


Slackware-13.37-Hacks-Hardening Tips

Posted 02-04-2012 at 09:17 PM by arniekat

These suggestions are based on advice from the SlackWiki Basic Security Fixes, The Center For Internet Security Slackware Benchmarks and on the General Hardening Tips for Red Hat Enterprise Linux. I condensed and categorized as many of the suggestions as I could glean; however, it is your choice as to how many of them apply in your case.



PHYSICAL SECURITY



Create a BIOS Password to keep others from changing your BIOS settings. After you have installed Slackware, you can disable booting from CD/DVD and USB so that your computer will be forced to boot from the Hard Drive. You can still use the CD/DVD and USB once the machine is running. Since the BIOS can be reset to its default settings by removing the watch battery on the motherboard, you should consider adding tamper-resistant computer case screws. The two I have seen are the Torx Security Screws, which require a special screwdriver bit to install/remove, and the CPU Security Lock, which replaces one of the computer case screws and uses a special barrel-shaped key to install/remove. Setting a lilo password will keep someone else from booting to single-user mode (runlevel 1) or from changing the settings at boot time.



SEPARATE PARTITIONS



When you first install Slackware, keep the /home, /tmp, /usr and /var on separate partitions so that you can change mount options in /etc/fstab to limit what files on those partitions can do. If you look at your /etc/fstab file and see the 4th column (mount options) as "defaults", this means that the file system being mounted is using the default values for the file system in question. In the case of ext4 (see man mount) these are: rw, suid, dev, exec, auto, nouser, and async. Here are some suggested defaults from the RHEL Hardening Manual.



/home defaults,nodev

/tmp defaults,nodev,nosuid,noexec

/usr defaults,nodev

/var defaults,nodev

tmpfs defaults,nodev,nosuid,noexec
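
One way to check an existing /etc/fstab against the options listed above (an added example, not part of the original post). The function names and the sample entries are made up for illustration, and the tmpfs rule is matched on the filesystem type column.

```shell
#!/bin/sh
# Added example: audit fstab entries against the mount options suggested above.

# Options the page suggests, keyed by mount point (or "tmpfs" for the fs type).
required_opts() {
    case "$1" in
        /home|/usr|/var) echo "nodev" ;;
        /tmp|tmpfs)      echo "nodev nosuid noexec" ;;
        *)               ;;   # no suggestion for other mounts
    esac
}

# Read fstab text on stdin; print "MOUNTPOINT missing: opt,opt" for weak entries.
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        key=$mnt
        if [ "$fstype" = tmpfs ]; then key=tmpfs; fi
        missing=""
        for want in $(required_opts "$key"); do
            case ",$opts," in
                *",$want,"*) ;;                       # option already present
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then echo "$mnt missing: $missing"; fi
    done
    return 0
}

# Constructed sample (hypothetical devices), not taken from a real system.
sample_fstab() {
    cat <<'EOF'
# device   mount     type   options                        dump pass
/dev/sda1  /         ext4   defaults                       1 1
/dev/sda2  /home     ext4   defaults                       1 2
/dev/sda3  /tmp      ext4   defaults,nodev,nosuid          1 2
/dev/sda5  /usr      ext4   defaults,nodev                 1 2
/dev/sda6  /var      ext4   defaults                       1 2
tmpfs      /dev/shm  tmpfs  defaults,nodev,nosuid,noexec   0 0
EOF
}

sample_fstab | audit_fstab
```

On a real system, run `audit_fstab < /etc/fstab`; an empty result means every listed mount already carries the suggested options.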



ENCRYPTION



Setting up encryption is fairly easy with Slackware. The README_CRYPT.TXT has all the details on how to do this. You can set up swap space encryption during or after installation, and it uses a random key on every boot. You do not need to enter a password to have swap space encryption. To have /home encryption, you will need to set it up when you first install the system. With swap and /home encryption, you only need to remember one password to decrypt. Of course you will also need your login password.



USE STRONG PASSWORDS



Weak passwords make your system vulnerable. You can use John The Ripper (current version 1.7.9 available from SlackBuilds) to check your /etc/passwd file and see whether the application can crack your password. If it can, you might consider strengthening the password by adding capital letters, numbers, characters, etc.



TURN OFF SERVICES



Turning off services not only saves you resources and RAM, it also makes your computer more secure since it is one less application running that can be hacked or compromised. There is a tutorial for turning off services on Linux Questions.



REMOVE UNUSED SOFTWARE



Normally, I do a Full Installation to have all the tools and compilers available to me since I like compiling everything I need and personalizing my system. However, from a security standpoint, the more unused software you remove, the less chance you have of being affected by a vulnerability in any one piece of software. Here are potential candidates for removal:

1. Games (bsd-games)

2. Extra Shells (ksh93, tcsh, zsh)

3. Server Applications (apache, bluetooth, cups, nfs, samba, sendmail)

4. Window Managers (fluxbox, fvwm, windowmaker, xfce)

5. Misc Applications (emacs)

6. Compilers (gcc-gnat, gcc-objc, others from the "D" Series)

With regard to the Compilers and Developer Tools, the reasoning is that if someone were to break in to your machine, they would try to compile/install a rootkit with kernel modules. If the tools to compile are not there, then you are making it harder for someone to root your box. If you compile your packages on another machine and use the patches provided by Slackware, then you don't need to compile software on your box.



KEEP YOUR SYSTEM UPDATED



You can go to the Slackware website and download the patches to your machine, then use the command "upgradepkg" to install the patches. The automated way to do updates is by using the slackpkg tool included with the Full Installation of Slackware. This will check the packages and perform the update using an ncurses menu. There is a tutorial for installing/configuring slackpkg on Linux Questions.



USE SECURITY-ENHANCING SOFTWARE AND TOOLS



Aide - Available from SlackBuilds. Aide monitors for file system changes. It does this by creating a database with MD5SUMs and SHA1SUMs of your files and binaries. When you run aide later on, if the checksums don't match, it will let you know. It may mean you have upgraded a package or it could mean you have been hacked.



Chkrootkit - Available from SlackBuilds. Chkrootkit checks your system for known rootkits.



FireHOL - Available from SlackBuilds. FireHOL is a tool for configuring a firewall. There is a tutorial for installing/configuring FireHOL on Linux Questions.



UFW - Available from SlackBuilds. UFW is a tool for configuring a firewall. It is called the Uncomplicated Firewall and comes from the Ubuntu Project. There is a tutorial for installing/configuring UFW on Linux Questions.



LOGIN HARDENING



If you choose to have automatic login, anyone can turn on your machine and get to your files, etc. Configure the Login Manager (KDM, GDM, XDM, SLiM) so that the Login Name is BLANK. If you let the Login Manager display the Login Name, you have just given away half of the information required to log in to your machine. Increasing the login delay to 10 seconds after a wrong password is entered forces a cracker to spend more time guessing the login password.



CONFIGURE SU/SUDO



Configuring su and sudo will restrict who is able to su to root and use sudo so that if you have multiple users on the computer, they will not be able to do too much damage to the box. Hopefully.


