This page contains my recomondations for home users on dialup
connections. For advice from a wide network of security
experts I recommend the newsgroup 'comp.os.linux.security'
and the c.o.l.s FAQ at
Set up Ssh,iptables, tcp-wrappers and Portsentry to secure the
machine and turn off unrequired services.
Portsentry-1.1 in Slackware's tgz format is available
`iptables -nxvL | $PAGER` gives a verbose output of iptable rules.
It is recommended to store user data on a separate partition that can be
umounted when not in use. This also helps for system upgrades as the
data partition will not be written over. Regular backups of important
files is essential for system recovery.
These commands help find running processes, modified files and permissions
which may indicate cracker rootkits.
Look for running tasks taking up cpu usage, heavy tcp traffic, open sockets
and rootkit binaries replacing original binaries or hidden elsewhere on
the filesystem as regular files. Log and configuration files may also have
ps aux | grep <command>
top -n 1 -b | $PAGER
lsof -i tcp
lsof -i udp
#check for malicous sniffers setting eth0 in promicuous mode
ip link show
#check for rootkit modules, do not use 'lsmod' which may be trojaned
#create md5 checksum file of the /etc directory.
#This is an example for the /etc directory.A examination of the whole
#filesystem tree using the / path should also be done.
#Store a copy of the checksums in a safe place such as a trusted floppy.
md5sum `find /etc -type f` > foobar.md5
#run this to check for alterations and grep md5sum fails.
`find /etc -type f` | xargs md5sum -c foobar.md5 > foobaz.md5 | xarg grep -i fail foobaz.md5
#inspect files for date changes, Samhain is better.
stat <binary> or <file>
#find configuration files modified in the last three days.
ls -l `find /etc -mtime -3` | $PAGER
#find configuration files usually 644
ls -l `find /etc -type f -perm 644` | $PAGER
#find suid root files
find / -user root -perm -4000 -print > foobar.txt
#check for haxor strings
Because 'find', 'ls', 'ps' and 'top' are often trojaned by crackers you
should use trusted copies from a backup floppy or the slackware iso
disks when inspecting for cracker activity.
'iptraf' and 'netwatch' are ncurses network monitors that show statistics
of network traffic and dump stats to logs.
'tcpdump -i ppp0 -w foobar.txt' dumps traffic data to foobar.txt file
for later analysis using 'tcpdump -r foobar.txt > foobaz.txt' which
outputs readable text to 'foobaz.txt'. See man tcpdump for info.
Samhain has superceded Tripwire as the file integrity tool of choice. Tripwire is patented software that is out of date and Samhain provides superior security as it catches fake syscalls to the kernel made by hidden haxor programmes.
If you want something simpler you can use 'md5sum' as shown above but make sure that a copy of the md5 checksum files are kept somewhere safe such as a trusted floppy.
For a automated check for rootkits the tool Chkrootkit is recommended.It uses commands such as find,ls,ps,netstat that cannot be trusted on a compromised machine so use the -p option to run trusted binaries copied from the linux install cd.
Secure Shell can be protected by using alphanumeric user names and moving the sshd from port 22 to evade dictionary attacks and probes. Disable the insecure sshd permit 'root' login and use of Protocol 1. See `man sshd_config`.
Slackware can use
to read the Changelog for security announcements and the downloading
of upgraded packages.
I recommend the following sites for security information and tools.
guides for all aspects of security.
Portsentry-1.1 Homepage. blocks and records the source address of port scanners.
Firehol a firewall generator script with ample documentation.
Nmap a port scanner that locates open ports plus docs about how crackers operate.
Ntop real time graph and table display of network traffic and location of external hosts. Viewed in a web browser with data dumps to log for extraction using perl scripts. Uses 'tcpdump'
Squid proxy caching server for web clients using http and ftp.
www.userlocal.com slackware tips and links
kSlackcheck a console or kde tool that checks Slackwares changelog and can download updated packages as a cron job or you view a list and select downloads manually. Easy to setup and use.
keithmg at e3netnz
home webpage: http://homepages.e3.net.nz/~keithmg/