Slackware System Hardening Copyright (c) 2002 Jeffrey Denton Written by Jeffrey Denton 4 June 2002 version - 0.4 http://www.c2i2.com/~dentonj/system-hardening This is a list of some of the steps I take to improve the security on my Slackware systems. It is by no means complete. You can either do all of the things I do, or you can choose only the ones you feel would help secure your system. WARNING: Hardening a system is a compromise between security and usability. Some of the things I do would adversely affect the usability of your system and may very well break things. Please have one of the following on hand just in case you lock yourself out of your system: Tom's Rootboot - http://www.toms.net/rb/ The "Live" CD that comes with the official version of Slackware. And of course, make sure you have a bootdisk. You do have a bootdisk, right? If you don't have one, run /sbin/makebootdisk. You should also make a backup of any anything that you feel is important, would be hard to replace, or that you simply cannot do without. If you are either new to linux or don't know what you are doing, you could very easily get carried away with hardening a system and end up with a system that is unusable. You have been warned. Note: - Line numbers correspond to the rc.scripts in Slackware 8.0. - The settings assume only one user is on the system, "dentonj". - Associated man pages are listed. - I will comment this document as I get to it. -- Resources -- http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html http://www.linuxdoc.org/LDP/gawlso/Securing-Optimizing-Linux-RH-Edition-1_3.pdf http://dsl.org/cookbook/ http://bastille-linux.sourcforge.net http://www.suse.de/~marc/ http://sastk.sourceforge.net http://www.google.com http://orbit-resource.sourceforge.net/faq.html -- Keep Current -- ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages ftp://ftp.slackware.com/pub/slackware/slackware-current/ChangeLog.txt http://www.slackware.com/lists/ http://www.securityfocus.com/cgi-bin/vulns.pl http://packetstorm.decepticons.org/last50.shtml -- Disable Daemons/Close Ports -- /etc/rc.d/rc.S: Lines 171-175: comment out isapnp.conf Lines 193-195: comment out rc.pcmcia /etc/rc.d/rc.M: Lines 50-53: comment out lpd Line 67: comment out atd Lines 117-122: comment out apmd Lines 141-143: comment out rc.ibcs2 #Lines 146-148: comment out rc.httpd Lines 155-157: comment out samba /etc/rc.d/rc.4: Line 23 add: -udpPort 0 /etc/rc.d/rc.inet2: Line 22: IPV4_FORWARD=0 Lines 48-51: comment out rpc.portmapper Lines 83-88: comment out inetd Lines 108-110: comment out rc.nfsd Lines 114-117: comment out lpd /etc/rc.d/: chmod -R go-rwx /etc/rc.d chmod 600 /usr/lib/news/bin/rc.news /etc/inetd.conf: grep -v "^#" /etc/inetd.conf Comment the results man inetd /etc/orbitrc: ORBIIOPUSock=1 ORBIIOPIPv4=0 ORBIIOPIPv6=0 /usr/X11R6/bin/startx: serverargs="-nolisten tcp" man Xserver -- Limit Access -- /etc/lilo.conf restricted password=somepassword /sbin/lilo -v man lilo.conf /etc/login.access: +:root dentonj:localhost -:ALL EXCEPT root dentonj:ALL man login.access /etc/login.defs: Line 38: LOG_OK_LOGINS yes Line 86: uncomment SULOG_FILE Line 98: uncomment ISSUE_FILE Line 206: UMASK 077 Line 217: PASS_MAX_DAYS 30 Line 