Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Secure Linux 1
- Thread starter hnd
- Start date
-
1
- #3
The question is vague, but I will assume it was a web server that was hacked. I have used a distro call Engarde linux for my webserver. It has been up on the public net for a year now with no hacks. This is relying only on application security, there was no firewall.
It uses LIDS and tripwire among other technologies. I suggest you pay the 50$ to purchase it as the updates are quite valuable. You can however get a community version and do the updates by hand. Make sure you join the mailing list!
It uses LIDS and tripwire among other technologies. I suggest you pay the 50$ to purchase it as the updates are quite valuable. You can however get a community version and do the updates by hand. Make sure you join the mailing list!
- Thread starter
- #4
I do not know details on security features installed on that place.
The Hack was very sophisticated. Basically a windows Computer was hacked and a keylogger was installed there to get the Superuser Password of the Linux Server. Nobody was aware of that hack.
In the last 6 (?) weeks there had been made a lot of very sophisticated System Modifications (for example: make an entry in the Backup log, but don't perform a Backup....)
This week the Hacker erased all logfiles, all databases, User Programs, Websites.... really everything from the disks and crashed the System.
My Idea: I know from UNIX System 5, there is an enhanced Security Package which raises the security level at least to C2 (see Orange book), perhaps higher. Is there something like this for Linux?
Thank you very much
hnd
hasso55@yahoo.com
I would say the hack was not sophisticated at all. I would also say that the hack did not occur because of a breach in linux security. Even if you were logging into a system with C2 security it would not help you because you left yourself wide open by logging in from a Windows box with nonexistant security.
If you would look at the web page I have already posted, you would see an easy to use Linux with kernel level access control and as much auditing as you can handle.
SUSE is a good linux with good security. You need to start by securing your windows box. Wipe your hard drive and reinstall windows. Apply all service packs and don't run any services. Do not use an instant messenger client. Download Tiny Personal firewall and learn how to use it. Download a decent antivirus.
There is no magic "C2" bullet that is going to make security effortless. You need to start by simply taking common sense steps so that you are not rooted by a script kiddie once again.
C2 Specifications:
I would say off hand that engarde meets these specs, however It's up to you to at least do a little research.
If you would look at the web page I have already posted, you would see an easy to use Linux with kernel level access control and as much auditing as you can handle.
SUSE is a good linux with good security. You need to start by securing your windows box. Wipe your hard drive and reinstall windows. Apply all service packs and don't run any services. Do not use an instant messenger client. Download Tiny Personal firewall and learn how to use it. Download a decent antivirus.
There is no magic "C2" bullet that is going to make security effortless. You need to start by simply taking common sense steps so that you are not rooted by a script kiddie once again.
C2 Specifications:
I would say off hand that engarde meets these specs, however It's up to you to at least do a little research.
- Thread starter
- #6
Meekro:
Thank you for your rapid answer. The purpose why i am asking at least C2 Level is The audit function. The problem was that: How could a Hacker prepare this crash for minimum 6 Weeks and nobody detected him. Therefore I am looking for better Trace and Audit facilities which are usually implemented in C2/B1 Packages.
I know that a lot of Security is Handling or Misshandling the security guidelines. But some things have to be supported by OS.
I think: each system may become compromised. But with a high Level Security Package such a hack may be detected very easy.
hnd
hasso55@yahoo.com
Thank you for your rapid answer. The purpose why i am asking at least C2 Level is The audit function. The problem was that: How could a Hacker prepare this crash for minimum 6 Weeks and nobody detected him. Therefore I am looking for better Trace and Audit facilities which are usually implemented in C2/B1 Packages.
I know that a lot of Security is Handling or Misshandling the security guidelines. But some things have to be supported by OS.
