
How to secure a Linux box?


14 replies to this topic

#1 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location: Santa Barbara, California
  • United States

Posted 13 July 2011 - 10:45 AM

Let a system run a standard Linux distribution like Fedora, Ubuntu etc. Now, I'd request you to share your views about the possible ways to secure this Linux distro. To my understanding, there could be several, e.g. shutting down services, configuring the firewall to block ports & log unwanted packets, changing the permissions of certain system-critical files & directories, uninstalling potentially penetrable packages & services, granting users "just" the required privileges (no more, no less), disabling the root account (in Ubuntu) etc. Also, there are some packages/utilities available like SELinux (Security-Enhanced Linux) to escalate the security of a Linux box. But we all would like to hear from experienced reboot guys. It'll be a great help if anybody volunteers to compose a script to automate the tasks.

#2 RoyM

RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests: "Booting and Owning".
  • United States

Posted 13 July 2011 - 12:14 PM

Does it have to be a plain vanilla distro, or can you use the Smoothwall distro?

uname -a = Linux smoothwall 2.6.32.26+drm33.12-0-runtime #1 Tue Apr 5 02:53:09 BST 2011 i686 GNU/Linux
If you can't use the smoothwall, I suggest you look at their scripts for a starting point.

#3 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location: Santa Barbara, California
  • United States

Posted 13 July 2011 - 04:15 PM

Does it have to be a plain vanilla distro, or can you use the Smoothwall distro?

Can you be a bit more elaborate?

#4 RoyM

RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests: "Booting and Owning".
  • United States

Posted 14 July 2011 - 02:06 AM

Hi Holmes.Sherlock,
I will elaborate:

What I mean by plain vanilla distro:
Are you constrained/required to use a certain Linux distro without
mods, apps, libraries, utilities, or are you able to pick which distro to use?

Definition of Linux distribution from here: http://en.wikipedia....ux_distribution
A Linux distribution is a member of the family of Unix-like operating systems built on top of the Linux kernel.
Such distributions (often called distros for short) are operating systems including a large collection of
software applications such as word processors, spreadsheets, media players, and database applications.
The operating system will consist of the Linux kernel and, usually, a set of libraries and utilities
from the GNU project, with graphics support from the X Window System.

Comparison of Linux Distributions found here, http://en.wikipedia....x_distributions

Technically these are all distros:
Ubuntu 11.04, Fedora 15
Red Hat Linux 9
BT5, based on Ubuntu Lucid LTS, kernel 2.6.38, patched
Smoothwall 3.0, based on the Linux 2.6 kernel

Although Smoothwall is not listed on these pages, it could be defined as a distro.
The Smoothwall distro is based on: Linux smoothwall 2.6.32.26+drm33.12-0-runtime #1
Tue Apr 5 02:53:09 BST 2011 i686 GNU/Linux


And yes, you have done your homework on how to secure your OS.

But why pick a standard distro that you have to mod to harden when it is
already done for you in the Smoothwall distro?

A very simplified description of what the Smoothwall distro does is this:
besides already applying the methods you suggest, it will also only allow
communications that originate from its green interface to be passed
through its red interface; also, there are numerous mods that can be
applied to further harden the system.

I would also seek Wonko's opinion on this, as he seems to be quite the Linux Guru.

I wish you guys luck on your endeavor.

#5 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location: Santa Barbara, California
  • United States

Posted 14 July 2011 - 02:13 AM

But why pick a standard distro that you have to mod to harden when it is
already done for you in the Smoothwall distro?

Because in previous years' contests, each of the participating teams was given the image of the same Linux distro running some vulnerable service which they had to protect & keep running as long as possible. The more uptime, the more points you earn.

#6 RoyM

RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests: "Booting and Owning".
  • United States

Posted 14 July 2011 - 03:23 AM

So do you know which distro you will be given?

#7 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location: Santa Barbara, California
  • United States

Posted 14 July 2011 - 03:27 AM

So do you know which distro you will be given?

As far as I can remember from what I read, in 2008 it was Ubuntu 8.10. But don't expect it to be the same next time. Though this year we didn't have anything to protect as such, the image distributed was a Minix image.

#8 sbaeder

sbaeder

    Gold Member

  • .script developer
  • 1338 posts
  • Location: USA - Massachusetts
  • United States

Posted 24 July 2011 - 02:10 AM

Just saw this link on Linux Today... It is a headline aggregator for Linux stories, and its links to articles are just a teaser, then link to the real story...

Hope you enjoy...

#9 .William.

.William.

    Newbie

  • Members
  • 29 posts
  • Location: Localized
  • Interests: Development participation: MultiPar, Copy Handler, SARDU, Linux Live USB Creator, B&S.
    Operating Systems: Windows, Ubuntu
  • Belgium

Posted 24 July 2011 - 05:24 PM

Although Linux is very much safer than Windows, there is also malware found on Linux. Besides that, if you share any files with Windows users from your Linux, for example by e-mail, a virus that cannot harm Linux can be passed on to a Windows installation. For that reason I think Linux users should also use anti-virus software. Avast! has good freeware, and there is also ClamAV, which was originally created to protect large servers. I do think that you do not need to use any real-time anti-virus yet, but that time will come too, I'm sure.

#10 RoyM

RoyM

    Frequent Member

  • .script developer
  • 420 posts
  • Interests: "Booting and Owning".
  • United States

Posted 25 July 2011 - 05:22 PM

http://www.unixmen.c...ktop-and-server

#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 25 July 2011 - 06:42 PM

I would also seek Wonko's opinion on this, as he seems to be quite the Linux Guru.

Just for the record, Wonko knows very little of Linux :wheelchair:, but has enough Common Sense ;) to know that a distro aimed at secure computing will be much more secure than a "generic, one size fits all" one (especially if it took - like Ubuntu has - the trend towards "automagically" and Gnome "toyish looks" - actually mainly borrowed from the XP/Vista :) or 7 "helpfulness" and "toyishness").

But the principles remain the same everywhere, as Holmes.Sherlock correctly summed up, like:
  • disable any and all "services" (or "daemons") that you don't actually need
  • find out if there is any alternative (that can work without that service) to the stupid software that needs a service
  • disable *anything* you don't actually need (or that you don't know what is doing)
  • Close ALL ports.
  • Monitor the behaviour of the system (especially if you see anything running that you did not initiate and that either listens or talks to a port)


@Holmes.Sherlock
The essence of the competition is that of showing off your level of experience and knowledge on the specific OS, so we are back to a Catch-22:
  • if you know how to secure a Linux box, you don't ask how to do it (let alone on reboot.pro)
  • if you ask how to secure a Linux box (on reboot.pro or anywhere) you cannot secure a Linux box (and you'll probably never learn it from here or elsewhere)

What you should do is start studying C, C++ and what not, then read a few tens of thousands of lines of code, actually understand them, subscribe to a handful of mailing lists (and read EVERYTHING that goes on them AND understand it :ph34r:), write your own "independent" OS, fail at it :w00t:, and start finding (minor or major) vulnerabilities in existing Linux apps/code/kernel, publish them as PoC and/or write patches for them.
In a few years you will be at the same level as most of the people that take part in the competition (and yes, that is what they have done in the last, say, five years).

:cheers:
Wonko
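A defender-side check for the last bullet of Wonko's list, added here as an illustration and not code from any poster: it compares the box's listening TCP sockets against an allowlist of expected ports and reports everything else, with the owning process when ss was run with -p. The ss invocation assumes iproute2's ss (run as root to see other users' processes); the sample socket lines are constructed.

```shell
#!/bin/sh
# Report listening TCP sockets whose port is not on an allowlist.
# Input format is the output of `ss -Hltnp` (iproute2: no header, listening,
# TCP, numeric, with process info), one socket per line:
#   State Recv-Q Send-Q Local:Port Peer:Port [users:((...))]

# Ports this box is expected to serve (constructed example: ssh and http).
ALLOWED_PORTS="22 80"

# Constructed sample of `ss -Hltnp` output so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=455,fd=7))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=900,fd=4))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=301,fd=5))'

# unexpected_listeners "PORT PORT ..." < ss-output
# Prints "local-address:port process-info" for every listener whose port is
# not in the allowlist. Handles IPv4, IPv6 ([::]:port) and wildcard (*:port).
unexpected_listeners() {
    allow=" $1 "
    while read -r state recvq sendq local peer rest; do
        [ -n "$local" ] || continue
        port=${local##*:}            # strip everything up to the last colon
        case "$allow" in
            *" $port "*) ;;          # expected port, stay quiet
            *) printf '%s%s\n' "$local" "${rest:+ $rest}" ;;
        esac
    done
}

# count_unexpected "PORT PORT ..." < ss-output  -> number of offending sockets
count_unexpected() {
    unexpected_listeners "$1" | wc -l | tr -d ' '
}

# Offline demonstration on the constructed sample. On a live box replace the
# printf with:  ss -Hltnp | unexpected_listeners "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS"
```

A process squatting on an allowed port is still invisible to this check, so compare the reported process names against what you expect too.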

#12 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location: Santa Barbara, California
  • United States

Posted 25 July 2011 - 10:54 PM

In a few years you will be at the same level as most of the people that take part in the competition (and yes, that is what they have done in the last, say, five years).

[image]

#13 Mikorist

Mikorist

    ▂ ▃ █ ▅ ▆

  • Advanced user
  • 771 posts
  • United Nations

Posted 06 August 2011 - 12:30 AM

Just saw this link on Linux Today... It is a headline aggregator for Linux stories, and its links to articles are just a teaser, then link to the real story...

Hope you enjoy...



interesting ... :cheers:

but.... ;)

I much like the option to revert back to the snapshot in NexentaOS.


NexentaOS is a Debian/Ubuntu/GNU/OpenSolaris hybrid.

Nexenta has built a small but vibrant community. It has been downloaded over half a million times, and is being used in around 10,000 systems, mostly data-centers.

The OpenSolaris technologies: ZFS

The open source world has gone gaga over the next-generation file system from the OpenSolaris community. It has been ported to Apple's OS X and FreeBSD. Licensing incompatibilities have held up a Linux port. It is a file system and volume manager built into one. And with lightning-fast snapshots and automatic integrity and error checking, this is the filesystem of the future. Let's take a look at how you as a developer can benefit from the use of ZFS:

Never have to worry about data loss, or the system and packaging system going into a mangled state

ZFS's quick and painless snapshot feature allows you to take incremental backups of your entire filesystem or the packaging related data. So if the last kernel upgrade botches up the system or renders it unbootable, easily revert back to the earlier working state :ph34r:

Nexenta provides a tool called apt-clone which is a wrapper over apt-get. Roughly translated:

apt-clone = system clone + apt-get

so the command apt-get install apache2 is equivalent to:

zfs clone beforeapache2 rootfs
#add grub lines to boot to 'beforeapache2'
apt-get install apache2

If things go wrong and apache2 isn't installed right, you can revert back to the snapshot "beforeapache2" and the system reverts to the original configuration. Further information is in the apt-clone manpage [0].

Use snapshot capabilities to create restore points

..all along your development/build cycle allowing for easy reversion to an earlier state

Another use of ZFS for package maintainers is the capability to easily take a snapshot of the environment (like the current working directory) and make those deadly changes. There is no longer a need to worry or limit your changes for fear of "ruining this working state" or "losing all these changes I've made". Use ZFS like a quick and dirty versioning system for those short development sessions.


Nexenta OS runs on Intel/AMD 32-/64-bit hardware and is distributed as a single installable CD.

http://www.nexenta.o.../DownloadStable
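Plain zfs(8) commands for the snapshot-before-change idea Mikorist describes, added here as an illustration rather than Nexenta's apt-clone itself: it snapshots the root dataset, runs the package command, and rolls the dataset back to the snapshot if that command fails. The dataset name rpool/ROOT/default is an assumption; set ROOT_DS to your own root dataset.

```shell
#!/bin/sh
# Snapshot the root dataset before a package change and roll back on failure.
# Uses zfs snapshot/rollback instead of the apt-clone wrapper; the dataset
# name below is an assumed example and must match the real root dataset.
ROOT_DS=${ROOT_DS:-rpool/ROOT/default}

# snapshot_then_run SNAPNAME COMMAND [ARGS...]
# Creates $ROOT_DS@SNAPNAME, runs COMMAND, and on a non-zero exit rolls the
# dataset back to that snapshot. Returns COMMAND's exit status (1 if the
# snapshot itself could not be taken, in which case COMMAND is not run).
snapshot_then_run() {
    snap="$ROOT_DS@$1"
    shift
    zfs snapshot "$snap" || return 1
    "$@"
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok: $* (keep $snap until satisfied, then: zfs destroy $snap)"
        return 0
    fi
    echo "failed (exit $status): $* -- rolling back to $snap" >&2
    # -r also discards any snapshots taken after $snap, which is what we want
    # when the failed change must disappear completely.
    zfs rollback -r "$snap"
    return "$status"
}

# Usage (as root):  sh thisscript.sh beforeapache2 apt-get install -y apache2
if [ $# -gt 0 ]; then
    snapshot_then_run "$@"
fi
```

Rolling back the live root dataset underneath running processes is blunt; for a kernel upgrade, booting the pre-upgrade state from GRUB as the post describes is the safer recovery path.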

#14 Virii

Virii

    Member

  • Members
  • 56 posts
  • United States

Posted 06 August 2011 - 02:19 AM

Let a system run a standard Linux distribution like Fedora, Ubuntu etc. Now, I'd request you to share your views about the possible ways to secure this Linux distro. To my understanding, there could be several, e.g. shutting down services, configuring the firewall to block ports & log unwanted packets, changing the permissions of certain system-critical files & directories, uninstalling potentially penetrable packages & services, granting users "just" the required privileges (no more, no less), disabling the root account (in Ubuntu) etc. Also, there are some packages/utilities available like SELinux (Security-Enhanced Linux) to escalate the security of a Linux box. But we all would like to hear from experienced reboot guys. It'll be a great help if anybody volunteers to compose a script to automate the tasks.

IIRC - A pure Linux distro untainted by the desire of users to see something more like Windows, or a Mac, will not have permissions set for regular users at all.
[sarcasm] Thanks Canonical [/sarcasm]

You have to 'add' the permissions to user accounts as you see fit. The same applies for the daemons. The daemon is only installed if it is needed as a dependency, and then again it's only enabled 'manually' to the boot process if desired.

I do think that you do not need to use any real-time anti-virus yet, but that time will come too, I'm sure.

Yeah, when certain distros come dangerously close to using registries. They shall remain unmentioned...

#15 grubsome

grubsome

  • Members
  • 4 posts
  • Location: Arhus
  • Interests: grub4dos, grub2
  • Denmark

Posted 11 September 2011 - 06:58 AM

Hi Sherlock,

I have no special script for you at the moment, but I think this piece of Ubuntu might provide us all with
better all-round and specific equipment for testing whether what is in each one's security focus will do what we really want.
The developers really did a great job with it in my opinion.
But enough with the words, maybe you already know it:
(If not, I am happy to feel like Dr. Watson just for a second :dubbio: and you should spend a pipe on booting the livecd : )
http://www.backbox.org/ http://wiki.backbox..0..x.php/Main_Page

(new release out since a couple of days)

Edited by grubsome, 11 September 2011 - 07:05 AM.
