Securing Slackware.


This page contains my recomondations for home users on dialup connections. For advice from a wide network of security experts I recommend the newsgroup 'comp.os.linux.security' and the c.o.l.s FAQ at colsfaq.

Set up Ssh,iptables, tcp-wrappers and Portsentry to secure the machine and turn off unrequired services.

Portsentry-1.1 in Slackware's tgz format is available here.

`iptables -nxvL | $PAGER` gives a verbose output of iptable rules.

It is recommended to store user data on a separate partition that can be umounted when not in use. This also helps for system upgrades as the data partition will not be written over. Regular backups of important files is essential for system recovery.

These commands help find running processes, modified files and permissions which may indicate cracker rootkits. Look for running tasks taking up cpu usage, heavy tcp traffic, open sockets and rootkit binaries replacing original binaries or hidden elsewhere on the filesystem as regular files. Log and configuration files may also have been altered.

ps aux | grep <command>

top -n 1 -b | $PAGER


lsof -i tcp
lsof -i udp

#check for malicous sniffers setting eth0 in promicuous mode
ip link show

#check for rootkit modules, do not use 'lsmod' which may be trojaned
cat /proc/modules

#create md5 checksum file of the /etc directory.
#This is an example for the /etc directory.A examination of the whole
#filesystem tree using the / path should also be done.
#Store a copy of the checksums in a safe place such as a trusted floppy.
md5sum `find /etc -type f` > foobar.md5

#run this to check for alterations and grep md5sum fails.
`find /etc -type f` | xargs md5sum -c foobar.md5 > foobaz.md5 | xarg grep -i fail foobaz.md5

#inspect files for date changes, Samhain is better.
stat <binary> or <file>

#find configuration files modified in the last three days.
ls -l `find /etc -mtime -3` | $PAGER

#find configuration files usually 644
ls -l `find /etc -type f -perm 644` | $PAGER

#find suid root files
find / -user root -perm -4000 -print > foobar.txt

#check for haxor strings
file <binary>
string <binary>

Because 'find', 'ls', 'ps' and 'top' are often trojaned by crackers you should use trusted copies from a backup floppy or the slackware iso disks when inspecting for cracker activity.

'iptraf' and 'netwatch' are ncurses network monitors that show statistics of network traffic and dump stats to logs.

'tcpdump -i ppp0 -w foobar.txt' dumps traffic data to foobar.txt file for later analysis using 'tcpdump -r foobar.txt > foobaz.txt' which outputs readable text to 'foobaz.txt'. See man tcpdump for info.

Samhain has superceded Tripwire as the file integrity tool of choice. Tripwire is patented software that is out of date and Samhain provides superior security as it catches fake syscalls to the kernel made by hidden haxor programmes.

If you want something simpler you can use 'md5sum' as shown above but make sure that a copy of the md5 checksum files are kept somewhere safe such as a trusted floppy.

For a automated check for rootkits the tool Chkrootkit is recommended.It uses commands such as find,ls,ps,netstat that cannot be trusted on a compromised machine so use the -p option to run trusted binaries copied from the linux install cd.

Secure Shell can be protected by using alphanumeric user names and moving the sshd from port 22 to evade dictionary attacks and probes. Disable the insecure sshd permit 'root' login and use of Protocol 1. See `man sshd_config`.

Slackware can use kSlackcheck to read the Changelog for security announcements and the downloading of upgraded packages.

I recommend the following sites for security information and tools.

www.linuxsecurity.com  guides for all aspects of security.
Portsentry-1.1 Homepage.   blocks and records the source address of port scanners.
Firehol   a firewall generator script with ample documentation.
Nmap   a port scanner that locates open ports plus docs about how crackers operate.
Ntop  real time graph and table display of network traffic and location of external hosts. Viewed in a web browser with data dumps to log for extraction using perl scripts. Uses 'tcpdump'
Squid  proxy caching server for web clients using http and ftp.

Slackware specific
www.userlocal.com   slackware tips and links
kSlackcheck a console or kde tool that checks Slackwares changelog and can download updated packages as a cron job or you view a list and select downloads manually. Easy to setup and use.

vi-pic       comments to  keithmg at e3netnz
home webpage: http://homepages.e3.net.nz/~keithmg/