217: PASS_MIN_LEN 8 Line 250: LOGIN_RETRIES 3 Line 285: comment out CHFN_RESTRICT Line 319: DEFAULT_HOME no man login.defs /etc/suauth: ALL:ALL EXCEPT dentonj: DENY man suauth /etc/porttime: tty1,tty2,tty3,tty4,tty5,tty6:root,dentonj:Al0000-2400 *:*: man porttime /etc/limits: dentonj L1K077C0 man limits /etc/shells: Delete the following: /bin/csh /bin/ksh /bin/zsh Add the following: /bin/sh /bin/false man shells /etc/passwd & /etc/shadow: Delete the following: adm uucp operator Add /bin/false as the shell to the following: bin daemon ftp games lp mail mysql news http nobody Note: Don't run these if you like to make the passwd and shadow file immutabled (chattr +i ...). It gets ugly. /usr/bin/passwd -x 30 -w 7 root /usr/bin/passwd -x 30 -w 7 dentonj man 1 passwd man 5 passwd man 5 shadow /etc/group: Delete the following: adm lp uucp /usr/sbin/pwck /usr/sbin/grpck man group man grpck man pwck The above may create a long list of programs that no longer belong to any group. find / -nouser -o -nogroup -ls > nouser chown root.root /etc/sudoers: ALL ALL=/usr/local/sbin/logit ALL ALL=/usr/bin/tail man sudo man sudoers man visudo /etc/ftpusers: Add the following: bin daemon adm lp sync shutdown halt mail operator games mysql gdm nobody man man ftpusers /etc/host.conf: nospoof on spoofalert on man host.conf /etc/hosts.allow: ALL:ALL:DENY man hosts_access /etc/hosts.deny: ALL:ALL@ALL EXCEPT localhost, PARANOID /usr/sbin/tcpdchk man hosts_access /etc/hosts.lpd: touch /etc/hosts.lpd /etc/hosts.equiv: Make sure file is empty man hosts.equiv /etc/mail/aliases: Comment ALL except MAILER_DAEMON and postmaster /usr/bin/newaliases man aliases man newaliases /etc/X11/xdm/Xaccess: Make sure all lines are commented man xdm /etc/opt/gnome/gdm/gdm.conf: [security] AllowRemoteRoot=false [xdmcp] Enabled=false Port=0 -- Logging -- /etc/rc.d/rc.M: Line 45: /usr/sbin/syslogd -m 0 Line 48: /usr/sbin/klogd -c 3 -p man syslogd man klogd /etc/rc.d/rc.inet2: Line 74: /usr/sbin/syslogd -m 0 Line 78: /usr/sbin/klogd -c 3 -p man syslogd man klogd /etc/syslog.conf: #.info;*.notice;mail.none;authpriv.none /var/log/messages *.debug /var/log/debug authpriv.*;auth.* /var/log/secure mail.* /var/log/mail cron.* /var/log/cron *.emerg * *.warn /var/log/syslog *.err /var/log/syslog *.* /dev/tty12 touch /var/log/mail touch /var/log/faillog man syslog.conf man 5 faillog man 8 faillog /etc/rc.d/rc.S: Line 168: comment out overwritting motd /etc/motd, /etc/issue.net, and /boot/boot_message.txt: **************************************************************** Unauthorized access prohibited; all access and activities not explicitly authorized by the administrator are unauthorized. All activities are monitored and logged. There is no privacy on this system. Unauthorized access and activities or any criminal activity will be reported to appropriate authorities. **************************************************************** /sbin/lilo -v man issue man motd -- Filesystem -- /etc/rc.d/rc.inet2: Lines 58,60: comment out mounting NFS Lines 65,67: comment out mounting smbfs /etc/exports: Make sure it's empty. man exports /etc/fstab: /dev/hdb1 swap swap defaults 0 0 /dev/hdb5 / ext3 defaults 1 1 /dev/hdb6 /var ext3 rw,nosuid,nodev 