Security And Linux
Prelude
Security is a process, not a thing that has a final solution. How do you secure your system, and how do you detect if someone is trying to compromise it?
This is an ongoing document that is in its early stages of development.
Intrusion Detection
There are many software packages to help with this (like snort), but here I just show a few simple ways to help you determine if your system has been compromised.
Most importantly, check your logs:
    vi /var/log/messages
    vi /var/log/secure
Then you can use these commands to look deeper:
lastlog : show the most recent login of each user
faillog : show failed login attempts
last : show the login record; last | head shows the latest entries
netstat : view active internet connections: netstat -tan, or netstat -alput
fuser : identify processes using files or sockets: fuser -v -n tcp 631
lsof : check for open files: lsof, or lsof | grep username | less, or lsof -i :631 (list the open files using port 631)
nmap : network mapper/scanner: nmap -sS 127.0.0.1 (scan for open ports)
tcpdump : dump traffic on a network: tcpdump -i eth0 -p tcp -n (ctrl-c to stop; shows what every port is connecting to)
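The log checks above are the first step; the script below is an added example (not from the original page) that turns the manual read of /var/log/secure into a repeatable triage: it counts failed SSH password attempts per source IP, lists accepted logins, and flags addresses over a threshold. The log lines embedded in it are constructed samples in the usual sshd syslog format, and the function names (failed_by_ip, accepted_logins, suspicious_ips) are my own.

```shell
#!/bin/sh
# Added example: summarise sshd entries from a /var/log/secure-style log.
# SAMPLE_LOG holds constructed sample lines, not real data.

SAMPLE_LOG='Mar  3 10:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:05 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar  3 10:01:09 host sshd[2104]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:02:40 host sshd[2110]: Failed password for bob from 198.51.100.5 port 51000 ssh2
Mar  3 10:03:15 host sshd[2112]: Accepted password for bob from 198.51.100.5 port 51002 ssh2
Mar  3 10:05:00 host sshd[2120]: Accepted publickey for alice from 192.0.2.9 port 33001 ssh2'

# Count failed password attempts per source IP, most frequent first.
# Reads log text on stdin; prints "<count> <ip>" lines.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# List successful logins as "<user> <ip> <method>" (password or publickey).
accepted_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p'
}

# Print IPs with at least $1 failed attempts (default 3).
suspicious_ips() {
    threshold=${1:-3}
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone usage: run with --demo against the built-in sample, or pipe a
# real log through the functions, e.g. (as root):
#   . ./sshlog.sh; suspicious_ips 5 < /var/log/secure
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    printf '%s\n' "$SAMPLE_LOG" | accepted_logins
    printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3
fi
```

An IP that appears in suspicious_ips and then in accepted_logins deserves a closer look: a run of failures followed by an accepted password login from the same address is the pattern to read the rest of the log for, and the netstat and lsof commands above will show whether that session is still active.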
If you have found an IP address mentioned that you wish to investigate, go here to track it down. If you find the ISP from which it came, you could contact them to complain.
chkrootkit
is a utility that checks your system binaries for signs of rootkit modification.
Download chkrootkit
from here
    # substitute xx below with the version number
    tar -xzvf chkrootkit-xx.tar.gz
    cd chkrootkit-xx
    make sense
    ./chkrootkit
Security settings
I'll fill out this section with a list of things to make a system more secure, but for now, take a look at these files:
/etc/securetty
and /etc/login.defs
For SSHD, consider changing your port number (in /etc/ssh/sshd_config
) as I document here.
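Before restarting sshd after editing /etc/ssh/sshd_config it helps to see which value is actually in effect, because sshd uses the first uncommented occurrence of a keyword and ignores later duplicates. The script below is an added example (not from the original page): sshd_setting extracts the effective value of a directive from config text on stdin, and audit_sshd reports the port and two other settings worth knowing. The config text is a constructed sample, and the function names are my own; the parser stops at the first Match block, since directives inside one apply only conditionally.

```shell
#!/bin/sh
# Added example: read effective sshd_config values the way sshd does
# (first occurrence wins, keywords are case-insensitive, lines starting
# with # are comments). SAMPLE_SSHD_CONFIG is a constructed sample.

SAMPLE_SSHD_CONFIG='# sshd_config sample
#Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication yes
#PasswordAuthentication no
MaxAuthTries 4
Match User backup
    PasswordAuthentication no'

# sshd_setting KEYWORD DEFAULT : print the effective value of KEYWORD from
# the config text on stdin, or DEFAULT if the keyword is not set.
sshd_setting() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(grep -v '^[[:space:]]*#' |
        awk -v kw="$kw" '
            tolower($1) == "match" { exit }      # conditional block: stop here
            tolower($1) == kw      { print $2; exit }')
    printf '%s\n' "${val:-$2}"
}

# audit_sshd : print one line per setting of interest, with the sshd
# defaults (Port 22, PermitRootLogin yes on older releases, PasswordAuthentication yes).
audit_sshd() {
    cfg=$(cat)
    port=$(printf '%s\n' "$cfg" | sshd_setting Port 22)
    root=$(printf '%s\n' "$cfg" | sshd_setting PermitRootLogin yes)
    pass=$(printf '%s\n' "$cfg" | sshd_setting PasswordAuthentication yes)
    printf 'Port %s\n' "$port"
    printf 'PermitRootLogin %s\n' "$root"
    printf 'PasswordAuthentication %s\n' "$pass"
}

# Stand-alone usage: run with --demo against the sample, or on the real
# file (as root): audit_sshd < /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd
fi
```

Note that in the sample the second PasswordAuthentication line is a comment, so the effective value is yes; moving the port only reduces noise from opportunistic scans, while PermitRootLogin and PasswordAuthentication decide what an attacker who does find the port can try.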
Keeping Your System up-to-date
To avoid vulnerabilities found in the software on your system, you should watch for security advisories regularly, and update any software that releases a patch or new version to fix that vulnerability. I have documented a couple of methods here and here.
Latest News
A few additional articles on network security: