# How secure is my system (and yours)?

## Shotpiece

Well, I guess I'll preface this with a comment about how I've only been into Gentoo and/or Linux for about a month now, although I've learned a hell of a lot.

However, it dawned on me the other day that despite all the utilities, eye candy, and other software I've installed on my system, I've installed nothing in the way of antivirus software or firewalls. Granted, the only news stories we hear about are the viruses on Windoze, but what if some of these coders decided to put their energy towards really bringing down the Linux systems instead? Is that possible? Does the fact that you have to be root to really affect your system truly protect against sketchy software (should you run it)?

Of course, aside from the virus issues (which may not be a problem on Linux as far as I know...), given the open source nature of the OS I feel as though it shouldn't be difficult to find some kind of vulnerability and exploit it. I mention that due to the fact that a few years back someone I know was running Red Hat and his computer got hacked. Is this an issue with Gentoo? If I leave my system hooked up on a LAN, is it possible for anyone to break into my system?

As far as firewalls are concerned, in the past I have relied on the WinXP software firewall, and I was wondering if there was something similar for Gentoo, and if it is an issue. Hope some of you all could clear this up for me.

----------

## gnuageux

There are anti-virus packages that you can install, though virus replication doesn't seem to be a big problem in the Linux community. I used clamscan for the 1st time the other day due to an error I got from a mail host stating that I was infected. It may be stupidity on my part, but this is the 1st time since I began using Linux (any distro) that I've done this. How do you connect to the net? I hear a lot of talk about firewall yada yada yada when in fact IMHO I don't think that many home users warrant this kind of "protection".

If you're on a LAN I assume that you use private IP space (i.e. 10.0.0.0/24 or 192.168.0.0/24, whatever). Do you have port forwards in place on the device that is performing the address translation? If not, then even if someone did try and connect, say on an RPC port, the connection would be dropped at that hop; your machine wouldn't even answer. If you are behind a router, modem, whatever that has a statically allocated addy and you're curious what ports are open, perhaps port scanning the IP w/ nmap would be a good idea.

----------

## nightblade

Being in a private network for sure reduces the risk of being hacked.

Moreover, a very good aspect of Gentoo is the fact that you only install what you really need (at least you are supposed to), so you don't have ftp/telnetd/fingerd/whatever-d servers hanging around with no reason at all, and this also reduces the possible "entryways" of an attacker.

Nevertheless, I believe that having a basic knowledge of how to set up a firewall on Linux is not a bad thing, and playing around a bit with iptables is a very good learning experience.

Not to mention the possibility, if you are more of the paranoid type, to tighten your machine even at kernel-level, using the grsecurity patches.

The possibilities are endless, and I think that one of the main advantages of using Linux instead of Windows is the possibility to make your machine *really* secure, no matter what the surrounding network environment happens to be. So I guess that the final result is worth playing around a few days with iptables &c. :Smile:

By the way, Bastille (http://www.bastille-linux.org/) is a very good tool that helps you harden your Linux box in an interactive and relatively easy way, learning a lot about Linux security on the way.

----------

## Jeremy_Z

Well, I don't think that even a firewall is really useful since:

- you don't have many exploitable apps running (like the already mentioned servers)

- the main purpose of a firewall (with Windows) is to protect you against worms

- with Gentoo you can install security updates very quickly and easily.

----------

## Shotpiece

 *Jeremy_Z wrote:*   

> - with Gentoo you can install security updates very quickly and easily.

How is this done? Will a simple `emerge sync` and `emerge -uaD world` update security on my system as well as all my packages?

Anyhow, no, I'm not a paranoid user, I'm pretty much your average user, on a private network, but I sure don't want random people having access to my system, OR executing arbitrary code. Since I don't know enough about security with Linux, I'm pretty much just trying to figure out what a good basic *secure* setup would be with Gentoo, cuz I know for damn sure using Windows out of the box is not exactly a good idea.

nightblade, thanks for the reference to Bastille, but I just noticed on the site it supports a few distros, but Gentoo isn't in there. Does it still work, or even better, is it somewhere in Portage?

----------

## nightblade

 *Jeremy_Z wrote:*   

> Well, I don't think that even a firewall is really useful since:
> 
> - you don't have many exploitable apps running (like the already mentioned servers)
> 
> - the main purpose of a firewall (with Windows) is to protect you against worms
> ...

All true, Jeremy... but there are several possible scenarios... say you want to give some access (web/ssh/ftp) to a trusted machine and not to anybody else. Or if you are exposed to the Internet, you might want to drop unwanted packets, instead of rejecting them, in order to avoid being used as a 'zombie' in an idle portscan.

Maybe it's just my personal experience (read: paranoia), but even when working on a machine that does not provide services to remote users, iptables is one of the first things I configure :Smile:

----------

## nightblade

 *Shotpiece wrote:*   

> nightblade, thanks for the reference to Bastille, but I just noticed on the site it supports a few distros, but Gentoo isn't in there. Does it still work, or even better, is it somewhere in Portage?

 

Sure it is:

http://packages.gentoo.org/search/?sstring=bastille

 :Smile: 

----------

## aetius

The truth of the matter is that no system that is networked is 100% safe.  It's not possible.  Given that fact, the best practice route that is taken by most security-conscious administrators is one of defense in depth -- running a simple firewall, removing unneeded services, maintaining backups, and keeping up to date with security patches are four basic steps you can take that will drastically improve your system's security.  They aren't mutually exclusive; they work together to make a system that much harder to compromise.

Linux systems are a high-priority target due to their excellent remote-use capabilities.  They are, if anything, at more risk than Windows systems of being targeted for a compromise.  As the population of Linux systems grows, so will the number and sophistication of the attacks.  Although the design of most Linux systems does not lend itself well to things like email viruses (this is a philosophical difference, not a technical difference), Linux systems are theoretically just as vulnerable as anything else to worms and trojans that exploit buffer overflows or other bugs in common server services.

The things that make Linux more secure are:

1) Open code discourages sloppy coding and encourages code review (see the large list of recent kernel-level problems).

2) Open code encourages a more diverse developer base, bringing more varied perspectives on security and a better overall view of security problems.

3) Open code discourages trojans, back-doors, and easter eggs placed into programs by developers.

4) Open code encourages projects like Hardened Linux, Grsecurity and SELinux, which help even more to protect very high-value targets.

5) The surrounding philosophical and cultural spheres are in general highly security-conscious and strongly discourage bad programming practices that are tolerated elsewhere.

6) Open code is typically not encumbered by licensing and DRM that inhibits updates and patches from being distributed quickly and completely.

Linux and open source/free software aren't magical.  Their real advantage lies in admitting that they aren't perfect, and encouraging eternal vigilance to keep things as perfect as possible.

----------

## nightblade

 *aetius wrote:*   

> The truth of the matter is that no system that is networked is 100% safe.  It's not possible.

 

Agree. My previous post about Linux being "really secure" might sound like an overstatement.

----------

## Shotpiece

Well, like I said, I'm not the huge paranoid type, nor do I need 100%. I was basically wondering, after installing Linux without regard to any extra software/firewalls/other precautions that are security based, is my box wide open to attack? Or is Linux in general pretty secure..

----------

## tom56

Well, I'm a desktop user, and I run a firewall.  I probably don't need it but it can't do any harm to have it there just in case.  I use Firestarter and found it really easy to set up.  To test how secure your computer is, use the Shields Up site - https://www.grc.com/x/ne.dll?bh0bkyd2.

----------

## Shotpiece

Interesting tool, thanks Tom.

----------

## Jeremy_Z

 *Shotpiece wrote:*   

> Well, like I said, I'm not the huge paranoid type, nor do I need 100%. I was basically wondering, after installing Linux without regard to any extra software/firewalls/other precautions that are security based, is my box wide open to attack? Or is Linux in general pretty secure..

 

That's what i meant, for a desktop user it is secure (enough). 

 *Quote:*   

>  but there are several possible scenarios... say you want to give some access (web/ssh/ftp) to a trusted machine and not to anybody else. 

 

If you wonder how to do that, then you know that you need a firewall. (But you could also use password protection (ssh/ftp/www), tweak the conf file to restrict IPs...)

Why should you fear hackers? If you don't have any ftp/web server with a static name, nobody will bother to "hack" your comp. I mean *really* hack, not just auto-exploit-scripts or stupid-exploit-worms.

Just realize that any effort improving security will be "for fun". But if you want to install a firewall "for fun", don't use anything but pure iptables.

You can also use one-shot passwords for your ssh, and encryption for sending/receiving mail.

----------

## aetius

 *Shotpiece wrote:*   

> Well, like I said, I'm not the huge paranoid type, nor do I need 100%. I was basically wondering, after installing Linux without regard to any extra software/firewalls/other precautions that are security based, is my box wide open to attack? Or is Linux in general pretty secure..

 

The answer to that question is yes, your box is open to attack, and in fact is being attacked constantly, right this very moment, every minute you are connected to the internet.  Most of those attacks are looking for Windows machines, but some are looking for Linux machines.  Anything that you are running that is vulnerable (whether the vulnerability is known or not) is ready to be exploited, since you have no defenses in place other than the software you are running itself.  Ask yourself: IF my system was compromised, how would I know? Chances are, with a decent rootkit, you will never know your system has been compromised until you run across a problem.  For example, when your ISP shuts you down for sending 100,000 emails in less than 5 minutes.

I would bet small amounts of money that your system has a vulnerability right now - probably configuration related.  If someone was to look hard, they would probably find it.  Fortunately, most attacks are automated, looking for specific things to exploit -- which you don't have because your software is current.

You *should* be a bit paranoid -- though it isn't paranoia if they really are out to get you ... which they are, in an impersonal sort of way.  If you haven't seen it before, you should install one of the tools that detects portscans and ping sweeps and run it for a bit, or just run tcpdump for a while and examine the results.  That machine with the Hungarian domain name?  Checking you out.  That set of machines in the Time Warner nc.rr.com namespace that keep trying to access tcp port 445?  All compromised and scanning your machine.  Every minute of every day someone is looking at your system to see if it's vulnerable.  A little paranoia is a good thing on the Net today.  People who see this traffic for the first time are often shocked at the rate at which systems are scanned and probed.

Now, having said that, you are probably ok ... for now.  You have a fresh Gentoo installation, with the latest or near-latest versions of everything you are running.  IF you stay on top of updates, IF you don't run unneeded services, and IF you are careful with configuration, you might be ok for a good while.  If you are not running a firewall, you are trusting that the good guys know about all the vulnerabilities in the software you run.  You are trusting that the updated version of software you just installed didn't just add a bug that allows someone to remotely run arbitrary code on your machine.  You are trusting that the version of X windows you are running doesn't have a vulnerability with network access.

Open source and free software developers are trustworthy -- most of the time.  Defense in depth takes care of those times when developers are human just like the rest of us.  Without a firewall you are giving up one layer of your basic defense in depth, arguably the most important one.

If you don't have defenses, don't keep up with updates, aren't careful with your config, and don't keep backups either, it's really only a matter of time.  A Linux system will last longer than a Windows system, but not too much longer.  Stock Windows systems have been tested and timed -- they do not last more than an hour unprotected on the Internet, and sometimes only last a couple of minutes.  A stock Red Hat 7.x box won't last much longer.   Linux is better, but not that much better.

I know I sound like Mr. Doom and Gloom, but I've worked with Linux and networking a long time.  I've lost track of the number of people I've had to tell "Flatten your box and re-install, you've been compromised - what is the state of your backups?".  Linux distributions provide the tools to be secure.  The rest is up to you.  Eternal vigilance. :)

----------

## bluedevils

All true, aetius.

I've seen enough snort logs to see all the people outside on the internet street checking the door handle of my systems to see if the door was locked.  A firewall is a good idea, though I recommend a router or a dedicated gateway (not the company) server.  Attacks from within (email, web browsing and such) are a concern, but not as prevalent as on windoz$.  As stated before, the apps are built more with security in mind and there are fewer people trying to get to you.

Home users are still at risk.  A neighbour told me how weird things were happening to their XP machine.  It turns out someone was going through their hidden shares.

----------

## Jeremy_Z

Actually, a Windows machine lasts 3 minutes before it is forced to shut down "because the Remote Procedure Call (RPC) service terminated unexpectedly".

 :Laughing: 

 *Quote:*   

> Most of those attacks are looking for Windows machines, but some are looking for Linux machines

 

I wonder how many... you look well informed; do you know how many target Linux machines?

----------

## aetius

I don't know if anyone really knows the full extent of how much scanning and probing goes on.  incidents.org is a place to start looking, as they do a lot of logging on what gets hit and how often.  For example:

http://www.incidents.org/port_details.php?isc=9bd18aea245ace696fb98ce1d574579a&port=22&repax=1&tarax=2&srcax=2&percent=N&days=7

That's a sample of reported probes to port 22 (ssh) in the last week.  Some of these probes will be general scans looking for interesting machines, and some will be automated compromise tools looking for openssh servers with the vulnerabilities published last year.

If you go here:

http://www.incidents.org/port_report.php?isc=9bd18aea245ace696fb98ce1d574579a

That's today's numbers for ports that are being attacked or scanned.  Top 10 are all Windows, mostly due to the sheer number of Windows systems out there.  You'll see that you have to go down 12 places to find a port that is typically open on a Unix machine (DNS of course, an extremely high-priority target on any OS).  ssh is in the 40's or 50's on that list - but it's still there.

----------

## Jeremy_Z

I am aware of that; I am aware that misconfigured Unix/Linux boxes are used to take advantage of full raw sockets (for example).

Probabilities are just lower for him: lower if he doesn't run as root, lower if he doesn't use exploitable servers.

Shotpiece: did you finally emerge iptables? :Cool:

----------

## GenKreton

 *Jeremy_Z wrote:*   

> Well, I don't think that even a firewall is really useful since:
> 
> - you don't have many exploitable apps running (like the already mentioned servers)
> 
> - the main purpose of a firewall (with Windows) is to protect you against worms
> ...

 

It really is better to have a separate box for a firewall (or even one of them Linksys, D-Link or whatever else firewall/routers). If security is ever compromised, at least you only have to reinstall that box. It should have 2 zones, one for your servers, and one for your private network (nothing hosting anything, no FTP, no Apache). And your internal network should still be fairly secure. Sure you can share data on it and such, but that doesn't mean you make it easy to get into the important stuff. Using ssh with RSA keys only and not accepting ssh protocol 1 is a start. Not using NFS but using shfs if you need such things.

Rootkits seem to be our biggest problem outside of misconfigured settings and the attackers getting a prompt. Emerging and using chkrootkit is a good way to see if something questionable has already happened to your box. Don't freak if it finds something; it can give false positives. But you should investigate it quickly. Ask Google and/or remove and emerge again the offending program to see if it changes the result. If it indeed was part of a rootkit you should just reinstall.

Bottom line, you can never trust a compromised system. You can never be sure any amount of fixing will remove all traces of it being compromised.

----------

## Jeremy_Z

Well, at home I have ONE box only; I think it is the same for Shotpiece. Security admins know their job; desktop users and Gentoo hobbyists are different.

I admin a Gentoo server at my parents' with a small network (5 machines). The server is acting as a router for a DSL connection.

Well, the Gentoo box is 1 month old; before they had a W98 (at that time, Linux would not install on it because of crappy exotic hardware), with MS internet sharing, a p2p client, Windows shares, and no firewall ... it lasted 2 years until the P-200 died, which gave me the opportunity to put something *better* on.

I can't say how many trojans were nesting in the W98 before it died, but I suspect it would have been worse with XP (my dad wanted to replace it with XP because of better internet sharing support ...)

Now it is secure .. or as secure as it can be since the users on the local network have to be trusted (if you can *trust* an MS machine over which you have no control at all) :Twisted Evil:

----------

## Korr.ban

My config is:

- Intel P1-mmx 233mhz
- hda = Linux
- hdb = PUB
- eth0 = Outside world
- eth1 = LAN

My server is running:

- dnsmasq - DHCP server and DNS cache server (SOON TO BE DHCPD and BIND)
- iptables - includes a proper redirect to proxy
- samba - file sharing accessible from LAN only
- squid - PROXY
- sshd - accessible from LAN only

My network:

ISP ---> eth0 - Intel Gentoo Box - eth1 -----> HUB -----> eth0 - AMD 1.2gighz

My setup is WAY overkill for a single computer network, but I didn't do it just for security. I did it to learn how to do it. My current project is to set up BIND so that I can use the hostnames of my domain names rubixware.com, iraqlug.com and planetuxo.com.

I will be adding to this setup a 700mhz Gentoo box working as a proxy server, probably next month.

This is all part of my Server Project

----------

## jdgill0

 *Jeremy_Z wrote:*   

> Actually, a Windows machine lasts 3 minutes before it is forced to shut down "because the Remote Procedure Call (RPC) service terminated unexpectedly".

I can vouch for this! ... I installed MS WinXP on my mother's computer. I connected to the internet through dial-up.  Within less than 15 seconds the computer was hit by a Remote Procedure Call! This happened for three connections in a row, where the second one actually shut the computer off :Sad: .  ... Fortunately it seems nothing was compromised. Not having used MS Windows in a LONG while, especially not from behind a router/firewall, it took those three attacks before I realized what was happening. ... I turned on XP's firewall, if that is actually the appropriate name for it, and finally connected to the internet.

Sad thing is MS has patches for a lot/most of these attacks, but the not-so-minor problem is getting connected to the internet and patching before being attacked. You pretty much HAVE to buy firewall/anti-virus software and install on MS Windows BEFORE ever connecting to the internet.

----------

## Jeremy_Z

Yeah, don't plug your modem in before installing a firewall (and obviously you need one somewhere before).

BTW, anyone know how the machines behind the router can be attacked? (other than mail viruses)

----------

## GenKreton

 *Jeremy_Z wrote:*   

> Yeah, don't plug your modem in before installing a firewall (and obviously you need one somewhere before).
> 
> BTW, anyone know how the machines behind the router can be attacked? (other than mail viruses)

If the router/firewall is properly set up, only through two means: a forwarded packet exploits a program running on the machine, or the firewall itself is exploited. This, of course, isn't counting brute force attacks, where they could sit on your open ssh port or something and try to guess the pass through hundreds of thousands of attempts (this is ANOTHER reason to use a pass/key on your ssh if it's open to the net).

----------

## Jeremy_Z

No worry, the firewall is closed to any connection from the net iface (ppp0).

But I am not really familiar with masquerading; I guess that from the net you can't target local machines easily (since you've got only the router IP) and that XP machines don't have to worry about most trojans/worms.

Any port scan would scan the router, which is invisible from the internet ... a way I think would work is session hijacking..

----------

## Shotpiece

Hmm, I believe I'll be emerging iptables today. Bottom line, if I'm behind a router and using iptables, I should have a decently secure box? Anyone got any information for me about starting with/using iptables?

----------

## Jeremy_Z

iptables' manpage should be a good start.

Then, what you will feed it with will depend on your setup.
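As an added example (not from the thread), here is what "feeding" iptables might look like for the single desktop box discussed above: a ruleset in iptables-restore format with a default DROP policy on INPUT, so unwanted packets are silently dropped rather than rejected (nightblade's point about idle scans), plus ssh allowed only from one trusted LAN host. The interface name eth0 and the trusted address 192.168.0.10 are assumed values for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: minimal iptables ruleset for a
# single-homed desktop behind a NAT router. Assumed values (constructed):
# LAN interface eth0, trusted ssh client 192.168.0.10. Override via env.
LAN_IF="${LAN_IF:-eth0}"
TRUSTED_SSH="${TRUSTED_SSH:-192.168.0.10}"

# Emit the ruleset on stdout in iptables-restore format. Lines starting
# with '#' are comments to iptables-restore, so they may stay in place.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this box started (web browsing, emerge sync, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that claim to belong to a connection we do not know: drop silently
-A INPUT -m state --state INVALID -j DROP
# new ssh connections only from the trusted LAN host on the LAN interface
-A INPUT -i ${LAN_IF} -s ${TRUSTED_SSH} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# let the LAN ping the box; everything else hits the DROP policy
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set; a quick sanity check that
# can be run without root before loading anything.
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT'
}

# Load the ruleset into the kernel (needs root and net-firewall/iptables).
apply_rules() {
    gen_rules | iptables-restore
}

# Apply only when explicitly asked for as root; otherwise just print it
# so the rules can be reviewed first.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY_RULES:-no}" = "yes" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it as `APPLY_RULES=yes sh firewall.sh` as root to load the rules, or without the variable to only print them; with the DROP policy, a port scan from anywhere but the trusted host gets no answer at all.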

----------

## GenKreton

 *Shotpiece wrote:*   

> Hmm, I believe I'll be emerging iptables today. Bottom line, if I'm behind a router and using iptables, I should have a decently secure box? Anyone got any information for me about starting with/using iptables?

 

An ungodly great tut can be found here:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

----------

## mallchin

Warning: If you are running sshd make sure you have 'disabled protocol 1' and 'disallowed root login'.

This is one of the biggest threats to Linux systems at present and I have had 2 boxes compromised through sshscan. Don't be so foolish.

----------

## GenKreton

 *mallchin wrote:*   

> Warning: If you are running sshd make sure you have 'disabled protocol 1' and 'disallowed root login'.
> 
> This is one of the biggest threats to Linux system at present and I have had 2 boxes compromised through sshscan. Don't be so foolish.

 

There has been a recent spike in port 22 scans and attempts to log in as 'root', 'guest' and 'asdf'.

I suggest guest and asdf do not exist. If for some weird reason you need guest, try to get around it: assign it /bin/false as the default shell, or disallow it, at the very least, from ssh logins.
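The three checks mallchin and GenKreton describe above (protocol 1 off, root login off, throwaway accounts such as guest/asdf without a login shell) can be scripted; the script below is an added example, not code from the thread. It assumes OpenSSH's sshd_config directive names, treats /bin/false and /sbin/nologin as non-login shells, and builds constructed sample files so it runs stand-alone; on a real box point the functions at /etc/ssh/sshd_config and /etc/passwd.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config and a
# passwd file for protocol 1, root login, and guest/asdf login shells.
# The sample files at the bottom are constructed for a stand-alone run.

# First value of a directive in an sshd_config, ignoring comment lines.
cfg_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# 0 if the config explicitly allows only protocol 2. An absent directive
# is treated as unsafe, since older OpenSSH defaulted to "2,1".
protocol_ok() {
    [ "$(cfg_value "$1" Protocol)" = "2" ]
}

# 0 if root cannot log in over ssh at all.
root_login_ok() {
    [ "$(cfg_value "$1" PermitRootLogin)" = "no" ]
}

# 0 if user $2 is absent from passwd file $1 or has a non-login shell.
user_ok() {
    ushell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    [ -z "$ushell" ] || [ "$ushell" = "/bin/false" ] || [ "$ushell" = "/sbin/nologin" ]
}

# Run all checks on config $1 and passwd $2; print findings, return 1 on any failure.
audit() {
    cfg=$1; pw=$2; rc=0
    protocol_ok "$cfg" || { echo "sshd_config: Protocol 1 still enabled"; rc=1; }
    root_login_ok "$cfg" || { echo "sshd_config: PermitRootLogin is not 'no'"; rc=1; }
    for u in guest asdf; do
        user_ok "$pw" "$u" || { echo "passwd: $u has a login shell"; rc=1; }
    done
    return $rc
}

# --- constructed sample files (not from any real box) ---
SAMPLE_DIR=$(mktemp -d)
BAD_CFG=$SAMPLE_DIR/sshd_config.bad
GOOD_CFG=$SAMPLE_DIR/sshd_config.good
BAD_PW=$SAMPLE_DIR/passwd.bad
GOOD_PW=$SAMPLE_DIR/passwd.good
printf '# old-style defaults\nProtocol 2,1\nPermitRootLogin yes\n' > "$BAD_CFG"
printf 'Protocol 2\nPermitRootLogin no\n' > "$GOOD_CFG"
printf 'root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/bash\n' > "$BAD_PW"
printf 'root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/false\n' > "$GOOD_PW"

echo "== weak sample =="
audit "$BAD_CFG" "$BAD_PW" || echo "(fails the audit)"
echo "== hardened sample =="
audit "$GOOD_CFG" "$GOOD_PW" && echo "(passes the audit)"
```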

----------

## mallchin

Yep, I had many attempted logins for these users.

----------

## Jeremy_Z

SSH should be scarcely used on a home box, but since it is useful for remote admin / CVS / secured tunnels, it is a good idea to secure it using port knocking.

Also, it is fun   :Smile: 

----------

## mmealman

 *Shotpiece wrote:*   

> As far as firewalls are concerned, in the past I have relied on the WinXP software firewall, and I was wondering if there was something similar for Gentoo, and if it is an issue. Hope some of you all could clear this up for me.

If you really want to run a firewall I'd recommend something like Guarddog or some other GUI tool that will set up a decent base config for you.

But Linux doesn't need firewalling so much as Windows does. The number one thing you can do to keep your box secure is keep the software up to date. Under Gentoo this is very easy to do using glsa-check which is part of gentoolkit. It'll scan your system and warn of packages that you may need to update to secure your system.

----------

## mallchin

A good router/firewall will help. Particularly, SMB shouldn't be run on an external interface.

----------

