How best to secure a linux workstation?

FizzyWidget

Having just moved full time from Windows to Linux, I am trying to figure out how best to secure my machines, I do use ssh but this is only internal and not allowed through the router, I also use key's not a password - is that good enough for ssh or is there more i should be doing?

I have a iptables script (although basic)

ferreirafm · Posted: Thu Dec 08, 2011 5:23 pm Post subject:

Hi Dark Foo,
I think you are all done. Here goes my ip rules in case you want do close some other ports.
For paranoids, it also possible to implement a black/white list.
G'Luck

FizzyWidget · Posted: Thu Dec 08, 2011 5:29 pm Post subject:

Hi ferreirafm

Thanks for the iptables - looking at the Windows files sharing i can share with windows and NFS without issue, is there something in your script that blocks all ports and so you need to specifically put them in there to have them open?

Yours is near enough the same as the test iptables i had, well at least for ftp and such, i added friends ip addresses there just to make double sure

Also what is a black/whitelist? A newb question I am sure, but I am a newb to Linux full time so far, every bit of information will help me learn

_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

ferreirafm · Posted: Thu Dec 08, 2011 5:41 pm Post subject:

tclover · Guru Joined: 10 Apr 2011 Posts: 516

If you want to learn, then you should definitely go the old wiki page, referenced on the bottom of gento-wiki.com iptables article. You'll learn how to set up together a powerfull scripts which will drop every packet and block many common unused ports and then let in packets based on your rules. As for the whitelist/blacklist you'll need to merge ipset which has advanced settings for filtering. hopefully for you, ipset modules are now merged to iptables kernel modules a few months ago. Just enable what could be of interest or else enable almost every iptables/ipset modules. The old article will help for that! And you could search in the forum as there's somebody who posted basic filtering list last summer, I cannot remember who it was. A search in forum with ipset keywords should be enough.
_________________
home/:mkinitramfs-ll/:supervision/:e-gtk-theme/:overlay/

NeddySeagoon · Posted: Thu Dec 08, 2011 9:38 pm Post subject:

Dark Foo,

Security is a trade off with usability.

First, accept that an attacker with suffcient resources and determination will get in. Such an attacker can break in and steal your system.
All you can do is to make it clear that there are easier systems to attack, so the casual attacker goes away and finds a windows box to play with.

First, don't run any services you don't need, The wider you open the window, the more the dirt blows in.
Set up your firewall, so that everything that is not explicity allowed is denied. Both in and out.
That helps keep the nasties out and if they do get in, helps to stop them phoning home.

Do not permit remote root logins. Every *NIX box has a root user, so don't give attackers half the information they need to get in.

Look at what filesystems you can mount with nodev, noexec , nosuid to make life harder after a breakin.

Make your kernel monolithic if you can and turn off loadable module support. Thatstops an attacker loading kernel modules

If you run a wireless network, put it on its own NIC in your firewall and do not permit wireless to wired connecttions. This keeps the wardrivers out. They can still steal your bandwidth but not get at your wired network.

Consider running a hardened Gentoo. Now it starts to get more uncomforable. Xorg still won't run on a hardened system unless some of the hardening features are disbaled for Xorg. nvida-drivers, the binary blob, even needs a /tmp. with exec permissions, which is a well known attack vector. Thats just brain dead.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

FizzyWidget · Posted: Fri Dec 09, 2011 3:16 pm Post subject:

salmonix · Guru Joined: 16 Jul 2006 Posts: 410

http://www.gentoo.org/doc/en/security/

?
_________________
Quis custodiet ipsos, custodes?

FizzyWidget · Posted: Fri Dec 09, 2011 5:57 pm Post subject:

most of what is there i have already seen and i am not sure about that is why i am asking here, sometimes things need to be simplified for us mere mortals who are new to Linux

_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

NeddySeagoon · Posted: Sat Dec 10, 2011 4:15 pm Post subject:

Dark Foo,

A few words on your questions.

With a four partition syste,, there is no much you can do with nodev, noexec and nosuid.
Consider what is in /home. If you don't have an chroots there, you should be able to use nodev and nosuid because nothing needing those rights should be installed in /home unless its a chroot for something. You will almost certianly have some scripts that you like to run in /home so noexec won't be possible. Testing is harmless. At worst, you will need to use a liveCD to edit /etc/fstab.