0 2 /dev/hdb7 /tmp ext3 rw,nosuid,nodev,noexec 0 2 /dev/hdb8 /usr ext3 defaults 0 2 /dev/hdb9 /home ext3 rw,nosuid,nodev 0 0 /dev/hda1 /mnt/windows vfat rw,nosuid,nodev,noexec,noauto 0 0 /dev/hda2 /mnt/slack ext2 rw,noauto 0 0 /dev/fd0 /mnt/floppy auto rw,nodev,noauto 0 0 mkdir /mnt/windows mkdir /mnt/slack mkdir /mnt/floppy man fstab man nfs Change how often fsck is run during boot: for i in hdb5 hdb6 hdb7 hdb8 hdb9; do tune2fs -c 0 /dev/$i tune2fs -i 1m /dev/$i done man tune2fs -- File Permissions -- Obscurity: chattr +i /etc/exports chattr +i /etc/hosts.equiv chattr +i /etc/hosts.lpd chattr +i /etc/inetd.conf chattr +i /etc/lilo.conf chattr +i /etc/login.access chattr +i /etc/login.defs chattr +i /etc/porttime chattr +i /etc/protocols chattr +i /etc/securetty chattr +i /etc/services chattr +i /etc/suauth man chattr Remove unneeded files: rm /etc/csh.cshrc /etc/csh.login man tcsh chmod a long list of files: chmod 750 /bin/mt-st chmod 600 /etc/ftpusers chmod 600 /etc/hosts.allow chmod 600 /etc/hosts.deny chmod 600 /etc/inetd.conf chmod 600 /etc/inittab chmod 600 /etc/lilo.conf chmod 600 /etc/login.defs chmod 600 /etc/securetty chmod 600 /etc/suauth chmod 440 /etc/sudoers chmod 600 /etc/syslog.conf chmod 750 /sbin/badblocks chmod 750 /sbin/debugfs chmod 750 /sbin/depmod chmod 750 /sbin/dumpe2fs chmod 750 /sbin/explodepkg chmod 750 /sbin/fdisk chmod 750 /sbin/fsck chmod 750 /sbin/fsck.ext2 chmod 750 /sbin/fsck.minix chmod 750 /sbin/ftl_check chmod 750 /sbin/ftl_format chmod 750 /sbin/halt chmod 750 /sbin/hwclock chmod 750 /sbin/ifconfig chmod 750 /sbin/ifport chmod 750 /sbin/ifuser chmod 750 /sbin/init chmod 750 /sbin/insmod chmod 750 /sbin/installpkg chmod 750 /sbin/isapnp chmod 750 /sbin/killall5 chmod 750 /sbin/lilo chmod 750 /sbin/makepkg chmod 750 /sbin/mke2fs chmod 750 /sbin/mkfs chmod 750 /sbin/mkfs.minix chmod 750 /sbin/mkdosfs chmod 750 /sbin/mkraid chmod 750 /sbin/mkswap chmod 750 /sbin/modinfo chmod 750 /sbin/netconfig.color chmod 750 /sbin/netconfig.tty chmod 750 /sbin/pkgtool chmod 750 /sbin/pnpdump chmod 750 /sbin/removepkg chmod 750 /sbin/rpc.portmap chmod 750 /sbin/quotaon chmod 750 /sbin/rdev chmod 750 /sbin/runlevel chmod 750 /sbin/setserial chmod 750 /sbin/swapon chmod 750 /sbin/tune2fs chmod 750 /sbin/upgradepkg chmod 750 /sbin/uugetty chmod 750 /usr/bin/eject chmod 4750 /usr/bin/gpasswd chmod 750 /usr/bin/lpq chmod 750 /usr/bin/lprm chmod 4750 /usr/bin/lpr chmod 750 /usr/bin/minicom chmod 700 /usr/bin/nohup chmod 700 /usr/bin/script chmod 500 /usr/lib/news/bin/inndstart chmod 500 /usr/lib/news/bin/startinnfeed chmod 750 /usr/lib/setup/cpkgtool chmod 750 /usr/lib/setup/hdsetup chmod 750 /usr/sbin/atd chmod 750 /usr/sbin/atrun chmod 750 /usr/sbin/crond chmod 750 /usr/sbin/ctrlaltdel chmod 750 /usr/sbin/dhcpd chmod 750 /usr/sbin/dhcrelay chmod 750 /usr/sbin/edquota chmod 750 /usr/sbin/groupadd chmod 750 /usr/sbin/groupdel chmod 750 /usr/sbin/groupmod chmod 750 /usr/sbin/grpck chmod 750 /usr/sbin/grpconv chmod 750 /usr/sbin/grpunconv chmod 750 /usr/sbin/hdparm chmod 750 /usr/sbin/imapd chmod 750 /usr/sbin/in.comsat chmod 755 /usr/sbin/in.fingerd chmod 755 /usr/sbin/in.identd chmod 750 /usr/sbin/in.talkd chmod 000 /usr/sbin/in.rexecd chmod 000 /usr/sbin/in.rlogind chmod 000 /usr/sbin/in.rshd chmod 750 /usr/sbin/in.telnetd chmod 000 /usr/sbin/in.tftpd chmod 750 /usr/sbin/in.timed chmod 750 /usr/sbin/inetd chmod 750 /usr/sbin/ipop3d chmod 750 /usr/sbin/klogd chmod 2750 /usr/sbin/lpc chmod 740 /usr/sbin/lpd chmod 750 /usr/sbin/lpf chmod 550 /usr/sbin/makemap chmod 750 /usr/sbin/mouseconfig chmod 750 /usr/sbin/named chmod 750 /usr/sbin/newusers chmod 750 /usr/sbin/nmbd chmod 750 /usr/sbin/ntpdate chmod 750 /usr/sbin/ntpq chmod 750 /usr/sbin/ntptime chmod 750 /usr/sbin/ntptrace chmod 750 /usr/sbin/pppd chmod 750 /usr/sbin/pwck chmod 750 /usr/sbin/pwconv chmod 750 /usr/sbin/pwunconv chmod 550 /usr/sbin/quotastats chmod 750 /usr/sbin/rpc.bootparamd chmod 750 /usr/sbin/rpc.mountd chmod 750 /usr/sbin/rpc.nfsd chmod 750 /usr/sbin/rpc.rusersd chmod 750 /usr/sbin/rpc.rwalld chmod 750 /usr/sbin/rpc.yppasswdd chmod 750 /usr/sbin/rpc.ypxfrd chmod 750 /usr/sbin/rpcinfo chmod 750 /usr/sbin/showmount chmod 750 /usr/sbin/smbd chmod 750 /usr/sbin/syslogd chmod 750 /usr/sbin/tcpd chmod 750 /usr/sbin/tcpdchk chmod 750 /usr/sbin/tcpdmatch chmod 750 /usr/sbin/tcpdump chmod 750 /usr/sbin/timeconfig chmod 750 /usr/sbin/useradd chmod 750 /usr/sbin/userdel chmod 750 /usr/sbin/usermod chmod 750 /usr/sbin/vipw man chmod To make things easier, you can download a file that contains the above list and run the short awk command below: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/sastk/SAStk/src/fileperm awk -F: '{ print "chmod "$1" "$4 system ("/bin/chmod "$1" "$4) print "chown "$2"."$3" "$4 system ("/bin/chown "$2"."$3" "$4) }' < fileperm man chmod man chown man gawk More chmod: chmod -R o-rwx /var/log chmod -R go-rwx /home/dentonj chmod -R go-rwx /root man chmod Find SUID/SGID files and directories: find / -type f \( -perm -4000 -o -perm -2000 \) -ls > suid_files.out find / -type d \( -perm -4000 -o -perm -2000 \) -ls > suid_dir.out chmod ug-s # To remove the SUID/SGID bit man chmod man find Find world and group writable files and directories: find / -type f \( -perm -2 -o -perm -20 \) -ls > write_files.out find / -type d \( -perm -2 -o -perm -20 \) -ls > write_dir.out man find -- rc.local -- /etc/rc.d/rc.local: # Network hardening echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/ip_always_defrag echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i done for i in /proc/sys/nit/ipv4/conf/*/rp_filter; do echo 1 > $i done for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i done # Network optimizing echo "32768-64000" > /proc/sys/net/ipv4/ip_local_port_range echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack echo 0 > /proc/sys/net/ipv4/tcp_timestamps # Obscrurity echo 255 > /proc/sys/net/ipv4/ip_default_ttl # System optimizing echo "100 1200 128 512 500 5000 500 1884 1" \ > /proc/sys/vm/bdflush echo "80 10 60" > /proc/sys/vm/buffermem echo 6144 > /proc/sys/fs/file-max echo 24576 > /proc/sys/fs/inode-max # Start various security programs #/usr/psionic/portsentry/portsentry -atcp #/usr/psionic/portsentry/portsentry -sudp /usr/sbin/icmpinfo -vv -s -l /usr/local/sbin/accton /var/accout/pacct /usr/local/sbin/iplog /etc/rc.d/rc.firewall start if [ -x /usr/sbin/logoutd ]; then /usr/sbin/logoutd fi # Various system settings /usr/bin/setleds -D +num # This is harddrive specific /usr/sbin/hdparm -c3 -A1 -m16 -d1 /dev/hdb man hdparm man logoutd man setleds -- Cron -- /var/spool/cron/crontabs/root: # Sync clocks 0 0 * * * /usr/sbin/ntpdate clock.via.net; hwclock --systohc # Security programs 0 0 * * * /usr/local/etc/logcheck.sh #1 1 * * * /usr/local/sbin/tripwire -m c | mail -s \ "Tripwire report for $HOSTNAME" root@localhost 2> /dev/null 0 4 * * * /usr/local/sbin/sxid 0 23 * * * cd /usr/local/sbin/; ./chkrootkit | mail -s \ "Chkrootkit report from $HOSTNAME" root@localhost 0 22 * * * /usr/local/sbin/aide --config=/etc/aide.conf | mail -s \ "AIDE report from $HOSTNAME" root@localhost 0 0 * * * /usr/local/seccheck/security-control daily& 0 1 * * 1 /usr/local/seccheck/security-control weekly& 0 4 1 * * /usr/local/seccheck/security-control monthly& # System cleanup 0 3 * * * /usr/bin/find -type f -name core \ -exec /bin/rm -rf {} \; 2> /dev/null 0 3 * * * /usr/bin/find /tmp -atime +7 \ -exec /bin/rm -rf {} \; 2> /dev/null 0 3 * * * /usr/bin/find /var/temp -atime +7 \ -exec /bin/rm -f {} \; 2> /dev/null 0 3 * * * /usr/bin/find /var/spool/lpd \( -name "cf*" -o -name "df*" \) \ -type f -atime +2 -exec /bin/rm -f {} \; 2> /dev/null # Paranoid checks 0 3 * * * /bin/chmod -R go-rwx /home/dentonj 0 3 * * * /bin/chmod -R go-rwx /root 0 3 * * * /bin/rm -f /home/*/dead.letter 0 3 * * * /usr/bin/find / -name .rhosts -o -name .forward -ls \ -exec /usr/bin/cat {} \; | mail -s \ ".rhosts or .forward files on $HOSTNAME" root@localhost 2> /dev/nul man crond man crontab -- Bash -- /etc/profile: Lines 26-28: comment out section adding "." to PATH Lines 57-58: comment out and add: elif [ `id -u` = "0" ]; then PS1="\[\033[1;31m\[\t [\j]:\w\$\[\033[0m\] " else PS1="\[\033[1;32m\[\t [\j]:\w\$\[\033[0m\] " Line 70: umask 077 # Limit history for root and the user that can su to root if [ `id -u` = "0" -o `echo $USER` = "dentonj" ]; then HISTSIZE=20 HISTFILESIZE=20 export HISTSIZE HISTFILESIZE fi # Logout if a root terminal is left unused for too long if [ `id -u` = "0" ]; then TMOUT=1200 export TMOUT fi # Misc settings: shopt -s cdspell shopt -s cmdhist shopt -s dotglob shopt -s extglob setterm -bfreq 0 typeset -r HISTFILE typeset -r HISTFILESIZE typeset -r HISTSIZE typeset -r HISTNAME typeset -r USER typeset -r LOGNAME # Aliases: # shred doesn't delete recursively, use "/bin/rm -rf ..." alias rm="shred -uz" man bash /root/.bash_logout: clear && rm /root/.bash_history man bash -- Misc -- /etc/rc.d/rc.M: Line 18: /bin/setterm -blank 0 man setterm /etc/modules.conf: alias net-pf-9 off man modules.conf /etc/issue: Welcome to \s (\l) \t - \U man issue /etc/inittab: Line 35: comment out ctrlaltdel man init man inittab /etc/inputrc: set show-all-if-ambiguous on set visible-stats on set mark-modified-lines on man bash faillog: faillog -u dentonj -m 5 man faillog Make a backup of commonly trojaned commands: Note: Only do this after a fresh install. Making copies of already trojaned commands will just ruin your day. Otherwise, copy the commands from the "Live CD" that comes with the official version of Slackware. cd /root mkdir bin Copy the following to /root/bin: agetty egrep in.fingerd killall ps tcpd basename env in.identd