# Securing gentoo

## Promy

Can someone help me on some info about securing my gentoo linux distribution against hacking?

----------

## delta407

Easy; don't load any insecure software  :Smile: 

Seriously, though, the base distro is reasonably secure as-is, assuming you pick good passwords. As soon as you start adding services, things can open holes. If you don't need remote login, don't enable SSH. And so forth.

----------

## meekrob

A Gentoo Security Guide is in the works.  It's a huge effort but it's nearing completion.

----------

## imadork

One of the things you might want to use to help secure your system is a port monitor, which will bind to inactive ports and actively try and repel connection attempts.

I use portsentry on my (non-gentoo'ed) linux firewall, and I noticed that it is in the list of gentoo packages, so you can probably emerge it.

portsentry will detect port scanning attempts and log them, as well as take reactive measures like dropping their IP into hosts.deny and playing with forwarding rules to drop their packets before the kernel hands them off. You can even have it launch an offensive script, but I wouldn't recommend it.

I'm sure there are other packages that do the same thing, but I haven't been hacked while portsentry was running (and I have with it not running, but that was my own fault....)

----------

## Guest

 *imadork wrote:*   

> ...help secure your system is a port monitor, which will bind to inactive ports and actively try and repel connection attempts....

Huh?

Why on earth would you want to have a userland program bind to ports that are not open to begin with? The whole point of removing services, and hence creating a more secure system, is that there is nothing listening, other than what you absolutely need. The kernel will do just fine rejecting connection attempts. If you don't want users to install programs that listen for connections, set up firewalling to block them.

----------

## NU-Slacker

The point of the scanner is to see when somebody is preparing for an attack by watching for a port scan.  When the userland program detects a port scan the offending IP will be blocked and all traffic originating from there will be sent to /dev/null.  In that way, you can proactively prevent an attack since (theoretically) once someone scans your computer, they will no longer be able to contact it.
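The detection half of what NU-Slacker describes can be reproduced from the kernel's own firewall log rather than by binding extra ports. The script below is an added example, not code from the thread or from portsentry: it reads iptables LOG lines (the sample lines are constructed for this example, with the assumed prefix `FW-DROP`), counts the distinct destination ports each source has probed, and flags sources above a threshold. The blocking rules it produces are printed for review, not executed.

```shell
#!/bin/sh
# Added example (not from the thread): port-scan detection over iptables LOG
# output. A source that probes many distinct closed ports is flagged.

# Constructed sample log in iptables LOG format (made up for this example):
# 10.0.0.9 probes six different ports, 192.168.1.5 only touches two.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 10 12:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 12:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 10 12:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40004 DPT=23 SYN
Jan 10 12:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40005 DPT=25 SYN
Jan 10 12:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40006 DPT=80 SYN
Jan 10 12:00:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40007 DPT=443 SYN
Jan 10 12:00:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.5 DST=10.0.0.2 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 10 12:00:06 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.5 DST=10.0.0.2 PROTO=TCP SPT=51001 DPT=22 SYN
Jan 10 12:00:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.5 DST=10.0.0.2 PROTO=UDP SPT=51002 DPT=53
Jan 10 12:00:08 gw sshd[123]: Accepted publickey for alice from 192.168.1.5'

# detect_scans THRESHOLD: read log lines on stdin and print "SRC NPORTS" for
# every source that hit at least THRESHOLD distinct destination ports.
# Lines without SRC=/DPT= (e.g. the sshd line) are ignored.
detect_scans() {
  awk -v thr="$1" '
    {
      if (!match($0, /SRC=[0-9.]+/)) next
      s = substr($0, RSTART + 4, RLENGTH - 4)
      if (!match($0, /DPT=[0-9]+/)) next
      d = substr($0, RSTART + 4, RLENGTH - 4)
      # count each (source, port) pair once, so repeats of one port
      # do not look like a scan
      if (!((s, d) in seen)) { seen[s, d] = 1; ports[s]++ }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
  ' | sort
}

# block_rules THRESHOLD: turn flagged sources into iptables DROP rules.
# They are printed for review, not run; apply them as root once checked.
block_rules() {
  detect_scans "$1" | while read -r src _; do
    printf '%s\n' "iptables -I INPUT -s $src -j DROP"
  done
}

# Typical use against the real log:
#   grep 'FW-DROP' /var/log/messages | detect_scans 5
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | block_rules 5
```

The threshold is the only tuning knob: too low and a legitimate client that retries two or three ports gets blocked, too high and a slow scan slips under it. Feeding the flagged addresses into a firewall rule automatically is exactly the "send them to /dev/null" step described above; the trade-off is that a spoofed source address can get a third party blocked, which is why this example only prints the rules.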

----------

## Guest

 *imadork wrote:*   

> One of the things you might want to use to help secure your system is a port monitor, which will bind to inactive ports and actively try and repel connection attempts.
> 
> <skip>
> 
> I'm sure there are other packages that do the same thing, but I haven't been hacked while portsentry was running (and I have with it not running, but that was my own fault....)

 

Just using iptables can do most of that for you (except rewriting the ruleset). For most people that's enough. My computer drops everything coming in (except ssh); for personal use it's a fine strategy, it simply isn't there at all.

I'm currently using ferm to generate my iptables rules (doing them by hand is a little nightmare).
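A "drop everything coming in except ssh" policy of the kind described above, written as a small generator for `iptables-restore`. This is an added example, not the poster's ferm configuration: the interface `eth0`, the SSH port `22` and the log prefix `FW-DROP` are assumed defaults, and the kernel is assumed to have the `conntrack`, `limit` and `LOG` match/target modules.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-deny INPUT policy
# in iptables-restore format. Review the output, then apply as root with:
#   gen_ruleset eth0 22 | iptables-restore
# Keep a console session open while testing so a mistake cannot lock you out.

# gen_ruleset [IFACE] [SSH_PORT]: print the ruleset on stdout.
gen_ruleset() {
  iface="${1:-eth0}"
  ssh_port="${2:-22}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $iface -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $iface -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP "
COMMIT
EOF
}

# count_accepts [IFACE] [SSH_PORT]: how many ACCEPT rules the policy carries,
# handy as a sanity check before applying.
count_accepts() {
  gen_ruleset "$@" | grep -c -- '-j ACCEPT'
}
```

Two details matter for the "it simply isn't there at all" goal: the default policy of the chain is `DROP`, so nothing slips through if the script is cut short, and the final `LOG` rule is rate-limited so a scan cannot fill the disk with log lines. Packets that reach it are silently dropped by the chain policy after being logged.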

----------

## pjp

Will a linux generic security how-to help, or are there some major differences in securing Gentoo?

----------

## dup2

 *kanuslupus wrote:*   

> Will a linux generic security how-to help, or are there some major differences in securing Gentoo?

 

No big differences. Start by checking all running daemons and kill everything you don't need. Use encryption where possible (ssh instead of telnet). Install tcp-wrappers. Configure iptables/ipchains or similar. Never work as root. Wipe all (almost) setuid-root programs. Disable Javascript for your mail-client.

-dup2
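The "wipe all (almost) setuid-root programs" step from the list above, as an added example that is not dup2's own procedure: enumerate the files that carry the setuid or setgid bit, review them, and strip the bit from the ones you decide you do not need. Path names in the usage comments are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit and trim setuid/setgid binaries.

# find_setuid DIR: list regular files under DIR (staying on one filesystem)
# that carry the setuid or setgid bit, sorted so the output is stable and
# can be diffed against an earlier baseline.
find_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# describe_setuid DIR: the same list with owner and mode, for review.
describe_setuid() {
  find_setuid "$1" | while read -r f; do
    ls -l "$f"
  done
}

# strip_setuid FILE...: remove the setuid and setgid bits. The program still
# runs, but only with the privileges of the user who invokes it. Keep the
# baseline list so the bit can be restored if something (passwd, su, sudo)
# turns out to need it.
strip_setuid() {
  chmod u-s,g-s "$@"
}

# Typical use as root (paths assumed):
#   find_setuid / > /root/setuid-baseline.txt   # record what is there today
#   describe_setuid /usr/bin                      # look at each candidate
#   strip_setuid /usr/bin/some-network-tool       # after deciding it is unneeded
#   find_setuid / | diff /root/setuid-baseline.txt -   # re-run after updates
```

On Gentoo, `qfile <path>` (from app-portage/portage-utils) tells you which package installed a given binary, which answers most of the "is this needed?" questions; re-running the diff after each `emerge` catches bits that a package upgrade has put back.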

----------

## pjp

Thanks. I at least know what you're talking about.

Which setuid-root programs are needed, and what's the easiest way to find the ones that aren't needed? Or is there a doc for that somewhere?

----------

## Psychephylax

I'm quite impressed. After I installed Gentoo, I installed nmap and did a full port scan on the localhost (which usually reveals all the ports that are listening).

To my surprise, the only port that was open was X

I must say that it is quite impressive, since a default Red Hat install will leave you with at least 10 open ports.

----------

## jay

You could even secure this by adding the -nolisten tcp option.

----------

## ali3nx

iptables has my vote... When set up properly the only response yer gonna get is "Connection Timed Out"   :Cool:  The scripting for iptables can be a bit daunting at first; however, a good iptables script creator for novice Linux users would definitely be quicktables. As of this writing it wasn't available in portage... Perhaps one of the dev-demigods might alleviate us underlings of this situation  :Razz:  See this URL for the project homepage: http://qtables.radom.org

----------

## EvilTwinSkippy

I realize a few people have said so already, but iptables and avoiding buggy software. I have a simple razor for my IPTABLES setup: unless I know who it is or what it is doing, I don't let it through.

I also don't leave any software running I don't intend to use. Some things I can tell you that you definitely want to lock down from the world at large: NFS, X11, any database software (MySQL, PostGres, etc.), and use something other than apache for web. Yes apache is popular. Cocaine is popular too. I personally recommend tclhttpd. (I've had the ebuild in the system since May.)

Here's my script for IP Tables:

```
#! /bin/sh
###
# Sean's Netfilter Lockdown
# Should run on most distros of Linux with IPTABLES installed
#
# This file is released under terms of the GNU Public License (GPL).
#
# You must be root to run this script!
#
# This script works by opening only a known set of ports to the outside
# world, and blocking everything else with extreme prejudice.
#
# Please review the ports blocked and add any networks that require
# unrestricted access. Note: SSH is left enabled. This is a safety
# for those folks who are remote managing a box and forget to whitelist
# themselves.
###

###
# iptables:  Where is the iptables command (/sbin)
# rcpath:    Where are your init scripts (/etc/init.d)
# untrusted: Which ethernet device are we locking down (eth0)
###
iptables="/sbin/iptables"
rcpath="/etc/init.d"
untrusted="eth0"

###
# Shut down iptables
###
# Comment this line to prevent this script from blanking any
# fancy Masquerading rules you might have
${rcpath}/iptables stop

###
# Traffic that is allowed
###
# Allow all traffic from a range of addresses
# Add a new line for each network
#${iptables} -A INPUT -i $untrusted -s 192.168.1.0/255.255.255.0 -j ACCEPT

# Allow the box to be pinged
${iptables} -A INPUT -i $untrusted -p icmp -j ACCEPT

# Allow certain traffic by port
${iptables} -A INPUT -i $untrusted -p tcp --dport domain -j ACCEPT
${iptables} -A INPUT -i $untrusted -p udp --dport domain -j ACCEPT
${iptables} -A INPUT -i $untrusted -p tcp --dport http -j ACCEPT
${iptables} -A INPUT -i $untrusted -p tcp --dport https -j ACCEPT
${iptables} -A INPUT -i $untrusted -p tcp --dport smtp -j ACCEPT
${iptables} -A INPUT -i $untrusted -p tcp --dport ssh -j ACCEPT

###
# Allow all connections initiated by this computer to get out
# to the world at large (replies to our own connections are let back in)
###
${iptables} -A INPUT -i $untrusted -m state --state RELATED,ESTABLISHED -j ACCEPT

###
# Block ALL other traffic
###
${iptables} -A INPUT -i $untrusted -j DROP

${rcpath}/iptables save
```

----------

## Oopsz

 *EvilTwinSkippy wrote:*   

> and use something other than apache for web. Yes apache is popular. Cocaine is popular too. I personally recommend tclhttpd. (I've had the ebuild in the system since May.)

 

Does tclhttpd support mod_php and/or mod_perl? How's SSL support?

----------

## EvilTwinSkippy

 *Quote:*   

> Does tclhttpd support mod_php and/or mod_perl? How's SSL support?

 

Tclhttpd doesn't support mod_php or mod_perl. It has two ways of delivering dynamic content: templates (Tcl embedded in marked-up HTML files) and direct URLs. Templates are just like PHP and mod_perl, only in Tcl. Direct URLs are like EJB: instead of having templates, each page is implemented as a procedure or a method in a library.

It uses TLS for SSL support.

I'm a big fan of the DirectURL system. I've written a couple of intranets in it, and it's a lot easier to assemble big projects with. My projects tend to be uber-complex as opposed to uber-popular. It has the ability to spawn off multiple threads for parallel performance, but I've never needed it to.

About the only thing it really needs is a good webmail package. TCL has a pretty good POPmail and SMTP library, as well as a mime parser. It lacks a general purpose IMAP library, but one should be straightforward to implement. I've personally written a pretty decent calendar and an object oriented interface to MySQL.

----------

