Securing a Linux machine
Thread Starter
Join Date: Mar 2004
Location: Bournemouth, UK
Age: 53
Posts: 133
Likes: 0
Received 0 Likes
on
0 Posts
Securing a Linux machine
I have a Linux machine at home and I'm wondering if there is anything I can do to protect the machine against attacks. I have iptables up and running, blocking all ports except 23 (ssh), 80 (http) and a few other, i.e. for Samba. It is open to the internet because it is running a web site. My worry is that I've left a back door open and that a spammer will hijacked my machine to do his dirty deed.
Any hints and tips welcome.
Regards
Stoney
Any hints and tips welcome.
Regards
Stoney
Join Date: Jul 2002
Location: CYYC
Posts: 410
Likes: 0
Received 0 Likes
on
0 Posts
I don't much myself, but you could try LinuxQuestions or maybe the Linux Documentation Project (don't know the link).
goates
goates
Join Date: Sep 2002
Location: Chichester, UK
Posts: 1,650
Likes: 0
Received 0 Likes
on
0 Posts
The main rules are (a) offer only what you need and (b) keep it patched. If it's running a website then i'd have thought that you'd only need port 80 open externally (i.e. outside any local subnet), possibly ssh if you really need to access it remotely. Why Samba?
Thread Starter
Join Date: Mar 2004
Location: Bournemouth, UK
Age: 53
Posts: 133
Likes: 0
Received 0 Likes
on
0 Posts
Evo, I use Samba to access the Linux disk from my Windows machine. I have to say it's not the greatest way of connecting but it works well enough that I haven't looked for anything better. Do you recommend something else, i.e. NFS?
Regards
Stoney
Regards
Stoney
Join Date: Sep 2002
Location: Chichester, UK
Posts: 1,650
Likes: 0
Received 0 Likes
on
0 Posts
No, Samba's fine IMHO - haven't used NFS in years but I remember it being a pain. However, couldn't figure out from your post if Samba's port (139?) was open externally, and if so, why?
I'd only have http and ssh open to non-LAN traffic, and for most purposes it's probably ok not to worry too much about packets from within your own LAN.
I'd only have http and ssh open to non-LAN traffic, and for most purposes it's probably ok not to worry too much about packets from within your own LAN.
Thread Starter
Join Date: Mar 2004
Location: Bournemouth, UK
Age: 53
Posts: 133
Likes: 0
Received 0 Likes
on
0 Posts
Thanks for the link, ORAC, but it's definitly a bit OTT for my setup.
Evo, I'll have to 'adjust' my iptables a bit. I've got Samba ports (both 137 and 139 for some reason) open to all, i.e. not just the LAN. In fact I have four ports open: http, ssh, mysql and samba. Best I figure out quick how to restrict both mysql and samba to LAN only.
Thanks for the tips.
Regards
Stoney
Evo, I'll have to 'adjust' my iptables a bit. I've got Samba ports (both 137 and 139 for some reason) open to all, i.e. not just the LAN. In fact I have four ports open: http, ssh, mysql and samba. Best I figure out quick how to restrict both mysql and samba to LAN only.
Thanks for the tips.
Regards
Stoney
Join Date: Sep 2002
Location: Chichester, UK
Posts: 1,650
Likes: 0
Received 0 Likes
on
0 Posts
I haven't used it, but the iptables-HOWTO might help.
Locking down your system requires more than using iptables to close ports. I recommend you visit http://www.bastille-linux.org/ and follow the advice there. You can download a perl script which will guide you through the steps you need to take.
Thread Starter
Join Date: Mar 2004
Location: Bournemouth, UK
Age: 53
Posts: 133
Likes: 0
Received 0 Likes
on
0 Posts
I'll have to investigate that further, izod tester. I quite fancy the idea of having a hard system
Evo, when I setup my iptables originally I followed an online guide quite similar to your link. I suspect I already know what's required. Drop all incoming except port 22, 80 or from 192.168.etc. Just got to find some time to go over it again.
Regards
Stoney
Evo, when I setup my iptables originally I followed an online guide quite similar to your link. I suspect I already know what's required. Drop all incoming except port 22, 80 or from 192.168.etc. Just got to find some time to go over it again.
Regards
Stoney