Security and Privacy
Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

17th January 2010, 11:24 PM
Registered User
Join Date: Jan 2010
Posts: 3
steps to securing Fedora 12
Hi
I am relatively new to linux having only used ubuntu 9.10. Trouble is for all the talk of how secure ubuntu is, truth is it kept getting remote hacked (I have a stalker who is messing with me) over and over so now I am going to try fedora in hopes of finally having a secure system.
My question is, what steps do I need to take to try to secure Fedora 12?
Thanks

17th January 2010, 11:31 PM
Registered User
Join Date: Aug 2009
Posts: 752
:) shawn1, thank you for your posts. :)
Quote:
Originally Posted by shawn1
...truth is it kept getting remote hacked (I have a stalker who is messing with me) over and over so now I am going to try fedora in hopes of finally having a secure system.
My question is, what steps do I need to take to try to secure Fedora 12?...
Here's a couple starting threads to review...
=====================================
* Help securing my Fedora 11 server -
http://forums.fedoraforum.org/showthread.php?t=234292
* How secure is my fedora 12 -
http://forums.fedoraforum.org/showpo...42&postcount=4
=====================================
Also, try searching the forum for your subject and review accordingly.
Hope this helps.
__________________
2 dual cores, 11 GB RAM, F14 Laughlin - 2.6.35.14-106.fc14.x86_64 & 2.6.35.14-106.fc14.i686.PAE
2 dual cores, 11 GB RAM, F15 Lovelock - 2.6.43.8-2.fc15.x86_64 & 2.6.43.8-2.fc15.i686
3 dual cores, 19 GB RAM, F16 Verne - 3.6.2-1.fc16.x86_64 & 3.6.2-1.fc16.i686
2 dual cores, 11 GB RAM, F17 Beefy Miracle - 3.6.2-4.fc17.x86_64 / .i686
16 x86_64 computing cores,80 GB RAM & 8 SATA Seagate 7200.12 500 GB harddisks
Last edited by diamond_ramsey; 17th January 2010 at 11:39 PM.

17th January 2010, 11:43 PM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,922
http://docs.fedoraproject.org/ and start reading both SELinux and Security Guide, you can also install Fedora Security Guide with Yum so that it's always available to you.

18th January 2010, 01:10 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034
Quote:
Originally Posted by shawn1
... it kept getting remote hacked ...
What services were you running that allowed that to happen? Did you have a firewall running? For a default desktop Linux install, it's pretty hard to get hacked directly. If you're running servers, then you should look at specifically hardening those services as well as general measures.
Also, what indicators did you have that you'd been hacked? What did the hacker actually do to your machine?
Quote:
(I have a stalker who is messing with me)
Keep an image of the hard-drive after a hack event (for evidence - you can use something like SystemRescueCD) and make a complaint to your local police - your stalker may be local also.
__________________
.
Marching to the beat of his own conundrum.

18th January 2010, 01:24 AM
Registered User
Join Date: Jan 2010
Posts: 3
Quote:
Originally Posted by Evil_Bert
What services were you running that allowed that to happen? Did you have a firewall running? For a default desktop Linux install, it's pretty hard to get hacked directly. If you're running servers, then you should look at specifically hardening those services as well as general measures.
Also, what indicators did you have that you'd been hacked? What did the hacker actually do to your machine?
Keep an image of the hard-drive after a hack event (for evidence - you can use something like SystemRescueCD) and make a complaint to your local police - your stalker may be local also.
I wasn't running any services that were not on the default install of ubuntu 9.10. I even removed telnet but they are still getting in. Can't figure out how because after it happens there are always snippets of logfiles missing.
Indicators that the system is hacked have been
an ssh connection showing in firestarter to a local unix server in the city that this person lives in
tabs opening by themselves, commercials playing on speakers not from any web pages I am on
synaptic package manager breaks and won't open
internet speed slows to a halt etc etc
I need to figure out how this is happening so I can stop it. I am even behind a linksys router on a wired connection but still the same thing over and over again. Maybe grsecurity will help?

18th January 2010, 01:44 AM
Registered User
Join Date: May 2007
Location: U.S.
Posts: 4,852
You say yet...
Quote:
Originally Posted by shawn1
a ssh connection showing in firestarter to a local unix server in the city that this person live in
That's how. Disabling telnet but leaving SSH does almost nothing. Most script kiddies and cracking bots don't bother with telnet cracking because server admins don't even have the telnet service running anyway, so crackers and various miscreants focus on SSH anyway.
Disable ssh if you don't need it, blacklist (with iptables or denyhosts) & report the IP, or switch to key-based auth if you need ssh.
EDIT:
Well, wait. If you're behind a router, are you forwarding the port for ssh to the machine?
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner
Last edited by forkbomb; 18th January 2010 at 01:51 AM.

18th January 2010, 01:55 AM
Registered User
Join Date: Jan 2010
Posts: 3
Quote:
Originally Posted by tjvanwyk
You say yet... That's how. Disabling telnet but leaving SSH does almost nothing. Most script kiddies and cracking bots don't bother with telnet cracking because server admins don't even have the telnet service running anyway, so crackers and various miscreants focus on SSH anyway.
Disable ssh if you don't need it, blacklist (with iptables or denyhosts) & report the IP, or switch to key-based auth if you need ssh.
As far as I know ssh isn't installed with the default ubuntu 9.10 so how did it get on there? Am I missing something here? I'm relatively new to this.

18th January 2010, 02:20 AM
Registered User
Join Date: May 2007
Location: U.S.
Posts: 4,852
Quote:
Originally Posted by shawn1
As far as I know ssh isn't installed with the default ubuntu 9.10 so how did it get on there? Am I missing something here? I'm relatively new to this.
It is installed by default on Fedora and running by default in every version of Fedora I've ever used (6-12).
It shouldn't be a security liability unless you have extremely weak passwords that can be cracked by brute-forcing or dictionary cracks.
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner

18th January 2010, 03:29 AM
Registered User
Join Date: Jan 2010
Posts: 4,976
One other thing, which might be mentioned in one of the links provided by Diamond_Ramsey, is to have ssh listen on a different port. (Choose something that isn't used by anything in /etc/services---usually, any port above 1023 should be alright.)
It's not a complete fix in itself, but it will stop automated brute force attacks against ssh.
It's part of what's known as security by obscurity, which in itself, is known to not be all that effective, but it should remove one large group of attackers--they'll move on (in theory, anyway), to easier targets.
As tjvanwyk says, be sure to have decent passwords as well. A few other possibilities with ssh are to allow only some users to log in, so they have to get the username as well as a password, and to disable root login. (You can look at man(5) sshd_config for an idea of available options.)
I should add that in sshd_config, many items have a comment sign (#) in front of them. This doesn't necessarily mean they're not used; it means, at least in some cases, that they are default options, and are being used. For example, you'll see,
Code:
#PermitRootLogin yes
Although it has a comment sign in front of it, in this case, it's a default option, and is what you have at present. So, when you change it from yes to no, uncomment it as well.

23rd January 2010, 05:05 AM
Registered User
Join Date: Oct 2007
Location: Dubai UAE
Posts: 95
Best Bet: switch from password auth to pubkey auth..
..Then, you do not need to worry about some uninvited persons entering your system. they can try and try and NEVER gain entry.
Here is a HOW-TO to assist setting up public key auth. It was written for openBSD but the Linux method is the same:
http://open.bsdcow.org/histerical/tu...sh_pubkey_auth
Original credit to tjVanWyck for mentioning this
__________________
Linux Counter # 52009
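As an added example that is not part of the thread (my own sh script, not Fedora's, OpenSSH's or any poster's), here is one way to apply the sshd_config changes the last two posts describe together: a new unprivileged port, no root login, an AllowUsers list, and key-only authentication, while treating a `#PermitRootLogin yes` style line as the commented-out default it is and rewriting it in place. The function names, the constructed sample config, the port 2222 and the user names are assumptions.

```shell
# Added example, not code from the thread or from Fedora: applies the
# sshd_config changes discussed above. A line like "#PermitRootLogin yes" is
# a commented-out DEFAULT, so it is rewritten in place (uncommented and
# changed) rather than left next to a newly appended line.
SERVICES_FILE=${SERVICES_FILE:-/etc/services}

# set_sshd_option FILE KEYWORD VALUE: rewrite the first "Keyword ..." or
# "#Keyword ..." line as "Keyword VALUE" (append if absent). sshd honours the
# first value it reads, so later active duplicates are commented out.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[ \t]*#?" key "[ \t]") {
            if (!done) { print key " " value; done = 1 }
            else if ($0 ~ "^[ \t]*#") print
            else print "#" $0
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps mode and owner
    rc=$?; rm -f "$tmp"; return $rc
}

# harden_sshd_config FILE PORT "user1 user2": PORT must be above 1023 and, as
# suggested above, absent from /etc/services ($SERVICES_FILE); returns 1 and
# leaves FILE untouched otherwise. Password and PAM keyboard-interactive
# auth are both switched off so that only keys are accepted.
harden_sshd_config() {
    file=$1 port=$2 users=$3
    [ "$port" -gt 1023 ] 2>/dev/null || return 1
    grep -Eq "[[:space:]]$port/tcp" "$SERVICES_FILE" 2>/dev/null && return 1
    set_sshd_option "$file" Port "$port" &&
    set_sshd_option "$file" PermitRootLogin no &&
    set_sshd_option "$file" AllowUsers "$users" &&
    set_sshd_option "$file" PasswordAuthentication no &&
    set_sshd_option "$file" ChallengeResponseAuthentication no &&
    set_sshd_option "$file" PubkeyAuthentication yes
}

# Constructed sample mimicking the commented defaults of a stock sshd_config.
make_sample_config() {
    printf '%s\n' '#Port 22' '# Authentication:' '#PermitRootLogin yes' \
        '#PasswordAuthentication yes' 'PasswordAuthentication yes' \
        'X11Forwarding yes' > "$1"
}
```

Run it against a copy of /etc/ssh/sshd_config first, check the result with `sshd -t`, and make sure your own public key is already in ~/.ssh/authorized_keys before restarting sshd, or you will lock yourself out along with the intruder.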