spamdies, on 10/12/2007, -5/+2
While this isn't a complete guide to securing your server, this is good information...
- Voodooengine, on 10/12/2007, -4/+0
Thanks for the info.
- john117, on 10/12/2007, -6/+2
Here's a fun contest: spot five things that are just plain wrong in this article. The author clearly doesn't know what he's talking about, and is just trying to generate traffic for his blog.
- sigginike90, on 10/12/2007, -19/+1
I'm not sure web browsing is that popular in Pakistan.....
- inactive, on 10/12/2007, -26/+1
Your first mistake was using the word SECURE...
http://www.onlyriddles.com