
Hardening Linux

CmdrTaco posted more than 6 years ago | from the you-know-you-should dept.

Security 204

davidmwilliams writes "Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities. Read about the essential steps to secure your server as well as how to solve them manually and via automated tools like Bastille."


204 comments

FP (4, Funny)

Anonymous Coward | more than 6 years ago | (#20202787)

yes but does it run my favorite rootkit?

Re:FP (0)

Anonymous Coward | more than 6 years ago | (#20202833)

do you want that with or without DRM sauce?

Re:FP (1)

SplatMan_DK (1035528) | more than 6 years ago | (#20203189)

Not if your favorite rootkit is the Sony music CD rootkit. Sony have wisely decided to only annoy Windows users ... ;-)

Re:FP (1, Funny)

Anonymous Coward | more than 6 years ago | (#20203487)

Has anyone got the rootkit to work under Wine?

I'm sick of Linux users being left out. I demand that companies like Sony & Microsoft release bad software for Linux too.

Re:FP (1)

SplatMan_DK (1035528) | more than 6 years ago | (#20203853)

Maybe you should try using Parallels. It uses far more resources but should get the job done for you ...

And hey ... using 290 MB of memory to run a rootkit on a non-MS OS could be pretty cool ;-)

- Jesper

I'm not sure what this is doing on /. (1, Funny)

Silver Sloth (770927) | more than 6 years ago | (#20202797)

It's a pretty reasonable 'how to' of a basic sort but I would expect most of the /. crowd to be well bwond this level of competance.

Should have used preview (1)

Silver Sloth (770927) | more than 6 years ago | (#20202841)

Those that are not 'bwond' this level of competance will be 'beyond' it. Sunday, bloody Sunday!

Re:Should have used preview (0)

Anonymous Coward | more than 6 years ago | (#20203199)

Those that are not 'bwond' this level of competance will be 'beyond' it.
I don't think your spelling is quite up to that level of competence yet.

How To in summary... (5, Informative)

IBBoard (1128019) | more than 6 years ago | (#20202849)

For those not wanting to read the article, that "basic how to" is:

1) Disable unwanted services (done via the CLI in this day of GUIs)
2) Keep the OS patched
3) Install and run Bastille to do everything else for you.

Re:How To in summary... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20202891)

1) Disable unwanted services (done via the CLI in this day of GUIs)

Reason #1 that people who use real OS's laugh at Linux. Followed by reason #2, copy and paste beyond basic text between applications.

Re:How To in summary... (0, Informative)

Anonymous Coward | more than 6 years ago | (#20203077)

It doesn't *have* to be done via the CLI; gedit would accomplish the same task, graphically. It's just that proper computer techies (you know, not those who need a wizard to admin things for them) use a command line because it's either faster and/or scriptable for them to do so. It's also not taxing on bandwidth should you want to remote in and do something, unlike a graphical app.

Re:How To in summary... (0)

Anonymous Coward | more than 6 years ago | (#20203155)

Go back to digg; clueless trolls or paid shills are not welcome here.

Re:How To in summary... (0)

Anonymous Coward | more than 6 years ago | (#20202927)

And yet if someone writes an article like this on how to secure Windows (where, let's face it, the advice, aside from #3, is exactly the same) it's proof that Windows is insecure.

Re:How To in summary... (3, Insightful)

Knuckles (8964) | more than 6 years ago | (#20202947)

And yet if someone writes an article like this on how to secure Windows (where, let's face it, the advice, aside from #3, is exactly the same) it's proof that Windows is insecure.

That's because the article fell through a hole in time, and actually belongs in 1997. They are already yelling to give their article back. No self-respecting consumer distro has shipped with open ports in ages.

Re:How To in summary... (5, Funny)

tomhudson (43916) | more than 6 years ago | (#20202997)

The summary is ... strange.

"... many Linux systems are insecure with open ports" ... "...how to secure your server ..."

Remember all those internet ads about "YOUR COMPUTER HAS OPEN PORTS !!!"

It's a computer connected to "Teh Intarweb" - it's supposed to have open ports.

Next we'll read another story about how some "1337 hacker hacked into another person's machine" at IP address 127.0.0.1, erased all their files, and somehow, the "other person" was able to hack their machine and do the same thing ...

Followed by a nostalgic look at "Punch-the-monkey" ads.

Re:How To in summary... (1)

Knuckles (8964) | more than 6 years ago | (#20203303)

It's a computer connected to "Teh Intarweb" - it's supposed to have open ports.

Not if it just acts as a client, as most "consumer" machines do.

Re:How To in summary... (0)

Anonymous Coward | more than 6 years ago | (#20203481)

opening an outbound tcp connection creates an open port on the local machine. It won't accept incoming connections, though.

Re:How To in summary... (1)

Knuckles (8964) | more than 6 years ago | (#20203571)

opening an outbound tcp connection creates an open port on the local machine. It won't accept incoming connections, though.

But ports that are only open in response to the user initiating a connection are not open "by default", are they. Plus, this is just the way things are, technically, and as such not usable as differentiating criteria, wouldn't you agree?

Re:How To in summary... (0)

Anonymous Coward | more than 6 years ago | (#20203637)

I think by "Open ports", he means ones that do accept connections.

Re:How To in summary... (1)

DaleGlass (1068434) | more than 6 years ago | (#20203859)

It doesn't seem to be very widely known, but at least on Linux, all of 127.0.0.0/8 is assigned to the loopback. So 127.85.31.97 would work just as well, in case you happen to find a script kiddie a bit smarter than average.

Re:How To in summary... (0, Troll)

DrSkwid (118965) | more than 6 years ago | (#20203145)

My GUI has a command line.

It's curses that keeps Lunix stuck in the dark ages.

Re:How To in summary... (1)

IBBoard (1128019) | more than 6 years ago | (#20203227)

Yes, but GUIs also normally have applications to enable and disable services (which was my point). Their method is to hack in files from the command line or similar, while most distros should have an "easy to use" service management app. I know Redhat and Fedora have for ages.

Re:How To in summary... (1)

DrSkwid (118965) | more than 6 years ago | (#20203385)

> Yes, but GUIs also normally have applications to enable and disable services (which was my point).

ed or a text editor work for me.

Clicking buttons is primitive.

Re:How To in summary... (4, Insightful)

Jessta (666101) | more than 6 years ago | (#20203633)

I've always found GUI tools to be slow and weird.
gentoo has great service management: /etc/init.d/ start, /etc/init.d/ restart, /etc/init.d/ stop

GUI tools are seriously annoying. Since this article is about security and disabling unneeded services, having config tools that require the unneeded service X11 is pretty silly.

Re:I'm not sure what this is doing on /. (1)

HoosierPeschke (887362) | more than 6 years ago | (#20202889)

Well, not everyone is good at everything. I'm always looking for new references of how to do things, either for myself or people I have been trying to convert to Linux. I typically take guides of this nature and make quick references or sticky notes to remind myself of all the checks to properly secure a box. For instance, I download every new Gentoo handbook and update my quick reference for that, which is only 3 pages long (install through config)!

Slashdot comments (and sometimes articles) contain tons of references I have used to better my knowledge (verified through other sources of course).

Re:I'm not sure what this is doing on /. (3, Informative)

ozmanjusri (601766) | more than 6 years ago | (#20203113)

I'm always looking for new references of how to do things, either for myself or people I have been trying to convert to Linux.

Don't read TFA then. The advice it gives is barely relevant to any distro released in the past decade.

Dude, that article sucked. (4, Insightful)

khasim (1285) | more than 6 years ago | (#20202913)

Did you see where it mentioned nmap? No? Because it didn't. Wouldn't you expect it to tell you to run nmap from a different machine so you can see what your outside profile looks like?

It reads more like someone who's just discovered Bastille and now considers himself "informed" on "security issues".

Step #1. Limit the avenues of attack. This is where you'd use nmap.

Step #2. Remove anything you don't absolutely need. Come on, most people out there will be running some distribution now. At least he could have covered dpkg, rpm, etc.

What's this with the "Enter kill -9 xxx where xxx is the PID."? How about just /etc/init.d/service_name stop? Just use the package manager to remove it.

And editing xinetd.conf / inetd.conf? Again, just use the package manager to remove it.

And he doesn't even go into how each distribution handles package updates? What the fuck? Nothing about "apt-get update"? No "apt-get upgrade"?

No, this article is about someone's discovery of Bastille and how it helps an old, stock installation of Red Hat.

Re:Dude, that article sucked. (1)

bigredgiant1 (756646) | more than 6 years ago | (#20203105)

Did you see where it mentioned nmap? No? Because it didn't. Wouldn't you expect it to tell you to run nmap from a different machine so you can see what your outside profile looks like?
Actually, you can run nmap from the local machine, as long as you target an IP of the machine that is accessible via the network (often 0.0.0.0, 192.x.x.x, 10.x.x.x, or an internet IP,) it will give you the same list of open ports as if you were running it from a different machine. It is often useful to run it locally, anyway, so that you can compare the output of `nmap localhost` and `nmap 0.0.0.0`, as often a machine will have services running that are only accessible locally.

That's a good point. Thanks. (4, Interesting)

khasim (1285) | more than 6 years ago | (#20203287)

It is often useful to run it locally, anyway, so that you can compare the output of `nmap localhost` and `nmap 0.0.0.0`, as often a machine will have services running that are only accessible locally.

Yep. That's why I prefer hitting it from a different machine. Multiple machines if possible. One on the same LAN segment and one from somewhere on the Internet.

That way you'll see what a would-be-attacker will see.

Sure, I might be running SMTP on port 25, but bound to 127.0.0.1 instead of eth0. An attacker would have to FIRST gain access to my machine through some other means to be able to attack my SMTP service.

Sure, that first hurdle might be set very, Very, VERY, VERY high, but if someone can get over it ... that's why patching is still important. But that's also why patching cannot be your only "defense". You will not know what vulnerabilities the bad guys have found that are not patched yet. Defense in depth.

And that's what "security" is all about to me. It's the PROCESS of evaluating threats and reducing their effectiveness.

Re:That's a good point. Thanks. (1)

bigredgiant1 (756646) | more than 6 years ago | (#20203787)

I think you missed my point -- you can see what an attacker would see from the local machine, by nmapping the network IP. Going to a different machine is superfluous.

Maybe. (1)

khasim (1285) | more than 6 years ago | (#20203899)

I think you missed my point -- you can see what an attacker would see from the local machine, by nmapping the network IP. Going to a different machine is superfluous.

I set up a VPN connection for a co-worker last week. She was directly connected to the Internet through her ISP supplied cable modem.

Except that that particular cable modem automatically filtered the inbound connections. Checking her machine showed that everything was okay ... but checking from outside showed that everything was not okay.

Rather than waste time trying to determine all the possible combinations that COULD cause something ... just scan the same way a would-be-attacker would. It may be "superfluous", but it will give you the EXACT view that the attacker will be seeing. Through external firewalls, software firewalls, etc.

chkconfig anyone? (1)

NoBozo99 (836289) | more than 6 years ago | (#20203873)

Last time I looked (at least on redhat systems) chkconfig can show you which services are running and disable the ones you don't want running.

chkconfig --list
chkconfig nscd off

Re:Dude, that article sucked. (1)

Wonko the Sane (25252) | more than 6 years ago | (#20203285)

Do people really still use xinetd? I understand how on the 486 with 8 MB of ram you couldn't afford to keep all your services running all the time, but now?

In my mind this is just like the mbox vs. maildir argument. It took about 10 years after MFM drives stopped being used until everyone realized that mbox wasn't faster anymore [courier-mta.org] .

Re:I'm not sure what this is doing on /. (1, Funny)

Anonymous Coward | more than 6 years ago | (#20203061)

"It's a pretty reasonable 'how to' of a basic sort but I would expect most of the /. crowd to be well bwond this level of competance" - by Silver Sloth (770927) on Sunday August 12, @10:33AM (#20202797)

Apparently not!

I say this, because I have challenged the *NIX crew here, 26 times now to be exact, here in these url's, to try the multiplatform benchmark of online security (by the CENTER FOR INTERNET SECURITY, noted by SANS + COMPUTERWORLD, no less, as legit/good etc.):


LASTLY, & imo, MOST IMPORTANTLY, from a LINUX oriented site, where they suggested BSD instead:

http://linux.sys-con.com/read/382946_f.htm [sys-con.com]

I challenged folks who use *NIX's above, to get someone from the *NIX camp here @ /., to try the multiplatform benchmark of online security (by the CENTER FOR INTERNET SECURITY, noted by SANS + COMPUTERWORLD, no less, as legit/good etc.)...

Yes, I would preferably like to see a result photo (legit/unfaked, because I had someone insinuate they would or could do that here once @ this site) someone using FreeBSD or SeLinux kernel hook addon bearing distros of LINUX (Ubuntu 7.04 onwards has this 'baked in' no less, & it's pretty widely used).

HOWEVER- All I have gotten is evasions I easily overcame, such as:

----

1.) "There is no registry in Windows", but, there is for example in the /etc tree-subtree & its state keeping files & folders, thus, an analog exists to test access control levels to on that note!

(That's just 1 example, because *NIX uses what oldschool Win3.x did, in init files (.ini in Windows) scattering them all over the system: GOOD for security in 1 respect that 1 grenade cannot take out the whole platoon, but bad in that text file access is SLOWER than binary data can be (& the Windows registry is a mix of both data types & more - & yes, Windows & its apps still can & DO use .ini files too, besides the registry if need be or designed thus!)

&

2.) The program "is not legitimate & spyware", & who is "THE CENTER FOR INTERNET SECURITY" etc. et al, & to that? All I can say is this (if you trust SANS alone? It should suffice!):

CIS Tool (multiplatform test/gauge of ONLINE SECURITY) is downloadable here:

http://www.cisecurity.org/bench.html [cisecurity.org]

& it is noted by both SANS & COMPUTERWORLD as legitimate, not "bushwhack ware":

MULTIPLATFORM ONLINE SECURITY TEST CIS TOOL (NOTED @ SANS: CIS to Release Windows Configuration Assessment Tool (May 1, 2007)):

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=36#sID302 [sans.org]

MULTIPLATFORM ONLINE SECURITY TEST CIS TOOL (NOTED @ COMPUTERWORLD):

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018362&intsrc=hm_list [computerworld.com]

2 respected sources about computer information AND security!

----

Anyhow/anyways:

I made those 26 "challenges" here @ /., & other LINUX oriented sites (where BSD variants were actually suggested as far as security, but imo, SeLINUX bearing distros could do the job well too), per these URL's above, & ALL I GOT WAS EVASIONS, no test results posted!

Perhaps this topic @ /. will get some folks "more up to speed" on security hardening their *NIX based OS, & they will then, take the multiplatform CIS TOOL test & compare their scores (AND MORE IMPORTANTLY, techniques used, OR "bugs" they may have found & disagree with on their score result, as I had & mention here no less)...?

I hope so!

Again - *NIX person needed (preferably SeLinux user, or FreeBSD user):

TO COMPARE MY SCORE of 84.735/100 on the CIS TOOL multiplatform security test, vs. what ANY *NIX person would score!

So we could discuss things I have seen in the test that "scored me down" which you also MAY FIND!

(When I am 95-99% sure, the test made some minor errors on the areas noted on my score no less that I have run by the CENTER FOR INTERNET SECURITY's DEVELOPERS no less, but no answers came back yet on the issues I pointed out - thus, I am fairly certain my score is ACTUALLY HIGHER)... that all said?

Perhaps the *NIX folks will benefit from this posting here @ /. & take the challenge I post!

PHOTO OF MY SCORE ON THE MULTIPLATFORM CIS TOOL BY THE CENTER FOR INTERNET SECURITY:

http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg [techpowerup.org]

FOR *NIX USER'S REFERENCE, SHOULD THEY HAVE THE COURAGE & SKILL TO HARDEN THEIR RIGS & INSTALL + RUN THIS TEST & POST THEIR SCORES HERE @ SLASHDOT, finally...

APK

P.S.=> Decent *NIX links for security? Try these for starters & GET SeLINUX understood & configured for your needs (provides Mandatory Access Control (MAC) to files/folders beyond chroot-chmod-chown & ALSO, Sockets Level Control as well), learn IPChains/IPTables & how to packet filter (built into the LINUX kernel already) to layer security on the fronts of IP & file/folder accesses, & maybe these will help too:

http://www.cromwell-intl.com/security/security-stack-hardening.html [cromwell-intl.com]

http://www.puschitz.com/SecuringLinux.shtml [puschitz.com]

BOTTOM-LINE:

I really would like to see someone with a STRONG *NIX security background take the CIS TOOL test, after hardening their rig, & compare their score to mine, & to discuss HOW they did it to achieve their score (ESPECIALLY IF THEY SURPASS MINE on a custom hardened build of WINDOWS SERVER 2003 SP #2)... apk

Re:I'm not sure what this is doing on /. (0)

Anonymous Coward | more than 6 years ago | (#20203099)

84.736/100 on Ubuntu. whoop de dooo.

Re:I'm not sure what this is doing on /. (0)

Anonymous Coward | more than 6 years ago | (#20203457)

I've always wondered how hard it would be to get a Slashdot reader to download and install a root-kit on their Linux box. Thanks to you, now I know it's not hard at all.

Re:I'm not sure what this is doing on /. (0)

Anonymous Coward | more than 6 years ago | (#20203755)

It's a pretty reasonable 'how to' of a basic sort but I would expect most of the /. crowd to be well bwond this level of competance.

Seeing as how 99.999% of Slashdotters are still running under the delusion that teh Lunix is secure (especially compared to Windows Server 2003), your assumption is wildly (and unrealistically) optimistic.

A good question might be that, if hardening a system is so simple and basic... why doesn't it just install that way? Yet another reason teh Lunix isn't ready for prime-time.

ZZzzzz.... (0)

Anonymous Coward | more than 6 years ago | (#20202805)

Apply a firewall to prevent access to potentially vulnerable services, using ipchains.

Hello 2001 when we all switched to iptables. My gran could write a linux security primer like this by rehashing a couple of google articles.

AppArmour (4, Interesting)

Shuntros (1059306) | more than 6 years ago | (#20202829)

I know people seem to find it all trendy to bash Novell these days, but AppArmour is a pretty damn good tool for containing the behaviour of applications. Use a handy little utility to monitor your application (apache, bind, postfix, anything else..) being used in a controlled environment, then apply that ruleset at kernel level and if access isn't defined in the AppArmour profile, it ain't happening.

Isn't Linux already hard? (0)

Ang31us (1132361) | more than 6 years ago | (#20202835)

Does the OS need a fluffer [wikipedia.org] ?

Hmmmm (2, Insightful)

WizMaster (974384) | more than 6 years ago | (#20202843)

Only skimmed the article but it seems to be pushing Bastille more than anything else. Don't know of any installer that automagically starts services unless you specify them yourself. I'm pretty sure there are far better security tutorials and introductions. Better yet, your distro probably has one specifically for it. This seems more like advertising than anything useful. I could be wrong though.

Ipchains? (1)

Wonko the Sane (25252) | more than 6 years ago | (#20202859)

Apply a firewall to prevent access to potentially vulnerable services, using ipchains.
Is that a misprint, or is Bastille still using ipchains? (Is that even possible in modern kernels?)

Huh? (0, Redundant)

MMC Monster (602931) | more than 6 years ago | (#20202867)

I haven't read the article. Can someone please tell me what ports are left open on the default installations of some of the major Linux distributions? I'm running Ubuntu, and I was under the impression that the default installation doesn't leave any ports open.

Re:Huh? (1)

Ang31us (1132361) | more than 6 years ago | (#20202885)

Install nmap and nmapfe, portscan your box, and you'll see what ports are open for yourself. Shut down specific services, portscan again, and you'll see that the ports for those services are no longer open.

Re:Huh? (1)

Shuntros (1059306) | more than 6 years ago | (#20202893)

Use nmap and scan yourself, that will tell you all you need to know. Alternatively you could use a command such as netstat -ltu or lsof -i TCP/UDP. The information is all there, readily available.

Re:Huh? (1)

Knuckles (8964) | more than 6 years ago | (#20202963)

Others told you to run nmap, which is always a good idea. But the Ubuntu default is "no open ports".

Re:Huh? (5, Informative)

Zocalo (252965) | more than 6 years ago | (#20202969)

As root, run the following command:

netstat -plutn
That will list all the listening services on a Linux box, complete with the program/PID that is associated with it. It's faster than just running something like NMAP, plus it will identify whether a program is binding to a specific external IP, a loopback IP and so on, not all of which an external port scanner is going to be able to report on.

Re:Huh? (3, Funny)

drspliff (652992) | more than 6 years ago | (#20203757)

and "netstat -putin" secretly terminates all applications and pretends there's no open ports?

A default Ubuntu box has them all closed. (3, Informative)

khasim (1285) | more than 6 years ago | (#20202989)

I'm running Ubuntu, and I was under the impression that the default installation doesn't leave any ports open.

That is correct. By default, they are all closed.

But you may have changed that. If you've installed any P2P or such apps, you may have open ports from that.

As the other poster suggested, use nmap to determine what your outward profile looks like. Even better, have a friend scan your address from their location. That will tell you what your machine looks like from the Internet.

xxxxxx@xxxxxxx:~$ sudo nmap -p0-65535 10.31.198.130

Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-08-12 07:54 PDT
All 65536 scanned ports on 10.31.198.130 are closed
MAC Address: 00:11:D8:E1:9F:A9 (Asustek Computer)

Nmap finished: 1 IP address (1 host up) scanned in 16.486 seconds

That's without a firewall.

Re:Huh? (1)

jnelson4765 (845296) | more than 6 years ago | (#20203255)

Well, here's the list from my just-about-stock Ubuntu install:

root@david:~# lsof -i -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 6785 avahi 13u IPv4 23031 UDP *:5353
avahi-dae 6785 avahi 14u IPv4 23032 UDP *:32769
hpiod 6910 root 0u IPv4 23326 TCP localhost:2208 (LISTEN)
dhclient 6914 dhcp 6u IPv4 23579 UDP *:68
python 6921 hplip 4u IPv4 23358 TCP localhost:2207 (LISTEN)
cupsd 11487 cupsys 1u IPv4 699709 TCP localhost:631 (LISTEN)
I don't have samba set up on it yet, though - that would add a few ports.

OTOH, I have a hardened Slackware box running as a syslog server, and this is what is running:

# lsof -i -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 587 root 3u IPv4 6356917 TCP *:22 (LISTEN)
syslogd 2144 root 1u IPv4 5073749 UDP *:514
munin-nod 11745 root 5u IPv4 19380 TCP *:4949 (LISTEN)
It also has a firewall set up on both the local machine and the router to block access to those ports that are open to just those IPs that need to get to it.

I don't use Bastille - I'll read through it, and decide what of its recommendations I need to implement, but I don't blindly follow anyone's advice about security.

P. S. - sorry about the formatting - it would be nice to have the <pre> tag available...

Re:Huh? (1)

Knuckles (8964) | more than 6 years ago | (#20203335)

Note that besides avahi (which I forgot in my previous post when I said "no open ports") and dhcp (which has to be open if casual users shall have a chance to connect to their ISP in the first place), all those services in Ubuntu just listen to localhost.
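As an added example (not code from anyone in this thread), this Python parser takes the `lsof -i -P` listings jnelson4765 posted above and applies the distinction Zocalo and Knuckles make: a service bound to localhost is only reachable by someone already on the box, while one bound to `*` or an interface address is reachable from the network. The sample data is the thread's two listings plus one constructed ESTABLISHED line, to show that an outbound connection shows up in lsof but is not a listening service.

```python
from dataclasses import dataclass

# Constructed sample data: the "just-about-stock Ubuntu" lsof listing quoted in the
# thread, plus one made-up ESTABLISHED line (an outbound browser connection) that a
# listener inventory must ignore.
UBUNTU_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 6785 avahi 13u IPv4 23031 UDP *:5353
avahi-dae 6785 avahi 14u IPv4 23032 UDP *:32769
hpiod 6910 root 0u IPv4 23326 TCP localhost:2208 (LISTEN)
dhclient 6914 dhcp 6u IPv4 23579 UDP *:68
python 6921 hplip 4u IPv4 23358 TCP localhost:2207 (LISTEN)
cupsd 11487 cupsys 1u IPv4 699709 TCP localhost:631 (LISTEN)
firefox 7001 dave 40u IPv4 24000 TCP 192.0.2.10:43512->198.51.100.5:443 (ESTABLISHED)
"""

# Constructed sample data: the hardened Slackware syslog server listing from the thread.
SLACKWARE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 587 root 3u IPv4 6356917 TCP *:22 (LISTEN)
syslogd 2144 root 1u IPv4 5073749 UDP *:514
munin-nod 11745 root 5u IPv4 19380 TCP *:4949 (LISTEN)
"""

# How lsof prints loopback binds (-P keeps ports numeric; hostnames may still appear).
LOOPBACK_HOSTS = ("localhost", "127.", "[::1]", "::1")


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str  # "TCP" or "UDP"
    host: str   # as printed by lsof: "*", "localhost", or an address
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when only local processes can reach this socket."""
        return self.host.startswith(LOOPBACK_HOSTS)


def parse_lsof(text: str) -> list[Listener]:
    """Return the listening sockets in `lsof -i -P` output, skipping connections."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "COMMAND":
            continue
        # lsof leaves the SIZE column blank for sockets, so the NODE column cannot be
        # found by position; locate it by value instead.
        node_idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if node_idx is None or node_idx + 1 >= len(fields):
            continue
        proto, name = fields[node_idx], fields[node_idx + 1]
        state = fields[node_idx + 2] if len(fields) > node_idx + 2 else ""
        # A TCP socket not in LISTEN (e.g. an outbound connection) is an open port on the
        # local machine, but it accepts nothing; a connected UDP pair is the same story.
        if proto == "TCP" and state != "(LISTEN)":
            continue
        if "->" in name:
            continue
        host, _, port = name.rpartition(":")  # IPv6 hosts are bracketed, so split on the last colon
        listeners.append(Listener(fields[0], int(fields[1]), fields[2], proto, host, int(port)))
    return listeners


def exposed(text: str) -> list[Listener]:
    """Listeners reachable from the network: what an nmap run from another host would see."""
    return sorted((l for l in parse_lsof(text) if not l.loopback_only),
                  key=lambda l: (l.proto, l.port))


def loopback_only(text: str) -> list[Listener]:
    """Listeners bound to the loopback address only."""
    return sorted((l for l in parse_lsof(text) if l.loopback_only),
                  key=lambda l: (l.proto, l.port))


if __name__ == "__main__":
    for label, sample in (("Ubuntu", UBUNTU_LSOF), ("Slackware", SLACKWARE_LSOF)):
        print(f"== {label} ==")
        for l in exposed(sample):
            print(f"  network-reachable: {l.proto} {l.host}:{l.port} ({l.command}, pid {l.pid}, {l.user})")
        for l in loopback_only(sample):
            print(f"  loopback only:     {l.proto} {l.host}:{l.port} ({l.command}, pid {l.pid}, {l.user})")
```

Running it against the real output of `lsof -i -P` on a box gives the same split; anything in the first group is what a firewall rule or a bind-to-127.0.0.1 change should be considered for.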

Re:Huh? (1)

toppavak (943659) | more than 6 years ago | (#20203489)

I was under the impression that ports are only "open" if an application is actively listening on that port.

In Soviet Russia (2, Funny)

Anonymous Coward | more than 6 years ago | (#20202869)

Linux hardens You

Open Ports? (1)

CastrTroy (595695) | more than 6 years ago | (#20202875)

I know that Mandriva tells you if you have any services installed that have open ports (SSH, Samba) when you do the install. There are some necessary open ports for most users, like samba. Having open ports doesn't have to be a bad thing, although I will agree that having them open without any reason is not a good idea. However, as long as you keep on top of the updates (very easy with Mandriva and most other distros), you shouldn't have too much to worry about.

Per-distro comparisons? (4, Interesting)

delire (809063) | more than 6 years ago | (#20202881)

In this regard I'm very impressed with the work the Ubuntu developers have done: a netstat -tupa post-install reveals a very small attack-surface where ports are concerned. That said, it would certainly be interesting to see a per-distro comparison at some point.

Anyone know of such a project - even if just comparing a few top-tier distributions?

Re:Per-distro comparisons? (3, Insightful)

DrXym (126579) | more than 6 years ago | (#20203437)

I think a dist security roundup would be an awesome thing. Do a default install of Mandriva, RedHat, Ubuntu etc. and then run nmap, examine their password policy, see what "dangerous" apps are installed by default and so on. Dists should be named and shamed if they have a single port open.

Hardened Linux From Scratch (2, Interesting)

owlman17 (871857) | more than 6 years ago | (#20202887)

This is mainly for those who roll their own using LFS, but Hardened Linux From Scratch [linuxfromscratch.org] should give some tips, and practical advice, which critical areas need patching, plus proper practices.

Lots of linux stories on the front page (-1, Troll)

Jalwin (1082419) | more than 6 years ago | (#20202909)

I just counted 6 of the stories on the slashdot.org front page that include linux (out of 20 total stories). This is 30%. While I have nothing against linux or the people that use it (just the people that try to force it upon others), it's like the second life stories: I just don't care. Sometimes an unrelated story shows up under the category linux so I don't unfilter it, but it does seem like there is a Linux spreading agenda going on here. Just observations made by a casual observer. The purpose of this post is to see the reasoning behind so many linux fluff stories making front page (because most of them should stay on the linux section only).

Re:Lots of linux stories on the front page (1)

deftcoder (1090261) | more than 6 years ago | (#20202935)

You DO realize what website you're on, right?

Seriously.

Re:Lots of linux stories on the front page (1)

WizMaster (974384) | more than 6 years ago | (#20202959)

I think it was a joke. If not, I can't help but grin.

Re:Lots of linux stories on the front page (2, Insightful)

SplatMan_DK (1035528) | more than 6 years ago | (#20203137)

There is more to being an IT Geek than pushing Linux to the world.

There are other kinds of FOSS products than Linux btw - so why is Linux the only one to get 30% of the index page?

Although I like and use Linux, I think the point is valid.

- Jesper

Re:Lots of linux stories on the front page (1)

Knuckles (8964) | more than 6 years ago | (#20203355)

Could you please stop drawing conclusions from a data set of one day? Frankly, it's sickening. Draw up a statistic and I suppose you will see that not every day has 30% linux kernel stories.

Re:Lots of linux stories on the front page (1)

SplatMan_DK (1035528) | more than 6 years ago | (#20203803)

True.

But I am sure those days don't have comments about "too many Linux stories" either. Right?

So we could say it is only fair to have that particular criticism on a day where there is also fact to back it up? :-)

- Jesper

Re:Lots of linux stories on the front page (1)

Knuckles (8964) | more than 6 years ago | (#20203861)

As long as the complaint is about that particular day, and not general :)

Re:Lots of linux stories on the front page (1)

m.ducharme (1082683) | more than 6 years ago | (#20202953)

Are you new?

Re:Lots of linux stories on the front page (1)

Knuckles (8964) | more than 6 years ago | (#20202975)

Um, I see you have a 20-digit UID or something, but how can you be surprised that /. is generally pro-FOSS, pro-Linux???

Re:Lots of linux stories on the front page (1)

Jalwin (1082419) | more than 6 years ago | (#20203079)

I am fully aware that they are pro both those things, but this level of stories when there is such a wide range covered seems excessive. Not to mention most of the stories are almost worthless even for people who like linux.

Re:Lots of linux stories on the front page (1)

Knuckles (8964) | more than 6 years ago | (#20203109)

Well, I think for many (most?) people, it's one of the reasons to be here. The quality of the stories is another matter ...

Re:Lots of linux stories on the front page (1)

Falstius (963333) | more than 6 years ago | (#20203141)

You can't complain about most of the Linux stories being worthless, when so many Slashdot stories in general are worthless. Welcome to the new vaporware, wonder drug, laws-of-physics breaking device, imaginary problem, or developer bickering of the hour. One doesn't read Slashdot for the quality of the stories, but to avoid doing other things.

Re:Lots of linux stories on the front page (1)

C0vardeAn0nim0 (232451) | more than 6 years ago | (#20203667)

I wish I had mod points to give to you, my friend

Re:Lots of linux stories on the front page (0)

Anonymous Coward | more than 6 years ago | (#20203301)

Why is it, since registering an account at Slashdot, half of your posts have been complaints about Slashdot?
100% of your posts have been anti-status quo. While this is not evidence in itself of trolling (lord knows there is value in all opinions) some of your blanket statements and emotional rhetoric do leave the question open.

Re:Lots of linux stories on the front page (0)

Anonymous Coward | more than 6 years ago | (#20203013)

Dear Jalwin, Slashdot ID one billion. You said: "I just don't care." Yes. Do you somehow think that your opinion matters at all? :D

Re:Lots of linux stories on the front page (1)

tomhudson (43916) | more than 6 years ago | (#20203119)

Well, if you're looking for something that's "not linux", you can always enter this contest [trolltalk.com] - there are already a few entries that cover "open ports" that have nothing to do with linux - and one (# 12) that really nails "hardening" pretty good.

"The purpose of this post is to see the reasoning behind so many linux fluff stories making front page "

It's Sunday, this is slashdot, not PC Magazine, CmdrTaco is stuck reviewing submissions over dialup, and the big news of the MONTH was SCO getting kicked in the nuts. [youtube.com] - but at least they got more than the $20 that guy got. Hopefully one or two will also get prison, but I'm not holding my breath.

Maybe they can turn the whole SCO fiasco into a tv show, like this kicked in the nuts [youtube.com] video, but in reverse - have Darl wear the orange clown wig and PAY people $699 each to kick him.

Re:Lots of linux stories on the front page (1)

Bombula (670389) | more than 6 years ago | (#20203191)

If there's a bigger - and by bigger I mean more populated - Linux fanboy forum than slashdot, I'm not aware of it. All in all, I think it's probably a good thing though.

Open ports and unpatched vulnerabilities? (1)

Knuckles (8964) | more than 6 years ago | (#20202923)

If your Linux distro is out-of-the-box "insecure with open ports and unpatched vulnerabilities", then change distro. If this is not an option, it's time to approach your vendor menacingly, clue bat in hand.

Re:Open ports and unpatched vulnerabilities? (2)

Nasarius (593729) | more than 6 years ago | (#20203017)

Seriously. As someone else mentioned, this article has been outdated for about a decade. Good installers will pull in all the latest stable versions (assuming a net connection), but any popular Linux distro is trivial to update immediately after. And I can't recall the last time I've seen a default workstation/desktop install with any open ports. Maybe SSH.

Re:Open ports and unpatched vulnerabilities? (0)

Anonymous Coward | more than 6 years ago | (#20203185)

Your mom has allllll of her ports open by default.

Article not very informative (5, Informative)

Anonymous Coward | more than 6 years ago | (#20202925)

The article isn't very informative and makes several assumptions about the distribution being used. For example, when it tells the reader to "ps aux|grep http" and then "kill -9 [the pid]" it doesn't take into account that Debian systems are running Apache2 as 'apache2', not 'httpd'. Why you would SIGKILL the running process instead of just using apachectl or the appropriate init script is also just as short-sighted.

Run 'netstat -apvtu' if you're worried about what you have open. A good ingress/egress firewall policy is ideal and any competent Linux user should be forced to learn iptables instead of relying on a GUI or automated configuration tool to make assumptions about the purposes of your network.

The article isn't very useful or accurate.

What the article should have mentioned (1)

cumin (1141433) | more than 6 years ago | (#20203347)

I was disappointed in the article as well. I expected more security in general and less distro/package specific advice.

I know enough about security to know I'm no expert but here are some of my personal tips:

  • Install a hardened distribution instead of hardening one yourself if you have the option. Gentoo Hardened, Annvix and Trustix spring to mind. All are designed to be secure from the outset. For that matter, OpenBSD is a good option for a hardened server if you're not bent on using Linux. See: http://www.linuxlinks.com/Distributions/Secure/ [linuxlinks.com]
  • Don't install anything you don't need. Default installs from major distros include a lot of stuff you probably don't need. If you're setting up a server that needs to be secure, then doing a custom installation with only the minimum you need installed is probably far better than trying to go back later and pick and choose what you remove. A minimal RHEL install for example comes in at around 700MB. Annvix is around 300MB and it's been a while since I used Trustix, but I'm sure it was under 1G and I think it was under 500MB.
  • Worry more about what is running than closing ports. Yes, a good firewall configuration is wise, but the main issue should be making sure that your system is doing only what you want which will result in only the ports you intend to be open being open. I haven't used Ubuntu in a bit, but I recall being surprised that it didn't firewall by default and instead relied on not having any listening services by default.
  • Really use a good package manager. If you install software without it then it makes auditing your server much more difficult.
  • I'd like to see more done with WORM media. If you have a small server install you can probably back the entire thing up to a single CD and put an md5 (or sha or both) on it. Then you can reinstall it at the drop of a hat and just do updates when it is re-applied.
  • If you are using a distro that supports it (like RHEL) then learn a little about SELinux. It does tremendous things to make sure that software can only do what it is supposed to. Yes, like many other security approaches it takes a little more work, but it goes a long way toward turning Linux into seriously secure software.

Slashdotters should be able to add quite a bit, in fact hopefully this will turn out to be a discussion I reference later myself.
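The WORM-media tip above (a known-good install on read-only media plus a checksum) is the same idea as a file-integrity baseline. The block below is an added example, not code from the thread or from any distribution: it records a SHA-256 manifest of a tree and later reports listed files whose content changed and files that appeared without being in the manifest. It assumes sha256sum, find, sort and comm from GNU or BusyBox coreutils; the directory tree it checks is constructed for the demo. The manifest has to live outside the tree it describes (on the read-only media in the commenter's setup), or it will be reported as an added file.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-verify file integrity check.
# Assumes sha256sum, find, sort and comm from GNU or BusyBox coreutils.

# make_manifest DIR MANIFEST
# Record a SHA-256 for every regular file under DIR, paths relative to DIR,
# into MANIFEST. Keep MANIFEST on read-only media, outside DIR.
make_manifest() {
  dir=$1
  manifest=$2
  (cd "$dir" && find . -type f -exec sha256sum {} +) | LC_ALL=C sort -k2 > "$manifest"
}

# verify_manifest DIR MANIFEST
# Re-hash DIR against MANIFEST. Prints one line per discrepancy:
#   "<path> changed"  a listed file whose hash differs (or that is gone)
#   "<path> added"    a file present now that the manifest never listed
# Returns 0 when the tree matches the manifest exactly, 1 otherwise.
verify_manifest() {
  dir=$1
  manifest=$2
  # sha256sum -c runs after a cd, so make the manifest path absolute first
  case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
  tmp=$(mktemp -d)

  # 1. listed files that no longer hash the same (sha256sum prints "path: FAILED")
  (cd "$dir" && sha256sum -c "$manifest" 2>/dev/null) \
    | grep 'FAILED' | sed 's/: FAILED.*$/ changed/' > "$tmp/changed"

  # 2. files on disk that the manifest does not know about
  sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$tmp/listed"
  (cd "$dir" && find . -type f) | LC_ALL=C sort > "$tmp/current"
  comm -13 "$tmp/listed" "$tmp/current" | sed 's/$/ added/' > "$tmp/added"

  cat "$tmp/changed" "$tmp/added"
  status=0
  if [ -s "$tmp/changed" ] || [ -s "$tmp/added" ]; then
    status=1
  fi
  rm -rf "$tmp"
  return $status
}

# Constructed demonstration tree standing in for a minimal server install.
demo_integrity_check() {
  root=$(mktemp -d)
  manifest=$(mktemp)
  mkdir -p "$root/etc" "$root/bin"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
  printf 'placeholder for a binary\n' > "$root/bin/ls"

  make_manifest "$root" "$manifest"
  verify_manifest "$root" "$manifest" && echo "baseline: intact"

  # Drift after the baseline: an edited file and a file that was not there before.
  printf 'extra line\n' >> "$root/etc/passwd"
  printf 'unexpected\n' > "$root/bin/extra"
  verify_manifest "$root" "$manifest" || echo "drift detected"

  rm -rf "$root" "$manifest"
}

demo_integrity_check
```

The second check matters as much as the first: re-hashing listed files catches modifications, but only a comparison of the current file list against the manifest catches something new that was dropped into the tree.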

Box? (4, Insightful)

wytcld (179112) | more than 6 years ago | (#20203011)

Out of the box, many Linux systems are insecure with open ports and unpatched vulnerabilities.
That box must have a lot of dust on it, and an early 13-floppy Slackware distro inside.

Before making a claim like that, the writer should come up with at least three examples, from current versions of major distros.

Reminds me of a local woman who said "We must have a town-wide neighborhood watch, because there's a child sexual predator on every block." In the several years since she raised that hysteria, there's been exactly one serious case in town: one of her best friends had his extensive child porn collection found by the police. He hired the state's most expensive lawyers and got off with probation. She's still his best friend.

Back to the topic. The article mentions telnet. Is there a single current distro that comes with telnetd enabled? Let's help the sloppy author. Has anyone here installed any current distro and found "open ports and unpatched vulnerabilities"?

Re:Box? (1)

eneville (745111) | more than 6 years ago | (#20203175)

... OpenBSD has zero services in the default install. I'm not sure about Ubuntu, or Debian, but I'm pretty sure they don't even come with SSHd

Hardened? Hardly. (4, Informative)

slummy (887268) | more than 6 years ago | (#20203085)

This article makes no mention of grsecurity [grsecurity.net] . Surely closing off unused services and patching vulnerabilities can certainly prevent a penetration, but what happens if a penetration is successful? grsecurity is the answer.

Re:Hardened? Hardly. (1, Funny)

Anonymous Coward | more than 6 years ago | (#20203221)

what happens if a penetration is successful?

Pregnancy, in most cases. But in your case, it's probably just a guttural moan as Inmate 266497 mounts you from behind.

Linsux - insecure out of the box (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#20203123)

The 10,831 people that use Linsux will find this story informative.

oblig (0)

Anonymous Coward | more than 6 years ago | (#20203161)

I, for one, welcome our archaic security overlords!

So what - we are all NAT'ed anyway? (1)

SplatMan_DK (1035528) | more than 6 years ago | (#20203179)

I bet that 99% of Linux users are behind a NAT router (because as IT geeks they have tons of networked gear and a private network). The remaining 1% with a public IP directly on their Linux box probably know what they are doing. And don't give me the "what if there is port forwarding rules on the router" argument. If the user has port forwarding rules then he/she is also knowledgeable enough to secure the target Linux box. I know a lot of IT geeks (being one myself) and I seriously don't know ANY IT geek who is not using a NAT router for their local machines. The few that do have a machine on a public IP (hobby mail servers, game servers, etc) already know what they are doing and don't need an article about open ports on a default-installed Linux box. - Jesper

Re:So what - we are all NAT'ed anyway? (1)

marcello_dl (667940) | more than 6 years ago | (#20203243)

My laptop is the NAT router, you insensitive clod! :)

Re:So what - we are all NAT'ed anyway? (0, Troll)

kayditty (641006) | more than 6 years ago | (#20203591)

Why are you talking about anything? You just said "NAT router." That's the worst 'oxymoron' I've ever seen.

This article and the people commenting in it, myself excluded, are possibly the most retarded and unqualified people to comment on a Linux / general computing story ever.

Re:So what - we are all NAT'ed anyway? (1)

SplatMan_DK (1035528) | more than 6 years ago | (#20203779)

Fine. I will rephrase myself: "a NAT capable router". There.

My router has a lot of configuration options which are not NAT. In fact there are lots of uses for routers that don't use NAT schemes. There are also many ways to use NAT without the network device actually being a physical box we usually call a "router".

What is your point? If everybody except you is retarded, then why don't you enlighten us?

- Jesper

Since the submitter is also the author... (4, Funny)

kwabbles (259554) | more than 6 years ago | (#20203195)

Can you tell us the story about how you came to write this article?

Here's how I'm picturing it:

(editor) Mr. Williams, we need a techie article on Linux.
(mr. williams) Okay... I haven't touched linux since I played around with my RedHat 7.2 box 3 years ago.
(editor) Do you still have it?
(mr. williams) Yes, what would you like me to write about it?
(editor) Write something up on securing its "holes and vulnerabilities", and we'll sensationalize it a bit by making it look like Linux is insecure out of the box.
(mr. williams) I don't know how to do that.
(editor) Find something on google. Try it on your RedHat machine.
(mr. williams) I'm going to look really stupid.
(editor) You're a journalist.

The defaults are no longer what they were in 199x (4, Informative)

bl8n8r (649187) | more than 6 years ago | (#20203253)

Seems to me the article is just pimping bastille Linux. Years and years ago, most distros did indeed ship with some pretty crack-worthy options enabled by default. It took a small amount of prodding by the community, but most distros, these days, lean towards a default disable policy:

- [KU]buntu
    All services off by default. netfilter rules are default allow however, but there is
    nothing to connect to.

- Fedora/RHEL/CentOS
    Choose during install what services you want enabled/open/firewalled.
    SELinux enabled by default.

- Knoppix 5.1.1
    Only Port 68 for dhcp client listener. /etc/hosts.deny ALL:PARANOID

- Mandriva 2007 Bootable CD
    Port 6000 is all that's open (X server. Ok this is dumb, why?)

Other distros follow similar suit. You can find out what's running on your linux box with:
  - netstat -tuna (all tcp/udp sockets, don't resolve names, all listening/non-listening sockets)
  - locate iptables; sudo iptables -nvL (show iptables chains for netfilter)

Chances are, if you've not mucked around with the default services things are pretty tight.
TFA is a bit inaccurate for linux systems these days.
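Both the `netstat -apvtu` suggestion in the "Article not very informative" comment and the `netstat -tuna` line above list every socket, including ones bound to loopback that no other host can reach. The block below is an added example (mine, not from either commenter) that post-processes output in `netstat -tuna` format and keeps only the sockets another host could connect to: TCP sockets in LISTEN and bound UDP sockets, minus loopback bindings. The netstat output it parses is constructed; the column layout matches net-tools netstat, so the awk field numbers would need adjusting for `ss -tuln`, whose columns differ.

```shell
#!/bin/sh
# Added example (not from the thread): separate network-reachable listeners from
# loopback-only ones in `netstat -tuna` output. The sample below is constructed.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 :::5353                 :::*'

# exposed_listeners NETSTAT_OUTPUT
# Prints "proto port bound-address" for every socket another host could reach:
# TCP sockets in LISTEN and bound (unconnected) UDP sockets, excluding those
# bound only to a loopback address. 0.0.0.0 and :: are the wildcard addresses.
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    NR <= 2 { next }                      # skip the two header lines
    {
      proto = $1; local = $4; foreign = $5; state = $6
      # The port follows the last colon; everything before it is the address.
      # This handles both 192.168.1.10:22 and the IPv6 wildcard form :::80.
      n = split(local, parts, ":")
      port = parts[n]
      host = substr(local, 1, length(local) - length(port) - 1)

      listening = 0
      if (proto ~ /^tcp/ && state == "LISTEN") listening = 1
      if (proto ~ /^udp/ && foreign ~ /:\*$/) listening = 1   # bound, not connected
      if (!listening) next

      # loopback bindings are reachable only from this host
      if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
      printf "%s %s %s\n", proto, port, host
    }'
}

# Use live output when netstat is installed, otherwise the constructed sample.
if command -v netstat >/dev/null 2>&1; then
  exposed_listeners "$(netstat -tuna 2>/dev/null)"
else
  exposed_listeners "$SAMPLE_NETSTAT"
fi
```

On the sample this leaves four lines (sshd on 22, a web server on 80 over IPv6, the DHCP client on 68 and mDNS on 5353) and drops the CUPS, SMTP and chrony sockets bound to 127.0.0.1 or ::1, which is the distinction that matters when deciding what actually needs a firewall rule or a disabled service.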

newbie article (2, Interesting)

NynexNinja (379583) | more than 6 years ago | (#20203321)

The obvious problem with this article is they mention using "Bastille" and forget to mention grsec [grsecurity.net] . I don't really care about Bastille, but I do care about using grsec. Just because you turn off some services doesn't mean someone is not going to pop an xterm off your apache web server from some random cgi vulnerability... At least when someone compromises your web server in this way (which is probably how most linux web servers get compromised these days anyway), the attacker won't be able to do anything besides navigate the directory tree maybe. The attacker won't be able to view processes that are outside their own uid. The attacker won't be able to execute binaries outside of the standard bin directories (so custom scripts/binaries won't execute), and stack overflows do not allow execution of arbitrary code.. It's not a very fun environment to work in, most attackers will just look around and exit when confined to this type of environment...

Enough of Linux (0, Troll)

postmortem (906676) | more than 6 years ago | (#20203411)

Linux this, Linux that...

Linux is marginal (abysmal market share), let's talk about Windows, I propose one week without Linux on front page.

Damn ... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#20203449)

It's hard enough! I mean, configuring my sound card was not a simple thing! Probably 1 day of R/D for this configuration is enough. So now make it harder? To that I say, screw-off; I'll keep my hard enough Linux 2.6.16!

Redhat 7.0, ipchains? (1)

joib (70841) | more than 6 years ago | (#20203453)

Uh oh..

That article sucked (0)

Anonymous Coward | more than 6 years ago | (#20203623)

Is this the kind of slop Slashdot is peddling these days?

Why doesn't linux come "closed" out of the box (1)

presidenteloco (659168) | more than 6 years ago | (#20203785)

i.e. with all ports closed and all services off, then take the installing user through
some wizards with a few different, and mostly conservative, minimalist options
for opening things up, explaining the cost-benefit of the options.

I suppose it's just inertia combined with Unix/Linux's pre-internet-malevolence
origins. The whole idea originally was for a number of socially responsible researchers
to have their computers maximally cooperating with each other (go figure). It wasn't designed
with human viruses (malicious crackers) in mind at the get-go.

But we've had net morons long enough now that you'd think a closed and incrementally
open up policy would be a no-brainer for the default installations of net-facing OSes like
Linux.

He missed the most important point (0)

Anonymous Coward | more than 6 years ago | (#20203805)

Which is basically know what you're doing. Most of these websites simply ignore this very important snippet. Take this website for example; it gives you a few pointers, some even very odd (Bastille hard to use? A kid can fill out yes/no questions) but never goes into any detail as to why.

For example the part about stopping Apache from running. I quote: "To achieve the second, use ps aux | grep httpd. As above, the second column is the PID. Enter kill -9 xxx where xxx is the PID. This stops the process running immediately.". But he doesn't go into any details which strikes me as odd since this is supposedly for inexperienced Linux users. PID? kill? All the newbie learns here is that "kill -9" is the way to immediately stop a program, which is of course utter bollocks. When people learn that as basis they might very well trash part of their system.

For the newbies reading: The why here is that -9 refers to the "KILL" signal (see the kill manpage) which forces a program to stop. This is hardly a clean way to stop your software, you don't tell it "hurry, finish what you're doing and get lost". No, instead you're telling it: "Drop whatever you're doing and get lost". If it's in the middle of handling certain events this might give you very unexpected results. I shudder at the idea of someone trying to "immediately stop" a fsck process.

Still, the first step to security is to know what you're doing. Seeing a "kill -9" to stop a webserver immediately tells me that the author doesn't fit into that category himself. Why this is important? Think about it: if you want to be secure, would you want to use some firewall script of which you're not sure what it does exactly? Sure, the author can tell you that the script blocks all dangerous ports so no one can access your system, but how safe are you really if you didn't check out for yourself?

Sorry, useless story and just a collection of nonsense IMVHO.
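The difference between `kill -9` and a normal stop that the comment above describes can be shown directly. The block below is an added example, not code from the thread: the "daemon" is a constructed stand-in, a shell loop that installs a TERM handler which writes a marker file before exiting, in the place where a real server flushes logs and closes sockets. Sending SIGTERM lets that handler run; SIGKILL (signal 9) removes the process before it can, so the marker never appears. It assumes a POSIX sh with `trap`, `kill -s` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread): what a process gets to do on SIGTERM
# versus SIGKILL. The "daemon" is a constructed stand-in whose TERM handler
# writes a marker file, the way a real server runs its shutdown path.

# start_stand_in MARKER
# Starts the stand-in in the background, waits until its handler is installed,
# and sets STAND_IN_PID. Must run in the same shell that later waits on it.
start_stand_in() {
  marker=$1
  rm -f "$marker" "$marker.ready"
  sh -c '
    marker=$1
    trap "echo shutdown-complete > \"$marker\"; exit 0" TERM
    : > "$marker.ready"        # tell the caller the trap is armed
    while :; do sleep 1; done  # "serving" until told to stop
  ' _ "$marker" &
  STAND_IN_PID=$!
  n=0
  while [ ! -f "$marker.ready" ] && [ "$n" -lt 30 ]; do
    sleep 1
    n=$((n + 1))
  done
}

# shutdown_outcome SIGNAL
# Starts a stand-in, stops it with SIGNAL (TERM or KILL) and prints "clean"
# if the shutdown handler ran, "unclean" if the process was torn down before
# it could. Returns 0 either way.
shutdown_outcome() {
  sig=$1
  dir=$(mktemp -d)
  marker=$dir/shutdown.marker
  start_stand_in "$marker"
  kill -s "$sig" "$STAND_IN_PID"
  # Reap it; the status is 0 after a clean exit or 128+signal after a kill.
  wait "$STAND_IN_PID" 2>/dev/null || true
  if [ -f "$marker" ]; then
    echo clean
  else
    echo unclean
  fi
  rm -rf "$dir"
}

echo "kill -TERM: $(shutdown_outcome TERM)"   # clean
echo "kill -KILL: $(shutdown_outcome KILL)"   # unclean
```

The usual sequence for a service follows from this: ask politely with the init script or SIGTERM, wait a bounded time for the process to finish its handler, and only escalate to SIGKILL if it has not exited by then.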

Secure wget! (1)

rcs1000 (462363) | more than 6 years ago | (#20203885)

Almost all script kiddies work off the same theory: find an application that has not been updated, and which has a security vulnerability (un-updated versions of Wordpress or AWStats are always favourites), use this to run wget to pull a script, rootkit, etc. onto the server, then "break" the machine and use it as a spambot.

The simplest way, then, to prevent script kiddies from compromising your system is to only allow access to wget through sudo! Simply chmod it.

Now, this is no excuse not to ensure everything else is up to date, etc. But a simple chmod can make an enormous difference to the security of your system.
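The chmod advice above is easy to apply and just as easy to check. The block below is an added example, not code from the comment: it audits which of a list of fetch tools in a directory are executable by accounts outside the owner and group (the unprivileged account a web application runs as, in the scenario the comment describes), and applies the restriction. It takes a list of names because wget is rarely the only fetch tool on a box; the bin directory it examines is constructed for the demo, so nothing on the real system is modified.

```shell
#!/bin/sh
# Added example (not from the thread): audit and restrict "others" execute
# permission on fetch tools. Works on a constructed directory for the demo.

# world_executable_tools DIR NAME...
# Prints, one per line and in argument order, each NAME under DIR whose
# "others" execute bit is set. Names that do not exist are skipped.
world_executable_tools() {
  dir=$1
  shift
  for name in "$@"; do
    path=$dir/$name
    [ -e "$path" ] || continue
    # Column 10 of `ls -ld` output is the execute bit for "others":
    # 'x' when set, 't' when set together with the sticky bit, '-' otherwise.
    mode=$(ls -ld "$path" | cut -c10)
    case $mode in
      x|t) echo "$name" ;;
    esac
  done
}

# restrict_tool PATH
# Removes read and execute permission for "others"; owner and group keep theirs.
# This is the commenter's "simply chmod it" spelled out.
restrict_tool() {
  chmod o-rx "$1"
}

demo_world_executable() {
  bin=$(mktemp -d)
  for tool in wget curl ftp; do
    printf '#!/bin/sh\necho stand-in for %s\n' "$tool" > "$bin/$tool"
  done
  chmod 755 "$bin/wget" "$bin/ftp"   # the usual distribution default
  chmod 750 "$bin/curl"              # already restricted
  echo "before: $(world_executable_tools "$bin" wget curl ftp | tr '\n' ' ')"
  restrict_tool "$bin/wget"
  echo "after:  $(world_executable_tools "$bin" wget curl ftp | tr '\n' ' ')"
  rm -rf "$bin"
}

demo_world_executable
```

Reading the mode from `ls -ld` rather than testing with `[ -x ]` is deliberate: `-x` answers whether the current user can execute the file, while the question here is whether everyone else can.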