hardening Linux - Setup



Thread: hardening Linux

  1. hardening Linux

    Hi all

    I am relatively new to Linux Internals but fairly acquainted with
    Linux administration. How do I go about
    Hardening LINUX? Can anyone suggest good and easy documentation?

    thanks in advance.
    shashank

  2. Re: hardening Linux

    In comp.os.linux.setup on Sun, 17 Aug 2008 23:55:01 -0700 (PDT), shank
    wrote:

    > Hi all
    >
    > I am relatively new to Linux Internals but fairly acquainted with
    > Linux administration. How do I go about
    > Hardening LINUX? Can anyone suggest good and easy documentation?


    This HOWTO is Debian-specific, but a lot of the advice can be applied
    to other distros:


    See also:

    And of course:



    --
    PJR :-)

    Version 0.9.9 of the slrn newsreader has been released:


  3. Re: hardening Linux

    shank wrote:
    > Hi all
    >
    > I am relatively new to Linux Internals but fairly acquainted with
    > Linux administration. How do I go about
    > Hardening LINUX? Can anyone suggest good and easy documentation?
    >

    By "hardening" I assume you mean making it more secure. If you want to do
    that, I suggest you run SELINUX. SELINUX is part of Red Hat Enterprise Linux
    5 (if you want it; if not, you can turn it off), so I am confident it also
    comes with CentOS5.

    As far as documentation, some comes with the distribution. The book "SELINUX
    NSA's Open Source Security Enhanced Linux" by Bill McCarty published by
    O'Reilly seems pretty good. I skimmed the book, but do not actually run SELINUX.

    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 07:05:01 up 11 days, 13:11, 4 users, load average: 4.21, 4.15, 4.09

  4. Re: hardening Linux

    Jean-David Beyer wrote:
    > shank wrote:
    >> Hi all
    >>
    >> I am relatively new to Linux Internals but fairly acquainted with
    >> Linux administration. How do I go about
    >> Hardening LINUX? Can anyone suggest good and easy documentation?
    >>

    > By "hardening" I assume you mean making it more secure. If you want to do
    > that, I suggest you run SELINUX. SELINUX is part of Red Hat Enterprise Linux
    > 5 (if you want it; if not, you can turn it off), so I am confident it also
    > comes with CentOS5.
    >
    > As far as documentation, some comes with the distribution. The book "SELINUX
    > NSA's Open Source Security Enhanced Linux" by Bill McCarty published by
    > O'Reilly seems pretty good. I skimmed the book, but do not actually run SELINUX.
    >


    SELinux is one of the most painfully and poorly managed pieces of wishful
    thinking I have ever seen. It protects against classes of attack that are
    fairly unusual, and in use, so interferes with normal software that it creates
    a debugging nightmare. The mere fact that you, and many developers and admins
    I know, do not actually use it is compelling evidence of its awkwardness.

    Many packages are well integrated with it, as part of operating system
    releases, but most casually written and tested projects are *not*. The results
    are *nasty* when software starts failing without warning.
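
When SELinux blocks an access it writes an AVC denial record to the audit log, which is the place to look when software fails as described above. The following is an added example, not part of the original thread: a shell function that groups denials by command, source type, target type, object class and permission. The sample log lines and the `myapp`/`myapp_t` names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarize SELinux AVC denials.
# Reads audit-log lines on stdin and prints one line per distinct denial:
#   count command source_type target_type class permissions
summarize_avc() {
  awk '
    /avc:/ && /denied/ {
      comm = src = tgt = cls = perms = "?"
      # The permission list sits between the braces.
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      # Assumes the command name contains no spaces.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
      }
      n[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample records (not from a real host); myapp/myapp_t are hypothetical.
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1219100001.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1219100002.102:202): avc:  denied  { read } for  pid=2102 comm="httpd" name="logo.png" dev=sda1 ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1219100002.102:202): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1219100003.103:203): avc:  denied  { name_bind } for  pid=2200 comm="myapp" src=8081 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
}

sample_audit_log | summarize_avc
```

On a host running auditd, feed it the live log with `summarize_avc < /var/log/audit/audit.log`.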

  5. Re: hardening Linux

    Nico Kadel-Garcia wrote:
    > Jean-David Beyer wrote:
    >> shank wrote:
    >>> Hi all
    >>>
    >>> I am relatively new to Linux Internals but fairly acquainted with
    >>> Linux administration. How do I go about
    >>> Hardening LINUX? Can anyone suggest good and easy documentation?
    >>>

    >> By "hardening" I assume you mean making it more secure. If you want to do
    >> that, I suggest you run SELINUX. SELINUX is part of Red Hat Enterprise
    >> Linux
    >> 5 (if you want it; if not, you can turn it off), so I am confident it
    >> also
    >> comes with CentOS5.
    >>
    >> As far as documentation, some comes with the distribution. The book
    >> "SELINUX
    >> NSA's Open Source Security Enhanced Linux" by Bill McCarty published by
    >> O'Reilly seems pretty good. I skimmed the book, but do not actually
    >> run SELINUX.
    >>

    >
    > SELinux is one of the most painfully and poorly managed pieces of
    > wishful thinking I have ever seen. It protects against classes of attack
    > that are fairly unusual, and in use, so interferes with normal software
    > that it creates a debugging nightmare. The mere fact that you, and many
    > developers and admins I know, do not actually use it is compelling
    > evidence of its awkwardness.
    >
    > Many packages are well integrated with it, as part of operating system
    > releases, but most casually written and tested projects are *not*. The
    > results are *nasty* when software starts failing without warning.


    What about using iptables and its associated documentation?

    Richard


  6. Re: hardening Linux

    Richard wrote:
    > Nico Kadel-Garcia wrote:
    >> Jean-David Beyer wrote:
    >>> shank wrote:
    >>>> Hi all
    >>>>
    >>>> I am relatively new to Linux Internals but fairly acquainted with
    >>>> Linux administration. How do I go about
    >>>> Hardening LINUX? Can anyone suggest good and easy documentation?
    >>>>
    >>> By "hardening" I assume you mean making it more secure. If you want to do
    >>> that, I suggest you run SELINUX. SELINUX is part of Red Hat Enterprise
    >>> Linux
    >>> 5 (if you want it; if not, you can turn it off), so I am confident it
    >>> also
    >>> comes with CentOS5.
    >>>
    >>> As far as documentation, some comes with the distribution. The book
    >>> "SELINUX
    >>> NSA's Open Source Security Enhanced Linux" by Bill McCarty published by
    >>> O'Reilly seems pretty good. I skimmed the book, but do not actually
    >>> run SELINUX.
    >>>

    >> SELinux is one of the most painfully and poorly managed pieces of
    >> wishful thinking I have ever seen. It protects against classes of attack
    >> that are fairly unusual, and in use, so interferes with normal software
    >> that it creates a debugging nightmare. The mere fact that you, and many
    >> developers and admins I know, do not actually use it is compelling
    >> evidence of its awkwardness.
    >>
    >> Many packages are well integrated with it, as part of operating system
    >> releases, but most casually written and tested projects are *not*. The
    >> results are *nasty* when software starts failing without warning.

    >
    > What about using iptables and its associated documentation?
    >

    I like to use that. It makes firewalls and does NAT. But that is hardly
    hardening a system. Better than nothing.

    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 20:50:01 up 12 days, 2:56, 4 users, load average: 4.08, 4.24, 4.25

  7. Re: hardening Linux

    On 19 Aug, 01:54, Jean-David Beyer wrote:
    > Richard wrote:
    > > Nico Kadel-Garcia wrote:
    > >> Jean-David Beyer wrote:
    > >>> shank wrote:
    > >>>> Hi all

    >
    > >>>> I am relatively new to Linux Internals but fairly acquainted with
    > >>>> Linux administration. How do I go about
    > >>>> Hardening LINUX? Can anyone suggest good and easy documentation?

    >
    > >>> By "hardening" I assume you mean making it more secure. If you want to do
    > >>> that, I suggest you run SELINUX. SELINUX is part of Red Hat Enterprise
    > >>> Linux
    > >>> 5 (if you want it; if not, you can turn it off), so I am confident it
    > >>> also
    > >>> comes with CentOS5.

    >
    > >>> As far as documentation, some comes with the distribution. The book
    > >>> "SELINUX
    > >>> NSA's Open Source Security Enhanced Linux" by Bill McCarty published by
    > >>> O'Reilly seems pretty good. I skimmed the book, but do not actually
    > >>> run SELINUX.

    >
    > >> SELinux is one of the most painfully and poorly managed pieces of
    > >> wishful thinking I have ever seen. It protects against classes of attack
    > >> that are fairly unusual, and in use, so interferes with normal software
    > >> that it creates a debugging nightmare. The mere fact that you, and many
    > >> developers and admins I know, do not actually use it is compelling
    > >> evidence of its awkwardness.

    >
    > >> Many packages are well integrated with it, as part of operating system
    > >> releases, but most casually written and tested projects are *not*. The
    > >> results are *nasty* when software starts failing without warning.

    >
    > > What about using iptables and its associated documentation?

    >
    > I like to use that. It makes firewalls and does NAT. But that is hardly
    > hardening a system. Better than nothing.


    There's no simple answer. Much of it depends on what the system needs
    to do: does it need a compiler? Web services? Access to the outside
    Internet? User logins? Network monitoring? Off-site backup and logging?

  8. Re: hardening Linux

    Nico Kadel-Garcia wrote:
    >>>>> shank wrote:
    >>>>>> Hi all
    >>>>>> I am relatively new to Linux Internals but fairly acquainted with
    >>>>>> Linux administration. How do I go about
    >>>>>> Hardening LINUX? Can anyone suggest good and easy documentation?

    >
    > There's no simple answer. Much of it depends on what the system needs
    > to do: does it need a compiler? Web services? Access to the outside
    > Internet? User logins? Network monitoring? Off-site backup and logging?


    The *simple* answer is don't install things you don't need, like "Do you
    really need gcc on an Internet-facing web server?" Actually figuring
    out what you don't need can be a challenge.

    SANS (www.sans.org) is an organization devoted to secure system and
    network administration. It has an extensive reading room of contributed
    materials, which are free. It also *sells* a pdf on hardening Linux
    step-by-step, which may be a bit out of date by now, although they do
    update it from time to time. Note that SANS is *not* Linux-specific.
    You'll find stuff there on Windows, Cisco, etc., too.

    There's Bastille (aka Bastille-Linux.org or Bastille-UNIX.org). It's a
    set of scripts that will either do a bunch of stuff to harden your box
    or just run a report to tell you what it would do if you let it. I
    recommend the second option. It doesn't work on every distro, though.

    There's Armor (www.spitzner.net/armoring.html) and Titan (which became
    Sun JASS), which are for Sun Solaris and are kind of old by now, but the
    ideas still apply.

    Then there's SELinux, on which folks have already commented. It keeps
    processes from doing things they're not allowed to do, even if they're
    running as root. I think it's actually become quite usable under
    Fedora. YMMV on other distros. It's definitely not for beginners, but
    you don't have to be a 10-dimensional chess grand master in your spare
    time, either.
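
An added example, not part of the original thread, for the "don't install things you don't need" advice above: two inventory checks that flag compiler and debugger packages and, going one step beyond the post, listening TCP ports outside the set a server role needs. The package-name list, the allowed ports and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: two inventory checks for an Internet-facing server.
# Both read plain text on stdin, so they can be run on saved output.

# Package names (one per line) -> those that are compilers or debug tools.
# The name list is an assumption; extend it for your distribution.
flag_build_tools() {
  grep -E -x '(gcc|gcc-c\+\+|g\+\+|cpp|clang|make|gdb|strace|nasm)' | sort -u
}

# `ss -tln` output -> "port address" for non-loopback listeners whose port
# is not among the allowed ports given as arguments.
unexpected_listeners() {
  awk -v allowed=" $* " '
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # text before it
      if (host ~ /^127\./ || host == "[::1]") next   # local-only service
      if (index(allowed, " " port " ") == 0) print port, host
    }' | sort -u | sort -k1,1n
}

# Constructed sample input (not taken from a real host).
sample_packages() {
  printf '%s\n' bash coreutils gcc httpd make openssh-server gdb
}
sample_ss() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*
LISTEN 0      128             [::]:111          [::]:*
EOF
}

sample_packages | flag_build_tools
sample_ss | unexpected_listeners 22 80 443
```

On a live host the inputs come from `rpm -qa --qf '%{NAME}\n'` or `dpkg-query -W -f='${Package}\n'` for packages, and from `ss -tln` for listeners.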
