» »

Varnost v Linuxu

Varnost v Linuxu

d0rK ::

Torej.....Uceri so me Winsi neki generalno zajebaval...Spet. In sm se odlocu da vrzm gor Fedoro.
Net sm vzpostavu, zvok tut in take hardware stvari.

Bolj ko le-te me pa skrbi za varnost. Saj imam nek filing da je v svetu Linuxa, klub temu da je manj virusov ter wormov vec vdiranj v sistem. In zato bi rad poskrbel, da je moj sistem cim bolj updejtan in zasciten.

Torej zanima me naslednje:

-Nastimal bi si firewall z iptables. Ma kdo kaksen dober link da bi se dodobra naucil uporabljati?
-Kksni updejti, kje spremlam? Navedite cim vec strani...
-Razni exploiti, kje spremlam? Da ce se glih ni updejta da usej vem ce mam v sistemu kksno mozno znano lukno.

Pa se vi kaj predlagajte...Kako lahko naredim moj sistem bolj varen?
  • spremenil: d0rK ()

hruske ::

1. Izklopiš vse servise ki jih ne rabiš.
z netstat -natup | grep LISTEN pogledaš kaj vse posluša na ip protokolih, čisto desno ti piše ime procesa, potem pa zgooglaš zadevo.

2. popravki ... za fedoro žal ne vem kje jih najdeš..:\

3. iptables .. kar uredu firewall za začetek, sicer pa za uporabo iptables potrebuješ precej znanja, lahko si ogledaš tudi kak shorewall.
Kalkulator nove omrežnine 2024 - https://omreznina.karlas.si/Kalkulator

d0rK ::

Hvala za pomoc hruske ... Sicer me je pa mal presenetil, da je ta tema tko prazna... Tok uporabnikov...A se nuben nc ne zascit, al se jim sam ne da svetovat newbiju?....

1. Sm ugasnu kr neki servicov...Ampak tole me zanima:

1. Ker runlevel nej editiram? 3 al 5?
2. Kere od tehle lahka se ugsnem?

acpid - Listen and dispatch ACPI events from the kernel
anacron - Run cron jobs that were left out due to downtime
atd - Runs commands scheduled by the at command at the time specified when at was run, and runs batch commands when the load average is low enough.
autofs - Automounts filesystems on demand
cpuspeed - Run dynamic CPU speed daemon
crond - cron is a standard UNIX program that runs user-specified programs at periodic scheduled times. vixie cron adds a number of features to the basic UNIX cron, including better security and more powerful configuration options.
cups - Startup/shutdown script for the Common UNIX Printing System (CUPS).
cups-config-deamon
gpm - GPM adds mouse support to text-based Linux applications such as the Midnight Commander. It also allows mouse-based console cut-and-paste operations, and includes support for pop-up menus on the console.
haldeamon - This is a daemon for collecting and maintaing information about hardware from several sources. See http://www.freedesktop.org/Software/hal
ircbalance - The irqbalance daemon will distribute interrupts across the cpus on a multiprocessor system with the purpose of spreading the load. processname: irqbalance
kudzu - This runs the hardware probe, and optionally configures changed hardware.
Im-sensors - sensors is used for monitoring motherboard sensor values.
mDNSResponder - This is a daemon which runs on Howl clients to perform Zeroconf service discovery on a network. mDNSResponder must be running on systems that use Howl for service discovery. mDNSResponder should not be running otherwise.
mdmonitor - software RAID monitoring and management
massagebus - This is a daemon which broadcasts notifications of system events and other messages. See http://www.freedesktop.org/software/dbu...
netfs - ounts and unmounts all Network File System (NFS), SMB/CIFS (Lan Manager/Windows), and NCP (NetWare) mount points.
network - Activates/Deactivates all network interfaces configured to start at boot time.
nfslock - NFS is a popular protocol for file sharing across TCP/IP networks. This service provides NFS file locking functionality.
nifd - This is a daemon which runs on Howl clients to monitor the state of a network interface. nifd must be running on systems that use autoipd and mDNSResponder to automatically obtain a Link-Local IPv4 address and do Zeroconf service discovery. nifd should not be running otherwise.
pcmcia
portmap - The portmapper manages RPC connections, which are used by protocols such as NFS and NIS. The portmap server must be running on machines which act as servers for protocols which make use of the RPC mechanism.
readahead - This service causes the programs used during startup to be loaded into memory before they are needed, thus improving startup performance
readahead-early - This service causes the programs used during startup to be loaded into memory before they are needed, thus improving startup performance
rpcgssd - Starts user-level daemon that manages RPCSEC GSS contexts for the NFSv4 client.
rpcidpamd - Starts user-level daemon for NFSv4 that maps user names to UID and GID numbers.
rpcsvcgssd - Starts user-level daemon that manages RPCSEC GSS contexts for the NFSv4 server.
smartd - Self Monitoring and Reporting Technology (SMART) Daemon
syslog
xinetd

