
Re: Unsure about security requirements for workstation/server



There are some programs and ways to secure your system.

The program "tiger" scans your system for local holes. Just run "tiger" from your shell and check /var/log/tiger/security-?

Bastille does about the same. Run it with "InteractiveBastille" from a shell.

Logcheck checks your logs for security messages and emails them to you. You will only have to put your email address in /etc/logcheck/logcheck.conf, and configure your mail client.
It is best to ignore the unimportant messages with logcheck, because people will get demotivated to keep reading when there is too much information in these messages. There is a file in /usr/share/doc/logcheck that explains how you can achieve this.

Programs like Aide and Osiris check your filesystem for changes. This way you can monitor your filesystem for unauthorized changes.
Osiris is pretty convenient to start with, I presume.

You can monitor which packages get updated at http://www.debian.org/security

When the logs of osiris and such show changes you can do "dpkg -L packagename" to see what files belong to a new package. You can then use diff to compare the output with the log to see only the files that don't belong to this package. If there are a few new packages you can direct the output of dpkg -L for each package into a file after which you can compare this file with the log. This way you will only see the relevant information.

Monitoring your system is important.

You can use programs like Grsecurity and Lids to further define permissions on your system. You can for example hide directories with them, deny tampering with processes and more. http://www.grsecurity.org http://www.lids.org They are pretty difficult to handle, but they are worth it. About Lids: after you learn what commands you'll have to use to setup your system with Lids, you can copy and paste rules from the Lids and Lids wiki site.

If these kinds of programs are too difficult you can take a look at the "chroot" command to try to minimize the impact on your filesystem when you are compromised.

Makejail will automatically set up programs for chrooting. There are some "templates" for programs in /usr/share/makejail/examples if you install Makejail. There is one for apache for example.

You use makejail by doing:

"makejail /usr/share/doc/makejail/examples/templatename"

After you have used makejail you can chroot your program with the command:

"chroot /directory/makejail/created programname options"

You can also use something like user-mode-linux instead of chroot. You can find more info about this at http://www.debian-administration.org

Use chkrootkit and rkhunter to see if someone installed a rootkit on your system.

Rkhunter is not available on Debian but is easily installable and available from http://www.rootkit.nl

You can run them from cron and email the output to yourself by doing:

date /usr/sbin/chkrootkit|mail -s chkrootkit youremailaddress
date /usr/local/bin/rkhunter --update
date /usr/local/bin/rkhunter -c --cronjob|mail -s rkhunter youremailaddress

You will have to substitute date with the proper cron entries. (See below)

It is best to install as little as possible. This way you have fewer programs that could be used to compromise your computer when they have holes in them.

Close ports of programs you don't use.

You can achieve this with:

update-rc.d -f "programname" remove

With this command the program "programname" does not start anymore during the system boot.

You can setup what commands certain users can run with ssh.

You can read how to do that here:

http://www.hackinglinuxexposed.com/articles/20021211.html

Run programs like apache as a user with limited rights on the system.
Documents about securing apache and such can be found here:

http://www.securityfocus.com/unix

This document shows very well how you can secure Linux: http://www.gentoo.org/doc/en/security/security-handbook.xml  I guess I have shown well how to get your system secure, but the document is detailed and will give you a better view on security on Linux.

Last but not least: keep your system up to date. People often get in systems because of holes in programs.

You can for example run this to achieve that:

"crontab -e"

# every 15 minutes, around the clock; the upgrade runs one minute after the update
*/15 * * * * /usr/bin/apt-get update
1-59/15 * * * * /usr/bin/apt-get upgrade -y

"ctrl X"

This will update your system with security updates every 15 minutes 24/7 when they are available.
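The "dpkg -L into a file, then compare with the log" trick from above, scripted. This is an added example, not from the original post: the package file lists are constructed stand-ins for dpkg -L output so it runs anywhere, and the report is a constructed osiris-style list of changed paths.

```shell
#!/bin/sh
# Added example (not from the original post). Filters an integrity-checker
# report (osiris/aide style, one changed path per line) down to the changes
# that are NOT explained by freshly upgraded packages.
export LC_ALL=C   # comm needs both inputs sorted the same way

# Offline stand-in for "dpkg -L <package>": constructed file lists.
# On a real Debian box replace the body of this function with:  dpkg -L "$1"
pkg_files() {
    case "$1" in
        openssh-server) printf '%s\n' /usr/sbin/sshd /etc/init.d/ssh ;;
        libc6)          printf '%s\n' /lib/libc.so.6 /lib/ld-linux.so.2 ;;
        *) echo "pkg_files: unknown package $1" >&2; return 1 ;;
    esac
}

# unexplained_changes "pkg1 pkg2 ..." < report
# Prints the changed paths that belong to none of the listed packages.
unexplained_changes() {
    owned=$(mktemp) || return 1
    for p in $1; do pkg_files "$p"; done | sort -u > "$owned"
    sort -u | comm -23 - "$owned"      # lines only in the report
    rm -f "$owned"
}

# Constructed report: what the checker might show after an upgrade of
# openssh-server and libc6, plus two changes nobody asked for.
REPORT='/usr/sbin/sshd
/lib/libc.so.6
/usr/bin/passwd
/bin/ls'

# Only /bin/ls and /usr/bin/passwd remain: those need a closer look.
printf '%s\n' "$REPORT" | unexplained_changes "openssh-server libc6"
```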
2006/2/2, Andrei Popescu <andreimp@rdslink.ro>:
On Thu, 02 Feb 2006 14:12:09 +1100
Yasir Assam <list1@endlessvoid.com> wrote:

> Thanks for your feedback Andrei - I appreciate it. I think I'll invest time in learning shorewall.
>
> Yasir

Here is a very good starter for Shorewall on Debian http://www.cyberdogtech.com/firewalls/firewall/

Regards
Andrei

P.S. Please send replies only to the list
--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)

