Help me decide how to secure my box

[zenlunatic]

You had a concern about an entire encrypted FS. I will add my $.02 in that regard. Your concern was that what would you do to recover information off the loopback if the laptop failed. It is actually fairly easy to recover using another machine to mount the loopback filesystem as long as you have the passphrase and the filesystem is relatively intact post hardware failure.

Is this documented anywhere?

[xedx]

If you want a little bit more secure system excluding local access just dont open ports

btw
why would you use openbsd.
linux/gnu can be made more secure
with the fact that it is more flexible
than any other *nix flavor

[zenlunatic]

If you want a little bit more secure system excluding local access just dont open ports

btw
why would you use openbsd.
linux/gnu can be made more secure
with the fact that it is more flexible
than any other *nix flavor

Why is flexible better than secure by default?

[tgoodaire]

I just wanted to make a quick comment on one of the suggestions made to you. Someone suggested to recompile your kernel without module support because rootkits can be installed as modules. I've seen this suggested in a few places, and I have an argument against it. Kernel modules are only loadable by root. If a hacker already has root on your box, you have bigger things to worry about than a rootkit.

Just my .02.

[Vancouverite]

btw
why would you use openbsd.
linux/gnu can be made more secure
with the fact that it is more flexible
than any other *nix flavor

This seems rather naive considering the amount of code auditing the OpenBSD developers perform.

Someone suggested to recompile your kernel without module support because rootkits can be installed as modules. I've seen this suggested in a few places, and I have an argument against it. Kernel modules are only loadable by root. If a hacker already has root on your box, you have bigger things to worry about than a rootkit.

Like recompiling your kernel with support for modules and rebooting.

[paranode]

I find this guide quite informative:
http://www.gentoo.org/doc/en/gentoo-security.xml

If you enable the Grsecurity stuff it should protect you very well. It features a non-executable stack, which is one of the main selling points of software like OpenBSD. This will protect you from almost all exploits (all that use buffer overflows at least). Plus it has other stuff to guard off attacks. I think it would make for a really secure system while still providing the flexibility and support that Linux has.

[mlynx]

Is this documented anywhere?

The documentation of encrypting filesystems located on the forums (here) has an explanation of how to mount a loopback encrypted filesystem. IIRC, the loopback README, also recommended by the above thread, has this information as well.

[To]

I've used ipchains and now iptables to secure my machines connect to the internet. There's been some good points about iptables ( and other subjects, that I'm not an expert on those mathers, this is just about iptables ). For some machines I wrote all the rules, just because I want to add some features that tools that use iptables don't allow.
Anyway there's a tool, that is on portage too that really helps and it's really easy to configure. You can use it to NAT, or just to REJECT or DROP, you may want to give it a look ( also allows multi interface ).

Code: Select all

root @ gandalf $ > emerge -s shorewall
Searching...   
[ Results for search key : shorewall ]
[ Applications found : 1 ]
 
*  net-firewall/shorewall
      Latest version available: 1.4.4b
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 1,932 kB
      Homepage:    http://www.shorewall.net
      Description: Full state iptables firewall

You can check it here too http://shorewall.sourceforge.net

Tó

[tgoodaire]

I'm using iptables, tcp_wrappers, and portsentry to secure my box. By the way, the book "Real World Linux Security" by Bob Toxen is a great book to get started in securing your box.

[jimlynch11]

zenlunatic: if you havent already seen it, check this out http://selinux.dev.gentoo.org/

they give you root to their box, asking you to try and do any harm to it. perhaps you should visit the project site (linked on the above page) and see what you can implement.

[cybermans]

u said it was only for a laptop that is plugged to the web with 56k?
in that case its useless to make a big uber secure firewall. Because u dont gonna be 24/7 online i think. If you want to make a better firewall i sugest that u read something about how tcp/ip works. If you know that it makes a lot more sense if you are writing a firewall ruleset.

One basic security thing is dont use root for X. And servers dont need X so dont even install it.

just my [eurosign] 0,02