Security and Privacy
Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

24th June 2006, 07:16 PM
Registered User
Join Date: Jun 2006
Posts: 1

Security Questions From a Newcomer
Hello everybody, I hope this is the right place to post this.
I have long been harassed by some "crackers" online, which has been part of my motivation to switch entirely to Fedora and leave Windows behind.
I'm not very "smart" with Linux, I've been a Windows user all my life, but I know how to do simple things from reading up on it, like installing and uninstalling and what not, so I'm not 100% ignorant.
But even through reading up on a lot of things, I'm not sure how to secure my computer and Fedora.
I know that nothing is absolute, but I'd like pointers on how to do some basic security. I use firestarter as my front for Iptables, and hope that that's one step in the right direction at least.
A lot of oddball things that have been happening on my computer have led me to believe that I'm not entirely rid of my pests yet, and I thought this would be the perfect opportunity to take steps to secure myself further.
I know that you can do scans for rootkits? But how?
And is there anything else I could do?
Thanks a bunch in advance... I really would appreciate any help I can get.

24th June 2006, 08:56 PM
Registered User
Join Date: May 2006
Age: 34
Posts: 110

hello and welcome
there's a package called chkrootkit which can be found using yum, try it (it is supposed to check for signs of a rootkit)
also via yum you can install clam-av which is an anti-virus (or use Grisoft's AVG)
iptables/firestarter is a good choice.
secure your passwords (use more than 5 characters of letters and numbers)
disable services you don't need (ssh, ftp etc...)
__________________
Desktop: FC6 || Laptop: WinXP+FC6

24th June 2006, 09:47 PM
Registered User
Join Date: Aug 2005
Posts: 3,172

John
A good router (with firewall) goes a long way at deterring PITA "friends". I think of it as my armour but I still wear my chain mail undies too.
lazlow

24th June 2006, 09:52 PM
Registered User
Join Date: May 2006
Location: Kansas city,Missouri
Posts: 67

perhaps these oddball things aren't caused by the crackers? gnome has been known to randomly rearrange desktops.
I'd bet money these "crackers" are just script kiddies, and can't really do anything besides running a canned script they D/L'ed off some site. Just set IPtables to Drop incoming connections and stop worrying about them. If they really could do the things they claim, why would they waste their time messing with you? I've dealt with these types before, they're all mouth and no a**.
Ever since I first opened port 22 on my firewall, I've seen lots of connection attempts to ssh. Some of them were just trying any user/password combo, I put an end to that quickly by turning off password auth and installing Denyhosts. Now I get about 3 attempts per day. Although, the last couple of days I've seen a few more than usual - school must be out - hehe
Everyone else has already covered what you need to do to protect yourself. All I will add is don't forget to check your logs occasionally for unusual activity.
__________________
Sometimes I can't tell if it's broken, I used Windows for a long time.
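
The log check suggested in the post above, as an added example that is not part of the original thread: it counts failed SSH password attempts per source address. The function name `ssh_failures`, the sample lines and the addresses are constructed for illustration.

```shell
#!/bin/bash
# Added example: count failed SSH password attempts per source address.
# Fedora's sshd logs to /var/log/secure; the lines below are constructed.
sample_log() {
cat <<'EOF'
Jun 24 21:40:01 localhost sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 24 21:40:03 localhost sshd[2101]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jun 24 21:40:05 localhost sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Jun 24 21:40:07 localhost sshd[2101]: Failed password for invalid user from 198.51.100.23 from 203.0.113.7 port 40115 ssh2
Jun 24 21:52:30 localhost sshd[2140]: Accepted publickey for jim from 192.0.2.10 port 51000 ssh2
Jun 24 22:15:44 localhost sshd[2188]: Failed password for root from 198.51.100.23 port 33001 ssh2
EOF
}

# Usage: ssh_failures [min_count] < logfile
# Prints "count address" for each address with at least min_count failures.
ssh_failures() {
    awk -v min="${1:-1}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is supplied by the client and can contain spaces
            # or the word "from", so read the address from the end of the
            # line, where the layout is fixed: from <addr> port <n> ssh2
            for (i = NF - 1; i > 2; i--)
                if ($i == "port" && $(i - 2) == "from") { hits[$(i - 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] + 0 >= min + 0) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

sample_log | ssh_failures 3    # prints: 4 203.0.113.7
```

On a real system the input would be `/var/log/secure`, read as root.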

25th June 2006, 08:48 AM
Registered User
Join Date: May 2006
Posts: 16

Quote:
Originally Posted by compwizzer
Just set IPtables to Drop incoming connections and stop worrying about them.

Hi compwizzer :-)
1- How do you set the IPtables to drop incoming connections?
2-Isn't Firestarter doing just that when you go in the tab "Policy" and the "Inbound Traffic Policy" is left blank?
I have several connection attempts to my PC, some of them on rather high numbers like port 32000 something, but the Events tab says those are Blocked Connections. Am I safe? The GRC.com scan says I'm totally stealth.
Clockman

25th June 2006, 09:17 AM
Registered User
Join Date: May 2006
Location: Kansas city,Missouri
Posts: 67

In firestarter you should be able to explicitly drop inbound connections that you don't want, I'm not sure exactly how to from firestarter though. It should be fairly simple. Just remember that the drop entry should come after all the allowed entries.
connections to port 32000, etc sound like online games or p2p stuff, I wouldn't be concerned.
Online scanning tools like GRC.com are a good way to tell if your firewall is working, or in case it isn't, if you have any services listening. Your firewall is your first line of defense, as it prevents services that shouldn't be running from connecting in the first place. However, be sure it is working first! A third party scan only really confirms that presently you have no services available to the internet, this doesn't mean that you couldn't have some in the future. That's what the firewall is for, to filter any unwanted traffic.
__________________
Sometimes I can't tell if it's broken, I used Windows for a long time.
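
The ordering point in the post above (the drop entry comes after all the allowed entries), as an added example that is not part of the original thread: a check that reads `iptables -S INPUT` style text and reports allow rules placed after a catch-all drop. The function name `audit_input` and both rule listings are constructed for illustration.

```shell
#!/bin/bash
# Added example: check the INPUT chain order described above, reading
# "iptables -S INPUT" style text on stdin. Both rule listings are constructed.
bad_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

good_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Prints "SHADOWED: <rule>" for every rule placed after a catch-all DROP or
# REJECT (iptables stops at the first match, so such rules never fire), then
# "DEFAULT: drop" or "DEFAULT: accept" for traffic that matches no allow rule.
audit_input() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            if (catchall) { print "SHADOWED: " $0; next }
            # No match options before -j means the rule applies to every packet.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) catchall = 1
        }
        END {
            if (catchall || policy == "DROP") print "DEFAULT: drop"
            else print "DEFAULT: accept"
        }
    '
}

bad_rules | audit_input
```

On a live system the same check is `iptables -S INPUT | audit_input`, run as root.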

25th June 2006, 09:50 AM
Registered User
Join Date: May 2006
Posts: 16

Quote:
Originally Posted by compwizzer
In firestarter you should be able to explicitly drop inbound connections that you don't want, I'm not sure exactly how to from firestarter though. It should be fairly simple. Just remember that the drop entry should come after all the allowed entries.
connections to port 32000, etc sound like online games or p2p stuff, I wouldn't be concerned.
Online scanning tools like GRC.com are a good way to tell if your firewall is working, or in case it isn't, if you have any services listening. Your firewall is your first line of defense, as it prevents services that shouldn't be running from connecting in the first place. However, be sure it is working first! A third party scan only really confirms that presently you have no services available to the internet, this doesn't mean that you couldn't have some in the future. That's what the firewall is for, to filter any unwanted traffic.

Thank you compwizzer :-)
Your post was very helpful and also sharing with us some of your websites like Bastille. I went there and installed it. Man!.... You know the gooood stuff! hehe :-)
The activity in the Blocked connections hasn't dropped, but I feel more secure since the Bastille has configured and hardened the PC.
Thanks again compwizzer.
Clockman

26th June 2006, 02:27 AM
Retired Community Manager & Avid Drinker Of Suds
Join Date: Feb 2005
Location: Rochester NY
Age: 38
Posts: 4,176

funny I install Bastille perl-Tk perl-Curses and then try to run it with
bastille -c or bastille -x and get bastille: command not found
Quote:
[jim@localhost ~]$ rpm -q Bastille
Bastille-3.0.9-1.0
[jim@localhost ~]$ rpm -qa | grep perl-
perl-URI-1.35-2.2
perl-Net-IP-1.24-2.2
perl-Gnome2-Wnck-0.12-1.fc5
perl-HTML-Parser-3.51-1.FC5
perl-Gtk2-1.121-1.fc5
perl-Tk-804.027-9.fc5
perl-SGMLSpm-1.03ii-16.2
perl-ExtUtils-PkgConfig-1.07-4.fc5
perl-Digest-HMAC-1.01-14.2
perl-HTML-Tagset-3.10-2.1
perl-XML-Parser-2.34-6.1.2.2
perl-DBI-1.50-2.2
perl-DBD-MySQL-3.0004-1.FC5
perl-Curses-1.13-3.fc5
perl-Gnome2-1.023-1.fc5
perl-String-CRC32-1.4-1.FC5
perl-Digest-SHA1-2.11-1.2
perl-libwww-perl-5.805-1.1
perl-5.8.8-5
perl-Gnome2-Canvas-1.002-4.fc5
perl-Gtk2-TrayIcon-0.03-1.rf
perl-Net-DNS-0.57-1
perl-Compress-Zlib-1.41-1.2.2
perl-ExtUtils-Depends-0.205-4.fc5
perl-Glib-1.120-1.fc5
perl-Gnome2-VFS-1.041-1.fc5
[jim@localhost ~]$ bastille -c
bash: bastille: command not found
[jim@localhost ~]$ bastille -x
bash: bastille: command not found
[jim@localhost ~]$
__________________
Registered Linux User: #376813
Western NY
My linux site
Smolt Profile
please remember to say if your problem was solved
Did you get your id10t award today?

26th June 2006, 02:53 AM
Registered User
Join Date: Aug 2005
Posts: 3,172

Try becoming superuser first. "su - "
lazlow

26th June 2006, 03:03 AM
Registered User
Join Date: May 2006
Location: Kansas city,Missouri
Posts: 67

Thank brandor for the links. I do hope my explanation helped you understand the issues better.
__________________
Sometimes I can't tell if it's broken, I used Windows for a long time.