Tole laufa na runlevel 3 .. Isto je za runlevel 5... Kere lahka se ugasnem?

2.netstat -natup | grep LISTEN mi tole vrze vn...

[root@localhost dork]# netstat -natup | grep LISTEN
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 4487/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4467/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4680/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4647/mDNSResponder

Je to use kul?

3. Popravke za Fedoro opravlja up2date program, ki ni najboljsi glede na to da sm ucer prenesu skupej 150 updejtov in mi je recimo Thunderbirda updejtal na 0.9.

4. iptables laufajo.

Se kksn predlog?

hruske ::

Seveda so predlogi :D

Če kaj nucas poganjat na tcp, potem načeloma skušaš to spravit na 127.0.0.1, ker je to dostopno samo tebi.

primer:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4680/cupsd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4647/mDNSResponder

ta servisa sta dostopna samo lokalno na tem računalniku, na mreži jih ni videt.

Ti dve se ti še splača izklopit, če nimaš linux/unix omrežja z NFS omrežnim datotečnim sistemom.

tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 4487/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4467/portmap

Probi izklopit nfslock, rpcgssd, rpcidpamd, rpcsvcgssd in portmap.
Kalkulator nove omrežnine 2024 - https://omreznina.karlas.si/Kalkulator

d0rK ::

Okej sm ugasnu se une service k se napisu, ostale bom pa se zgooglu pa vidu ce jih rabm al ne.. Tole me pa se zanima:

1. Na racunalniku mam tele racune:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
dork:x:500:500:/home/dork:/bin/bash

Mi lahka prosim poves kerih ne rabm, in kako le-te zbrisem? userdel komanda ne prime....Cim vec bi jih zbrisu...Oz kr use razn root pa mene ;).

[root@localhost dork]# userdel -r games
bash: usrdel: command not found

2. Preveru sm /etc/securetty za kksne psevdo racune, ki bi omogodal remote login kot root in jih ni.

3. V .bash_progile sm dou " HISTFILESIZE=0 " tko da se mi nubena komanda ne shran v .bash_history.

4. Tole bi se rd naredu pa rabm tvojo pomoc...

First we will create the wheel group. The wheel group is a group of select individuals that can execute powerful commands, such as /bin/su. By limiting the people that can access these commands, you enhance the system security. To create the group, vi the file /etc/group, create the group wheel, and add the system admins to the group. Then identify critical system binaries, such as /bin/su. Change the group ownership to wheel, and the permissions to owner and group executable only (be sure to maintain the suid or guid bit for specific binaries). For /bin/su, the commands would be:

/bin/chgrp wheel /bin/su
/bin/chmod 4750 /bin/su

Ce bi zbrisu use racune razn mene in roota najbrz tega nebi rabu, ampak, ce je pa kksn o unih racunov se nujen za sistem bi pa tut tole lahka naredu pa me zanima. A tole potem ce bi v to "wheel" skupino dodou mene pa root, da bi lahka jz potem lahka sistemske komadne izvajou brez da bi se logirou kot root al ne?
Ker to mi nebi bilo vsec...