I think: each system may become compromised. But with a high Level Security Package such a hack may be detected very easy.
hnd
hasso55@yahoo.com
You can add LIDS to SUSE, and Tripwire can help with intrusion detection as well. Also you can use LIDS to make certain files immutable. LIDS is difficult to install though, that's why I suggest Engarde as they have done most of the work already... I looked at the site, and they do not offer the 50$ version anymore though. You can still download the community version for free though. Try this site instead of the .com
- Thread starter
- #8
Hi,
Have you seen the nsa security enhanced linux project ( ? It doesn't specifically go for C2 (or above!) as its currently lacking in the audit trail area but, bearing in mind who is doing it, it is certainly worth a look. See also -->
Another one to look at is Bastille linux -->
Also have a look at this from sans which has a few more links at the bottom -->
Hope this helps
Have you seen the nsa security enhanced linux project ( ? It doesn't specifically go for C2 (or above!) as its currently lacking in the audit trail area but, bearing in mind who is doing it, it is certainly worth a look. See also -->
Another one to look at is Bastille linux -->
Also have a look at this from sans which has a few more links at the bottom -->
Hope this helps
Oh, in case anyone didn't know -- C2 security is void if you install a network card. It's only valid for standalone computers, and what's the use of that?
But, in case you are Uber-paranoid, you can run TinFoil Hat Linux:
Chip H.
But, in case you are Uber-paranoid, you can run TinFoil Hat Linux:
Chip H.
- Thread starter
- #11
Chiph
It is true, that those Classifications are valid as Standalone solutions only.
But as i have written before, I do not need a certification. I want to have a reliable Audit/Trace System which allows a fast detection of such an intruder.
Such Systems are required in C2 or better OS.
hnd
hasso55@yahoo.com
It is true, that those Classifications are valid as Standalone solutions only.
But as i have written before, I do not need a certification. I want to have a reliable Audit/Trace System which allows a fast detection of such an intruder.
Such Systems are required in C2 or better OS.
hnd
hasso55@yahoo.com
Guest_imported
New member
- Jan 1, 1970
- 0
You got rooted by allowing an insecure access client too
much info.
Allowing access from an unrestricted internal net is the
number one way to get rooted. Your server could be tighter than (anatomical reference) from the public internet but
unless your security is holistic you have nothing.
Trust nothing. Encrypt everything.
CIPE is good between linux peers on an intranet: there is even cipe for win32. Only use services that are encrypted or can be wrapped (stunnel sslwrap).
In the end you are still vulnerable if someone gets inside.
Using switches rather than hubs is not a huge obstacle anymore but it helps, running an internal ids is incredibly useful. Using managed, logging switches with access control is excellent alongside snort or another ids.
much info.
Allowing access from an unrestricted internal net is the
number one way to get rooted. Your server could be tighter than (anatomical reference) from the public internet but
unless your security is holistic you have nothing.
Trust nothing. Encrypt everything.
CIPE is good between linux peers on an intranet: there is even cipe for win32. Only use services that are encrypted or can be wrapped (stunnel sslwrap).
In the end you are still vulnerable if someone gets inside.
Using switches rather than hubs is not a huge obstacle anymore but it helps, running an internal ids is incredibly useful. Using managed, logging switches with access control is excellent alongside snort or another ids.
I use Red Hat as opposed to SuSE, but I would check out I belive they are preparing to offer support for SuSE. That is a nice one step plan to make Linux pretty hard.
I think securing a box attached to the internet is like padlocking a fence... you only deter the innocent and slow down the guilty.
You may be way beyond this, but I would start by cutting back on the services you run on the server. Also don't allow anyone to telnet into your server, use ssh unless you need to. Also don't allow root to telnet or ssh onto your server directly. And only logon to the servers root account from "known safe" machines. if SuSE has an eqivalent to ipchains I would consider that a must. I guess you will need to tighten security on your PCs (if you have NT or 2k that shouldn't be a problem, but 95/98 machines are almost in-securable), but I would put a IDS or packet analyzer on the network and look for bad traffic, stuff like bo2k.
I hope this is helpful.
I think securing a box attached to the internet is like padlocking a fence... you only deter the innocent and slow down the guilty.
You may be way beyond this, but I would start by cutting back on the services you run on the server. Also don't allow anyone to telnet into your server, use ssh unless you need to. Also don't allow root to telnet or ssh onto your server directly. And only logon to the servers root account from "known safe" machines. if SuSE has an eqivalent to ipchains I would consider that a must. I guess you will need to tighten security on your PCs (if you have NT or 2k that shouldn't be a problem, but 95/98 machines are almost in-securable), but I would put a IDS or packet analyzer on the network and look for bad traffic, stuff like bo2k.
I hope this is helpful.
- Status
Similar threads