
Security in Linux

d0rK ::

So..... Yesterday Windows was generally screwing with me... Again. And I decided to put Fedora on.
I got the network up, sound too, and hardware things like that.

More than those, though, I'm worried about security. I have a feeling that in the Linux world, despite there being fewer viruses and worms, there are more break-ins into systems. So I'd like to make sure my system is as updated and protected as possible.

So I'm interested in the following:

- I'd like to set up a firewall with iptables. Does anyone have a good link so I can learn to use it properly?
- Updates, where do I follow them? List as many sites as possible...
- Various exploits, where do I follow them? So that if there's no update yet, I at least know whether I have a known hole in my system.

And suggest something yourselves... How can I make my system more secure?

hruske ::

1. Turn off all services you don't need.
With netstat -natup | grep LISTEN you see what's listening on IP protocols; at the far right it shows the process name, then you google it.

2. Patches... for Fedora I unfortunately don't know where you find them.. :\

3. iptables.. quite an OK firewall for a start, but to use iptables you need quite a bit of knowledge; you can also have a look at something like shorewall.
I love this little country. <3

d0rK ::

Thanks for the help hruske... I was a bit surprised that this topic is so empty though... So many users... Does nobody protect themselves, or do they just not feel like advising a newbie?....

1. I turned off quite a few services... But this interests me:

1. Which runlevel should I edit? 3 or 5?
2. Which of these can I also turn off?

acpid - Listen and dispatch ACPI events from the kernel
anacron - Run cron jobs that were left out due to downtime
atd - Runs commands scheduled by the at command at the time specified when at was run, and runs batch commands when the load average is low enough.
autofs - Automounts filesystems on demand
cpuspeed - Run dynamic CPU speed daemon
crond - cron is a standard UNIX program that runs user-specified programs at periodic scheduled times. vixie cron adds a number of features to the basic UNIX cron, including better security and more powerful configuration options.
cups - Startup/shutdown script for the Common UNIX Printing System (CUPS).
cups-config-daemon
gpm - GPM adds mouse support to text-based Linux applications such as the Midnight Commander. It also allows mouse-based console cut-and-paste operations, and includes support for pop-up menus on the console.
haldaemon - This is a daemon for collecting and maintaining information about hardware from several sources. See http://www.freedesktop.org/Software/hal
irqbalance - The irqbalance daemon will distribute interrupts across the cpus on a multiprocessor system with the purpose of spreading the load. processname: irqbalance
kudzu - This runs the hardware probe, and optionally configures changed hardware.
lm_sensors - sensors is used for monitoring motherboard sensor values.
mDNSResponder - This is a daemon which runs on Howl clients to perform Zeroconf service discovery on a network. mDNSResponder must be running on systems that use Howl for service discovery. mDNSResponder should not be running otherwise.
mdmonitor - software RAID monitoring and management
messagebus - This is a daemon which broadcasts notifications of system events and other messages. See http://www.freedesktop.org/software/dbu...
netfs - Mounts and unmounts all Network File System (NFS), SMB/CIFS (Lan Manager/Windows), and NCP (NetWare) mount points.
network - Activates/Deactivates all network interfaces configured to start at boot time.
nfslock - NFS is a popular protocol for file sharing across TCP/IP networks. This service provides NFS file locking functionality.
nifd - This is a daemon which runs on Howl clients to monitor the state of a network interface. nifd must be running on systems that use autoipd and mDNSResponder to automatically obtain a Link-Local IPv4 address and do Zeroconf service discovery. nifd should not be running otherwise.
pcmcia
portmap - The portmapper manages RPC connections, which are used by protocols such as NFS and NIS. The portmap server must be running on machines which act as servers for protocols which make use of the RPC mechanism.
readahead - This service causes the programs used during startup to be loaded into memory before they are needed, thus improving startup performance
readahead-early - This service causes the programs used during startup to be loaded into memory before they are needed, thus improving startup performance
rpcgssd - Starts user-level daemon that manages RPCSEC GSS contexts for the NFSv4 client.
rpcidmapd - Starts user-level daemon for NFSv4 that maps user names to UID and GID numbers.
rpcsvcgssd - Starts user-level daemon that manages RPCSEC GSS contexts for the NFSv4 server.
smartd - Self Monitoring and Reporting Technology (SMART) Daemon
syslog
xinetd

This is running on runlevel 3.. Same for runlevel 5... Which ones can I also turn off?

2. netstat -natup | grep LISTEN throws out this...

[root@localhost dork]# netstat -natup | grep LISTEN
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 4487/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4467/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4680/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4647/mDNSResponder

Is that all OK?

3. Updates for Fedora are handled by the up2date program, which isn't the best considering I downloaded 150 updates in total yesterday and it updated Thunderbird to 0.9, for instance.

4. iptables are running.

Any other suggestions?

hruske ::

Of course there are suggestions :D

If you need to run something on tcp, then in principle you try to get it onto 127.0.0.1, because that is accessible only to you.

example:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4680/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4647/mDNSResponder

these two services are accessible only locally on this machine; they are not visible on the network.

These two are worth turning off, if you don't have a linux/unix network with the NFS network filesystem.

tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 4487/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4467/portmap

Try turning off nfslock, rpcgssd, rpcidmapd, rpcsvcgssd and portmap.
I love this little country. <3
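The localhost-versus-network split hruske does by hand above, as an added example that is not from the thread: it parses `netstat -natup | grep LISTEN` output and reports which listeners are reachable from the network. The sample lines are constructed in the shape of the output posted above.

```python
# Added example, not from the thread: classify netstat LISTEN lines by bind address.
from dataclasses import dataclass

# Constructed sample, copied in shape from the netstat output posted in the thread.
SAMPLE = """\
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 4487/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4467/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4680/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4647/mDNSResponder
"""

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: int          # 0 when netstat prints "-" (it was not run as root)
    program: str

    @property
    def exposed(self) -> bool:
        """True when bound to anything other than a loopback address."""
        return not (self.addr.startswith("127.") or self.addr == "::1")

def parse_listeners(text):
    out = []
    for line in text.splitlines():
        f = line.split()
        # UDP lines carry no state column, so only TCP LISTEN sockets get through.
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)        # rsplit keeps IPv6 "::1:631" intact
        pid, _, program = f[6].partition("/")   # "4487/rpc.statd" or just "-"
        out.append(Listener(f[0], addr, int(port),
                            int(pid) if pid.isdigit() else 0, program or pid))
    return out

def exposed_programs(text):
    """Sorted names of programs whose socket is reachable from the network."""
    return sorted(l.program for l in parse_listeners(text) if l.exposed)

def report(text):
    """Print one line per listener, marking the network-reachable ones."""
    for l in parse_listeners(text):
        scope = "NETWORK" if l.exposed else "local"
        print(f"{scope:8} {l.proto} {l.addr}:{l.port} {l.program}")

if __name__ == "__main__":
    report(SAMPLE)
```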

d0rK ::

Okay, I turned off those services you wrote too; the rest I'll google and see whether I need them or not.. This still interests me:

1. I have these accounts on the computer:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
dork:x:500:500:/home/dork:/bin/bash

Could you please tell me which ones I don't need, and how to delete them? The userdel command doesn't take.... I'd delete as many as possible... Or just all except root and me ;).

[root@localhost dork]# userdel -r games
bash: usrdel: command not found

2. I checked /etc/securetty for any pseudo accounts that would allow remote login as root, and there are none.

3. In .bash_profile I put " HISTFILESIZE=0 " so that no command gets saved in .bash_history.

4. I'd also like to do this but I need your help...

First we will create the wheel group. The wheel group is a group of select individuals that can execute powerful commands, such as /bin/su. By limiting the people that can access these commands, you enhance the system security. To create the group, vi the file /etc/group, create the group wheel, and add the system admins to the group. Then identify critical system binaries, such as /bin/su. Change the group ownership to wheel, and the permissions to owner and group executable only (be sure to maintain the suid or guid bit for specific binaries). For /bin/su, the commands would be:

/bin/chgrp wheel /bin/su
/bin/chmod 4750 /bin/su

If I deleted all accounts except me and root I probably wouldn't need this, but if any of those accounts is still necessary for the system, I could do this too, and I'm interested. So if I then added me and root to this "wheel" group, would I be able to run system commands without logging in as root or not?
Because I wouldn't like that...


5. Second, we will lock down the files .rhosts, .netrc, and /etc/hosts.equiv. The r commands use these files to access systems. To lock them down, touch the files, then change the permissions to zero, locking them down. This way no one can create or alter the files. For example,

/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv

Please explain how I do this too....


And thanks again for the help :).


Regards,

d0rK
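An audit for the two lockdown steps quoted in the post above (su restricted to the wheel group with mode 4750, and the r-command files kept at mode 0), added here as an example that is not from the thread or the guide it quotes. Paths are parameters, and demo() builds a constructed scratch tree so it runs without touching the real /bin/su.

```python
# Added example, not from the thread: verify the su/wheel and .rhosts lockdown
# steps instead of applying them blindly. Paths are parameters; demo() uses a
# constructed scratch directory rather than the real system files.
import os
import stat

def file_mode(path):
    """Permission bits including setuid/setgid/sticky, e.g. 0o4750."""
    return stat.S_IMODE(os.stat(path).st_mode)

def check_su(path, want_mode=0o4750, want_group="wheel"):
    """Findings for an su binary: group and mode must match, and the setuid
    bit must survive, otherwise su cannot switch users at all."""
    findings = []
    mode = file_mode(path)
    if mode != want_mode:
        findings.append(f"{path}: mode {mode:o}, expected {want_mode:o}")
    if not mode & stat.S_ISUID:
        findings.append(f"{path}: setuid bit missing")
    if want_group is not None:
        import grp  # Unix only; the group check is skipped when want_group is None
        group = grp.getgrgid(os.stat(path).st_gid).gr_name
        if group != want_group:
            findings.append(f"{path}: group {group}, expected {want_group}")
    return findings

def check_rcmd_files(paths):
    """Findings for .rhosts/.netrc/hosts.equiv: each must exist as a regular
    file (so it cannot be created later) with mode 0 (nobody can read/alter)."""
    findings = []
    for p in paths:
        if not os.path.lexists(p):
            findings.append(f"{p}: missing, should be an empty mode-0 file")
        elif os.path.islink(p) or not os.path.isfile(p):
            findings.append(f"{p}: not a regular file")
        elif file_mode(p) != 0:
            findings.append(f"{p}: mode {file_mode(p):o}, expected 0")
    return findings

def demo():
    """Constructed scratch tree with one compliant and one drifted file per
    step; returns the findings for each check."""
    import tempfile
    d = tempfile.mkdtemp()
    files = {"su.good": 0o4750, "su.bad": 0o755, ".rhosts": 0, ".netrc": 0o644}
    for name, mode in files.items():
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    rcmd = [os.path.join(d, n) for n in (".rhosts", ".netrc", "hosts.equiv")]
    return {"su_ok": check_su(os.path.join(d, "su.good"), want_group=None),
            "su_bad": check_su(os.path.join(d, "su.bad"), want_group=None),
            "rcmd": check_rcmd_files(rcmd)}
```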


borchi ::

Could you please tell me which ones I don't need, and how to delete them? The userdel command doesn't take.... I'd delete as many as possible... Or just all except root and me ;).


DON'T!!! you can see anyway that only root and you have shell access.
regarding the wheel group, put only yourself in it, so you'll be able to log in as root from your own account. being in wheel doesn't mean you can do everything root does! take a look at /etc/group. and don't go changing things blindly, because you'll suddenly find that half the stuff doesn't work, because you'll keep running into permissions walls everywhere.
later

CCfly ::

Don't delete users, because some of them are meant for running services, like ftp, apache, ...
Those users only help you as far as security is concerned.
"My goodness, we forgot generics!" -- Danny Kalev

hruske ::

DON'T delete users. Those that are there are there for a reason.

Just keep the programs that connect to the internet updated and servers turned off, and you're fairly safe.
I love this little country. <3

mte ::

hm.. I'm wondering what purpose the games group serves?

CCfly ::

It contains the users who are allowed to play the games that are stored in /usr/games
"My goodness, we forgot generics!" -- Danny Kalev

mte ::

So practically, if you don't have any games there and have no intention of installing any, there shouldn't be a problem if the group is deleted? I don't intend to delete it (don't fix what works), but I'm wondering about the theoretical background..

CCfly ::

Yes, you could delete it, but security-wise it's harmless, because the group's users don't have a real shell set but /bin/false.
"My goodness, we forgot generics!" -- Danny Kalev

Poldi112 ::

My iptables rules are 100X more primitive. Everything under the sun is in those. Even nat.

iptables="/sbin/iptables"
# default policy: drop everything not explicitly accepted
$iptables -P FORWARD DROP
$iptables -P INPUT DROP
# allow new ssh connections
$iptables -A INPUT -p tcp -m tcp --destination-port 22 -j ACCEPT
# allow replies to connections this host started
$iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow local traffic (matched on source address; matching on -i lo is stricter)
$iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# "! -i lo" is the current negation syntax; the old "-i ! lo" form is rejected by newer iptables
$iptables -A INPUT ! -i lo -j DROP
Where all think alike, no one thinks very much.
Walter Lippmann, 1922, on the precondition for democracy.

d0rK ::

All right, I'll leave those accounts then.... These days I'm already finding my way around the system quite well...


I only had some complications with aMule and the Fortune game. But I'll sort it out somehow.

