How to make a Linux box secure.

azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Post by azfar »

I am running Fedora Core 3 on my production server, which holds an HTTP cache, i.e. I am running Squid on it. Now I want to make this box as secure as I can. For that I installed the latest stable Squid version, installed the latest kernel version, and stopped a few unnecessary services. Now I want to implement some kind of firewall on it, i.e. blocking malicious ports via iptables.
I am currently only running Squid and SSH on it; in future maybe Apache, but on a different port, and BIND.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
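
For the host described in the post above (only Squid and SSH exposed), a default-deny iptables policy is the usual starting point. The following is an added example, not part of any forum post: the function name `gen_rules`, the subnets, and the log prefix are constructed for illustration, and it assumes Squid's default port 3128 and SSH on port 22.

```sh
#!/bin/sh
# Added example: print a default-deny iptables-restore ruleset for a host
# that serves only Squid and SSH. Nothing is applied; review the output first.
# Assumptions: Squid on its default port 3128, SSH on 22, and placeholder
# subnets for proxy clients and for administrators.

is_port() {  # succeed only for an integer in 1..65535
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_rules() {  # usage: gen_rules CLIENT_NET ADMIN_NET [SQUID_PORT] [SSH_PORT]
    client_net=$1 admin_net=$2 squid_port=${3:-3128} ssh_port=${4:-22}
    [ -n "$client_net" ] && [ -n "$admin_net" ] || return 2
    is_port "$squid_port" && is_port "$ssh_port" || return 2
    cat <<EOF
*filter
# Anything not explicitly allowed inbound is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Squid must reach origin servers, so outbound traffic stays open.
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH only from the admin network, proxy only from the client network.
-A INPUT -p tcp -s $admin_net --dport $ssh_port -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s $client_net --dport $squid_port -m state --state NEW -j ACCEPT
# Rate-limited log of whatever falls through to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Constructed sample values; pipe the output into iptables-restore as root to load.
gen_rules 192.168.1.0/24 192.168.1.10/32
```

Keep console access to the machine while testing, since a mistake in the admin subnet locks out SSH.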
Anjum Butt
Company Havaldaar Major
Posts: 165
Joined: Mon Jun 09, 2003 9:02 am
Location: Karachi

Post by Anjum Butt »

The best way to secure a box is to put it behind a firewall.
That is, something like this:

A-------------B------------C

Where,
A is the Linux box
B is the gateway firewall
C is the outside world

This way, if there is some sort of break-in, the only thing they can come up to will be the gateway/firewall.

You can use a small box such as a P1 100 MHz with 64 MB RAM to do it,
or even a 386 with 8 MB RAM.

If you put up a 100 MHz PC for the firewall, use IPCop. www.ipcop.org

Otherwise use the utilities provided by FC3.
More will follow :)

Anjum Butt
Registered Linux User #314299
mhassan
Lance Naik
Posts: 41
Joined: Thu Dec 23, 2004 1:28 pm
Location: lahore

secure Linux box

Post by mhassan »

Dear

Security comes through assurance and responsibility. Fedora is not meant for commercial deployments but for experiments and usage. For commercial and critical secure packed scenarios, Red Hat has launched another family known as Red Hat Enterprise Linux, and in Pakistan OpenTech is Red Hat's master products and training partner.

Opentech
111-733-428
Lahore/Karachi

Regards.
Best Regards
Linux to All
nasacis
Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad

Post by nasacis »

I think it doesn't matter whether we are using an experimental or an enterprise OS.
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
nasacis
Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad

Post by nasacis »

Check the URL below for securing a Linux box:
http://www.ibiblio.org/pub/Linux/docs/H ... HOWTO.html
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
gnome
Lance Naik
Posts: 36
Joined: Mon Sep 27, 2004 5:56 am

Post by gnome »

Anjum Butt wrote: The best way to secure a box is to put it behind a firewall.
That is, something like this:

A-------------B------------C

Where,
A is the Linux box
B is the gateway firewall
C is the outside world

This way, if there is some sort of break-in, the only thing they can come up to will be the gateway/firewall.

You can use a small box such as a P1 100 MHz with 64 MB RAM to do it,
or even a 386 with 8 MB RAM.

If you put up a 100 MHz PC for the firewall, use IPCop. www.ipcop.org

Otherwise use the utilities provided by FC3.

Correct me if I am wrong..

But even if the attacker breaks in and gets to the firewall, don't you think he'd be able to compromise the 'secure' box from/through the firewall as well?..
I mean, if the attacker is smart enough, he'd know whether he has compromised the 'secure' box or the firewall.
Anjum Butt
Company Havaldaar Major
Posts: 165
Joined: Mon Jun 09, 2003 9:02 am
Location: Karachi

Post by Anjum Butt »

Technically, there is no security against an intended attacker.

However, there are two reasons I recommended IPCop as the firewall.
This project is known for its security.

1. It doesn't have anything more than what is actually required on a firewall.
This rules out the possibility of an attacker gaining a remote shell like telnet or ssh.

2. Even if it gets compromised, an attacker won't be able to do much, since it's only a Linux firewall, not a Linux distro which you can use to do some work.
More will follow :)

Anjum Butt
Registered Linux User #314299
drlinux
Lance Naik
Posts: 23
Joined: Wed Dec 29, 2004 11:58 pm

Post by drlinux »

Hey! I think you should read "Running Linux 4th Edition"; you will really find the security solutions.......
tt83x
Cadet
Posts: 7
Joined: Thu Feb 12, 2004 10:25 pm

try out Bastille

Post by tt83x »

try out Bastille

http://www.bastille-linux.org/

It has an EXCELLENT step-by-step process of hardening the system with real explanation about the steps ...
mahin
Major
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Post by mahin »

Reading is not enough :) implement it.

Go for IPCop, then move over to anything you wish. Its downloads crossed the million mark long ago; being GPL, it is difficult to figure the actual numbers. Try Google for security issues or reported break-in / security breach incidents involving IPCop; do it only to give you the confidence.

If you need a server, then always use a firewall, no matter what distro you choose.

If you can afford to pay $ 1499.00 + more [ don't ever think of using a pirated copy no matter what, this is going to get you in trouble - go for GPL if you cannot afford to pay ] then for a lot less [ even free :) ] you have more options.

If you know what you want then Fedora will work just fine but you need a dedicated Firewall..
zaeemarshad
Lieutenant Colonel
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Location: Islamabad

Post by zaeemarshad »

If you seriously want to secure your network, then you will have to read up a lot on different aspects of network security, breaches etc. Using a distro like IPCop can give you an idea about security, but on systems where you need to secure full-fledged Linux servers, you need to understand the tools available, how to use them, and network perimeter security.

Regards
Zaeem
drlinux
Lance Naik
Posts: 23
Joined: Wed Dec 29, 2004 11:58 pm

Post by drlinux »

hello,
mahin wrote: Reading is not enough :) implement it.

If you do not read, how can you implement.. :D One cannot implement until he has no knowledge about what he is doing 8)
gnome
Lance Naik
Posts: 36
Joined: Mon Sep 27, 2004 5:56 am

Post by gnome »

Anjum Butt wrote: Technically, there is no security against an intended attacker.

However, there are two reasons I recommended IPCop as the firewall.
This project is known for its security.

1. It doesn't have anything more than what is actually required on a firewall.
This rules out the possibility of an attacker gaining a remote shell like telnet or ssh.

2. Even if it gets compromised, an attacker won't be able to do much, since it's only a Linux firewall, not a Linux distro which you can use to do some work.

Forgive me for not following up on this thread.
I have some questions, hope you can help me out.

If an attacker compromises the firewall, wouldn't he be able to run an ssh server on it by getting it through wget?

Pardon me for sounding naive, but I haven't actually ever used IPCop, so I'm rather curious.
fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL

Post by fawad »

gnome, what mahin was trying to say was that IPCop is a specialized distro created for the sole purpose of shuffling packets around. It does ship with an sshd, but remote (non-LAN) access to it is disabled by default. Their CGI pages are written with Perl taint mode enabled. So, it makes it dead simple to make a locked-down firewall. In my installations, I enable remote access to the admin pages, but it is disabled by default. Additionally, the IPCop guys have taken a lot of measures to protect against break-ins, including not even installing an ssh client. So your weakest link is probably the administrative passwords.

The only thing they could do better, in my opinion, is to create a tight SELinux policy for the box.
gnome
Lance Naik
Posts: 36
Joined: Mon Sep 27, 2004 5:56 am

Post by gnome »

fawad wrote: gnome, what mahin was trying to say was that IPCop is a specialized distro created for the sole purpose of shuffling packets around. It does ship with an sshd, but remote (non-LAN) access to it is disabled by default. Their CGI pages are written with Perl taint mode enabled. So, it makes it dead simple to make a locked-down firewall. In my installations, I enable remote access to the admin pages, but it is disabled by default. Additionally, the IPCop guys have taken a lot of measures to protect against break-ins, including not even installing an ssh client. So your weakest link is probably the administrative passwords.

The only thing they could do better, in my opinion, is to create a tight SELinux policy for the box.

Okay, that was a better explanation.

thanks