Very Computer

I used to think that my systems were fairly secure...but after reading some
of the threads in here about people getting hacked, I am beginning to get a
bit paranoid/worried.

I run an IPP, and my systems must be directly connected to the Internet.
There is no real concept of stuff that could be hidden behind a firewall, so
I am on the front lines.

I use Slackware Linux, with a recent kernel.  Here are some of the steps I
have taken to secure things.  I would appreciate more
pointers/tips/suggestions/etc.

1. Disabled all unnecessary services in inetd.conf, including finger,
netstat, etc, etc.

2. Shut down mountd, nfsd, and other unnecessary daemons and prevented them
from starting up on bootup.

3. Downloaded and installed the latest version of sendmail.  Implemented
some of the anti-spam features in 8.9.1.

4. Removed serial and remote terminals from being considered secure
terminals in /etc/securetty.   Thus, root can only login from the 'login:'
prompt at the console, which is behind locked doors.

5. Limited su's to root to group root (same concept as wheel).  The only two
members of group root are myself and the second admin.  Thus, only two
accounts can su to root.

6. Implemented strong passwords for root, and the two admin accounts and
change them on a regular basis.

7. Require CGI scripts to be run using CGIwrap, which runs the script as the
UID of the user, not 'nobody'.

8. Altered syslog.conf so that certain log messages go to non-world readable
log files (to prevent joeuser from reading 'messages' and seeing that some
dumbass tried to login with his password instead of his username, and it

I can't remember some other steps I have taken, but am I missing anything
significant??  One thing I wanted to do, but couldn't find much
documentation on, was implementing some security for BIND 8.1, to prevent
unauthorized zone transfers and things like that.  Any pointers?

Also, how secure is it to post info on this newsgroup?  If I was a hacker I
think I would read this group to find out who is secure and not secure....

Thanks
Jay Ribak

Quote:> 3. Downloaded and installed the latest version of sendmail.  Implemented
> some of the anti-spam features in 8.9.1.

Not just Sendmail.  Install the latest version of *everything* that has had
a CERT advisory against it.

If it's a service important enough to leave turned on, it's important
enough to keep the patches up to date.

The rest of your list looks pretty good - I'd also add:

9) Disable telnet, and require the use of ssh instead, to prevent
the sniffing of passwords/

application_pgp-signature_part < 1K Download

Hello Jay!

Quote:> I used to think that my systems were fairly secure...but after reading some
> of the threads in here about people getting hacked, I am beginning to get a
> bit paranoid/worried.

Be afraid. Be very -very- afraid. JK! :)

What you described sounds very good. Up to date software counts for a
lot. You mentioned passwords, I'm assuming that includes shadow.

I'd suggest running tripwire daily and logcheck as often as possible.
Tripwire is an 'after the fact' thing but useful. Logcheck helps a lot
to nab wannabe crackers as -soon- as possible after an 'attempt' to
write to thei ISP and stop them from from trying other servers. I
average about one attempt a day on various services.

And -backup- early and often!! It's only a matter of time; you -will-
be cracked. Backups enable you to rebuild and restore as quickly and
smoothly as possible, your users will love that.

Have a :) day!

jb

--
jim barchuk

Quote:>I can't remember some other steps I have taken, but am I missing anything
>significant??

  You may - try checking up CERT advisories to see if there is
anything that strikes your eye.  Or search www.rootshell.com or
ftp.technotronic.com for any services you may have installed.  (Qpop?)
And the recent bugtraq archives ...

  *You* have to cover all holes to stop them from breaking in -- while
*they* only have to find one single hole to get in. It's not cricket,
exactly ...

--

Telia ProSoft AB, Teknikringen 6, S-583 30 Linkoping, Sweden

Hmmm... it is cricket: the sysadmin's the batsman - one mistake and he's
out - whereas the hacker's the bowler - hit him for six and still might
get you with his next ball :(

A change of innings would be nice :)

~ Matthew ~

I don't know why I only mentioned sendmail.  I also use the latest versions
of Apache, Qpopper, as well as  more 'internal' stuff such as perl, tcl,
etc.

Sometimes its tough keeping up on all of the latest versions!

I was definitely thinking of implementing SSH.  Where can I find it for
download?   I understand the basic principles of SSH, but is there a windows
client also?  I do a lot of remote administration by dialing in and
telnetting to a box from one of my windows machines.   It would seem a
little odd to only have SSH protection from UNIX to UNIX telnet and not
windows to UNIX...

Thanks
Jay

Yes, I didn't mention shadowing because that is a default for Slackware
Linux, and I think most versions of Linux nowadays...

Quote:> I was definitely thinking of implementing SSH.  Where can I find it for
> download?   I understand the basic principles of SSH, but is there a windows
> client also?  I do a lot of remote administration by dialing in and
> telnetting to a box from one of my windows machines.   It would seem a
> little odd to only have SSH protection from UNIX to UNIX telnet and not
> windows to UNIX...

