Coffeehouse Post

View Thread: But...Linux is.....Unhackable O.O
    John Melville-- MD

    Xaero_Vincent wrote:
    Here are some useful tips a guy on slashdot posted to help protect your Linux servers in addition to the things I've mentioned:

    • Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
    • Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time.
    • Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
    • When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
    • Regularly update and run rootkit checkers. These are not be all end all, but they help spot obvious rootkits.
    • Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
    • Perform MD5 checking on your files and executables, especially.
    • Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
    • Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.

    umm ... Excuse me -- I really don't want to do all of that. I really don't want to do all of that every day. I don't know about you but I spend all day seeing sick people for a living; and I program computers; it's so I can do that better. When I sit down at my computer I want to do what I want to do, not defend my PC against the evil internet I cannot live without.

    If linux requires me to do all of the above just to be safe on the internet then linux is broken.
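As an added example (not code from either poster or from the slashdot source), here is a small POSIX shell script that mechanises three items of the quoted checklist so they can run from cron: the permission scan for world-writable and setuid/setgid files, the checksum verification of a baseline, and the diff of /etc/passwd or /etc/group against a saved copy. It uses sha256sum in place of MD5 and assumes GNU-style find, grep and sort; the file paths in the comments are illustrative.

```shell
#!/bin/sh
# Daily audit helpers for the checklist quoted above (added example, not from the thread).
# Assumes GNU-style find/grep/sort and sha256sum (used here instead of MD5).
# Illustrative crontab line: 0 6 * * * /usr/local/sbin/daily_audit.sh >> /var/log/daily_audit.log

# List regular files under $1 that are world-writable, setuid or setgid.
# -xdev stays on one filesystem; -perm -MODE matches when all of MODE's bits are set.
scan_perms() {
    find "$1" -xdev -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# Write a checksum baseline of every regular file under $1 to file $2.
make_baseline() {
    find "$1" -xdev -type f -exec sha256sum {} + 2>/dev/null | sort -k 2 > "$2"
}

# Exit 0 only when every file in baseline $1 still exists and hashes identically;
# otherwise print the FAILED lines from sha256sum -c and exit 1.
verify_baseline() {
    if sha256sum -c "$1" 2>/dev/null | grep -v ': OK$'; then
        return 1
    fi
    return 0
}

# Print lines of account file $2 that are absent from saved copy $1
# (e.g. /etc/passwd against a copy kept off-box). Exit 0 when new entries exist.
new_entries() {
    grep -v -x -F -f "$1" "$2"
}

# Run all three checks: $1 = tree to scan, $2 = state dir holding
# baseline.sha256 and passwd.saved, $3 = account file (default /etc/passwd).
# Prints findings; exit 0 only when nothing was flagged.
daily_audit() {
    acct=${3:-/etc/passwd}
    clean=0
    perms=$(scan_perms "$1")
    if [ -n "$perms" ]; then
        echo "== unusual permissions =="; printf '%s\n' "$perms"; clean=1
    fi
    echo "== checksum mismatches =="
    verify_baseline "$2/baseline.sha256" || clean=1
    echo "== new account entries =="
    new_entries "$2/passwd.saved" "$acct" && clean=1
    return $clean
}
```

Running make_baseline once after a known-good install and daily_audit from cron turns the "check every day" items into one log entry to read, with a non-zero exit status whenever something needs a look.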