LinuxQuestions.org

LinuxGod 02-27-2002 03:53 AM

<Linux Security HOWTO>
 
After reading some posts a lot of you have made, I have noticed questions about security, which Linux OS is the best, and how can I stop hackers from hacking me. Well, I am going to answer those questions and hope you take heed of them.

1. How can I secure my system?
Well, using any distribution of Linux requires some common sense as well; as we all know, your system is as secure as your weakest point.

Never install rpm, deb or tgz applications you do not intend to use, or if you do, follow up with patches. Also disable ports you don't intend to use. (A lot of you are wondering... How do I do that?) Change directory to /etc/ and vi or pico services; now be careful and don't disable critical ports to stop you from logging in. Also remove daemons you don't use or shut them off, and make sure you get rid of that telnet and install ssh2, not ssh1, as we know there is a major hack for ssh1. Now you can disable ssh1 by pico or vi /etc/ssh/sshd_config and making sure [ protocol 2 ] not 1, then restart ssh. Also get rid of wu-ftpd and install proftpd; you can download this at proftpd.org. I recommend the rpm for Red Hat users. Also there is a nice package called portsentry that allows you to detect port scans and block them using ipchains or iptables. Sendmail, the biggest hole of them all: well, I don't use it, I use postfix, which is easy to install and upgrade from sendmail to it just by downloading the rpm file and typing rpm -Uvh postf*.rpm. Make sure you read the docs to get a clear understanding of how it works, but I think it is pretty simple.

There is a lot more I can tell you on this issue, but first digest, then we will see.

Thanks

trickykid 02-27-2002 08:33 AM

You know they will still ask; as time goes by, this thread will keep getting further down the list as more questions are asked in this forum.... Good information, just not a good idea to post stuff like this, it just gets ignored most of the time.

-trickykid

unSpawn 02-27-2002 12:02 PM

I applaud your effort to try and set up some kind of howto, and not to put you off of it, but I think you should be way and way more specific if you want to succeed.

I would like to invite you (all) to add your knowledge to a /security forum FAQ we should start building. This won't become a "howto" I think, cuz there's lotsa howto's (fi. at linuxdoc.org, sans.org or cert.org) that handle (aspects of) security in general or specific, factual and meticulously...

scottpioso 05-14-2003 01:56 PM

This is for Linux God. You mention "rid of that telnet and install ssh2 not ssh1 as we know there is a major hack for ssh1 now you can disable ssh1 by pico or vi /etc/ssh/sshd_config"

As you can see, I have included my sshdconfig file. Where would I do what you are suggesting?

# $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
"ssh_config" 38L, 1167C
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
Host *
ForwardX11 yes
"ssh_config" 38L, 1167C

unSpawn 05-14-2003 02:54 PM

Moderator note: Scottpioso, please do not tack on your off topic question to a thread that is rather stale and over a year old: please create your own thread.

scottpioso 05-14-2003 03:44 PM

I have no idea what you mean.

unSpawn 05-14-2003 05:11 PM

"I have no idea what you mean."
1. This thread was made and last added to in 02/2002. In my book that's a rather old thread. Old threads don't need resurrection unless there's a damn good reason. Besides that we haven't heard from Linuxgod since 03/2002 so I would be surprised if he would actually answer :-]
2. The question you ask does not contribute to the topic of this thread.

Do you understand?

scottpioso 05-14-2003 05:25 PM

Okay, fine.

unSpawn 05-14-2003 05:34 PM

Btw, answering your question, if you have OpenSSH-v3.x, in the sshd_config the "Protocol 2,1" directive tells sshd what protocol versions to accept.
This should read "Protocol 2" to get rid of ssh clients trying to connect with ssh1.
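
Added example, not part of any post in the thread: a shell check for the point made in the last reply, reporting whether a server config still accepts SSH1. It also flags the mix-up seen earlier in the thread, where the client file ssh_config was posted instead of sshd_config. The function names, the sample files and the fallback default of 2,1 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: which SSH protocol versions does an sshd_config accept?

# effective_protocol FILE [DEFAULT]
# Print the value of the first uncommented Protocol line (the first value
# set wins). If the directive is absent or only commented out, print DEFAULT.
# DEFAULT=2,1 is an assumption taken from the commented default in the thread.
effective_protocol() {
    awk -v def="${2:-2,1}" '
        /^[ \t]*#/ { next }                     # commented lines have no effect
        tolower($1) == "protocol" && !seen { val = $2; seen = 1 }
        END { print (seen ? val : def) }
    ' "$1"
}

# accepts_ssh1 FILE: succeed if protocol 1 is in the accepted list.
accepts_ssh1() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# is_client_config FILE: succeed if the file has a Host block, which only
# the client file ssh_config uses (the mix-up made in the thread).
is_client_config() {
    awk 'tolower($1) == "host" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample files, not taken from any real host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Port 22' '#Protocol 2' 'Protocol 2,1' > "$tmp/sshd_weak"
printf '%s\n' 'Port 22' '  protocol 2' 'Protocol 2,1' > "$tmp/sshd_fixed"
printf '%s\n' '# Protocol 2,1' 'Host *' 'ForwardX11 yes' > "$tmp/ssh_client"

for f in "$tmp"/*; do
    if is_client_config "$f"; then
        echo "$f: client ssh_config, edit sshd_config instead"
    elif accepts_ssh1 "$f"; then
        echo "$f: accepts SSH1 (Protocol $(effective_protocol "$f"))"
    else
        echo "$f: SSH2 only"
    fi
done
```

On a real host, point the functions at /etc/ssh/sshd_config; sshd has to be restarted before a changed Protocol line takes effect.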


All times are GMT -5.