Not hard to find if you look.

http://www.ssh.fi

ftp://ftp.cs.hut.fi/pub/ssh IIRC

See http://www.zip.com.au/~roca/ttssh.html for a free windows ssh
client. The terminal emulation of Tera Term (?) is pretty good and
makes it easy to convince users to dump win telnet.
--
cmg

It's 12 Dec 98  07:52:07,

discussion of How secure am I really??

 mp> Hmmm... it is cricket: the sysadmin's the batsman - one mistake and
 mp> he's out - whereas the hacker's the bowler - hit him for six and still
 mp> might get you with his next ball :(

Hehehe. :-)

Might have to bat like your boys did in the 70's. :P

(sorry, couldn't resist :-) ).

 mp> A change of innings would be nice :)

Well, you can always send a few deliveries of your own, as unlike
cricket, the pitch works both ways. :-) (not that I'd seriously advocate
"counter hacking").

.. I'm not a complete idiot -- several parts are missing.
--
|Fidonet:  Tony Langdon 3:635/728.18

|
| Standard disclaimer: The views of this user are strictly his own.

It's 12 Dec 98  08:27:49,

discussion of How secure am I really??

 jr> I was definitely thinking of implementing SSH.  Where can I find it
 jr> for download?   I understand the basic principles of SSH, but is there

ftp.replay.com (I think).

 jr> a windows client also?  I do a lot of remote administration by dialing
 jr> in and telnetting to a box from one of my windows machines.   It would
 jr> seem a little odd to only have SSH protection from UNIX to UNIX telnet
 jr> and not windows to UNIX...

You can buy a commercial client, but there's also a good freeware
alternative.  Tera Term, which is a telnet client can be installed.  You
then need to install the SSH add on, and it will do both telnet and SSH.

You can find links to Tera Term's home page on www.winfiles.com, and
from the home page, there is a link to the SSH add on.

Works fine for me. :)

.. All I need is a Wave and a board to surf it on.
--
|Fidonet:  Tony Langdon 3:635/728.18

|
| Standard disclaimer: The views of this user are strictly his own.

Quote:>I used to think that my systems were fairly secure...but after reading some
>of the threads in here about people getting hacked, I am beginning to get a
>bit paranoid/worried.

>I run an IPP, and my systems must be directly connected to the Internet.
>There is no real concept of stuff that could be hidden behind a firewall, so
>I am on the front lines.

>I use Slackware Linux, with a recent kernel.  Here are some of the steps I
>have taken to secure things.  I would appreciate more
>pointers/tips/suggestions/etc.

<stuff deleted>

Quote:>6. Implemented strong passwords for root, and the two admin accounts and
>change them on a regular basis.

All accounts need to have strong passwords.  Once someone is on the system
as any account, they will have a considerably easier time breaking root
and launching other attacks from your machine.

Quote:>7. Require CGI scripts to be run using CGIwrap, which runs the script as the
>UID of the user, not 'nobody'.

This sounds to me like it may hurt more then it helps you.  If users write bad
CGI scripts, then now the attacker effectively has their ID instead of
nobody!

Consider running httpd in a carefully set up chroot() area, with loopback
mounted read-only restricted filesystems, wherever possible.  Consider
setting up pairs of UIDs or using some other UID for just cgi, so user cgi
scripts are *not* running with the userid of login accounts on your system.

Try to get this logging off onto another possibly more-secure machine.

Quote:>I can't remember some other steps I have taken, but am I missing anything
>significant??  One thing I wanted to do, but couldn't find much
>documentation on, was implementing some security for BIND 8.1, to prevent
>unauthorized zone transfers and things like that.  Any pointers?

I believe there are links to this info on http://www.isc.org/

You will want to use the allow-transfer {} directive.

Hope this helps,

-Mark

--

Quote:

>See http://www.zip.com.au/~roca/ttssh.html for a free windows ssh
>client. The terminal emulation of Tera Term (?) is pretty good and
>makes it easy to convince users to dump win telnet.

I use SecureCRT (www.vandyke.com).  As part of a cooperative
arrangement with some folks at Univ of Wisconsin, I got my hands
on a list of SSH clients they maintain.  I, of course, lost the
Wisconsin URL, but a recent version of the list they put together
is on my web page:  http://www.ece.nwu.edu/~mack23/ssh-clients.html.

--

ECE Dept., Northwestern Univ.           for PGP 2.6.2 public key
Evanston, IL 60208 Ph:(847) 491-8141    ICBM: 42.054551 N, 87.694331 W      
Old house?  Check out The Old House Chronicle.  http://www.ece.nwu.edu/ohc/