All The Best Linux Security Hardening?

Discussion in 'Backup and Security' started by ktmexc20, Mar 18, 2006.

  1. I am changing to a new linux distro and with that I am trying to learn about network security in all its depth.

    My objective with this topical question is: what are all the best ways to protect my computer from the WAN in a linux environment?

    Topics like chroot jailing, browser considerations, isolating services, gateway box, proxy, VNC (xen natively supported w/ kernel patch), partitioning recommendations, virusware (clamav, etc), firewall initiatives (IPtables, and other considerations), network & port monitoring (both real time & logging), rootkit detection, etc... IOW, any and all other efforts or considerations...

    Whatever you have to offer, so I can be assured I have a system that is as hardened as possible.

    Custom configs and linux programming are not intimidating... If you have any questions about my hardware or configs, please specify them.

    Thanks for offering your recommendations and solutions.

  2. Here is a link to a free open source book on Linux security that may prove useful. The book is available for free download in PDF format.

    (It's near the bottom of the page).

    If you are the only person with access to your network, and it's behind a hardware firewall (or uses iptables) then I reckon it's fairly secure already.

    The browser is probably the main potential point of attack. You could run the browser under a separate user ID reserved for just browsing, or for the truly paranoid in a separate virtual machine using VMware or Xen.
  3. Hi dcraig,

    Thanks for replying. Yeah, I've been doing all sorts of reading and am finally starting to comprehend networking, protocols, and services in general as well as related security implementations. Initially it's a bit overwhelming, so now that I understand more, I just wanted to sort some of it out. Which is why I was interested in a little linux-specific dialog here.

    Would using iptables be as reliably secure as a "hardware" firewall? If not, does a "home" (linux) router/gateway box serve the same security?

    Does a "hardware" firewall actually do some sort of electronic switching that makes it "hardware"? Or, is it just a fancy reference for well enacted table routing and port blocking?

    As for the browser isolation, I constantly need to have my browser open (JavaScript regulated) while I'm working with offline stuff on my other monitors, so would VNC (latency?) be the right way to do that, or something else? Maybe by using xinerama in order to have another X server for a singled-out monitor... or some such. (chrooting?)

    Are there any other concerns I should look out for?

  4. You can easily run firefox for example under another user id:

    1. Create a new group and user specifically for browsing.

    2. Open a terminal window and do

    xhost +

    This disables X server access controls so users other than the user id under which the X server was started can access the X server.

    3. su to the browsing user.

    4. run firefox, e.g.


    The 'hardware' firewalls in ADSL modem/routers are just embedded processors with appropriate software in ROM.

    I would think that iptables should be very secure, but only insofar as it is correctly configured. The advantage of an external firewall is that it's just set and forget.

    Even if you are behind a firewall, it's advisable to turn off unwanted services (such as FTP or HTTP server etc). These are configured in /etc/inetd.conf. Modern Linux distros have minimal defaults for these so the out-of-the-box config should be fine.
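The browser-as-separate-user procedure in the post above, worked through as an added example that is not from the thread: it replaces `xhost +` (which turns off X access control for every user on the machine, and for every host if the server listens on TCP) with an xhost entry that admits the one local browsing user, and adds a check for a server that someone has already left wide open. The account name `browse`, the use of sudo rather than su, and the subcommand names run, check and revoke are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread).  Runs a browser under a dedicated,
# unprivileged account without `xhost +`, which disables X access control for
# every local user (and every host, if the server listens on TCP).  Instead the
# browsing user alone is admitted with a server-interpreted "localuser" entry.
# Assumptions: the account ($BROWSE_USER) already exists, sudo may switch to it,
# and DISPLAY points at the running X server.

BROWSE_USER="${BROWSE_USER:-browse}"   # assumed account name, created with useradd -m

# The xhost(1) entry that admits one local user and nobody else.
xhost_entry() {
    printf 'SI:localuser:%s' "$1"
}

# Read `xhost` output on stdin; succeed (exit 0) when access control is off,
# i.e. when somebody has run `xhost +` on this server.
x_acl_is_open() {
    grep -q '^access control disabled'
}

# Audit the live X server; warn if it is wide open.
check_x_acl() {
    if xhost | x_acl_is_open; then
        echo "WARNING: X access control is disabled; run 'xhost -' to re-enable it" >&2
        return 1
    fi
    echo "X access control enabled; authorized entries:"
    xhost | sed 1d
}

# Admit the browsing user and start the browser under that uid with a clean
# environment (only DISPLAY and a private HOME are passed through).
run_isolated_browser() {
    user="$1"; shift
    xhost "+$(xhost_entry "$user")" >/dev/null
    sudo -u "$user" env -i DISPLAY="$DISPLAY" HOME="/home/$user" "$@"
}

# Revoke the entry again when the browsing session is over.
revoke_browser_access() {
    xhost "-$(xhost_entry "$1")" >/dev/null
}

case "${1:-}" in
    run)    run_isolated_browser "$BROWSE_USER" "${2:-firefox}" ;;
    check)  check_x_acl ;;
    revoke) revoke_browser_access "$BROWSE_USER" ;;
    *)      : ;;   # no argument: only define the functions (safe to source)
esac
```

Create the account first (`useradd -m browse`), then `./browse.sh run firefox`; `./browse.sh check` reports whether the current ACL is wide open, and `./browse.sh revoke` removes the entry again. The other common route is to hand the browsing user a copy of the X cookie (`xauth extract - "$DISPLAY" | sudo -u browse xauth merge -`) and not touch xhost at all; either way the grant is for one uid, not for everyone who can reach the socket.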
  5. Great. Thanks.

    Now if I were to want to run some services (server/client), is that when I should consider the properly configured gateway box? Keeping those services secluded on that "public" box with a second firewall between it and my private host?
  6. Btw, those are some great books to have around. Thanks for that link!
  7. I guess so, if they are services open to the internet, e.g. an HTTP server.
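The point made in post 4 (iptables is only as secure as its configuration) and in post 7 (a service deliberately open to the internet), as an added example that is not from the thread: a default-deny INPUT chain in iptables-restore format, with the fragile default-ACCEPT blacklist form beside it and a small audit that reads a saved ruleset and reports the INPUT policy. The LAN range 192.168.1.0/24, HTTP on port 80 as the one exposed service, SSH reachable from the LAN only, and the subcommand names apply and show are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread).  A default-deny iptables ruleset in
# iptables-restore(8) format: everything inbound is dropped unless it belongs to
# a connection this host started, arrives on loopback, or is one of the services
# deliberately exposed.  Assumptions: the LAN is 192.168.1.0/24 (for SSH), the
# only service open to the internet is HTTP on port 80, and the conntrack and
# limit match modules are available (any reasonably modern kernel).

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range

# The fragile form: default ACCEPT with a blacklist.  Anything not explicitly
# listed (a new daemon, a port opened by mistake) is reachable from the WAN.
default_accept_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 139 -j DROP
COMMIT
EOF
}

# The hardened form: default DROP, whitelist what is wanted, log the rest
# (rate-limited so a scan cannot fill the log).
default_deny_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Audit helper: given a ruleset in iptables-save format on stdin, print the
# INPUT chain policy.  On a live box: iptables-save | input_policy
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }'
}

# Load the hardened ruleset atomically (needs root).  iptables-restore replaces
# the whole table in one step, so there is no window with a half-built chain.
apply_default_deny() {
    default_deny_ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply_default_deny ;;
    show)  default_deny_ruleset ;;
    *)     : ;;   # no argument: only define the functions (safe to source)
esac
```

`./fw.sh show` prints the ruleset for review and `./fw.sh apply` loads it; run `iptables-save | input_policy` on an existing box to see whether its INPUT chain is DROP or ACCEPT before trusting it. OUTPUT is left at ACCEPT here, so this filters what can reach the host, not what the host can talk to; IPv6 needs the same treatment with ip6tables, and the dropped packets land in the kernel log with the `iptables-drop:` prefix, which is the logging half of the "network & port monitoring" the original question asked about.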
  8. Thanks again dcraig.
  9. Clients don't listen, they connect (at least for connection oriented protocols such as TCP). When an application calls connect(2) the operating system allocates a port as the local connection endpoint. It can be bound to a specific local port, but that is usually not necessary.
  10. Oops, sorry about that. I kind of rationalized the answer to my question before I deleted it. :)
    #10     Mar 19, 2006