login pstree top biff explodepkg in.pop3d ls removepkg traceroute chfn find in.rlogind lsattr rpcinfo upgradepkg chsh getty in.rshd mail sendmail write crontab gnu-pop3d in.telnetd makepkg ssh date gpm in.timed named sshd dirname grep inetd netstat su du hdparm installpkg passwd syslogd echo ifconfig kill pidof tar cd /root/bin md5sum * >> md5sum cd /root tar zcvf bin.tar.gz ./bin cp bin.tar.gz /dev/fd0 -- Program Hardening -- /etc/mail/sendmail.cf: Lines 220-221: comment out DaemonPortOptions Add: O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA Line 178: O Helpfile= Line 227: O PrivacyOptions=goaway Line 356: O SmtpGreetingMessage=HI You look lost. Please return to your little corner of the internet. rm /etc/mail/helpfile man sendmail /etc/ssh/ssh_config: Host * ForwardAgent no ForwardX11 no RhostsAuthentication no RhostsRSAAuthentication no RSAAuthentication yes PasswordAuthentication yes FallBackToRsh no UseRsh no BatchMode no CheckHostIP yes StrictHostKeyChecking no IdentityFile ~/.ssh/identity IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/id_rsa Port 22 Protocol 2 Cipher blowfish Compression yes CompressionLevel 6 KeepAlive no EscapeChar ~ man ssh /etc/ssh/sshd_conf: Port 22 Protocol 2 ListenAddress 192.168.1.1 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 600 PermitRootLogin no StrictModes yes PasswordAuthentication yes PermitEmptyPasswords no #RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys RhostsAuthentication no IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no IgnoreUserKnownHosts yes AllowUsers dentonj X11Forwarding no X11DisplayOffset 10 AllowTcpForwarding yes PrintMotd yes PrintLastLog no KeepAlive no #UseLogin no Banner /etc/issue.net ReverseMappingCheck yes Subsystem sftp /usr/libexec/sftp-server man sftp man sftp-server man sshd -- Security Programs/Scripts -- Install the following programs: Accton AIDE Chkrootkit Iplog Kernel patches: (only apply one) Openwall Patch GRSecurity lcap libsafe LogSentry lsof Nessus nmap Openwall kernel patch PortSentry rc.firewall Snort sXid Accton: http://packages.debian.org/unstable/admin/acct.html acct-6.3.5-29 mkdir /var/account touch /var/account/pacct touch /var/account/savacct touch /var/acocunt/useracct AIDE: http://www.cs.tut.fi/~rammer/aide.html /etc/aide.conf: database=file:///etc/aide.db database_out=file:///etc/aide.db.new /boot R /dev R /etc R /bin R /opt R /sbin R /usr R /var R /var/spool/cron R !/var/account !/var/log !/var/run !/var/spool chattr +i /etc/aide.conf chattr +i /etc/aide.db Chkrootkit: http://www.chkrootkit.org Install the following to /usr/local/sbin/: chklastlog chkproc chkrootkit chkutmp ifpromisc Iplog: http://ojnk.sourceforge.net touch /var/log/iplog mkdir /var/run/iplog /etc/iplog.conf: user nobody group nobody pid-file /var/run/iplog/iplog.pid logfile /var/log/iplog facility log_daemon priority log_info set log_ip true set log_dest true set ignore_dns true interface eth0 set frag true set smurf true set bogus true set fin_scan true set syn_scan true set udp_scan true set portscan true set xmas_scan true set null_scan true set traceroute true set fool_nmap true set syn_flood true set ping_flood true set verbose true ignore tcp dport 80 Kernel: