Hardening Linux 204
davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."
How To in summary... (Score:5, Informative)
1) Disable unwanted services (done via the CLI in this day of GUIs)
2) Keep the OS patched
3) Install and run Bastille to do everything else for you.
Article not very informative (Score:5, Informative)
Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.
The article isn't very useful or accurate.
A default Ubuntu box has them all closed. (Score:4, Informative)
That is correct. By default, they are all closed.
But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.
As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.
That's without a firewall.
Re:I'm not sure what this is doing on /. (Score:3, Informative)
Don't read TFA then. The advice it gives is barely relevant to any distro released in the past decade.
The defaults are no longer what they were in 199x (Score:5, Informative)
- [KU]buntu
All services off by default. netfilter rules are default allow however, but there is nothing to connect to.
- Fedora/RHEL/CentOS
Choose during install what services you want enabled/open/firewalled.
SELinux enabled by default.
- Knoppix 5.1.1
Only Port 68 for dhcp client listener.
- Mandriva 2007 Bootable CD
Port 6000 is all that's open (X server. Ok this is dumb, why?)
Other distros follow similar suit. You can find out what's running on your linux box with:
- netstat -tuna (all tcp/udp sockets, don't resolve names, all listening/non-listening sockets)
- locate iptables; sudo iptables -nvL (show iptables chains for netfilter)
Chances are, if you've not mucked around with the default services things are pretty tight.
TFA is a bit inaccurate for linux systems these days.
This is the last time I'm explaining it to you. (Score:5, Informative)
Maybe it does. Maybe it does not. But that is immaterial. This is about what an attacker would see. Not what your machine can see from itself.
It is possible to set up a system that allows access to those services from eth0 & localhost, but not from any other addresses.
You are not concerned about what you can see from your machine. You are concerned about what an attacker can see. They are NOT the same.
NO it will NOT.
Your statement is only accurate for the condition in which NO ports are open. That is a single scenario and does NOT account for the various possibilities. Therefore the ONLY way to know what an attacker would see is to scan the way the attacker would.
No. Again, the system can be set up so that the ports are visible from localhost and eth0. The only way to know EXACTLY what the attacker can see (other than in the specific scenario of all ports being closed) is to scan the way the attacker would.
No, the list given by nmap would not be accurate. Because the list given by nmap would show ports open (and therefore vulnerable) when there would be no way for an attacker to see those ports.
Again, the only time your statement would be accurate is the single case of all ports being closed.
I've given multiple, specific examples where such would not be the case. I've shown where your statement is correct ONLY FOR A SINGLE SCENARIO where all the ports are closed.
Again, I've provided specific examples that illustrate where the information gained by scanning from an attacker's position would be different than scanning from the machine itself.
You can claim that such is impossible all you want.
But the facts contradict you.
You are taking a single case and claiming that it is the same for ALL the possible configurations. It is not. The only way to know what an attacker will see is to perform the scan as an attacker would.
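Added example (not from any of the posters above): the two posts above disagree about whether the local netstat/ss listing tells you what an attacker sees. The script below shows the gap concretely. It parses a constructed sample in the format of `ss -tulnH` (the modern equivalent of the `netstat -tuna` listing), marks loopback-bound listeners as invisible to any remote scanner, and then generates the iptables-restore ruleset the post describes: listeners reachable only from lo and from eth0 on the LAN. The sample sockets, the interface name eth0 and the 192.168.1.0/24 LAN range are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classify what the local socket listing
# shows versus what a remote scanner could reach, then emit an iptables ruleset
# that admits the exposed listeners from lo and eth0 (LAN) only.

LAN_IF=${LAN_IF:-eth0}                  # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}      # assumed trusted network

# Constructed sample in `ss -tulnH` format (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 [::]:22          [::]:*
udp   UNCONN 0 0   0.0.0.0:68      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:6000    0.0.0.0:*
tcp   LISTEN 0 128 [::1]:25        [::]:*'

# Print "proto port scope" per socket. "local" = bound to a loopback address,
# so no remote host can reach it regardless of firewall; "all" = bound to a
# wildcard or routable address, so only netfilter decides who can see it.
classify_sockets() {
  printf '%s\n' "$1" | awk '
    {
      at    = match($5, /:[0-9]+$/)         # last ":port" in the local address
      addr  = substr($5, 1, at - 1)
      port  = substr($5, at + 1)
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "local" : "all"
      print $1, port, scope
    }'
}

# Emit an iptables-restore ruleset: default DROP on INPUT, accept loopback and
# established flows, and accept each exposed listener only on LAN_IF from
# LAN_NET. A scanner anywhere else sees nothing, although the local listing
# still shows the port open. The [::] listeners need the same in ip6tables.
emit_ruleset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  classify_sockets "$1" | awk '$3 != "local" { print $1, $2 }' | sort -u |
    while read -r proto port; do
      printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -p $proto --dport $port -j ACCEPT"
    done
  printf '%s\n' 'COMMIT'
}

classify_sockets "$SAMPLE_SS"
emit_ruleset "$SAMPLE_SS"
```

On a real box replace the sample with `ss -tulnH` output, review the generated rules, and load them with `iptables-restore`. Then, as the post insists, scan from the other side: `nmap -sT -p- <your-address>` from a host outside LAN_NET should report none of the ports that the local listing still shows as open.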