# How best to secure a linux workstation?

## FizzyWidget

Having just moved full time from Windows to Linux, I am trying to figure out how best to secure my machines. I do use ssh, but this is only internal and not allowed through the router, and I also use keys, not a password. Is that good enough for ssh, or is there more I should be doing?

I have an iptables script (although basic):

```
#!/bin/bash
# Flush the INPUT and OUTPUT chains before loading the rules below.
iptables -F INPUT
iptables -F OUTPUT

# Default policy: anything arriving that no rule below accepts is dropped.
iptables -P INPUT DROP

# Let replies to connections this box started (and related traffic) back in.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Stateful UDP and TCP: new connections may go out; only their return
# traffic is accepted coming in.
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

# Loopback and the local LAN are trusted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT

# Final explicit drop on eth0 (redundant with the DROP policy, but harmless).
iptables -A INPUT -i eth0 -j DROP
```

I know how to add programs and allowed IP addresses for ftp/web and such, so only friends should be able to connect. Is there anything more I should add to that?

Last but not least, I have been looking at programs like rkhunter, chkrootkit and unhide. Are they any good? Do they find most things, or are there other programs I should be looking at? I know Linux is more secure than Windows by default, but any extra help I can give it to make things harder for others to get in and do things to my machines, the happier I will be :Smile:

----------

## ferreirafm

Hi Dark Foo,

I think you are all done. Here are my ip rules in case you want to close some other ports.

For paranoids, it is also possible to implement a black/white list.

G'Luck

```
mephisto etc # more iptables.rules
# Generated by iptables-save v1.4.3.2 on Qua Out 14 16:54:29 BRT 2010
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# permit people to ssh into this computer
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
#-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
#-A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 5 -j DROP
# REJECT --reject-with tcp-reset
# permit ftp and web hosting services
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# permit passive ftp ports
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 60000:65000 --syn -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT
# permit windows file sharing
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# permit five ports for bitorrent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# reject all other packets coming into the computer, even from other
# computers in the local area network
#-A INPUT -j DROP
#         -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

Some of these rules might not work due to changes from previous versions of iptables.

----------

## FizzyWidget

Hi ferreirafm

Thanks for the iptables. Looking at the Windows file sharing, I can share with Windows and NFS without issue. Is there something in your script that blocks all ports, so you need to specifically put them in there to have them open?

Yours is near enough the same as the test iptables I had, well at least for ftp and such; I added friends' IP addresses there just to make double sure :Smile:

Also, what is a black/whitelist? A newb question I am sure, but I am a newb to Linux full time so far; every bit of information will help me learn :Smile:

----------

## ferreirafm

*Dark Foo wrote:*

> is there something in your script that blocks all ports and so you need to specifically put them in there to have them open?

You may try to uncomment the last line where it is, or put it at the beginning of the rules. Like: close all and open some. However, I couldn't get this effect, and that's why these lines are commented. If it works for you, please drop me a line.

G'Luck

Edit: a black/white list is to gather friendly/threatening IPs and allow/deny them according to the number of times they fail to access.

----------

## tclover

If you want to learn, then you should definitely go to the old wiki page referenced at the bottom of the gento-wiki.com iptables article. You'll learn how to put together a powerful script which will drop every packet and block many common unused ports, and then let in packets based on your rules. As for the whitelist/blacklist, you'll need to merge ipset, which has advanced settings for filtering. Luckily for you, the ipset modules were merged into the iptables kernel modules a few months ago. Just enable what could be of interest, or else enable almost every iptables/ipset module. The old article will help with that! And you could search the forum, as somebody posted a basic filtering list last summer; I cannot remember who it was. A search of the forum with the ipset keyword should be enough.

----------

## NeddySeagoon

Dark Foo,

Security is a trade off with usability.

First, accept that an attacker with sufficient resources and determination will get in. Such an attacker can break in and steal your system.

All you can do is make it clear that there are easier systems to attack, so the casual attacker goes away and finds a Windows box to play with.

First, don't run any services you don't need. The wider you open the window, the more the dirt blows in.

Set up your firewall so that everything that is not explicitly allowed is denied. Both in and out.

That helps keep the nasties out and, if they do get in, helps to stop them phoning home.

Do not permit remote root logins. Every *NIX box has a root user, so don't give attackers half the information they need to get in.

Look at what filesystems you can mount with nodev, noexec, nosuid to make life harder after a break-in.

Make your kernel monolithic if you can and turn off loadable module support. That stops an attacker loading kernel modules.

If you run a wireless network, put it on its own NIC in your firewall and do not permit wireless to wired connections. This keeps the wardrivers out. They can still steal your bandwidth but not get at your wired network.

Consider running a hardened Gentoo. Now it starts to get more uncomfortable. Xorg still won't run on a hardened system unless some of the hardening features are disabled for Xorg. nvidia-drivers, the binary blob, even needs a /tmp with exec permissions, which is a well known attack vector. That's just brain dead.
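
A default-deny ruleset along the lines NeddySeagoon describes (nothing in or out unless allowed, wireless kept off the wired LAN), with ferreirafm's `-m recent` SSH rate limit folded in. This is an added example, not a script from the thread; the interface names, the LAN subnet and the outbound service list are assumptions, and the FORWARD section only does anything on a box that routes between its NICs.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny firewall: nothing in or out
# unless a rule below allows it. Interface names and subnets are assumptions.
# Set IPT="echo iptables" to dry-run and print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"       # uplink to the internet
WIRED_IF="${WIRED_IF:-eth0}"   # protected wired LAN
WLAN_IF="${WLAN_IF:-wlan0}"    # wireless, treated as untrusted
LAN="${LAN:-192.168.1.0/24}"   # wired LAN subnet (the one used in the first post)

apply_rules() {
    # Clean slate, then drop by default on every chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, and replies to connections this box started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: only what a desktop needs (DNS, web, NTP). Anything else a
    # compromised process tries to open is dropped and logged below.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

    # SSH only from the wired LAN; a source opening more than 5 new
    # connections in 60 seconds is dropped (ferreirafm's -m recent idea).
    $IPT -A INPUT -i "$WIRED_IF" -s "$LAN" -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
    $IPT -A INPUT -i "$WIRED_IF" -s "$LAN" -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    $IPT -A INPUT -i "$WIRED_IF" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Only relevant when this box routes between NICs: wireless may go out to
    # the internet but never into the wired LAN; the wired LAN may go out.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -j DROP
    $IPT -A FORWARD -i "$WLAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WIRED_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT

    # Log (rate-limited) whatever falls through, so the logs show what the
    # outside world, or something on the box, is trying to do.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# Dry-run helper: print the rules that would be loaded, one per line.
show_rules() {
    (IPT="echo iptables"; apply_rules)
}

# Number of -A rules in the ruleset (a sanity check after editing).
rule_count() {
    show_rules | grep -c -- ' -A '
}
```

Run `show_rules` first and read the output; only call `apply_rules` as root once you are happy, and have a console handy in case you lock yourself out.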

----------

## FizzyWidget

*NeddySeagoon wrote:*

> Dark Foo,
>
> Security is a trade off with usability.

Well, seeing as it is to be used in place of a Windows desktop, I think a bit of both is in order.

*NeddySeagoon wrote:*

> First, accept that an attacker with sufficient resources and determination will get in. Such an attacker can break in and steal your system.
>
> All you can do is make it clear that there are easier systems to attack, so the casual attacker goes away and finds a Windows box to play with.
> ...

I know this; this is why I am asking how to make it as hard as possible, or, as you say, make them think it's not worth their time. On my older router, which was running Tomato firmware, I could add IP addresses to ports, but with the new E4200 it seems most firmwares are still not fully supported, and it is indeed even advised not to use them until they have been tested more.

*NeddySeagoon wrote:*

> First, don't run any services you don't need. The wider you open the window, the more the dirt blows in.
>
> Set up your firewall so that everything that is not explicitly allowed is denied. Both in and out.
> ...

I have changed /etc/ssh/sshd_config to PermitRootLogin no, and I have changed it so that only keys are allowed:

```
ChallengeResponseAuthentication no
PasswordAuthentication no
```

as suggested here: http://en.gentoo-wiki.com/wiki/SSH_Public_Key_Authentication

Have also changed the ssh port and set it to protocol 2, although I will never allow this to be set in the router, as ssh is purely for internal use only.

I do have mysql on both laptop and storage PC as I am using KDE/Amarok for music, although I might dump that if people think that using mysql for that and digikam is overkill. I only have apache and php compiled because, for some reason, no matter how hard I try, using mysql from the command line I never seem to be able to get changes to stick; then again, I guess I am using the wrong mysql commands, so am being lazy and using phpmyadmin :Embarassed:

*NeddySeagoon wrote:*

> Look at what filesystems you can mount with nodev, noexec, nosuid to make life harder after a break-in.

I am using the standard 4 partitions as described in the setup guide: /boot, /swap, / and /home. How would I work out which should be mounted with nodev, noexec, nosuid?

*NeddySeagoon wrote:*

> Make your kernel monolithic if you can and turn off loadable module support. That stops an attacker loading kernel modules.

Do you mean build everything as built-in and then disable loadable module support? I have been told that building everything in is not always a good idea; I have seen this suggested on the forums and elsewhere. Or is this another old wives' tale?

*NeddySeagoon wrote:*

> If you run a wireless network, put it on its own NIC in your firewall and do not permit wireless to wired connections. This keeps the wardrivers out. They can still steal your bandwidth but not get at your wired network.

How would I do that in iptables? I'm guessing it's blocking wlan0 to eth0 connections in some way?

I have it set in the router to disallow anyone not in the MAC filter list. I know this will not stop everyone, as you can spoof a MAC address, but am hoping that, by tying down MAC addresses, it should stop the average person sitting outside or driving past stealing my bandwidth :Smile:

*NeddySeagoon wrote:*

> Consider running a hardened Gentoo. Now it starts to get more uncomfortable. Xorg still won't run on a hardened system unless some of the hardening features are disabled for Xorg. nvidia-drivers, the binary blob, even needs a /tmp with exec permissions, which is a well known attack vector. That's just brain dead.

Steady on Neddy, let's not rush things; let me learn to crawl before I start a 100m sprint :Wink:

The other thing I have done is to use the hosts file to stop ads and other things coming in, using http://winhelp2002.mvps.org/hosts.htm and Spybot's own block lists (yes, I know they are Windows things, but it helps keep the ads and crap down).

As to the blacklist/whitelist, which is best to use for that? fail2ban, or are there other scripts/programs?

Also, what about the programs I first asked about: are they okay, or are there better ones?

----------

## salmonix

http://www.gentoo.org/doc/en/security/

?

----------

## FizzyWidget

Most of what is there I have already seen, and what I am not sure about is why I am asking here; sometimes things need to be simplified for us mere mortals who are new to Linux :Wink:

----------

## NeddySeagoon

Dark Foo,

A few words on your questions.

With a four partition system, there is not much you can do with nodev, noexec and nosuid.

Consider what is in /home. If you don't have any chroots there, you should be able to use nodev and nosuid, because nothing needing those rights should be installed in /home unless it's a chroot for something. You will almost certainly have some scripts that you like to run in /home, so noexec won't be possible. Testing is harmless. At worst, you will need to use a liveCD to edit /etc/fstab.

Monolithic kernels are not always possible. Things that need firmware can be difficult to build in, as you also need to build in the firmware. Third party kernel modules can't be loaded, so the ATI and nVidia binary blobs will no longer work. You make the usability/security trade off choice.

I can't tell you how to write your iptables rules to split out your wireless. I use shorewall to avoid playing with iptables directly. I can share my iptables -L and/or shorewall setup if you like.

Hardened Gentoo may be a step too far to start with, but you can play with it in a virtual machine to get the feel of it. I know it runs in a Kernel Virtual Machine and it should run in VirtualBox, which is easier to set up, too. Some features of hardened are coming to ordinary Gentoo soon anyway.

Blacklisting/Whitelisting etc. are matters of personal taste. If your security is good, they should not be needed, but they will reduce wasted bandwidth from potential attackers knocking on your door. Add them later when you are confident in your settings; until then, keep a close eye on your logs to see what the outside world is trying to do.

chkrootkit and friends use heuristics to spot potential threats installed on your system. They do show false positives. If you want to keep an eye on things on your system, try tripwire. It saves a list of every file you ask it to cover along with a hash for the file. Keep this data off the system to be covered. Later, you run it again and it compares what's there now with the original files and hashes, so you know what's been changed. It tells you what but not why. If you keep a check on /usr, do an emerge then a tripwire run, all the changed/added files will be highlighted.
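
The record-hashes-then-compare idea NeddySeagoon describes, written out with `sha256sum` as an added example (this is not tripwire and not code from the thread). The baseline file is meant to be copied off the machine as soon as it is written; the tiny directory tree in `fim_demo` is constructed to show a changed, an added and a removed file.

```shell
#!/bin/sh
# Added example, not tripwire itself: record a hash for every file, keep that
# baseline off the box, and later compare the live tree against it.

# hash_tree DIR: "<sha256>  <path>" for every regular file under DIR, sorted.
hash_tree() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum
}

# make_baseline DIR FILE: record the current state of DIR into FILE.
make_baseline() {
    hash_tree "$1" > "$2"
}

# check_baseline DIR FILE: one line per difference since the baseline:
#   CHANGED <path>   content differs (e.g. a replaced binary)
#   ADDED   <path>   file that was not there before
#   REMOVED <path>   file that has gone missing
# Prints nothing when the tree matches. Paths containing spaces are not handled.
check_baseline() {
    now=$(mktemp)
    hash_tree "$1" > "$now"
    # First pass reads the baseline into base[path]=hash; second pass walks the
    # live listing; whatever is left in base[] afterwards has been removed.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { if (!($2 in base)) print "ADDED " $2; else if (base[$2] != $1) print "CHANGED " $2; delete base[$2] }
         END { for (p in base) print "REMOVED " p }' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Constructed demonstration: baseline a tiny tree, alter it, and report.
fim_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/sbin"
    printf 'original\n' > "$root/bin/ls"
    printf 'original\n' > "$root/sbin/init"
    make_baseline "$root" "$root.baseline"
    printf 'modified\n' > "$root/bin/ls"      # simulate a replaced binary
    printf 'new\n' > "$root/sbin/.hidden"      # simulate a file that appeared
    rm -f "$root/sbin/init"                    # simulate a deleted file
    check_baseline "$root" "$root.baseline"
    rm -rf "$root" "$root.baseline"
}
```

As with tripwire, an `emerge` will legitimately change many files, so re-baseline right after each update and treat anything that changes between updates as worth a look.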

----------

## FizzyWidget

I have looked at shorewall before; never could get my head around it. If you could share the iptables that it gives you, that would be great.

As to the partition situation, how would you suggest the system be set up? I have no issue with re-partitioning or re-installing. Once upon a time I think I had something like

```
sda1 /boot    - 100meg
sda2 /swap    - 2-4GB (even on a system with 8GB RAM)
sda3 /        - 1G
sda5 /portage - 1G (maybe two, can't remember)
sda6 /tmp     - 6G (OpenOffice bitches about it being less)
sda7 /usr     - 15G
sda8 /var     - 1G
sda9 /home    - rest of drive
```

As for tripwire, I'm guessing this should be one of the first things to compile and install, maybe while chrooted on initial install?

Sorry if these questions seem silly or something a Linux user should instinctively know. I just want to make sure I have everything right before I bring the main PC over to Linux. The storage PC that hardly ever sees the inet apart from a few torrents here and there, and a laptop that is mainly for watching movies and backup if the main PC should break, are different to a PC that will always be connected to the inet near on 24/7, even if it is behind a router.

Thanks  :Smile: 

----------

## NeddySeagoon

Dark Foo,

I just know this will make your head hurt ...

I have a network with five zones to shorewall.

net == the big bad internet

fw == the firewall itself

green == the protected wired network

blue == the wireless network

dmz == the partially protected network for my servers.

iptables -L is at http://paste.pocoo.org/show/518949/

The internet is at 62.3.120.136/29

green is 192.168.100.0/24

blue is 192.168.54.0/24

dmz is 192.168.10.0/24

There is a private gentoo rsync mirror, a mail server, a web server, a ssh server, a squid transparent proxy and http-replicator in there somewhere.

I need to add snort to log the nasties too.

Ping is allowed everywhere. VPN is only allowed out from blue. Everything that is rejected is logged, mostly for debugging.

You need to run tripwire as soon as your install is complete as any added files will be spotted and reported.  That can be a lot if you add say, Xorg and Gnome3.

----------

## FizzyWidget

No Neddy, the alcohol is making my head hurt atm, but I will look at this in the morning :p

What do you think of the partition scheme I posted? Does it look okay, or would you do it differently?

Thanks for all your help btw, much appreciated  :Smile: 

----------

## NeddySeagoon

Dark Foo,

I do it differently.  There will soon be a problem with /var and/or /usr on a partition other than root, unless you have an initrd to mount /, /usr and /var before udev can start.

udev only supports it now with a workaround and the workaround has been removed in the overlay version of udev.

That's just bitten me. I knew it was coming, but not when.

/var needs to be a lot more than 1G. It's used for portage workspace as well as permanent information.

LibreOffice needs 9G in /var to build just now.  

Once I can boot my main system again, I'll post my partition scheme. Just now, I'm fetching System Rescue CD so I can pick up the pieces.  I gave away my USB stick with it on.

----------

## FizzyWidget

Okay Neddy, when you are sorted is fine. I think I was working up until Xmas, but it seems I'm not now, so I have some spare time to devote to getting all 3 PCs sorted :Smile:

----------

## NeddySeagoon

Dark Foo,

```
df -Th
Filesystem               Type    Size  Used Avail Use% Mounted on
rootfs                   rootfs   15G  1.3G   13G   9% /
/dev/root                ext4     15G  1.3G   13G   9% /
rc-svcdir                tmpfs   1.0M   76K  948K   8% /lib64/rc/init.d
udev                     tmpfs    10M  756K  9.3M   8% /dev
shm                      tmpfs   7.9G  512K  7.9G   1% /dev/shm
/dev/mapper/vg-home      ext4   1008G  768G  189G  81% /home
/dev/mapper/vg-opt       ext4    9.9G  1.2G  8.2G  13% /opt
/dev/mapper/vg-tmp       ext2    2.0G  3.1M  1.9G   1% /tmp
/dev/mapper/vg-var       ext4     59G   27G   29G  48% /var
/dev/mapper/vg-usr       ext4     40G   21G   17G  56% /usr
/dev/mapper/vg-local     ext4   1008M   56M  901M   6% /usr/local
/dev/mapper/vg-portage   ext2    2.0G  298M  1.6G  16% /usr/portage
/dev/mapper/vg-distfiles ext4     30G   27G  1.2G  96% /usr/portage/distfiles
/dev/mapper/vg-packages  ext4     30G   21G  7.5G  74% /usr/portage/packages
/dev/mapper/vg-vmware    ext4     82G   25G   53G  33% /mnt/vmware
/dev/shm                 tmpfs   7.9G     0  7.9G   0% /var/tmp/portage
/dev/md125               ext2     38M   16M   21M  43% /boot
```

is what I have. Doing it over again, I would use ext4 with no journal for the ext2 partitions.

The inode ratio is not all standard either.

----------

## FizzyWidget

FFS!!!!! I put /usr/portage as 2G and I get -

```
Cannot open: No space left on device
```

```
livecd gentoo # df -Th
Filesystem    Type    Size  Used Avail Use% Mounted on
rootfs      rootfs    4.0G   32M  3.9G   1% /
udev      devtmpfs     10M  208K  9.8M   3% /dev
/dev/sr0   iso9660    147M  147M     0 100% /mnt/cdrom
/dev/loop0
          squashfs    117M  117M     0 100% /mnt/livecd
rc-svcdir    tmpfs    1.0M   80K  944K   8% /mnt/livecd/lib64/rc/init.d
shm          tmpfs    4.0G     0  4.0G   0% /dev/shm
tmpfs        tmpfs    4.0G   13M  3.9G   1% /mnt/livecd/lib64/firmware
tmpfs        tmpfs    4.0G     0  4.0G   0% /mnt/livecd/usr/portage
/dev/sda3     ext4     15G  382M   13G   3% /mnt/gentoo
/dev/sda1     ext4     46M  766K   43M   2% /mnt/gentoo/boot
/dev/sda5     ext4    9.4G  150M  8.8G   2% /mnt/gentoo/opt
/dev/sda6     ext4     38G  718M   35G   2% /mnt/gentoo/usr
/dev/sda7     ext4    1.9G   35M  1.8G   2% /mnt/gentoo/usr/local
/dev/sda8     ext4    1.9G  602M  1.2G  33% /mnt/gentoo/usr/portage
/dev/sda9     ext4     29G  172M   27G   1% /mnt/gentoo/usr/portage/distfiles
/dev/sda10    ext4     29G  172M   27G   1% /mnt/gentoo/usr/portage/packages
/dev/sda11    ext4    1.9G  2.9M  1.8G   1% /mnt/gentoo/tmp
/dev/sda12    ext4     38G  193M   36G   1% /mnt/gentoo/var
```

So why the hell is it saying there is no space left on device????

```
livecd gentoo # tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
```

is right; I have done it many times before.

I should have just left it as the 4 partitions; at least I had a working system then!!!!!

Edit: Seems all the inodes are used

```
/dev/sda8             125184  125184       0  100% /mnt/gentoo/usr/portage
```

Seems using 

```
mkfs.ext4 -i 4096 /dev/sda8
```

sorts the issue, so are there any other special values I should be using for the other filesystems?

Or would you suggest 4096 for all 2G partitions, as they will have many little files on them (ebuilds, txt files, etc.), and leave the others as ext4 defaults?

----------

## NeddySeagoon

Dark Foo.

For the portage tree, you can use one inode per block, which is 1024 bytes. It contains lots of very small files and, as you can see, it will run out of inodes because of the huge number of files.

For /usr/portage/distfiles and /usr/portage/packages, the defaults are OK, as these directories store your downloaded sources and built binary packages respectively.

They are all comparatively large files.

The above dirs, together with /tmp and /boot, can all be either ext2 or ext4 with no journal, as they are all easy to recreate.

Depending on the amount of RAM you have, you can point /tmp to /dev/shmfs and have /tmp in RAM. It's wiped every boot, so that's safe.

There is a nasty surprise just around the corner that's been the subject of a lot of discussion on the Gentoo developer and user mailing lists.

Just now, udev tolerates /usr and /var not being on the root filesystem. However, this support is going to be withdrawn soon, to the point where your box (and mine) will not boot without an initrd to mount /usr and /var before udev gets started. udev already depends on things in /var and /usr and has to take recovery action when they are not mounted when it starts. The way ahead is still indeterminate, with there being three camps:

Those that promote the use of an initrd, which is what the rest of the Linux world seems to want to do.

Those that want to develop mdev and drop udev.

A small minority that suggest moving udev to the boot runlevel and using existing openrc scripts to get /usr and /var mounted so udev is happy.

Read the archives for the full story.

----------

## FizzyWidget

Would you advise keeping the system as is and dealing with it when they remove support for /var and /tmp not being on the root filesystem? Or just make / bigger and put var and tmp on there?

Last question before I start the server install: which of your partitions are set nodev, noexec and nosuid?

Once I have that little bit of info I think I will be set; just have to figure out how much to give to each partition on the 80GB drive in here :p

----------

## NeddySeagoon

Dark Foo,

Keep it as is.  The way ahead for systems like yours and mine is being worked out.

It will be supported one way or another, and a udev that needs it will not be stabilised until the rest of the support is also in place.

----------

## FizzyWidget

*Dark Foo wrote:*

> Last question before I start the server install: which of your partitions are set nodev, noexec and nosuid?
>
> Once I have that little bit of info I think I will be set; just have to figure out how much to give to each partition on the 80GB drive in here :p

^^^^^^^

Please - stop teasing me  :Smile: 

----------

## NeddySeagoon

Dark Foo,

Very few at the moment, but this should work.

```
/dev/sda3     ext4     15G  382M   13G   3% /mnt/gentoo
/dev/sda1     ext4     46M  766K   43M   2% /mnt/gentoo/boot                    nodev, noexec and nosuid
/dev/sda5     ext4    9.4G  150M  8.8G   2% /mnt/gentoo/opt                     nodev (maybe nosuid too)
/dev/sda6     ext4     38G  718M   35G   2% /mnt/gentoo/usr                     nodev
/dev/sda7     ext4    1.9G   35M  1.8G   2% /mnt/gentoo/usr/local               nodev (maybe nosuid too)
/dev/sda8     ext4    1.9G  602M  1.2G  33% /mnt/gentoo/usr/portage             nodev, noexec and nosuid
/dev/sda9     ext4     29G  172M   27G   1% /mnt/gentoo/usr/portage/distfiles   nodev, noexec and nosuid
/dev/sda10    ext4     29G  172M   27G   1% /mnt/gentoo/usr/portage/packages    nodev, noexec and nosuid
/dev/sda11    ext4    1.9G  2.9M  1.8G   1% /mnt/gentoo/tmp                     nodev, noexec and nosuid
/dev/sda12    ext4     38G  193M   36G   1% /mnt/gentoo/var                     nodev (maybe nosuid too)
```

Only root should have device special files; that's most of the content of /dev. The only reason to have them in any other filesystem is because you have a chroot there, in which case you will need to fix the nodev above.

noexec prevents files on that filesystem from being executed. Your executable files are in /, /opt, /usr, /var, /usr/local and maybe /home, which isn't listed.

/boot doesn't count, as the kernel and initrd files, if you have them, are never executed by the Gentoo system. You don't really need any of these options on /boot as it's never mounted. If it is, it's done by root to update the kernel, and if an attacker has root, it's game over anyway.

You may have suid files anywhere you have executable files; you would need to test. These are files that can be run by users and, when they run, they run with the file owner's permissions. E.g. your normal user can run ping, but it's suid root, so it runs as root.

```
 ls -l /bin/ping
-rws--x--x 1 root root 39672 Nov 24 20:01 /bin/ping
```

Note the 'sticky bit' is set. That's the s in place of the x in the owner's permissions.
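
A small check against the table above, written as an added example (not code from the thread): `audit_fstab` reads an fstab and reports every mount missing the nodev/noexec/nosuid options NeddySeagoon recommends for it, and `find_suid` lists the setuid/setgid files on a filesystem that still allows them. Treating his "maybe nosuid too" entries as required is my assumption, and the fstab in the demo is constructed, modelled on the one FizzyWidget posts further down the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Policy table below is NeddySeagoon's
# per-mount advice, with "maybe nosuid" treated as required (an assumption).
POLICY='
/boot nodev,noexec,nosuid
/opt nodev,nosuid
/usr nodev
/usr/local nodev,nosuid
/usr/portage nodev,noexec,nosuid
/usr/portage/distfiles nodev,noexec,nosuid
/usr/portage/packages nodev,noexec,nosuid
/tmp nodev,noexec,nosuid
/var nodev,nosuid
'

# audit_fstab FSTAB_FILE: print "MISSING <mountpoint> <option>" for every
# required option absent from that mount's option field, and
# "MISSING <mountpoint> (not in fstab)" if the mount is not listed at all.
# Prints nothing when the fstab satisfies the policy.
audit_fstab() {
    printf '%s\n' "$POLICY" | while read -r mnt wanted; do
        [ -n "$mnt" ] || continue
        # fstab: field 2 is the mount point, field 4 the option list; skip comments
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$1")
        [ -n "$opts" ] || { echo "MISSING $mnt (not in fstab)"; continue; }
        for o in $(printf '%s' "$wanted" | tr ',' ' '); do
            case ",$opts," in
                *",$o,"*) ;;                       # option present
                *) echo "MISSING $mnt $o" ;;
            esac
        done
    done
}

# find_suid MOUNTPOINT: setuid/setgid files on one filesystem (does not cross
# into other mounts), i.e. what nosuid would neutralise if it were set there.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed demonstration: an fstab with nodev on /opt, /usr/local and /var
# but no nosuid on them, so the audit should flag exactly those three.
fstab_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab
/dev/sda1   /boot                   ext4    defaults,noatime,nodev,noexec,nosuid     1 2
/dev/sda2   none                    swap    sw                                       0 0
/dev/sda3   /                       ext4    defaults,noatime                         0 1
/dev/sda5   /opt                    ext4    defaults,noatime,nodev                   0 1
/dev/sda6   /usr                    ext4    defaults,noatime,nodev                   0 1
/dev/sda7   /usr/local              ext4    defaults,noatime,nodev                   0 1
/dev/sda8   /usr/portage            ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda9   /usr/portage/distfiles  ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda10  /usr/portage/packages   ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda11  /tmp                    ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda12  /var                    ext4    defaults,noatime,nodev                   0 1
EOF
    audit_fstab "$f"
    rm -f "$f"
}
```

Run `audit_fstab /etc/fstab` on the real box, and `find_suid /usr` (or whichever mount you are about to make nosuid) to see what would stop working before you change it.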

----------

## FizzyWidget

Thanks Neddy, will take a look at the system in the morning; took some of my medication and am starting to feel sleepy. /home isn't listed as it's on a RAID and I only have so many SATA connections. I know I should get an external CD/DVD drive, which I might look into; once I have the main system in, I will re-attach the drives in the RAID :Smile:

----------

## FizzyWidget

*NeddySeagoon wrote:*

> chkrootkit and friends use heuristics to spot potential threats installed on your system. They do show false positives. If you want to keep an eye on things on your system, try tripwire. It saves a list of every file you ask it to cover along with a hash for the file. Keep this data off the system to be covered. Later, you run it again and it compares what's there now with the original files and hashes, so you know what's been changed. It tells you what but not why. If you keep a check on /usr, do an emerge then a tripwire run, all the changed/added files will be highlighted.

Installed tripwire and used the script from the bug tracker to make a better ruleset than what comes with it :Smile: Just have to find a USB stick to put the files onto, as it's set to stick them in /etc atm; will change that as soon as I can. And just to be clear, are you saying NOT to use chkrootkit/rkhunter and unhide?

Edit:

```
 df -Th
Filesystem     Type      Size  Used Avail Use% Mounted on
rootfs         rootfs     15G  390M   14G   3% /
/dev/root      ext4       15G  390M   14G   3% /
rc-svcdir      tmpfs     1.0M   48K  976K   5% /lib64/rc/init.d
cgroup         tmpfs     3.9G     0  3.9G   0% /sys/fs/cgroup
udev           devtmpfs   10M  176K  9.9M   2% /dev
shm            tmpfs     3.9G     0  3.9G   0% /dev/shm
/dev/sda1      ext4       44M  5.0M   37M  12% /boot
/dev/sda5      ext4      9.9G  151M  9.2G   2% /opt
/dev/sda6      ext4       40G  1.5G   36G   4% /usr
/dev/sda7      ext4      2.0G   68M  1.9G   4% /usr/local
/dev/sda8      ext4      1.5G  681M  754M  48% /usr/portage
/dev/sda9      ext4       30G  642M   28G   3% /usr/portage/distfiles
/dev/sda10     ext4       30G  172M   28G   1% /usr/portage/packages
/dev/sda11     ext4      2.0G  3.1M  1.9G   1% /tmp
/dev/sda12     ext4       47G  214M   44G   1% /var
/dev/md0       xfs       932G  266G  666G  29% /home/foo
```

```
# /etc/fstab: static file system information.
#
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/sda1   /boot                   ext4    defaults,noatime,nodev,noexec,nosuid     1 2
/dev/sda2   none                    swap    sw                                       0 0
/dev/sda3   /                       ext4    defaults,noatime                         0 1
/dev/sda5   /opt                    ext4    defaults,noatime,nodev                   0 1
/dev/sda6   /usr                    ext4    defaults,noatime,nodev                   0 1
/dev/sda7   /usr/local              ext4    defaults,noatime,nodev                   0 1
/dev/sda8   /usr/portage            ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda9   /usr/portage/distfiles  ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda10  /usr/portage/packages   ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda11  /tmp                    ext4    defaults,noatime,nodev,noexec,nosuid     0 1
/dev/sda12  /var                    ext4    defaults,noatime,nodev                   0 1
/dev/md0    /home/foo               xfs     noatime,nodiratime,allocsize=512m        0 0
##/dev/cdrom  /mnt/cdrom   auto    noauto,user          0 0
proc        /proc        proc    defaults             0 0
shm         /dev/shm     tmpfs   nodev,nosuid,noexec  0 0
```

so far so good  :Smile: 

Are there any other ext4 mount options you do or can advise on?

----------

## NeddySeagoon

Dark Foo,

Correct. chkrootkit/rkhunter both give false positives on a healthy system. I don't know unhide.

----------

## jtharel

Here is a pretty good write up on a hardened build of gentoo...

http://globosferro.org/?p=1010

Jimmy

----------

## FizzyWidget

I feel like saying fuck it and going back to Windows, as I don't think I can keep the machines secure. I think it's because of all the programs there are for Windows that cover this area, and that I have got used to having it all done for me. I just don't feel confident enough; keep getting this feeling that I have missed something and the boxes will be compromised :Sad:

----------

## j4miel

Too late Dark Foo, we're already watching you.

 :Twisted Evil: 

----------

## FizzyWidget

Do you like my windows desktop?   :Laughing: 

----------

