Linux Security

phobos

To continue on my list of questions brings me to security and built in features in linux.

Now that I'm online at last, I can't help but feel vulnerable using an OS that I'm very much in the learning stage of using, and connecting my machine to the net. There a min ago, I decided to netstat to see what kind of stuff my computer was connecting to and if I was running any servers. The amount of stuff that came back was unreal. I expected it to list a few server domains, but instead all I got was a connection to this file and that (local). I would hate to think I have (m)any open ports on my machine. Surely there is a way I can find out without downloading some port scanner or something. I will of course be implementing a firewall once I understand a little bit more on how this OS interacts with networks (around & above the TCP/IP layer).

My analogy that I used yesterday, about being thrown in to an unknown space blindfolded, and having to learn about it, still stands. At the moment my undstanding are only of a high level. I know what should be going on, but I don't know how to monitor anything. I suppose I don't know about the resources (tools) I have in front of me, yet alone how to use them

;-phobos-)

flamegrill

General Secuity in linux starts at a daemon level IMO. So disabling all the daemons you dont need is somewhere to start. You are on a dial-up so you dont need telnet/ftp/ssh running. You dont need finger/ident or any of those daemons.

When you connect to the net while using X windows there will be several ports open by X that the outside world can connect to. A basic firewall is the best way to go about this.

Once you have done this your linux distro is fairly well secured from the outside world and you should be happy .

Theres no point yet in going on about securing the file system yet because it isnt a multi user environment because you are only on a dial-up and its a workstation.

Get the above done and you should be sailing

Also have a look here - http://www.mandrakelinux.com/en/errata.php3
and also look here - http://www.mandrakelinux.com/en/security/mdk-updates.php3?dis=8.1
and here for mailing lists - http://www.mandrakesecure.net/en/mlist.php

If you intend to use linux and get to know it well id recommend subscribing to bugtraq aswell, by keeping on top of exploits and the like you can futher your knowledge about the OS.

In closing maybe you would consider a move away from mandrake and a GUI to a pure console distro in the not to distant future. I find its best to get to know the OS the hard way as apposed to a GUI.

Have fun,

Paul

Gavin

In closing maybe you would consider a move away from mandrake and a GUI to a pure console distro in the not to distant future. I find its best to get to know the OS the hard way as apposed to a GUI.

That's not much use to him if he wants to watch a dvd. View images on the web. What exactly is a console distrib meant to be ? Is it not sufficient that he just configure stuff from a nice xterm in a hated gui ?

Gav

flamegrill

Originally posted by Verb


That's not much use to him if he wants to watch a dvd. View images on the web. What exactly is a console distrib meant to be ? Is it not sufficient that he just configure stuff from a nice xterm in a hated gui ?

Gav

Yes indeed. I agree, but and theres always a but , the main reason people want to get into using linux is to maybe someday get a job admining it. When it comes to the crunch you wont have a GUI to actually do the setup for you. If something goes wrong he or anyone else wouldnt know where to look to see why apache wont start in ssl mode or why the mysqld wont start etc.

if people purely want to use it as a workstation as many people no doubt do, then by all means use mandrake and red hat. (Please dont flame this thread). But i assure you that if you use the console only you will become more familiar with the OS 5 times quicker and be able to get more apps working etc.

Recently a friend of mine wasnt able to get X working on his pc. So he let me ssh in and gave me root (over dialup) and i was able to config XFree by hand. Things like that are where getting rid of the GUI comes into it.

This could get very spammy. But id like if people didnt fly off the handle

Now back to securing linux.....

Regards,

Paul

Gavin

Fair enough. My point was as you ascertained. That not everyone is interested in how it works, just in how to get it to do things. Definitely if you are an admin then you will need to know how to configure things via configuration files.

Gav

phobos

Some excellent points made by all there, which I completely agree with

ATM I want to use my linux box as a workstation, enabling me to perform similar tasks that I previously would have done using Windows. Having said that when I boot linux the first thing that I tend to do is start an instance of a shell. I am not one of those people that runs from the command line, and I am definately not one of those people that doesn't care how things work as long as they work. Take connecting to the web for example, it was down to file access privilages that prohibited me as an ordinary user from getting online. Now I know that and everything works. But if I had got it working, and didn't know why, I would still be posting in the Linux/Modems thread with further questions.

I can see reason to why it is a good idea to use the command line over GUIs. From what I can see, all the GUI apps in linux just represent a fancy (wizard like) interface to command line utilities. Basically everything you can do in a GUI, you can do equally or more on the command line. If this is true, then it all makes sense to me. Take WvDial for example, it was an app that was coded in C++, I as a programmer could go ahead, and create a GUI for that program quite easily. Thus making the utility more user friendly to people who don't like the command line. I quite like to tie between the two TBH.

At the moment my first priority is to use the shell (& shell programming) as much as I can, hopefully in doing that I will be able to get the right exprerience.

Cheers

;-phobos-)