So I'm setting up a Linux fileserver... operating systems
Old 11-18-2010, 09:58 PM   #1
PleaseSimplify
New Member [01%]
 
MBTI: INTP
Join Date: Nov 2010
Posts: 9
 
I wanted to play around with Linux and its security, so I'm in the process of setting up a little server.
Here is my question: Does anyone have suggestions for learning how to set up tight security?

I want to start out a local transparent NFS system, and move on to setting up a small Apache server on my home network. I feel as if the best approach to security would be knowing how to bypass it as well, so I know what I need to look out for. Note: I'm not looking for cracking advice, I don't have aspirations of being a "hacker". I would, however, like to know about network security workarounds so I know where any security holes would be.

Basically, I'm operating under the principle that there is no better chaperon than an old stinker with a good memory.

Old 11-18-2010, 11:27 PM   #2
Savagelight
Veteran Member [56%]
 
MBTI: INTJ
Join Date: Jul 2010
Posts: 2,267
 
Use a hardware firewall. Don't use the computer for anything other than hosting the web server; this means do not install a browser or any unnecessary programs which may have backdoors. Choose a secure 32-character random password. Change this password at least once a week. If you need absolute security, change this password once a day.

If you follow these basic instructions it's very unlikely that you'll get hacked into. If you need to harden your Linux server then you can worry about that after you have it set up and running.
Old 11-19-2010, 06:30 AM   #3
tooboku
Member [36%]
MBTI: INTJ
Join Date: Mar 2010
Posts: 1,479
 
A hardware firewall is overkill for a HOME setup. I wouldn't go overboard with the security because of that. The biggest thing is to not be a target and as long as your WiFi is set up properly and everything is hiding behind the NAT of your home router, you should be fine. The only other thing on top of that would be a good anti-virus for Linux and keep your patching up to date.

Honestly, the password suggestion is also overkill to the point where it is ridiculous. I hope Savagelight is joking. If you feel like setting it up, self-signed certificates are even more secure and less pain in the long run... that is also overkill however.

Security isn't just about restricting access. There has to be a balance between making it work well and preventing unauthorized access. For a home setup, the balance is easy as the risk involved is minimal. Just be careful of what sites you visit, what personal information you put on the system, and what software you install.

Fedora is pretty simple and secure out of the box as with CentOS. I would move towards CentOS myself as it is a little more minimalistic. Stay away from Ubuntu, I use it to practice hacking techniques, it's also a pain if something ever goes wrong. DVL (Damn Vulnerable Linux) I believe is also loosely based off of Ubuntu or some perversion of Debian.
Old 11-19-2010, 01:43 PM   #4
rufsketch1
Member [27%]
MBTI: INTP
Join Date: Dec 2008
Posts: 1,102
 

  Originally Posted by Savagelight
Use a hardware firewall. Don't use the computer for anything other than hosting the web server; this means do not install a browser or any unnecessary programs which may have backdoors. Choose a secure 32-character random password. Change this password at least once a week. If you need absolute security, change this password once a day.

If you follow these basic instructions it's very unlikely that you'll get hacked into. If you need to harden your Linux server then you can worry about that after you have it set up and running.

If every day someone runs the same dictionary attack on you; then by changing your password every day, you're increasing the odds that the dictionary attack is successful :-P.

Old 11-19-2010, 01:46 PM   #5
kesu
New Member [01%]
MBTI: ENFP
Join Date: Nov 2010
Posts: 37
 

  Originally Posted by rufsketch1
If every day someone runs the same dictionary attack on you; then by changing your password every day, you're increasing the odds that the dictionary attack is successful :-P.

I don't see how that is statistically true.

Old 11-19-2010, 05:09 PM   #6
runrabbitrun
Member [02%]
MBTI: INTj
Join Date: Aug 2010
Posts: 86
 

  Originally Posted by PleaseSimplify
I wanted to play around with Linux and its security, so I'm in the process of setting up a little server.
Here is my question: Does anyone have suggestions for learning how to set up tight security?

I want to start out a local transparent NFS system, and move on to setting up a small Apache server on my home network. I feel as if the best approach to security would be knowing how to bypass it as well, so I know what I need to look out for. Note: I'm not looking for cracking advice, I don't have aspirations of being a "hacker". I would, however, like to know about network security workarounds so I know where any security holes would be.

Basically, I'm operating under the principle that there is no better chaperon than an old stinker with a good memory.


There are a lot of system hardening docs online. I'd search for "<distro_name> hardening", or just "Linux hardening" if you're using an obscure distribution. Most of this involves locking down system accounts, cranking up logging, maybe forwarding logs to another system, turning off unused services/daemons, and fine-tuning permissions.

Read up on nmap, iptables (ugh..), maybe check out wireshark & any other network tools out there. Probably wouldn't hurt to sign up for a security alert mailing list/rss feed.

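The "turn off unused services" step from the post above, as an added example that is not part of the original thread: a short Python audit that reads a `/proc/net/tcp` listing and reports TCP listeners outside an allowlist. The sample listing is constructed, and the allowlist (SSH, Apache, rpcbind, NFS) is an assumption based on the server the original poster describes.

```python
import ipaddress

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Addresses are hex in host byte order; this sample assumes a little-endian
# machine (x86, most ARM), so 0100007F is 127.0.0.1.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003
   3: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11004
   4: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11005
   5: 00000000:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11006
   6: 0A01A8C0:0016 1401A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 11007
"""

TCP_LISTEN = "0A"  # kernel socket state code for LISTEN

# Assumed allowlist for a home NFS + Apache box administered over SSH.
ALLOWED_PORTS = {22: "sshd", 80: "Apache", 111: "rpcbind", 2049: "nfsd"}


def parse_listeners(text):
    """Yield (address, port) for every IPv4 socket in LISTEN state."""
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an index such as "0:"; the header row does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        hex_ip, hex_port = fields[1].split(":")
        ip_int = int.from_bytes(bytes.fromhex(hex_ip), "little")
        yield str(ipaddress.IPv4Address(ip_int)), int(hex_port, 16)


def audit(text, allowed=ALLOWED_PORTS):
    """Return unexpected listeners as (address, port, exposure), sorted by port."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in allowed:
            continue
        if ipaddress.ip_address(addr).is_loopback:
            exposure = "loopback only"
        elif addr == "0.0.0.0":
            exposure = "all interfaces"
        else:
            exposure = "one interface"
        findings.append((addr, port, exposure))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of the sample.
    for addr, port, exposure in audit(SAMPLE_PROC_NET_TCP):
        print(f"unexpected listener {addr}:{port} ({exposure})")
```

IPv6 listeners live in `/proc/net/tcp6` with a different address encoding and are not covered by this parser.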
Old 11-19-2010, 06:21 PM   #7
Savagelight
Veteran Member [56%]
 
MBTI: INTJ
Join Date: Jul 2010
Posts: 2,267
 

  Originally Posted by rufsketch1
If every day someone runs the same dictionary attack on you; then by changing your password every day, you're increasing the odds that the dictionary attack is successful :-P.

I think it's the exact opposite. Also it's not dictionary attacks you have to worry about.

---------- Post added 11-19-2010 at 06:25 PM ----------

  Originally Posted by tooboku
A hardware firewall is overkill for a HOME setup. I wouldn't go overboard with the security because of that. The biggest thing is to not be a target and as long as your WiFi is set up properly and everything is hiding behind the NAT of your home router, you should be fine. The only other thing on top of that would be a good anti-virus for Linux and keep your patching up to date.

Honestly, the password suggestion is also overkill to the point where it is ridiculous. I hope Savagelight is joking. If you feel like setting it up, self-signed certificates are even more secure and less pain in the long run... that is also overkill however.

Security isn't just about restricting access. There has to be a balance between making it work well and preventing unauthorized access. For a home setup, the balance is easy as the risk involved is minimal. Just be careful of what sites you visit, what personal information you put on the system, and what software you install.

Fedora is pretty simple and secure out of the box as with CentOS. I would move towards CentOS myself as it is a little more minimalistic. Stay away from Ubuntu, I use it to practice hacking techniques, it's also a pain if something ever goes wrong. DVL (Damn Vulnerable Linux) I believe is also loosely based off of Ubuntu or some perversion of Debian.

The password should always be long, random, and constantly changing. That is a critical part of security. Access control is also important, this has to do with the permissions.

Also it's stupid to use a server to visit ANY websites ever or do anything other than what it's set up for. The more stuff you put on it, the more sites you visit, the more openings you give.

Old 11-19-2010, 09:41 PM   #8
chaostheory
Member [20%]
MBTI: INTJ
Join Date: Jun 2010
Posts: 814
 
The most important thing, if not the most important besides updating your passwords - always keep up-to-date with developer patches, keep everything updated.

Even still, and not to sound like a downer here, if a hacker has the determination and skill... and really wants into your box - he will find a way, it's only a matter of time. If you are really paranoid you could set up a mini-DMZ for your home webserver.
Old 11-20-2010, 05:54 PM   #9
tooboku
Member [36%]
MBTI: INTJ
Join Date: Mar 2010
Posts: 1,479
 

  Originally Posted by Savagelight
I think it's the exact opposite. Also it's not dictionary attacks you have to worry about.

---------- Post added 11-19-2010 at 06:25 PM ----------



The password should always be long, random, and constantly changing. That is a critical part of security. Access control is also important, this has to do with the permissions.

Also it's stupid to use a server to visit ANY websites ever or do anything other than what it's set up for. The more stuff you put on it, the more sites you visit, the more openings you give.

I don't know where this logic comes from but information security is what I do for a living. I manage vulnerability assessment and patch compliance management at the 2nd most secure bank on the continent.

If you mean that the root password is locked out and set on random password rotation, that would at least make some sense as long as there was at least one sudoer. My Fedora install on my laptop is set up to do this. However, the whole point of this exercise is being overlooked.

Dude wants a simple home server for his INTRANET. It's a toy for him to play around with and have fun. The level of restrictions you suggested in the first post is outweighed by the utility lost, especially when a hardware firewall was suggested. Do you understand how much one of those costs and the level of aptitude you would need to configure it? This is well beyond the level to which the OP is targeted to operate at.

Again, it is simple as the requirements are simple. Secure the wireless, hide behind the NAT, minimize the installed applications, and keep your patching up to date.

As per learning how to bypass security, it is much too wide a field to cover in a few sentences.


[link not shown]

That is probably one of the better intermediate resources you can find.

Do your password trick if you want but if someone really wanted to, they could spawn a root shell regardless. Patching is much more important as it addresses the low level issues as suggested in the article. A randomized stack for example would make the suggested attack in the article very difficult to pull off. However, NOP sledding until you find the magic spot is a lot easier than hijacking a supercomputer to do a simple birthday attack, which is the route a serious hacker would take.

 

Last edited by tooboku; 11-20-2010 at 06:17 PM.
Old 11-20-2010, 06:42 PM   #10
Savagelight
Veteran Member [56%]
 
MBTI: INTJ
Join Date: Jul 2010
Posts: 2,267
 

  Originally Posted by tooboku
I don't know where this logic comes from but information security is what I do for a living. I manage vulnerability assessment and patch compliance management at the 2nd most secure bank on the continent.

We both do information security for a living. If you won't name the bank I'll take that as typical braggadocio in an attempt to improve your argument by catering to people's tendencies to listen to those who claim to be "experts" in their fields.

  Originally Posted by tooboku
If you mean that the root password is locked out and set on random password rotation, that would at least make some sense as long as there was at least one sudoer. My Fedora install on my laptop is set up to do this. However, the whole point of this exercise is being overlooked.

What other password did you think I was talking about? The root password is the most important password on the system.

  Originally Posted by tooboku
Dude wants a simple home server for his INTRANET. It's a toy for him to play around with and have fun. The level of restrictions you suggested in the first post is outweighed by the utility lost, especially when a hardware firewall was suggested. Do you understand how much one of those costs and the level of aptitude you would need to configure it? This is well beyond the level to which the OP is targeted to operate at.

It's not difficult to change the password each week, print it out or write it down, and keep it in a login notebook. The root password ought to be changed at regular intervals just because it's a good habit if you want to take security seriously. If it's a server that isn't just a toy or if he's interested in actually learning about security he should do this.
Example:

[link not shown]


You take a list of files and write that down or memorize the order of those files. Each file is an object password. So if you simply write down or remember the list of files you can remember the list of passwords for 12 months and have the password change for 12 months. Just write the name of the file on your calendar and it's firefox.exe month. You can also use photos of certain people each month. Simple.

  Originally Posted by tooboku
Again, it is simple as the requirements are simple. Secure the wireless, hide behind the NAT, minimize the installed applications, and keep your patching up to date.

I would not advocate using wireless at all but if you must use it then secure it behind a pseudo-randomly generated password which changes at set intervals. Chances are if hackers want to get in they'll get in through wifi but with this password he can store it in cache and not have to remember it. He just has to store it behind his master password or root password. All of his passwords should be stored in a file behind a master password and never stored in cleartext.

  Originally Posted by tooboku
As per learning how to bypass security, it is much too wide a field to cover in a few sentences.


[link not shown]

That is probably one of the better intermediate resources you can find.

To bypass wireless is not all that difficult. If he uses wireless there is probably software out there to crack the password.

  Originally Posted by tooboku
Do your password trick if you want but if someone really wanted to, they could spawn a root shell regardless. Patching is much more important as it addresses the low level issues as suggested in the article. A randomized stack for example would make the suggested attack in the article very difficult to pull off. However, NOP sledding until you find the magic spot is a lot easier than hijacking a supercomputer to do a simple birthday attack, which is the route a serious hacker would take.

The password trick isn't to stop remote exploitation. Changing the password is just about access control, it makes it more difficult but not impossible. By changing the password you can be sure they won't get in that way, but if you don't have a firewall and don't keep up with patches then you'll be open to a zero-day exploit. The most important thing is not to use the server computer for anything other than what it was built for.

This means you don't use that computer to browse the web. You don't use it to read emails or chat. You don't expose it to any openings which a hacker can exploit so as to keep its profile low. Most hackers aren't sophisticated or determined and just hack anyone who is dumb enough to click on a certain link, open a certain file, or use a certain piece of software. If you don't click on any links, open any unnecessary files, run any unnecessary software, it's very difficult to find an opening remotely, especially if you are behind a firewall.

Old 11-20-2010, 08:19 PM   #11
tooboku
Member [36%]
MBTI: INTJ
Join Date: Mar 2010
Posts: 1,479
 
You can say you're in IS as well. Fine.

At this point though, my advice is given. It is accepted or rejected at the discretion of the reader. Nothing more.

Again, you are missing the context of the original request.

As per my employer, I've already given you enough information to figure it out.
Old 11-20-2010, 10:18 PM   #12
Savagelight
Veteran Member [56%]
 
MBTI: INTJ
Join Date: Jul 2010
Posts: 2,267
 

  Originally Posted by tooboku
You can say you're in IS as well. Fine.

At this point though, my advice is given. It is accepted or rejected at the discretion of the reader. Nothing more.

Again, you are missing the context of the original request.

As per my employer, I've already given you enough information to figure it out.

That's fine but I hesitate on telling him how to bypass his security. As far as how to secure a server I gave him good advice. If he wants to try different methods to break into his own server this shouldn't be too difficult if he can read source code, compile it, use a port scanner or wifi sniffer. They found a huge bug in Linux (Ubuntu) just recently that allows someone to get root remotely from a browser exploit. Of course if you patch it up it's not a problem but that still does not stop zero-day exploits and that's why I said do not use the browser on a computer you don't want to be hacked. If he wants to practice hacking into it, there's enough exploit code out there that he can. If he can read and write code or has a knack for it he may be able to find exploits of his own.

Old 11-20-2010, 10:34 PM   #13
Traverser
Veteran Member [53%]
This is not a new world. It is simply an extension of what began in the old one.
MBTI: INTJ
Join Date: Nov 2010
Posts: 2,145
 

  Originally Posted by Savagelight
To bypass wireless is not all that difficult. If he uses wireless there is probably software out there to crack the password.

You bring up a valid point, but I'd be more concerned about the individual users than a wireless hijacker, as they'll be the ones using this system 24/7. This is not to say that hijackers aren't a threat, just a less probable one given the measures tooboku described.

  Originally Posted by Savagelight
Most hackers aren't sophisticated or determined and just hack anyone who is dumb enough to click on a certain link, open a certain file, or use a certain piece of software. If you don't click on any links, open any unnecessary files, run any unnecessary software, it's very difficult to find an opening remotely, especially if you are behind a firewall.

Agreed. Concerning Tooboku's stance on hardware firewalls being "overkill" in terms of expense, I believe anyone could transform an old machine into one using readily available software for ultra cheap.

However, I will agree with him that it is an unnecessary measure if the network is as severely limited as you suggested. No internet? Then why a firewall?

---------- Post added 11-21-2010 at 12:44 AM ----------

  Originally Posted by tooboku
Stay away from Ubuntu, I use it to practice hacking techniques, it's also a pain if something ever goes wrong. DVL (Damn Vulnerable Linux) I believe is also loosely based off of Ubuntu or some perversion of Debian.

What on earth are you talking about? I will agree that the default comes with some flaws, but the system as a whole is a hell of a lot more secure and customizable than Windows. Closing ports and ditching unsecure programs is a breeze.

  Originally Posted by tooboku
DVL (Damn Vulnerable Linux) I believe is also loosely based off of Ubuntu or some perversion of Debian.

DVL is a Slackware-based Linux distro, with intentionally-built-in exploits. You're way off.

Old 11-21-2010, 07:47 AM   #14
tooboku
Member [36%]
MBTI: INTJ
Join Date: Mar 2010
Posts: 1,479
 

  Originally Posted by Savagelight
That's fine but I hesitate on telling him how to bypass his security. As far as how to secure a server I gave him good advice. If he wants to try different methods to break into his own server this shouldn't be too difficult if he can read source code, compile it, use a port scanner or wifi sniffer. They found a huge bug in Linux (Ubuntu) just recently that allows someone to get root remotely from a browser exploit. Of course if you patch it up it's not a problem but that still does not stop zero-day exploits and that's why I said do not use the browser on a computer you don't want to be hacked. If he wants to practice hacking into it, there's enough exploit code out there that he can. If he can read and write code or has a knack for it he may be able to find exploits of his own.

That's exactly what he wants. I won't deny that the password thing does something, otherwise I wouldn't use it on my laptop.

I don't see why wifi would be anything a home user would want to sacrifice to be more secure.

Zero day vulnerabilities take a while to catch on. Once SANS or a vendor publishes they found something, someone is usually onboard with patching it right away. True some people *cough* Microsoft *cough* don't release vulnerabilities until they've got a patch for it but if they don't know, most hackers don't know either. It then becomes a race between the patch being released and the ones that know how to exploit it to get to you. If updating patches is something you can get done on a daily basis the time you spend vulnerable to that specific issue is minimized.

As per the browser issue, I never endorsed it. If the OP wanted to do it, then that's fine but I imagine for this setup it would be something that the OP would SSH into.

And yes, that's exactly what the OP wanted. It's not so much making a bullet proof system as it is making a bulletproof enough system and understanding how it can be broken into. We have no idea what his budget for this is so I would have assumed that he's making it out of spare parts or at least nothing too expensive.

  Originally Posted by Traverser
You bring up a valid point, but I'd be more concerned about the individual users than a wireless hijacker, as they'll be the ones using this system 24/7. This is not to say that hijackers aren't a threat, just a less probable one given the measures tooboku described.



Agreed. Concerning Tooboku's stance on hardware firewalls being "overkill" in terms of expense, I believe anyone could transform an old machine into one using readily available software for ultra cheap.

However, I will agree with him that it is an unnecessary measure if the network is as severely limited as you suggested. No internet? Then why a firewall?

---------- Post added 11-21-2010 at 12:44 AM ----------



What on earth are you talking about? I will agree that the default comes with some flaws, but the system as a whole is a hell of a lot more secure and customizable than Windows. Closing ports and ditching unsecure programs is a breeze.

Fine, DVL is based off of Slackware. Big deal.

I wasn't recommending that the OP goes to Windows but Ubuntu being more secure than Windows? What the hell? Windows XP SP3 properly patched is EAL 4+. Ubuntu meets no criteria whatsoever to qualify it for government use. Ubuntu is open source which means anyone can look at the code, find exploits, and take advantage of them before telling anyone else. True, it is the same with all distros but Ubuntu gets the most attention.

But let's leave Windows out of this and just stick to Linux. Ubuntu vs. Fedora ... um ... easy.
Even Ubuntu vs. straight out Debian. You catching my drift? Ubuntu is the Windows Vista of the Linux world.

Old 11-21-2010, 10:20 AM   #15
Traverser
Veteran Member [53%]
This is not a new world. It is simply an extension of what began in the old one.
MBTI: INTJ
Join Date: Nov 2010
Posts: 2,145
 

  Originally Posted by tooboku
Ubuntu is open source which means anyone can look at the code, find exploits, and take advantage of them before telling anyone else.

Ubuntu is open-source which means anyone can look at the code, find exploits BEFORE installation, patch them, inform the world and share the patch. That's assuming you know how to read the source code anyway, or know someone who does.

  Originally Posted by tooboku
But let's leave Windows out of this and just stick to Linux. Ubuntu vs. Fedora ... um ... easy. Even Ubuntu vs. straight out Debian. You catching my drift? Ubuntu is the Windows Vista of the Linux world.

Ugh, I don't care if you think Fedora is superior to Ubuntu. That's not the point. You tried to compare Ubuntu to DVL and failed. While I agree that Ubuntu is not the best choice when it comes to server OSs (god knows I've had my share of bugs to overcome) it's not nearly the nightmare that you make it out to be.

Old 11-21-2010, 12:06 PM   #16
tooboku
Member [36%]
MBTI: INTJ
Join Date: Mar 2010
Posts: 1,479
 

  Originally Posted by Traverser
Ubuntu is open-source which means anyone can look at the code, find exploits BEFORE installation, patch them, inform the world and share the patch. That's assuming you know how to read the source code anyway, or know someone who does.

As a whole, the open source community is great. Some of the best utilities have come out of it but explain to me how someone who finds exploits and desires to profit off of them will be enforced to share his findings. This argument is naive and operates on the assumption that everyone will behave. If this were true, there wouldn't be any need for security in the first place.

Also, you always assume that the potential attacker has access to all the resources he needs - computing power and the ability to write kernels included. Learning how to code C to that level isn't that hard. Basic architecture knowledge, a couple Garry Nutt books and you're set.

  Originally Posted by Traverser
Ugh, I don't care if you think Fedora is superior to Ubuntu. That's not the point. You tried to compare Ubuntu to DVL and failed. While I agree that Ubuntu is not the best choice when it comes to server OSs (god knows I've had my share of bugs to overcome) it's not nearly the nightmare that you make it out to be.

I don't see how that was a failure, that DVL is based off of Slackware and not Debian? Big deal. Saying Ubuntu is more secure than Windows? That's what script kiddies say. Ubuntu was good at one point. It has passed its prime.

Again, the point of this exercise is being overlooked here.

- Build a server for the intranet
- Make it secure enough (why go Ubuntu when better options are just as easily accessible?)
- Understand how it might be exploited

Old 11-21-2010, 11:57 PM   #17
rufsketch1
Member [27%]
MBTI: INTP
Join Date: Dec 2008
Posts: 1,102
 

  Originally Posted by kesu
I don't see how that is statistically true.

  Originally Posted by Savagelight
I think it's the exact opposite. Also it's not dictionary attacks you have to worry about.

There are a finite number of characters in the Unicode standard. There is also (for multiple reasons) a finite limit to the length a password can be.

For convenience, let's assume that a password is limited to 4 bits.

Let's say I have a small dictionary comprised of just one word: 1011

I try it on your server one day, and it fails because the actual password is 1000. The next day, I try it again and it fails again, because the password has been changed to 1100. The following day, it fails yet again because the password has changed to 0001. The fourth day, you happen to change the password to 1011, and because of that, when I try my dictionary attack again, I have access to your server.

Whereas if you had never changed your password from 1000, my dictionary attack would constantly fail.

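The 4-bit argument in the post above, worked through as an added example that is not part of the original thread: exact probabilities for a fixed guess list against a never-changed versus a daily re-randomised password, with a Monte Carlo cross-check. It goes beyond the post by also covering an attacker who tries new guesses each day and a 32-character password; the 94-symbol alphabet and the guess rates are assumptions.

```python
import random
from fractions import Fraction


def p_fixed_list_static(space: int, list_size: int) -> Fraction:
    """Password drawn once, uniformly, and never changed.

    Replaying the same guess list on later days adds nothing: either the
    password was in the list on day one or it never will be.
    """
    return Fraction(list_size, space)


def p_rotating(space: int, guesses_per_day: int, days: int) -> Fraction:
    """Password redrawn uniformly every day.

    Each day is an independent chance of landing inside that day's guesses,
    whether the attacker replays one list or brings new guesses.
    """
    miss_one_day = 1 - Fraction(guesses_per_day, space)
    return 1 - miss_one_day ** days


def p_fresh_guesses_static(space: int, guesses_per_day: int, days: int) -> Fraction:
    """Password never changed; attacker tries NEW guesses every day.

    Guesses are never repeated, so coverage grows linearly until the whole
    space has been tried.
    """
    return min(Fraction(1), Fraction(guesses_per_day * days, space))


def simulate(space, guess_list, days, rotate, trials=20000, seed=1):
    """Monte Carlo estimate for the fixed-list attacker (seeded, repeatable)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        password = rng.randrange(space)
        for day in range(days):
            if rotate and day > 0:
                password = rng.randrange(space)  # daily change to a random value
            if password in guess_list:
                hits += 1
                break
    return hits / trials


# Assumption: 32 characters drawn uniformly from 94 printable ASCII symbols.
SPACE_32_CHARS = 94 ** 32

if __name__ == "__main__":
    space, days, guess_list = 2 ** 4, 4, {0b1011}  # the toy model from the post
    print("fixed list, static password  :", float(p_fixed_list_static(space, 1)))
    print("fixed list, rotating password:", float(p_rotating(space, 1, days)))
    print("fresh guesses, static        :", float(p_fresh_guesses_static(space, 1, days)))
    print("simulated rotating           :", simulate(space, guess_list, days, True))
    print("simulated static             :", simulate(space, guess_list, days, False))
    # Assumed rate: a billion guesses per day for a year against 32 random characters.
    print("32 chars, rotated daily, 1 yr:", float(p_rotating(SPACE_32_CHARS, 10 ** 9, 365)))
```

In the toy model a replayed list gains from rotation (1/16 becomes about 0.23 over four days), while against fresh guesses rotation is slightly better than a static password (about 0.23 versus 0.25); at 32 random characters every one of these probabilities is negligible.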
Old 11-22-2010, 07:05 AM   #18
tooboku
Member [36%]
MBTI: INTJ
Join Date: Mar 2010
Posts: 1,479
 
Moving away from theory though, there are some practical disadvantages to setting up passwords this way.

With the assumption that the hacker...
- knows what method you are using
- has the computing resources to attack
- has read this thread

We have the following things to worry about
- The file suggested containing the passwords is in effect a dictionary. A dictionary attack would succeed in seconds.
- Memorizing such a long password can easily create lockouts
- Manual password entry eliminates several bit combinations which translate into escape characters which reduces entropy


Logging in with a certificate is a much more convenient and overall secure method if you wanted to go that route.