Monolithic kernels are not always possible. Things that need firmware can be difficult to build in as you also need to build in the firmware. Third party kernel modules can't be loaded, so the ATI and nVidia binary blobs will no longer work. You make the usabiity/security trade off choice.

I can't tell you how to write your iptables rules to split out your wireless. I use shorewall to avoid playing with iptables directly. I can share my iptables -L and/or shorewall setup if you like.

Hardened Gentoo may be a step too far to start with but you can play with it in a virtual machile to fet the feel of it. I know it runs in a Kernel Virtual Machine ant it should run in Virtual Box, whhich is easier to set up, too. Some features of hardened are coming to ordinary gentoo soon anyway.

Blacklisting/Whitelisting etc are matters of personel taste. If your security is good, they should not be needed but they will reduce wasted bandwidth from potential attackers knocking on your door. Add them later when you are confident in your settings until then keep a close eye on your logs to see what the outside world is trying to do.

ckrootkit and friends use huristics to spoy potential threats installed on your system. They do show false positives. I you want to keep an eye on things on your system try tripwire. It saves a list of every file you ask it to cover along with a hash for the file. Keep this data off the system to be covered. Later, you run it again and it compares whates there now with the original files and hashes, so you know whats been changed. It tells you what but not why. If you keep a check on /usr, do an emerge then a tripwire run, all the changed/added files will be highlighted.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

FizzyWidget · Posted: Sat Dec 10, 2011 7:03 pm Post subject:

I have looked at shorewall before, never could get my head around it, if you could share your iptables that it gives you that would be great.

As to the partition situation how would you suggest the system to be setup, i have no issue with re-partitioning or re-installing, once upon a time i think i had some thing like

sda1 /boot - 100meg
sad2 /swap - 2-4GB (even on a system with 8GB RAM)
sad3 / - 1G
sda5 /portage - 1G (maybe two, cant remember)
sda6 /tmp - 6G (open office bitch about it being less)
sda7 /usr -15G
sda8 /var - 1G
sda9 /home - rest of drive

As for tripwire - im guessing this should be one of the first things to compile and install, maybe while chrooted on initial install?

Sorry if these questions seem silly or something a linux user should instinctively know, I just want to make sure i have everything right before i bring the main pc over to linux, storage pc that hardly ever see's the inet apart from a few torrents here and there, and a laptop that is mainly for watching movies and backup if the main PC should break are different to a pc that will always be connected to the inet near on 24/7, even if it is behind a router.

Thanks

_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

NeddySeagoon · Posted: Sat Dec 10, 2011 7:56 pm Post subject:

Dark Foo,

I just know this will make your head hurt ...

I have a network with five zones to shorewall.
net == the big bad internet
fw == the firewall itself
green == the protected wired network
blue == the wireless network
dmz == the partially protected network for my servers.

iptables -L is at http://paste.pocoo.org/show/518949/

The internet is at 62.3.120.136/29
green is 192.168.100.0/24
blue is 192.168.54.0/24
dmz is 192.168.10.0/24

There is a private gentoo rsync mirror, a mail server, a web server, a ssh server, a squid transparent proxy and http-replicator in there somewhere.
I need to add snort to log the nasties too.

Ping is allowed everywhere. VPN is only allowed out from blue. Everything that is rejected is logged, mostly for debugging.

You need to run tripwire as soon as your install is complete as any added files will be spotted and reported. That can be a lot if you add say, Xorg and Gnome3.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

FizzyWidget · Posted: Sat Dec 10, 2011 11:04 pm Post subject:

no needy the alcohol is making my head hurt atm, but i will look at this in the morning :p

What do you think to the partition scheme i posted, does it look okay or would you do it differently ?

Thanks for all your help btw, much appreciated

_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

NeddySeagoon · Posted: Sun Dec 11, 2011 6:25 pm Post subject:

Dark Foo,

I do it differently. There will soon be a problem with /var and/or /usr on a partition other than root, unless you have an initrd to mount /, /usr and /var before udev can start.
udev only supports it now with a workaround and the workaround has been removed in the overlay version of udev.
Thats just bitten me. I knew it was coming but not when.

/var needs to be a lot more than 1G. Its used for portage workspace as well as permanent information.
LibreOffice needs 9G in /var to build just now.

Once I can boot my main system again, I'll post my partition scheme. Just now, I'm fetching System Rescue CD so I can pick up the pieces. I gave away my USB stick with it on.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

FizzyWidget · Posted: Mon Dec 12, 2011 10:10 pm Post subject:

Okay Neddy, when you are sorted is fine, i think i was working up untill xmas, but it seems im not now, so i have some spear time to devote to getting all 3 pcs sorted

_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

NeddySeagoon · Posted: Mon Dec 12, 2011 10:40 pm Post subject:

Dark Foo,

FizzyWidget · Posted: Tue Dec 13, 2011 4:51 pm Post subject:

FFS!!!!! I put /usr/portage as 2G and i get -

NeddySeagoon · Posted: Tue Dec 13, 2011 6:43 pm Post subject:

Dark Foo.

For the portage tree, you can use i node per block, which is 1024 bytes. Iy contains loats of very small files and as you can see, it will run out of inodes because of the huge number of files.

For /usr/portage/distfiles, and /usr/portage/packages, the defaults are OK as these directories store your downloaded sources and builit binary packges respectively.
The are all comparatibely large files.

The above dirs, together with /tmp and /boot can all be either ext2 or ext4 with no journal as the are all easy to recreate.
Depending on the amount of RAM you have, you can point /tmp to /dev/shmfs and have /tmp in RAM. Its wiped every boot. so thats safe.

There is nasty surprise just around the corned thats been the suject of a lot of of discussion on the gentoo developer and user mailing lists.
Just now, udev tolerates /usr and /var not being on the root filesystem. Howerver, this support is going to be withdrawn soon, to the point where your box (and mine) will not boot without and initrd to mount /usr and /var before udev gets started. udev already depends on things in /var and /usr and has to take recovery action when they are not mounted when it starts. The way ahead is still indetermanate with there being three camps:-

Read the archives for the full story.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

NeddySeagoon · Posted: Tue Dec 13, 2011 6:43 pm Post subject:

Dark Foo.

For the portage tree, you can use i node per block, which is 1024 bytes. Iy contains loats of very small files and as you can see, it will run out of inodes because of the huge number of files.

For /usr/portage/distfiles, and /usr/portage/packages, the defaults are OK as these directories store your downloaded sources and builit binary packges respectively.
The are all comparatibely large files.

The above dirs, together with /tmp and /boot can all be either ext2 or ext4 with no journal as the are all easy to recreate.
Depending on the amount of RAM you have, you can point /tmp to /dev/shmfs and have /tmp in RAM. Its wiped every boot. so thats safe.

There is nasty surprise just around the corned thats been the suject of a lot of of discussion on the gentoo developer and user mailing lists.
Just now, udev tolerates /usr and /var not being on the root filesystem. Howerver, this support is going to be withdrawn soon, to the point where your box (and mine) will not boot without and initrd to mount /usr and /var before udev gets started. udev already depends on things in /var and /usr and has to take recovery action when they are not mounted when it starts. The way ahead is still indetermanate with there being three camps:-

Read the archives for the full story.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

FizzyWidget · Posted: Tue Dec 13, 2011 7:16 pm Post subject:

would you advise keeping the system as is and dealing with it when they remove support for /var and /tmp when not on the root system? or just make / bigger and put var and tmp on there?

Last question before i start the server install, which of your partitions are set nodev, noexec and nosuid.

Once i have that little bit of info i think i will be set, just have to figure out how much to give to what partition on the 80gb drive in here :p
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

NeddySeagoon · Posted: Tue Dec 13, 2011 8:13 pm Post subject:

Dark Foo,

Keep it as is. The way ahead for systems like yours and mine is being worked out.
It will be supported one way or another and a udev that needs it will not be stablised until the rest of the support is also in place.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

FizzyWidget · Posted: Tue Dec 13, 2011 8:14 pm Post subject:

NeddySeagoon · Posted: Tue Dec 13, 2011 8:49 pm Post subject:

Dark Foo,

Very few at the moment, this should work.

FizzyWidget · Posted: Tue Dec 13, 2011 9:09 pm Post subject:

Thanks neddy, will take a look a the system in the morning, took some of my medication and am starting to feel sleepy, /home isnt listed as its on a raid and i only have some many sata connections, i know i should get an external cd/dvd drive, which i might look into, once i have the main system in, i will re-attach the drives in the raid

_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

FizzyWidget · Posted: Wed Dec 14, 2011 9:34 am Post subject: