On Thu, Mar 01, 2001 at 09:32:19AM +0100, Runar Bell wrote:
>
> 2) When inspecting /var/log/messages I noticed quite a lot of attempts to
> send a buffer overflow (or something like that) on the port running
> rpc.statd. Is there some security hole there I am not aware of? I have
> removed portmap from init.d to make sure it is not started again. Are
> there some other services I should be aware of?

the first thing you should add to a newly installed debian system is:

## security updates
deb http://security.debian.org/debian-security/ potato/updates main contrib
deb http://security.debian.org/debian-non-US/ potato/non-US main contrib
deb-src http://security.debian.org/debian-security/ potato/updates main contrib
deb-src http://security.debian.org/debian-non-US/ potato/non-US main contrib

to /etc/apt/sources.list, then run apt-get update && apt-get dist-upgrade
to install all current security fixes. (i'm not sure if this has been
added to the default sources.list yet, IMO it should have been default a
long time ago. iirc the last potato box i installed, potato r0, i still
had to add these manually) if you have non-free in your other sources you
should add it to the security lines too.

> 3) I couldn't find any "obvious" back-doors, but that doesn't necessarily
> mean that there were none, so to be on the safe side, I re-installed linux,

good move, there are ways to make backdoors almost completely invisible.
granted most attackers don't bother to use them, or are not sophisticated
enough to use them.

> and am now using SSH2.4 from www.ssh.com. Hopefully I won't have to do
> this again. :-)

the non-free ssh has had more security holes than OpenSSH. i recommend
against using the non-free ssh. just keep your system up to date on
security fixes, which is much easier with apt and security.debian.org. if
you had updated from security.debian.org right away this would not have
happened.

> I am definitely going to install some sort of firewall, are there any
> recommendations? ipchaining is not supported in my kernel as of now, so I
> will compile a new kernel when I get the time. But, is there any
> documentation available discussing recommendations regarding security? (I
> am not paranoid, but would like it to be as hard as possible to get
> unauthorized access to my computer)

before thinking about so called magic bullets like firewalls you should
turn off services you are not using and don't need. (remove them if
possible, most things such as rpc.statd can be removed, apt-get --purge
remove nfs-common) then make sure you keep up with security updates.
subscribe to debian-security-announce and you will get an announcement of
security fixes. after you do that look at what services you have left and
decide if they need to be firewalled. sometimes simply locking down
/etc/hosts.allow and /etc/hosts.deny is enough, otherwise look at setting
up some ipchains rules. but first keep security updates installed and
don't run services you don't need and are not using. don't depend on
firewalls to protect you when you leave holes open by not installing
security updates. it cannot be said enough.

a sidenote, that rpc.statd bug was fixed a loong time ago, and yet it's
still being actively and aggressively checked for and exploited, why?
because NOBODY INSTALLS SECURITY UPDATES! same thing with bind.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Attachment:
pgpUtaBEz4Lnj.pgp
Description: PGP signature
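As an added example that is not part of Ethan's mail or of any Debian tool, the POSIX sh script below turns the two "do this first" points of the reply into checks you can run against a box: is an active security.debian.org source in sources.list, and do /etc/hosts.allow and /etc/hosts.deny implement a default deny with only explicit allows. All file names, the `build_demo` sample files and the `secaudit` directory name are constructed for the demo; the regexes assume the sources.list and tcp_wrappers line formats shown in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: small checks that encode the
# advice above -- is security.debian.org in sources.list, and does
# tcp_wrappers default-deny with only explicit allows in hosts.allow?
# All file names and sample contents below are constructed for the demo.

# has_security_source FILE SUITE
# Exit 0 if FILE has an active (uncommented) "deb" line that fetches
# SUITE/updates from security.debian.org; the matching line(s) are printed.
# The non-US line is a separate source and is not checked here.
has_security_source() {
    file=$1; suite=$2
    grep -E '^[[:space:]]*deb[[:space:]]+https?://security\.debian\.org/[^[:space:]]*[[:space:]]+'"$suite"'/updates([[:space:]]|$)' "$file"
}

# wrappers_default_deny ALLOW_FILE DENY_FILE
# Exit 0 only if DENY_FILE has an active "ALL: ALL" (deny anything not
# listed in hosts.allow) and ALLOW_FILE does not re-open ALL to ALL,
# which would cancel the deny since hosts.allow is consulted first.
wrappers_default_deny() {
    allow=$1; deny=$2
    all_all='^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)'
    grep -Eq "$all_all" "$deny" || return 1
    if grep -Eq "$all_all" "$allow"; then
        return 1
    fi
    return 0
}

# allowed_entries ALLOW_FILE
# Print "daemon<TAB>clients" for every active rule in hosts.allow so you
# can see exactly what is still reachable after the default deny.
allowed_entries() {
    awk -F: '/^[[:space:]]*#/ || NF < 2 { next }
             { gsub(/^[ \t]+|[ \t]+$/, "", $1)
               gsub(/^[ \t]+|[ \t]+$/, "", $2)
               print $1 "\t" $2 }' "$1"
}

# build_demo DIR -- write constructed sample files into DIR
build_demo() {
    mkdir -p "$1"
    cat > "$1/sources.list" <<'EOF'
deb http://http.us.debian.org/debian potato main contrib non-free
## security updates (the lines the mail says to add)
deb http://security.debian.org/debian-security/ potato/updates main contrib non-free
deb http://security.debian.org/debian-non-US/ potato/non-US main contrib non-free
EOF
    # a box that never got the security source (only a commented-out line)
    cat > "$1/sources.list.nosec" <<'EOF'
deb http://http.us.debian.org/debian potato main contrib non-free
# deb http://security.debian.org/debian-security/ potato/updates main contrib
EOF
    cat > "$1/hosts.allow" <<'EOF'
# only ssh, and only from the LAN
sshd: 192.168.1.0/255.255.255.0
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# Run "sh secaudit.sh demo" to see the checks applied to the sample files.
if [ "${1-}" = "demo" ]; then
    d=${TMPDIR:-/tmp}/secaudit.$$
    build_demo "$d"
    has_security_source "$d/sources.list" potato >/dev/null \
        && echo "sources.list: security.debian.org present"
    has_security_source "$d/sources.list.nosec" potato >/dev/null \
        || echo "sources.list.nosec: NO security source, add the lines above"
    wrappers_default_deny "$d/hosts.allow" "$d/hosts.deny" \
        && echo "tcp_wrappers: default deny in place; allowed:" \
        && allowed_entries "$d/hosts.allow"
    rm -rf "$d"
fi
```

To use it on a real system, point the functions at /etc/apt/sources.list, /etc/hosts.allow and /etc/hosts.deny instead of the demo directory. The hosts.allow check exists because tcp_wrappers reads hosts.allow before hosts.deny, so an `ALL: ALL` in the allow file silently defeats the deny-all rule.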