4. Second, we will lock down the files .rhosts, .netrc, and /etc/hosts.equiv. The r commands use these files to access systems. To lock them down, touch the files, then change the permissions to zero, locking them down. This way no one can create or alter the files. For example,

/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv

Pa tole ce mi lahko razlozis kako to storim....


Pa se enkrat hvala za pomoc :).


Lep pozdrav,

d0rK

Zgodovina sprememb…

  • spremenil: perci ()

borchi ::

Mi lahka prosim poves kerih ne rabm, in kako le-te zbrisem? userdel komanda ne prime....Cim vec bi jih zbrisu...Oz kr use razn root pa mene ;).


DON'T!!! itak vidiš, da imata shell dostop samo root in ti.
glede wheel grupe, dej v njo samo sebe, da se boš lahko prijavu kot root iz svojega accounta. če si v wheel ne pomeni, da lahko delaš vse kar dela root! mal si poglej /etc/group. pa ne kj na pamet spreminjat, ker bo kr naenkrat ugotovil, da pol stvari ne dela, ker se boš povsod zaletaval v permissions zidove.
l'jga

CCfly ::

Ne briši uporabnikov, ker so nekateri namenjeni poganjanju servisov, kot so ftp, apache, ...
Ti uporabniki so ti le v pomoč, kar se tiče varnosti.
"My goodness, we forgot generics!" -- Danny Kalev

hruske ::

NE brisat uporabnikov. Tisti, ki so tam, so z namenom tam.

Samo imej posodobljene programe, ki se povezujejo na internet in strežnike izklopljene, pa si precej varen.
Kalkulator nove omrežnine 2024 - https://omreznina.karlas.si/Kalkulator

mte ::

hm..zanima me s kakšnim namenom je tam grupa games?

CCfly ::

Notri so uporabniki, ki jim je dovoljeno igrati igrice, ki so shranjene v /usr/games
"My goodness, we forgot generics!" -- Danny Kalev

mte ::

Se pravi praktično če nimaš nobene igrice tam in tudi nimaš nobenega namena da bi jih inštaliral, potem ne bi smelo bit problema če se grupo izbriše? sicer je ne nameravam izbrisati (pač ne popravljaj nečesa kar dela), ampak me zanima kakšno je teoretično ozadje zadeve..

CCfly ::

Ja lahko bi jo zbrisal ampak kar se tiče varnosti je nenevarna, ker uporabniki skupine nimajo določene prave lupine ampak /bin/false.
"My goodness, we forgot generics!" -- Danny Kalev

Poldi112 ::

Moja iptables pravila so 100X primitivnejsa. V tistih je vse zivo. Se nat.

iptables="/sbin/iptables"
$iptables -P FORWARD DROP
$iptables -P INPUT DROP
$iptables -A INPUT -p tcp -m tcp --destination-port 22 -j ACCEPT
$iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -s 127.0.0.1 -j ACCEPT
$iptables -A INPUT -i ! lo -j DROP
Where all think alike, no one thinks very much.
Walter Lippmann, leta 1922, o predpogoju za demokracijo.

d0rK ::

Uredu, bom pol pustu tiste accje .... Te dni se ze kr dobr znajdm v sistemu ...


Meu sm ene komplikacije sam s aMule in pa Fortune igrico. Ampak bom ze nekak resu.


Vredno ogleda ...

TemaSporočilaOglediZadnje sporočilo
TemaSporočilaOglediZadnje sporočilo
»

Dnsmasq problem

Oddelek: Omrežja in internet
131056 (683) BlaY0
»

[Alternatvni Firmware za router] Vprašanja in težave

Oddelek: Operacijski sistemi
51565 (835) BivšiUser2
»

dnsmasq problem

Oddelek: Omrežja in internet
121884 (1624) poweroff
»

iptables problem

Oddelek: Operacijski sistemi
242275 (2041) poweroff
»

ProtFtp Passive mode in iptables

Oddelek: Programska oprema
252268 (2090) SasoS

Več podobnih tem