# help me make a list of hardening / security procedures

## noobstate

I was reading through the forum, and I thought it would be nice if we had a thread listing the many, MANY things people do to harden and secure their boxes.

I'll start with what I would do, in order, to secure a desktop Gentoo box,

and I welcome others to post their procedures too. That way we can share and swap ideas, making all of our security better (even if you use the same techniques or procedures, please list them; that way we can compare and see).

 *Quote:*   

> 
> 
> gentoo minimal cd for install (make sure network is only on when downloading files) not through the entire install
> 
> password protect grub
> ...

 

I find Bastille won't compile anymore, so I leave all those settings alone. I also tried the Security Handbook's section on disabling world/group-writable files, but it would lock me out and freeze the system, so I haven't run that.

/tmp is allowed to exec (because if I set it to noexec, certain packages won't compile).

And I don't run a proxy (even though I probably should).

What are your hardening techniques? What do you do to secure your Gentoo box? And if you can recommend anything, or point out flaws, mistakes, or overlooked security procedures I should be following, please, PLEASE, I beg you, post it.

----------

## schachti

 *noobstate wrote:*   

> ssh has root login disabled

 

Use fail2ban or denyhosts to protect your box against ssh brute force attacks.

Have a look at the Gentoo Security Handbook.

 *noobstate wrote:*   

> chrooting web browsers and any service possible that supports it 

 

Did you find any documentation on how for example firefox could be put into a chroot jail?
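An added example, not part of schachti's post or of fail2ban/denyhosts themselves, of the log-watching logic those tools implement: it parses constructed sshd auth-log lines (host names, addresses and timestamps are made up), counts "Failed password" events per source address inside a sliding time window, and reports the addresses that cross the threshold together with the iptables rule a ban would install. The log format, the syslog year, and the threshold and window values are assumptions chosen for illustration, in the spirit of fail2ban's maxretry and findtime settings; the real tools handle more log formats and also lift bans after a timeout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample /var/log/auth.log lines for the demonstration (not from a real host).
SAMPLE_LOG = """\
Feb 25 07:50:01 gentoo sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 25 07:50:03 gentoo sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Feb 25 07:50:05 gentoo sshd[4025]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb 25 07:50:06 gentoo sshd[4027]: Failed password for root from 203.0.113.7 port 51031 ssh2
Feb 25 07:50:08 gentoo sshd[4029]: Failed password for root from 203.0.113.7 port 51032 ssh2
Feb 25 07:51:10 gentoo sshd[4033]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Feb 25 07:51:40 gentoo sshd[4035]: Accepted publickey for alice from 198.51.100.9 port 40011 ssh2
Feb 25 08:30:00 gentoo sshd[4101]: Failed password for alice from 198.51.100.9 port 40020 ssh2
Feb 25 08:30:02 gentoo sshd[4102]: Failed password for alice from 198.51.100.9 port 40021 ssh2
Feb 25 08:30:03 gentoo sshd[4103]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Feb 25 08:30:04 gentoo sshd[4104]: Failed password for alice from 198.51.100.9 port 40023 ssh2
"""

# OpenSSH "Failed password" line as written by syslog; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(text, year=2008):
    """Syslog timestamps carry no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for every address with >= maxretry failures
    inside any findtime-second window. Successful logins are not counted."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue              # already decided; fail2ban would have dropped the traffic
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rules(banned):
    """The rules a ban action would insert (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(iptables_rules(hits)))
```

The second address in the sample shows why the window matters: one failure at 07:51 plus four at 08:30 never puts five failures inside a ten-minute window, so a legitimate user who mistypes a password a few times is not banned, while the first address trips the threshold within seven seconds. Lower maxretry to 4 and both addresses are caught, which is the trade-off the real tools let you tune.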

----------

## noobstate

 *schachti wrote:*   

>  *noobstate wrote:*   ssh has root login disabled 
> 
> Use fail2ban or denyhosts to protect your box against ssh brute force attacks.
> 
> Have a look at the Gentoo Security Handbook.
> ...

 

denyhosts and fail2ban... so simple and powerful. Thanks for pointing that out (stupid me). I would like to know if anyone could recommend what to do about the world-writable and world-readable files without borking the system?!?!

I stopped doing this a while ago, but it went something like this: make a chroot directory with bash's dependencies, then check all linked files and included/needed files against firefox, copying them into the chroot directory,

and chroot in, then start it. (I stopped doing this because the last time I tried it was a failure; dependencies were hell, so I would recommend using firefox-bin or a static Opera install.) The simplest way is to do a basic minimal system chroot and use that for all applications you don't trust that connect to the internet (although it wastes space). It's nice to be able to diff the directory and know at least some level of security is provided to the applications running inside it.

----------

## schachti

Another possibility to protect your box against ssh brute force attacks is described in http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_IP_Tables (thanks to furanku who linked it in the German forums).

----------

## noobstate

 *schachti wrote:*   

> Another possibility to protect your box against ssh brute force attacks is described in http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_IP_Tables (thanks to furanku who linked it in the German forums).

 

I tend to leave SSH disabled; I don't trust remote logins or VNC (unless it's absolutely necessary, in which case I'll bring it up, use it, then bring it down).

I'm more worried about web-based attacks when surfing (when they come in through the browser with a one-shot, lucky-chance rootkit).

Do you know anything about securing UIDs?! Or making user accounts more secure against those types of attacks?

These days all you really have to do is visit a shady website, or be part of a forum in which people know you run Linux and can target you specifically, and you're done...

...packet injection too, and spoofing protection, if anyone knows of prevention methods against these. I don't trust people working at my local telco; I'm under great suspicion and belief that they are out to get me (especially people that know me specifically). What's stopping a rogue employee from using his position within the company to enter your computer these days?

----------

## mmoufid

 Daemon protection

 *schachti wrote:*   

> Use fail2ban or denyhosts to protect your box against ssh brute force attacks.

  *schachti wrote:*   

> Another possibility to protect your box against ssh brute force attacks is described in http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_IP_Tables (thanks to furanku who linked it in the German forums).

 

In addition to Netfilter/IPtables and Denyhosts, you may find TCP Wrappers helpful.

```
emerge sys-apps/tcp-wrappers
```

Then simply emerge net-misc/openssh with the tcpd USE flag:

```
echo "net-misc/openssh tcpd" >> /etc/portage/package.use
```

and edit your /etc/hosts.deny and /etc/hosts.allow files accordingly.

For example:

/etc/hosts.deny:

```
ALL EXCEPT sshd: ALL

sshd: ALL EXCEPT localhost .yourfavouritedomain.com

```

For more information, see the Gentoo Security Handbook chapter on TCP Wrappers.

 Browser Security

 *noobstate wrote:*   

> I'm more worried about web-based attacks when surfing (when they come in through the browser with a one-shot, lucky-chance rootkit)

 

Disabling Javascript/Java and/or images in your browser can provide some protection from web-based attacks. There is an add-on for Firefox called NoScript:

 *Quote:*   

> It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, and guards the "trust boundaries" against cross-site scripting attacks (XSS).
> 
> Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality...
> 
> Experts do agree: Firefox is really safer with NoScript 

 

You can also get the add-on by setting the restrict-javascript USE flag for www-client/mozilla-firefox and www-client/mozilla-firefox-bin:

```
echo "www-client/mozilla-firefox restrict-javascript" >> /etc/portage/package.use
```

 *noobstate wrote:*   

> ...packet injection too, and spoofing protection, if anyone knows of prevention methods against these. I don't trust people working at my local telco; I'm under great suspicion and belief that they are out to get me (especially people that know me specifically). What's stopping a rogue employee from using his position within the company to enter your computer these days?

 

If you're worried about these things, or just like privacy, you can always make use of Tor:

 *Quote:*   

> Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, ...

 Read the Gentoo Wiki article HOWTO Anonymity with Tor and Privoxy to help you get that set up. Once again, there is a handy Firefox addon: Torbutton.

 Kernel-based security

 *noobstate wrote:*   

> Do you know anything about securing UIDs?! Or making user accounts more secure against those types of attacks?
> 
> These days all you really have to do is visit a shady website, or be part of a forum in which people know you run Linux and can target you specifically, and you're done...

 

If you're still not feeling secure with the above, you might like PaX, which is available with the Gentoo Hardened kernel sources. The Hardened Gentoo PaX Quickstart can get you started with that.

Its "non-executable memory" feature will help protect your browser from "a common form of attack where executable code is inserted into memory by an attacker." Long story short, if a website tries anything funny, your kernel kills the firefox process.

Last edited by mmoufid on Mon Feb 25, 2008 7:54 am; edited 1 time in total
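An added example, not part of mmoufid's post and not libwrap's source, that models the decision tcpd makes for the hosts.allow / hosts.deny rules shown in the "Daemon protection" section above: the first matching rule in hosts.allow grants access, otherwise the first matching rule in hosts.deny refuses it, and a client that matches neither file is allowed. The hosts.deny content is the one from the post; the hosts.allow line and the client names and addresses are constructed for the demonstration. The model handles ALL, LOCAL, leading-dot domain suffixes, trailing-dot address prefixes, literal names and EXCEPT lists; it does not implement net/mask pairs, KNOWN/UNKNOWN/PARANOID, option fields or IPv6, and it takes the client as a single string standing for whichever name or address tcpd has in hand for the connection.

```python
# Constructed hosts.allow for the demonstration: the trusted LAN may always reach sshd.
HOSTS_ALLOW = """\
sshd: 192.168.1.
"""

# hosts.deny as given in the post above.
HOSTS_DENY = """\
ALL EXCEPT sshd: ALL
sshd: ALL EXCEPT localhost .yourfavouritedomain.com
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list [: ...]' lines into (daemons, clients) token lists.
    Comments and blank lines are skipped; any fields after the client list are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"rule needs 'daemons : clients': {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _matches_token(token, name):
    """One pattern against one daemon or client name, per the hosts_access(5) wildcards."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in name              # a name with no dot is on the local network
    if token.startswith("."):
        return name.endswith(token)         # '.example.com' matches host.example.com
    if token.endswith("."):
        return name.startswith(token)       # '192.168.1.' matches 192.168.1.20
    return token.lower() == name.lower()


def _matches_list(tokens, name):
    """'a b EXCEPT c d' matches when one of (a, b) matches and none of (c, d) does.
    Nested EXCEPTs group to the right, as in libwrap: a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _matches_list(tokens[:i], name) and not _matches_list(tokens[i + 1:], name)
    return any(_matches_token(t, name) for t in tokens)


def hosts_access(daemon, client, allow_text, deny_text):
    """True if the connection is granted. Search order: hosts.allow, then hosts.deny,
    first match wins; no match in either file means access is granted."""
    for daemons, clients in parse_rules(allow_text):
        if _matches_list(daemons, daemon) and _matches_list(clients, client):
            return True
    for daemons, clients in parse_rules(deny_text):
        if _matches_list(daemons, daemon) and _matches_list(clients, client):
            return False
    return True


if __name__ == "__main__":
    for daemon, client in [("sshd", "localhost"), ("sshd", "203.0.113.7"),
                           ("sshd", "192.168.1.20"), ("ftpd", "box.yourfavouritedomain.com")]:
        verdict = "grant" if hosts_access(daemon, client, HOSTS_ALLOW, HOSTS_DENY) else "refuse"
        print(f"{daemon} from {client}: {verdict}")
```

Two things the model makes visible that are easy to get wrong in the real files: the "allowed by default when nothing matches" rule, which is why a hosts.deny that does not end in a catch-all like `ALL: ALL` leaves every non-wrapped or unlisted daemon open, and the fact that hosts.allow is consulted first, so an allow line can silently override a deny line you added later. Host-name patterns such as `.yourfavouritedomain.com` also depend on reverse DNS for the connecting address, so prefer address patterns where you can, and remember that only daemons built against libwrap (hence the tcpd USE flag above) consult these files at all.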

----------

## tarpman

 *noobstate wrote:*   

> These days all you really have to do is visit a shady website, or be part of a forum in which people know you run Linux and can target you specifically, and you're done...
> 
> ...packet injection too, and spoofing protection, if anyone knows of prevention methods against these. I don't trust people working at my local telco; I'm under great suspicion and belief that they are out to get me (especially people that know me specifically). What's stopping a rogue employee from using his position within the company to enter your computer these days?

 

Are you by chance related to this guy?

DISCLAIMER: joke.  Seriously, though, be less paranoid.

----------

