Re: [Sheflug] How To: The Final Chapter
Alec Melling wrote:
> Hi,
> Thanks for all the help in getting my USB drive up and running. It works like
> a dream, or at least it does what I want.
> Onto new frontiers and new problems.
> Lesley what is this about port 746. I must admit I have been relying on the
> firewall in my netgear router for security as I get this installation up and
> running. So perhaps the next how to should be:
>
When I set up a system I like to port scan it. What a port scan does is
scan ports to see which are open, closed or stealthed. A mail server
might have port 25 open, an ftp server would have port 21 and a web
server would have port 80 open. On a normal domestic machine, it's not
necessary to have ports on your machine open to others and you can open
ports as you need to to retrieve mail, do ftp or web surfing or
whatever. You can simply close them or stealth them; one means your
machine responds with a 'no not here' message and the other means you
simply don't reply at all. Your choice as to which is better.
Port 746 on the warty release of Ubuntu was left open after the
installation procedure.
I haven't a clue why they left it open but I did post something on an
Ubuntu list and got a reply that 'they' needed it for some reason. I
felt the reply was not good enough and, combined with the way they hide
the root account, which still exists in Ubuntu it's just heavily cloaked
so that you can't immediately gain control of it, I felt that distro
wasn't for me.
https://www.grc.com/x/ne.dll?bh0bkyd2 supplies a port scanning service.
http://www.securityspace.com/sspace/index.html is more aimed at the
commercial market but also worth a look. This part of that site
http://www.securityspace.com/smysecure/catdescr.html?cat=Ubuntu+Local+Security+Checks
might be of interest to you.
I still think you should gain control of your root account and read the
man pages on visudo, sudo and sudoers. The account you set up to perform
system administration work has full root powers and should be treated
the same way a root account is treated - hard to crack passwords,
minimal use of password etc etc so sudoing all the time to do what you
need to do as root isn't necessarily the greatest idea it's cooked up to
be. sudo was set up to manage differing needs where people needed
rootly powers to perform specific tasks or subsets of tasks, e.g.
systems admin, web development but where it was not desirable for them
to have the root password to be able to perform their duties.
Check your sudoers file by typing

    sudo visudo

and look for this style of line

    root ALL = (ALL) ALL
    fred ALL = (ALL) ALL

Here root and fred are users who can execute any command on any host in
the network they are on. It's a very powerful permission set.
> How does someone with no real network knowledge learn to secure his
> system???
Read about the topic, learn what a port scan is. Learn how to observe
traffic on your network, block it and allow only the traffic you want.
Ask questions. Be aware of security advisories and keep your system
updated with respect to these. Learn what a rootkit is and learn how to
check your system for one. Google is your friend. Knowledge empowers.
Ignorance does not result in bliss.
I don't know much about netgear routers but it will have a basic
firewall in it. You might need to run one if you don't want people
banging away at your ports 80, 22, 25 or 21 (or any other port for that
matter).
FWIW : My current setup is thus :-
<pre>
[comp 1]--------------------------------
                                       |
                                    [comp4]----ADSL to Internet
                                       |
[comp2] ----------------[switch]--------
                           |
                           |
                        [comp3]
</pre>
My DSL300T seems to have a firewall of sorts on it but I also have a
firewall on comp4 which redirects traffic to comp 1 where appropriate
and which heavily protects my workstation and laptop [comp2] and [comp3].
I use OpenBSD on comp4 and currently it's on comp3 as well.
I use SuSE on laptop and workstation but have been promising myself a
change there sometime - possibly to Debian.
I chose this over the more common solution of simply buying a multiport
ethernet router because I wanted more control over my network and wanted
to learn more about networking. I am currently wading my way through DNS.
In my setup [comp1] is on its own LAN distinct from [comp2] and
[comp3]. This provides me with the capability of heavily protecting one
LAN while allowing a certain level of traffic into the other LAN.
I don't know if I could get that capability with a multi-port ethernet
router.
OpenBSD is known as Unix for the Paranoid because it's prepared with
security in mind. That should give you an idea about my mindset over
networking and a secure system.
A great deal of effort goes into ensuring OpenBSD is safe.
SELinux is out there and is more secure than a typical Linux distro.
HTH
Lesley
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
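
Added example, not part of the original message: a Python check for your own machine that tells apart the three port states described above (open, closed with a 'no not here' reply, stealthed with no reply at all). The function names `probe_port` and `audit` and the default port list (the ports mentioned in the message) are assumptions of this example.

```python
import errno
import socket

# Ports named in the message above; edit to taste.
PORTS = (21, 22, 25, 80, 746)

def probe_port(host, port, timeout=1.0):
    """Classify one TCP port by how the host answers a connection attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"          # host replied with a reset: 'no not here'
    except socket.timeout:
        return "stealthed"       # no reply at all: the packet was dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable" # a router or filter answered on the host's behalf
        raise
    finally:
        s.close()

def audit(host="127.0.0.1", ports=PORTS, timeout=1.0):
    """Return {port: state} for a machine you administer."""
    return {p: probe_port(host, p, timeout) for p in ports}

if __name__ == "__main__":
    for port, state in audit().items():
        print(f"{port:>5}  {state}")
```

Run against 127.0.0.1 this shows what is listening locally; a firewall's effect is only visible when the same check is run from another machine on the far side of it.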
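
Added example, not part of the original message: a small Python audit that lists every sudoers entry of the `fred ALL = (ALL) ALL` style, i.e. accounts that are root-equivalent and need root-grade passwords. The sample text is constructed, the function names are assumptions, and the parser is simplified (one spec per line, aliases not expanded, `#uid` entries not handled).

```python
import re

# Constructed sample in sudoers syntax; on a real system, read a copy of the file.
SAMPLE = r"""
# constructed sample
Defaults secure_path="/usr/sbin:/usr/bin"
Cmnd_Alias SHUTDOWN = /sbin/shutdown
root ALL = (ALL) ALL
fred ALL = (ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
webdev www1 = (www-data) /usr/sbin/apache2ctl, \
    /usr/bin/systemctl reload apache2
"""

SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1] + " "
            continue
        buf = ""
        if line and not line.startswith("#"):
            yield line

def full_root_grants(text):
    """Return the entries whose command list contains ALL."""
    found = []
    for line in logical_lines(text):
        m = SPEC.match(line)
        if line.startswith(SKIP) or not m:
            continue
        cmds = [TAGS.sub("", c.strip()) for c in m["cmds"].split(",")]
        if "ALL" in cmds:
            found.append({"who": m["who"], "hosts": m["hosts"].strip(),
                          "runas": (m["runas"] or "root").strip(),
                          "nopasswd": "NOPASSWD:" in m["cmds"]})
    return found

if __name__ == "__main__":
    for entry in full_root_grants(SAMPLE):
        print(entry)
```

The `webdev` entry is the kind of narrow grant sudo was designed for and is not reported; the `%admin` entry is flagged with `nopasswd` set because it gives full root without even a password prompt.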