[buug] Linux Security for stand-alone PC's

Zeke Krahlin ezekielk at netzero.net
Sun Feb 20 22:21:59 PST 2000


One of the excellent members from the FreeISPCubs message board has
contributed the following security tips for non-networked Linux
boxes. I will be securing my system tonight, based on his advice.

Anyone who'd care to peruse this document: did he miss anything?
Spot something wrong? Any additional tips not mentioned herein?
TIA

---begin document:

LINUX SECURITY 101

Forum:     the FreeNetCubs BBS & Chat Forum
Subject:  Linux security 101
From:      (P_NIS)
To:        (ALL)
DateTime: 1/9/00 1:15:02 AM

OK for all new recent Linux converts out there, here are a few
simple security tricks you can use to make your surfing safe and
anonymous.

These tips are mainly applicable to modem DUN connects, but some
may be useful for LAN's as well.  The config files I will mention
are those for the RedHat distribution and may be slightly
different for other distributions, YMMV.

OK, here we go....

1.  Disable the ability to telnet and ftp to your machine.  To do
this, open the file /etc/inetd.conf, and simply insert a hash
mark '#' in front of each line to uncomment that line.  To
disable telnetting and ftp'ing to your machine, make sure to
insert # in front of the lines that begin with 'ftp' and
'telnet'.  You should uncomment each of the other lines as well,
unless you know for sure that you need to have those services
running.  For a plain old dial-up connection that you don't need
to network to other computers, UNCOMMENT EVERYTHING.  Keep in
mind that you will disable telnetting and ftp'ing TO your
machine, but you will still be able to telnet and ftp to OTHER
machines.

2.  Disable the ability of other machines to 'ping' your
machine.  This maneuver is useful for combatting mass pings that
identify machines that are online.  For example, if I knew that
ISP X's client numbers began with a 129.23.xx.xx, I could do a
mass ping of that subnet to find out the exact addresses of
machines that are online, and thus establish my cracking
targets.  Turning off your ability to get pinged effectively
makes you invisible on the internet.

As root, run this command:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Note that you will still be able to ping OTHER machines, it's
just that nobody will be able to ping you.

To restore your ability to get ping'd, run this command:

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

(Notice the 1 becomes a 0.)

3.  Disable unnecessary services that are started at boot time. 
The way to do this depends on your distribution, but for RedHat
just run (as root) linuxconf (type 'linuxconf' as root at the
command prompt), then look at Control > Control Panel > Control
Service Activity.  As a stand-alone dial-up networked client, you
can safely TURN OFF the following services:

apmd (advanced power management; useful only for laptops to tell
you how much battery is remaining)

atd (I don't know what it's for but has something to do with
scheduled tasks)

httpd (starts the Apache webserver; DEFINITELY turn this one off
unless you are running a web server off your machine)

linuxconf (turn this one off so nobody will be able to change
your configuration remotely; you can still run linuxconf as root
locally)

mars-nwe (something for LANS only)

named  (only needed if you are running a DNS server from your
machine)

netfs  (DEFINITELY turn this one off, something for network file
systems)

nfs  (DEFINITELY turn this one off, this is for network file
systems (No farking Security) which is a huge Linux security
hole.)

pcmcia (you don't need this unless you have a pcmcia card in a
laptop)

portmap (only needed if you are using nfs)

routed (for network routing; not needed for dial-up connections)

rstatd (I don't know what this is for but it ain't needed for
DUN)

ruserd (who knows what this is for but not needed for DUN)

rwhod (not needed for DUN)

sendmail (not needed for DUN; only necessary if you run email on
a LAN)

smb (SAMBA, i.e. port 139, only needed if you are doing
file-sharing or networking with Windoze machines)

snmpd (something, something, but not needed for DUN)

ypbind (again only for LAN's but not needed for DUN's)

Basically, if you have services running and YOU DON'T KNOW WHAT
THEY ARE FOR, it's better you just turn them off rather than
leave a potential gaping security hole open.

4.  Use a proxy.  A good one is junkbuster, which has been
mentioned several times before on this board.  Check it out at
http://www.junkbuster.com or http://www.waldherr.org
Yes, there's even a Windoze version available.  Aside from
filtering out those farking ads on webpages and leading to
quicker page loads, junkbuster allows you to 1) forward your URL
requests through a separate proxy, thus concealing your true IP
address, 2) change the reported operating system and reported web
browser you are surfing from, 3) disable or manipulate referring
so that websites don't get private information such as what site
you just visited prior to visiting theirs.  You can also choose
the site that gets reported on the 'referred from:' line, i.e.
Referred From: www.farkoff.org; and 4) disable or selectively
enable cookies.

Well that's all for now.  After implementing these measures, test
them by going to http://crypto.yashy.com/nmap.php3 to see which
ports are still open (make sure to turn off your proxy or your
proxy gets scanned), or Shields-Up at http://www.grc.com.

As you can see, there are TONS of security holes in a typical
Linux distribution as it comes out of the retail box.  I guess
those distributors assumed that you as a buyer were going to
install Linux on a 'trusted' network.  Thus it's YOUR
responsibility to plug all them holes up!

But wait, we're not finished yet!  Let me tell you about
'Netscape Tricks'....

=============================================================
LINUX NETSCAPE SECURITY TRICKS

Forum:     the FreeNetCubs BBS & Chat Forum
Subject:  Netscape 'security tricks'
From:      (P_NIS)
To:        (ALL)
DateTime: 1/9/00 1:46:03 AM

The thing that makes Netscape a much more favorable browser over
Internet Exploiter/Exploder is the ability to 'secure' your
browsing, aside from the fact that it doesn't crash as much as
IE.  These 'Netscape tricks' have been garnered from others as
well as my own experience, and mainly apply to the 4.6 - 4.7
versions in Linux, but can easily be adapted to the Windoze
versions as well.

1.  Make cookies vanish into thin air.  First go to your netscape
home directory, i.e. /home/yourname/.netscape.  Do an 'ls' and
you will see a file named 'cookies'.  Delete it.  Next, create a
symbolic link called 'cookies' that is linked to /dev/null.  Run
this command at a prompt:

ln -s /dev/null cookies

Now, Netscape will ACCEPT ALL COOKIES, but they ALL GET WRITTEN
INTO OBLIVION (/dev/null).  The sites that planted cookies into
your machine will never know the difference!

(For all you Windoze users out there, the same trick can be done
by deleting cookies.txt and creating a DIRECTORY called
cookies.txt)

2.  Make your Netscape cache invisible.  Believe it or not, sites
that you visit have the capability to read your browser's cache
and gather information about all the sites you have visited.  To
disable this, quit Netscape, then go to your
/home/yourname/.netscape directory again.  Now delete the 'cache'
directory (rm -rf cache).  Next make a text file called 'cache'
in your .netscape directory.  Alternatively, you can create a
symbolic link from cache to /dev/null:

ln -s /dev/null cache

3.  Disable the 'global history' option.  Any veteran Netscape
user will know what I mean...at the URL prompt, type the
following:

about:global history

....and what you will see will make you wet your pants.  Yep,
there it is, a complete listing of EVERY site you have visited
since installing Netscape.  For all the world to see.  For all
the sites you visit to see.  This information is stored in the
file /home/yourname/.netscape/history.db

So, to get rid of it permanently, first delete the file, then
create a symbolic link to oblivion:

ln -s /dev/null history.db

4.  And finally, most importantly, use a proxy, i.e. junkbuster
(http://www.junkbuster.com).

My apologies to all you Internet Exploder users out there who
cannot apply these techniques and whose security will forever be
at the mercy of malicious websites and Active X.

Care to make the switch?

---end of document

---
FreeISPCubs BBS & Chat
http://www5.50megs.com/fnc
---
Toll-free voice/fax mailbox (USA only):
1-888-830-5746 (ext. 8275)
ICQ#: 8485235
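An added read-only audit script, not from Zeke's post or from P_NIS's document, that checks the items the document covers without changing anything: which inetd.conf entries are still uncommented, whether the kernel is currently ignoring ICMP echo (the icmp_echo_ignore_all file from item 2), and whether a Netscape data file has been pointed at /dev/null as in the 'Netscape tricks'. The sample inetd.conf it reads is constructed here, and the function names and overridable paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only audit of the
# items the document covers. Function names and the overridable paths
# are this example's own assumptions.
# Print the service names still enabled in an inetd.conf ($1): a line
# counts as active unless it is blank or starts with '#'.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Report whether the kernel currently ignores ICMP echo requests, using
# the same file the post toggles ($1 overrides the path for testing).
ping_policy() {
    f="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    if [ "$(cat "$f")" = "1" ]; then echo "ignored"; else echo "answered"; fi
}

# Classify a Netscape data file ($1) as "sinkholed" (symlink to
# /dev/null, as the post recommends), "present" or "absent".
netscape_file_state() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]; then
        echo "sinkholed"
    elif [ -e "$1" ]; then
        echo "present"
    else
        echo "absent"
    fi
}

# Constructed sample inetd.conf (not copied from any real system),
# written to a temp file so the script runs offline. Prints its path.
sample_inetd_conf() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd

finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    echo "$t"
}

conf=$(sample_inetd_conf)
echo "inetd services still enabled:"; active_inetd_services "$conf"
echo "ping: $(ping_policy)"
echo "cookies: $(netscape_file_state "${HOME:-/nonexistent}/.netscape/cookies")"
rm -f "$conf"
```

On a real box, point active_inetd_services at /etc/inetd.conf and netscape_file_state at ~/.netscape/cookies, cache and history.db; anything it reports as enabled or present is something the document says to review.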
