Securing a Linux machine
I have a Linux machine at home and I'm wondering if there is anything I can do to protect the machine against attacks. I have iptables up and running, blocking all ports except 23 (ssh), 80 (http) and a few others, i.e. for Samba. It is open to the internet because it is running a web site. My worry is that I've left a back door open and that a spammer will hijack my machine to do his dirty deed.
Any hints and tips welcome. Regards Stoney |
I don't know much myself, but you could try LinuxQuestions or maybe the Linux Documentation Project (don't know the link).
goates |
The main rules are (a) offer only what you need and (b) keep it patched. If it's running a website then I'd have thought that you'd only need port 80 open externally (i.e. outside any local subnet), possibly ssh if you really need to access it remotely. Why Samba?
|
Evo, I use Samba to access the Linux disk from my Windows machine. I have to say it's not the greatest way of connecting but it works well enough that I haven't looked for anything better. Do you recommend something else, i.e. NFS?
Regards Stoney |
No, Samba's fine IMHO - haven't used NFS in years but I remember it being a pain. However, couldn't figure out from your post if Samba's port (139?) was open externally, and if so, why?
I'd only have http and ssh open to non-LAN traffic, and for most purposes it's probably ok not to worry too much about packets from within your own LAN. |
|
ORAC, did you look up the price too? It's probably a bit expensive for what Stoney needs.
|
Thanks for the link, ORAC, but it's definitely a bit OTT for my setup.
Evo, I'll have to 'adjust' my iptables a bit. I've got Samba ports (both 137 and 139 for some reason) open to all, i.e. not just the LAN. In fact I have four ports open: http, ssh, mysql and samba. Best I figure out quick how to restrict both mysql and samba to LAN only. Thanks for the tips. Regards Stoney |
I haven't used it, but the iptables-HOWTO might help.
|
Locking down your system requires more than using iptables to close ports. I recommend you visit http://www.bastille-linux.org/ and follow the advice there. You can download a perl script which will guide you through the steps you need to take.
|
I'll have to investigate that further, izod tester. I quite fancy the idea of having a hard system ;)
Evo, when I set up my iptables originally I followed an online guide quite similar to your link. I suspect I already know what's required. Drop all incoming except port 22, 80 or from 192.168.etc. Just got to find some time to go over it again. Regards Stoney |
Stoney, sounds right to me. If you haven't found it already, I've found nmap to be a good tool for testing how successful I've been in restricting services.
|
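Not part of the thread: an added example that checks the ruleset itself against the rule Stoney describes (only 22 and 80 open to everyone, everything else LAN-only). It reads `iptables-save` output and lists ports accepted with no source restriction. The sample ruleset, the 192.168.1.0/24 LAN range and MySQL on 3306 are constructed assumptions, and negated matches (`! -s`) are not handled.

```shell
#!/bin/sh
# Added example: list INPUT ACCEPT rules in `iptables-save` output that match a
# destination port but carry no source (-s) restriction, i.e. open to anyone.

# Ports that are meant to be public (22 and 80, per the rule in the thread).
PUBLIC_PORTS="${PUBLIC_PORTS:-22 80}"

# Reads iptables-save text on stdin and prints "proto/port" for every
# world-open port that is not listed in PUBLIC_PORTS.
world_open_ports() {
    awk -v public="$PUBLIC_PORTS" '
        BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" {
            proto = "any"; port = ""; src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "-s") src = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (target != "ACCEPT" || port == "") next    # not a port-opening rule
            if (src != "" && src != "0.0.0.0/0") next     # restricted by source
            m = split(port, list, ",")                    # multiport lists
            for (k = 1; k <= m; k++)
                if (!(list[k] in ok)) print proto "/" list[k]
        }
    ' | sort -u
}

# Constructed sample resembling the setup in the thread (not real output).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
COMMIT
EOF
}

# On a live machine (as root): iptables-save | world_open_ports
sample_ruleset | world_open_ports
```

An empty result means every accepted port is either in `PUBLIC_PORTS` or limited by source address; an external nmap scan, as suggested above, remains the check of what is actually reachable.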