Disable Loadable Kernel Module support. Patch with one of the following patches. Openwall Patch: Currently for 2.0.x and 2.2.x kernels A beta version is available for 2.4.x kernels http://www.openwall.com/linux/ Patch kernel and compile with all of the patche's options enabled GRSecurity Patch: For 2.4.x kernels I have not been impressed with this patch, so use it at your own discretion. http://www.grsecurity.net LCAP: Supposedly this will work without having to install LIDS. http://pw1.netcom.com/~spoon/lcap bzip2 -cd lcap-0.0.6.tar.bz2 | tar xvf - cd lcap-0.0.6 gcc -o lcap lcap.c cp lcap /usr/local/sbin cp lcap.8 /usr/local/man/man8 LibSafe: http://www.avayalabs.com/project/libsafe/index.html /etc/ld.so.preload: /lib/libsafe.so.2 /etc/libsafe.exclude /usr/local/sbin/logit: Straight from TrinityOS. Add the following: tail -f /var/log/messages& tail -f /var/log/access_log& tail -f /var/log/cron& tail -f /var/log/iplog& tail -f /var/log/loginlog& tail -f /var/log/mail& tail -f /var/log/proftpd.log& tail -f /var/log/secure& tail -f /var/log/sulog& tail -f /var/log/syslog& tail -f /var/log/apache/access_log& tail -f /var/log/apache/error_log& LogSentry: http://www.psionic.com/products/logsentry.html lsof: http://freashmeat.net/projects/lsof Nessus: http://www.nessus.org NMAP: http://www.insecure.org/nmap/index.html PortSentry: I noticed that PortSentry didn't always log FIN or NULL scans, so I now use Iplog. http://www.psionic.com/products/portsentry.html rc.firewall: This is one of the ipchains packet filter scripts that I've put together. Don't ask me about iptables. If you want a statefull packet filter, you should really be running OBSD. http://www.c2i2.com/~dentonj/rc.firewall.example Seccheck_slack: Install Snort: http://www.snort.org sXid: ftp://marcus.seva.net/pub/sxid/ The following is a script that I add to the beginning of /etc/profile. While the script is a nice idea, it's very easy for someone to avoid . I've never had any of my systems cracked since I've started using it, so I have no idea if this script will actually stop anyone. It would most likely catch someone in the act, after they exploited a security hole, but before the system has been r00ted. A r00ted system wouldn't even bother reading /etc/profile. -- Begin script added to /etc/profile -- # Kick and ban users that are UID 0 but are NOT root! if [ `id -u` = "0" -a `echo $USER` != "root" ]; then # Lock the user out passwd -l $USER # Save some info date >> /root/SHIT netstat -apent >> /root/SHIT ps auxww >> /root/SHIT w >> /root/SHIT w | mail -s "$USER has gained ROOT access" root@localhost # Let EVERYONE know wall << EOF *********************************************************** $USER has gained ROOT access!!! *********************************************************** EOF for i in `ls /dev/pts/`; do echo -e "\n$USER has gained ROOT access!!\n" >> /dev/pts/$i done # Log it logger -is -f /var/log/messages "$USER has gained ROOT access!!" # Let the luzer know echo -e "\a\n\n You are _NOT_ root!!\\n\n\a" # Kill the user and his processes skill -9 -u $USER ifconfig eth0 down # This should be redundant logout exit fi # Attempt to catch those that su alias su="su -" -- End script added to /etc/profile --