Info

At this section you can find some technical info. At the moment this is limited to security related software.

Security


First of all: Security is NOT installing a (good) firewall. Good security will NOT last forever. Security is only as good as your weakest link. Perfect security doesn't exist, it's better to talk about hardening instead.

 

With this in mind it's always good to visit security related sites like securityfocus, neworder and sans often to learn about new vulnerabilities and exploits no matter how good you hardened your system. Also if your operating system has an update service, for example Redhat Network or Windows Update, you should subscribe to it, so you always have the latest security patches installed on your system. And finally don't rely on good security alone, always make backups for a worst case scenario!!

 

Security related software is available for all major operating systems. The scope of this text however is limited to my own experience, Microsoft Windows and Linux that is. I believe that good security is essential for any system that is connected to the Internet and not an optional purchase. Because of this I will only briefly talk about commercial security solutions for Microsoft Windows and describe some excellent opensource and freeware solutions for Linux in detail.

 

No matter what operating system you want to harden, the first thing you want to know is what you should protect in the first place. There are general guidelines for this, for example don't share your drives over the Internet with Microsoft Windows and don't use telnet under Linux over the Internet, but since we all use different setups it's better to look for the vulnerabilities that apply to your system. A good way to achieve this is to use a security audit tool. This can be a simple portscanner (like the one you can find on the main page of this site), but also a sophisticated scanner like sara, saint or nessus. Since both types of tools provide different data I recommend using both. Tools like sara, saint and nessus don't just scan your system for open ports, instead they use a database of vulnerabilities to check against. This way it can tell you for example that your mail server, which is a piece of software that is normally connected to the Internet, allows certain commands that could be dangerous and more important how you can disable this!!

 

After this you know which vulnerabilities apply to your system, how to fix them and which ports are open.

Every port corresponds with a certain service which is provided by a server, most port scanner know which service corresponds with each port, but you can also use your /etc/services file which looks like this

 

You should ask yourself which ports you want to give public access, ie do you want to allow ftp, telnet etc.

Under Windows NT (Windows NT, 2000, XP) you can block certain ports with the supplied firewall, otherwise you can use software like Zonealarm (not my favorite, exploits are continuously discovered!! But it's freeware), Mcafee Personal Firewall or NAI PGPdesktop (better but expensive). Under Linux you can use either a ipchains (2.2) or iptables (2.4) depending which version you use. Look at the howto's or use your favorite searchengine to find more sites on this subject:

 

- ipchains Howto

- iptables Howto

 

Now you have a server that's up to date, more secure (because of the vulnerabilities you found and fixed) and that only allows traffic you approved.

 

Most people are perfectly happy with this, there is however no way to detect attacks on the ports you left open and absolutely no way to detect or protect your system from successful intrusions. So we can call this bad security!!

 

What is needed is some kind of software so detect suspicious packets, this is called an Intrusion Detection System (IDS). Many different solutions exist so I won't give you the full list but instead limit myself to the ones I know about and favor.

 

Probably one of the best IDS systems for windows is blackice, because it monitors your network on the application level. This means it doesn't simply grants or denies access on any given port, but instead analyses all network traffic to find intrusion attempts including fragmented attacks and portscans. A good opensource free replacement for this commercial piece of software is without a doubt snort, but I consider this experimental.

 

Under Linux you should use snort, and perhaps also Guardian (included with snort) to block the hosts logged by snort entirely.

 

A different approach is to setup 'booby traps' on your system, most firewalls for Windows for example allow you to block an entire host if a connection to a blocked port is attempted. To achieve this under Linux you can use portsentry or dynfw. Portsentry opens a lot of ports that are known to be exploited by hackers and blocks every host that connects to one of these. With dynfw you setup certain ipchains / iptables rules to be logged, for example blocked connections to port 1080, dynfw then blocks the entire originating host.

 

Now we have a server that's up to date, more secure, that allows only certain traffic and that logs intrusion attempts.

 

Under Windows there's not much more to do then:

 

- Keep your system up to date

- Visit security related sites often:

 

securityfocus, neworder and sans

 

- Install a good virus scanner

- Make backups of your system

- Be careful with e-mail and software from unknown sources and scan your system often with a portscanner or security audit tool to look for possible listening trojans:

 

sara, saint and nessus

 

- If you're prepared to pay a large amount of money for a good piece of software, you can use your favorite searchengine to look for commercial software with functionality similar to the software for Linux I describe below. But there are alternatives, for example some virus scanners also detect changed files like a opensource solution like tripwire does.

 

The same applies for Linux, but we will take things a bit further. A good way to protect your system is to look for changed files. So install tripwire, this makes a password protected database with md5 hashes of your entire filetree which you can run later to look for files that shouldn't have changed. Another way is to alter the system itself to harden it against attacks, I will discuss three approaches:

 

- Libsafe, A library which defends against buffer overflow and format string attacks. This is the trick many exploits use to get access to your system. Easy to install.

 

- Openwall, a big project, I will only discuss their kernel patch. This changes your system on the kernel level to make many exploits impossible. Downside is that you will have to patch your kernel source and compile a new kernel.

 

- Lids, this is also a kernel patch that allows you to make system resources and your filesystem available in the same way as with ipchains. You can deny file access and raw io access to every file process and user for example!! Look at securityfocus for a detailed description on how to use lids.

 

If you are new to compiling kernels the best way is to look at your Documentation directory inside your source tree. Then compile with 'make xconfig' to get an easy to use interface with extensive help.

 

Now we have a server that is UNSTOPPABLE ....

 

 

Suggestions, typo's etc:

           

    

 

 

 

 

 

 

 

 

   

© JB 2001

 

Apache webserverAnimfactoryApache mod_perl

 

 

Modssl, SSL for Apache webserver

PHP, high level scripting language
MySQL website

 

 

 

 

 

 

 

Redhat.com[back to main page]

Last Modified: