# Security / Advice needed - lsat?

## aCOSwt

Hello,

That being said, I am neither clever nor paranoid in terms of computer security.   :Confused: 

I force myself to follow some very basic procedures that are rather heavy, and I would like to know whether they are pertinent or just a pure waste of time.

In particular :

- After the first install, I ran lsat to compute its md5 checksum.

- Before any backup / emerge, I recompute the checksum and compare it with the last one.

- After any emerge, I recompute the checksum.

I have been systematically doing this for more than one year now under my Gentoo (without any alert) and really wonder what security gurus think.

(Previously I was using tcpdump to investigate firewall logs but found this... hmmm... horrible!   :Evil or Very Mad: )
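The routine described in this post (record a checksum after install, recompute it before a backup or emerge, compare) is a file-integrity baseline. Below is an added example of that routine as a small POSIX shell script; it is not code from the thread or from lsat. It assumes GNU coreutils (`sha256sum`, `comm`, `mktemp`) and uses SHA-256 in place of md5. The `demo` function and its sample tree are constructed for illustration. Beyond the post's own procedure, `verify_baseline` also reports files that were added since the baseline, which a plain list of checksums cannot reveal.

```shell
#!/bin/sh
# Added example (not from the thread): a checksum manifest that answers
# "did anything under this tree change since my last check?".
# Assumptions: GNU coreutils; manifest paths are those find(1) prints, so
# run make_baseline and verify_baseline from the same working directory.

# make_baseline DIR MANIFEST
#   Record the SHA-256 of every regular file under DIR into MANIFEST.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# verify_baseline DIR MANIFEST
#   Print one line per file that was modified, removed, or added since the
#   baseline; return 0 when nothing changed, 1 otherwise.
verify_baseline() {
    dir=$1; manifest=$2; rc=0
    # Modified or missing files: sha256sum -c prints "<path>: FAILED ..." for each
    # (--quiet suppresses the OK lines, not the failures).
    LC_ALL=C sha256sum -c --quiet "$manifest" 2>/dev/null || rc=1
    # Added files: compare the set of paths in the manifest with what is on disk.
    # (Names containing newlines or backslashes are escaped by sha256sum and would
    # need extra handling; this example assumes plain paths.)
    known=$(mktemp); present=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$manifest" | LC_ALL=C sort > "$known"
    find "$dir" -type f | LC_ALL=C sort > "$present"
    if LC_ALL=C comm -13 "$known" "$present" | sed 's/$/: NEW (not in baseline)/' | grep .; then
        rc=1
    fi
    rm -f "$known" "$present"
    return "$rc"
}

# demo: a constructed tree standing in for /etc before and after an emerge.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tree/etc/ssh"
    printf 'Port 22\n' > "$tmp/tree/etc/ssh/sshd_config"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/tree/etc/passwd"
    make_baseline "$tmp/tree" "$tmp/baseline.sha256"
    verify_baseline "$tmp/tree" "$tmp/baseline.sha256" && echo "clean: matches baseline"
    # Simulate one changed file and one unexpected new file.
    printf 'Port 2222\n' > "$tmp/tree/etc/ssh/sshd_config"
    printf 'PermitRootLogin no\n' > "$tmp/tree/etc/ssh/sshd_config.new"
    verify_baseline "$tmp/tree" "$tmp/baseline.sha256" || echo "changes detected: review before trusting a backup"
    rm -rf "$tmp"
}

demo
```

Keep the manifest somewhere the monitored host cannot silently rewrite it (read-only media, or a copy on another machine); an attacker who can alter files can also regenerate the checksums, so a manifest stored next to the files only protects against accidental damage.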

----------

## mikegpitt

I guess one problem with this approach (besides being time consuming) is that it doesn't protect against a system intrusion, but only tells you if one happened...  and if one happens you will only know it did happen, not what happened.

A better approach would be to run tools like snort and chkrootkit to monitor what is happening on the machine...  although if the attack is sophisticated and targeted at you (unlikely) they could modify your logs.  Most attacks, however, are automated and unsophisticated.

My best advice is to make sure you don't have a bunch of remote ports open on your machine, or firewall them off with shorewall.  Don't run ssh on a default port, and/or make sure your user accounts have strong passwords...  or better yet make remote services only available via openvpn (if possible in your situation).  ...and as long as you aren't downloading and executing scripts from the web browser, you should be quite safe.

----------

## mr.sande

If you want to check other system hardening / audit tools I recommend lynis and yasat (which is a "fork" of lynis). yasat can give a lot of information about your configuration, almost too much at times, but I find it a valuable tool for system hardening and config checking.

----------

## aCOSwt

*mikegpitt wrote:*

> It doesn't protect against a system intrusion, but only tells you if one happened...

Exact!

But being said that my imagination in intrusion techniques is definitely under the level of a n00b, I believe I am definitely condemned to post-activity   :Rolling Eyes: 

The main point for me is not to have to throw everything away if something happened. I need a way to trust my backups.

*mikegpitt wrote:*

> A better approach would be to run tools like snort and chkrootkit to monitor what is happening on the machine...

Hmmm... I recently provided some basic help in some international subforum here to someone who had his sendmail sending spams via ssh.

He incidentally found the rootkit but chkrootkit had not seen anything wrong.

I am nevertheless interested in snort. The only thing I wonder about is whether this tool is likely to do more (in prevention) than what I was doing spoiling my eyes and my brain with tcpdump.

*mikegpitt wrote:*

> although if the attack is sophisticated and targeted at you (unlikely) they could modify your logs.

Well... I just cannot afford being paranoid...   :Cool: 

*mikegpitt wrote:*

> My best advice is to make sure you don't have a bunch of remote ports open on your machine

This is good advice indeed. I think I have done the maximum I could do but I am not sure either about the exhaustiveness of my work.

Is there some tool somewhere to control this?

*mikegpitt wrote:*

> or firewall them off with shorewall

I use iptables with about half a dozen very basic homemade rules. Do you mean that shorewall would be more efficient?

*mikegpitt wrote:*

> Don't run ssh on a default port

Well I think I am only using tcp port 22.   :Confused:   Is there a way to be dead sure?

BTW my use of ssh as a protocol is mainly restricted to tunneling pop3.

My biggest concern is around ftp, which I still need to use.   :Sad: 

*mikegpitt wrote:*

> make sure your user accounts have strong passwords

 :Laughing:  I was sure! Absolutely sure about this! ... until... I came across John the Ripper... and suggested that my son play with it sometime...   :Shocked: 

*mikegpitt wrote:*

> make remote services only available via openvpn

I will try it on my FreeBSD server.

*mikegpitt wrote:*

> as long as you aren't executing scripts from the web browser, you should be quite safe.

Well... as long as I have not disabled javascript... I presume that I do execute scripts from my web browser... don't I?   :Confused: 

----------

## mikegpitt

Ok, lots of points to cover   :Smile: 

Running md5sums on your backups is a decent idea, and will ensure their integrity, not only against tampering but also against damage.

Snort is an IDS, so it doesn't prevent but it will monitor any odd behavior.  You might get a bunch of false positives, so it will require tweaking.  There might be snort modules that react to certain warnings, but I'm not 100% sure.

Shorewall is just a front end for iptables, so no worries there.  I just happen to like it.

It should be pretty easy to see if you are using port 22 for ssh... just ssh to your machine and if you don't select a different port number then it's using 22.  A lot of automated attacks try to brute force ssh logins on port 22 so it's a good idea to firewall it off or move the port.  Of course if you are usually behind your home router and it doesn't leave any ports open to the outside world then you should be ok there.

If you are usually behind a home router then you might want to run nmap on your external ip address to see what ports might be open.

As for strong passwords, I would suggest a minimum of 8 chars, mixing uppercase, lowercase, and numbers... you can use symbols if you are extra paranoid.  This would only be really necessary if you have remote logins allowed (such as with ssh).

As for the "scripts" I was referring to... I meant if you download executables (or a bash script) and run it without regard for what it does.  That is a bad idea   :Wink:   ...but most gentoo users would be savvy enough to not do that!

BTW - one other thing you might want to look into is tripwire.  Tripwire will monitor your filesystem for changes and lock things down if something occurs.
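The question raised above ("is sshd really only on port 22, and what else is listening?") can be answered from the host side before running nmap from outside. The following is an added example, not code from the thread: a shell function that filters the output of `ss -Hltnp` (iproute2; `-H` omits the header, `-p` shows the owning process when run as root) down to TCP listeners bound to something other than loopback. The `SAMPLE_SS` lines are constructed to look like `ss` output and are not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP listeners reachable from other
# hosts, i.e. those not bound to 127.0.0.0/8 or ::1.
# Assumption: stdin carries `ss -Hltnp` lines, whose 4th column is the local
# address:port and whose users:(("name",pid=...)) field names the process.

# exposed_ports: print "PORT ADDRESS PROCESS" per non-loopback listener, by port.
exposed_ports() {
    awk '{
        n = split($4, a, ":"); port = a[n]              # last field after ":" is the port
        addr = substr($4, 1, length($4) - length(port) - 1)
        gsub(/[][]/, "", addr)                          # "[::]" -> "::", "[::1]" -> "::1"
        if (addr == "::1" || addr ~ /^127\./) next      # loopback only: not exposed
        proc = "?"                                      # "?" when ss had no process info
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, addr, proc
    }' | sort -n
}

# Constructed sample in ss format (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("sendmail",pid=900,fd=4))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1010,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=6))
LISTEN 0 128 *:110 *:* users:(("popd",pid=950,fd=5))'

# Expected on the sample: sendmail (127.0.0.1) and cupsd (::1) are dropped;
# ftp on 21, sshd on 22 (v4 and v6) and pop3 on 110 are reported as exposed.
printf '%s\n' "$SAMPLE_SS" | exposed_ports
```

On a live box, `ss -Hltnp | exposed_ports` shows what the host itself is offering; it says nothing about what the home router forwards, which is why the nmap scan of the external address suggested above is the complementary check. Anything listed here that is not deliberately offered to other machines is a candidate for binding to 127.0.0.1 or for an iptables rule.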

----------

## aCOSwt

*mr.sande wrote:*

> If you want to check other system hardening / audit tools I recommend lynis and yasat

Thank you mr.sande for suggesting this.

I tried lynis and... got a score of 46!   :Cool:   While this is certainly meaningless as a measure of the level of protection, it is certainly meaningful in terms of a what-is-done / what-can-be-done ratio. This score is additionally coherent with the a-priori I had about my system.

The good thing is that it suggested a dozen easy-to-implement actions.

Surprisingly it apparently did not find my kernel configuration file   :Shocked: 
