Basic single user security
Ahimsa
07-03-2002, 10:40 AM
Hello
I am looking for some current and accurate info to assist me in setting up appropriate security settings for my RH7.2 system.
My set up is a single user who accesses the Internet/email via dial-up. I don't run any servers, nor any other connections, etc. The material I have found thus far is geared toward more complex arrangements, networks, and other distros. I was thinking of using the firewall-config option, but it looks pretty complicated since I'm not sure what rules I should apply. I have configured my /etc/hosts.deny file to read "ALL:ALL", but beyond that I'm really not too sure how much I would need (I'm just a basic home/work user - no government secrets) and/or how to set that up and then test it if possible.
I was thinking of using the ShieldsUp program on Steve Gibson's website http://www.grc.com to test the leaks but wanted to poll some thoughts.
Thanks.
ipchains -- allows for customization of packet definitions and permissions.
ipchains howto: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html
ethereal -- best darn packet analyzing tool there is.
ethereal: http://software.linux.com/projects/ethereal/?topic=361,364,350,353,363
portsentry -- simple tcp/udp/icmp packet filtering utility.
portsentry: http://tbcnet.linux.tucows.com/conhtml/preview/51652.html
I know that RH 7.1 came with ipchains/iptables built in. Portsentry was on the RPM disk under /Applications/Internet/portsentry. Take some time to learn about defining just who/what can get to your system.
singlespeed
07-03-2002, 07:08 PM
Unfortunately firewalling is one of those things that if you're not going to do it all the way, don't bother. Doing it all the way involves some really in-depth reading and knowledge of protocols and networking. If you're just a casual home user, using dialup and not staying connected for long periods of time I wouldn't worry about it too much. Just make sure you back up all of your important data. Take a whack at the built-in firewall config app too. Couldn't hurt :D
Should you want to learn about firewalling Linux boxes, here is the latest edition of a great book that I've used in the past. It has step by step instructions and iptables scripts for firewalling your Linux box.
http://www.openna.com/products/books/securing-optimizing-linux/abstract-3rd-edition.htm
good luck!
crashdummy
07-03-2002, 07:32 PM
I believe Redhat 7.0 and on contains an automatic firewall configuration utility. It can configure a basic set-up for you based on preferences. As you are not running as a server or anything you can just tell it to restrict access to all ports and that is better than nothing. Advanced configuration through it is also very possible. I forget the command to launch it off the top of my head but it is in the shortcuts in GNOME and KDE if you run X.
Hope this helps,
Crashdummy
Ahimsa
07-04-2002, 05:08 AM
OK gang
Thanks a load for the references. Guess what I'll be doing for the next three weeks? Reading!!
Singlespeed, I take your point about not worrying too much as I am a single user connecting to the Net periodically. Certainly, I don't see much point in letting my paranoia get out of hand, but would like the reassurance of knowing that I've plugged as many holes as I know about. In Windows one didn't need to take such a personal supervision of security what with NAV and ZoneAlarm. Being pretty new to Linux, and not all that familiar with things, I just really wanted to learn my way around this strange and beautiful machine so I don't get anyone trying my machine on for luck/sport/casual entertainment.
I will try and track down that book you referenced. Thanks.
Thanks for all the reference kmar, and I'll try and track those down too.
Crashdummy, I found the configuration options in X (under Gnome and KDE), but it asks for certain rules, etc., which at this point I don't have a clue about.
Cheers folk.
;:cool:
Originally posted by Ahimsa
In Windows one didn't need to take such a personal supervision of security what with NAV and ZoneAlarm.
;:cool:
That's the beauty of it. In Windows everything is mainly stock, unconfigurable options. Those options that can be configured usually do so underneath everything, telling a user nothing. These also tend to have an issue of some sort with Windows .dll files or some other unforeseen incompatibility.
Linux, however, shows you all the parts, tools, and what is possible, making things so much more interesting to sit and learn how to make it all work instead of clicking a pretty widget and getting... *bling* *bling* "I'm a firewall!"
Allen614
07-04-2002, 10:22 AM
The basic firewall for Linux is so easy it's hard to trust because you're used to all the gewgaws that go with Windows. When you look under the hood and check the scripts, it makes Norton look like a piece of crap.
Ahimsa
07-04-2002, 11:13 AM
Allen614, Well that was something that concerned me. I used the brief GUI firewall configurator (lokkit) and it was done in less than a minute (or so). I was left wondering whether that was all there was to it, or did I make a faux pas somewhere.
Also, as I asked earlier, what about the security testing apps on www.grc.com (eg. ShieldsUp and LeakTest). Are they worth testing one's Linux firewall on?
cheers for your feedback
Ahimsa
07-04-2002, 11:18 AM
singlespeed:
About your comment on backing data up. I'm aware that at least two folders should be backed up - i.e. /etc and /home/<user> .
Are there any others that should be backed up, and also what would be the best way of doing so. I've read that creating tarballs is probably the most efficient and reliable. If so, then I'll do some research into how to write a cron script to automate the process, so if you have any advice or DO-NOT-DO warnings, my ears are wide open.
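As an added example (not from any poster in this thread), here is the tarball-plus-cron approach Ahimsa is asking about, written as a small POSIX sh script: it archives a list of directories into a dated, gzipped tarball, reads the archive back to make sure it is not truncated, and keeps only the newest few copies. The crontab line, the script path /usr/local/sbin/backup.sh, and the "backup-" file naming are all assumptions for the example.

```shell
#!/bin/sh
# Dated tarball backups of a few directories, meant to be run from cron.
# Example crontab line (assumed path), run nightly at 02:30:
#   30 2 * * * /usr/local/sbin/backup.sh
set -eu

# backup_dirs DEST DIR... : write DIR... into DEST/backup-YYYYMMDD-HHMMSS.tar.gz,
# verify the archive reads back cleanly, and print its path.
# Members are stored relative to /, so a restore is
#   tar -xzf backup-....tar.gz -C /      (or -C /some/scratch/dir to inspect first)
backup_dirs() {
    dest=$1; shift
    mkdir -p "$dest"
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    rel=""
    for d in "$@"; do
        [ -d "$d" ] || { echo "backup_dirs: $d is not a directory" >&2; return 1; }
        rel="$rel ${d#/}"          # drop the leading / ourselves
    done
    # $rel is deliberately unquoted so tar sees one argument per directory
    # (directory names containing spaces would need a different approach).
    tar -czf "$archive" -C / $rel
    tar -tzf "$archive" >/dev/null # a truncated or corrupt archive fails here
    echo "$archive"
}

# archive_has ARCHIVE PATH : succeed if PATH (relative to /) is in ARCHIVE
archive_has() {
    tar -tzf "$1" | grep -qx "$2"
}

# prune_backups DEST KEEP : delete all but the KEEP newest backups in DEST.
# Names embed the timestamp, so a reverse sort by name is newest-first.
prune_backups() {
    dest=$1; keep=$2
    ls "$dest"/backup-*.tar.gz 2>/dev/null | sort -r | tail -n +$((keep + 1)) |
    while IFS= read -r old; do
        rm -f "$old"
    done
}

# count_backups DEST : number of backup archives currently in DEST
count_backups() {
    ls "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Typical nightly run for the directories named in the thread (assumed user):
#   backup_dirs /var/backups /etc /home/ahimsa && prune_backups /var/backups 7
```

The read-back with `tar -tzf` is the part most people skip: a cron job that silently writes corrupt archives for months is worse than no backup, because you only find out when you need to restore.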
Allen614
07-04-2002, 11:46 AM
If you'd like to "look under the hood": I use Mandrake 8.1, and /var/log/security and /etc/bastille/ have all I want to know. Yours should be basically the same.
Ahimsa
07-04-2002, 03:11 PM
Originally posted by Allen614
If you'd like to "look under the hood": I use Mandrake 8.1, and /var/log/security and /etc/bastille/ have all I want to know. Yours should be basically the same.
Hmmm ... this is the kind of stuff that I wanted to learn about (damn I have a list that could last me several lifetimes!! :D ), so if you wouldn't mind throwing me a couple of heads-up tips: what am I looking for, and how would I know that these are the settings that I should have in place.
sm4vg
07-05-2002, 04:18 PM
another option would be to apply bastille, a distro-hardening utility
checkout:
http://www.bastille-linux.org/
there are a lot of good things about this
also, linuxsecurity.com has a lot of advisories and even some tutorials...
Ahimsa
07-06-2002, 04:59 PM
sm4vg
Thanks for the Bastille reference. I downloaded it and installed it, finally figured out how to get it started and promptly locked my user account out of all dial up privileges!!! :rolleyes:
On the site I can't recall any documentation besides the faq - which didn't help me much. Do you have any links to good docs?
I am both root and user on a dial up workstation. As root, I set up the dial up account and as user set up my email account. But, as I said, with the interactive setup, I locked out my user dialup privileges. I am using the RH PPP dialer and Kmail. Any suggestions what settings I should have not set to avoid this outcome? I'm using RH 7.2, fwiw.
Thanks
Allen614
07-06-2002, 05:16 PM
The script should be in /etc/bastille but you'd probably have better luck with the GUI interface. I haven't used RedHat so I don't know which one but a configuration GUI shouldn't be too hard to find.
Ahimsa
07-06-2002, 05:35 PM
Hmmmm ... that was what I was curious about. You see, I went through the GUI and made the changes according to the recommended default, in some instances, and as I figured my setup required on other options. But nowhere did I remember setting anything that referred to 'do not allow users to dial out to get email'. :confused: :)
Therein lies the rub, 'cos I was able to undo the actions, but I don't know how to correct the (obvious!!) mistake, 'cos I can't figure out where I made the mistake, nor can I find any helpful docs on the subject.
singlespeed
07-08-2002, 08:13 AM
Ahimsa,
Firewall rules are simple. For a given protocol (like tcp) on a given port (like 25 for smtp) in a given direction (into your computer from the outside or out of your computer from the inside) allow all, or allow only from IP address x.x.x.x or only from domain foo.com. The problem is, even though the rules are simple, firewalling isn't because of the number of ports and protocols involved. The best way is to deny everything and then turn on only those rules you need. How do you know which rules you need?? That's the question and that's why you need to learn about the TCP/IP protocols. Off the top of my head...
SMTP: port 25
POP3: port 110
HTTP: port 80 (usually)
telnet: port 23
ftp: port 21 (usually)
Of course all of these are subject to change but in most settings they are the same.
Usually there are two rules for each port and protocol, one for in and one for out. In your situation it's probably safe to let everything out (although this isn't the case for servers or systems on dedicated links to the internet).
The book I suggested does a really good job of explaining all of this and gives you great IPTABLES example scripts that allow you to see how things should be set up correctly. Also once you have a basic understanding of the rules, reading through the scripts shows you how they're applied in real life.
I would HIGHLY suggest starting your education with that book.
good luck!
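To make the "deny everything, then open only what you need, let everything out" policy concrete, here is an added example (mine, not singlespeed's and not from the book he recommends): a POSIX sh function that emits an iptables ruleset in iptables-restore format for a single dial-up host. The interface name ppp0, the "FW-DROP: " log prefix and the helper names are assumptions; the rule syntax itself is standard iptables.

```shell
#!/bin/sh
# Generate a default-deny iptables ruleset (iptables-restore format) for a
# single dial-up host: drop everything inbound except replies to connections
# the host itself opened, allow all outbound, and log what gets dropped.
set -eu

# gen_rules IFACE [PROTO:PORT ...]
# IFACE is the Internet-facing interface (ppp0 for a dial-up link).
# Each optional PROTO:PORT (e.g. tcp:22) opens one inbound service; a
# workstation that runs no servers passes none.
gen_rules() {
    iface=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # deny everything inbound by default
    echo ':FORWARD DROP [0:0]'     # a single host never routes for others
    echo ':OUTPUT ACCEPT [0:0]'    # let everything out
    echo '-A INPUT -i lo -j ACCEPT'
    # Packets belonging to sessions this machine started (web pages, mail
    # downloads, DNS replies) are let back in; everything else still drops.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for svc in "$@"; do
        proto=${svc%%:*}; port=${svc#*:}
        case $proto in
            tcp|udp) ;;   # --dport only makes sense for these two
            *) echo "gen_rules: unsupported protocol '$proto'" >&2; return 1 ;;
        esac
        echo "-A INPUT -i $iface -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) before the policy drops, so /var/log/messages shows
    # who knocked without a scan flooding the log.
    echo "-A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
    echo 'COMMIT'
}

# count_open_ports RULES : how many inbound service rules a generated ruleset has
count_open_ports() {
    printf '%s\n' "$1" | grep -c -- '--state NEW -j ACCEPT' || true
}

# Print the ruleset for a dial-up workstation with no services at all.
gen_rules ppp0
```

Loading it is a root-only step (`gen_rules ppp0 | iptables-restore`), so the script only prints the rules; that also makes the ruleset easy to read through line by line, which is exactly the "read the scripts" habit singlespeed describes. The `-m limit` on the LOG rule is there because a port scan against a default-deny host would otherwise write one log line per probe.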
Ahimsa
07-08-2002, 09:22 AM
singlespeed/Jeff
I note the reference with thanks, although when I checked it the first time two things concerned me: 1. money :( and 2. the audience is described as "technical" - how technical is technical?
Certainly the TOC looks pretty comprehensive and it has a decent number of pages to treat the topics in depth, so it looks like it would be worth the investment if it is not too technical.
Thanks also for the info about the ports. I've saved your post and will look at it in more detail in conjunction with a HOWTO I've just discovered.
Just a last query, if you don't mind, what would you recommend as a decent primer on what I am to be looking out for when monitoring my /var/log/messages, and what other logs would be wise to monitor?
Once again, thanks for all your help:).
singlespeed
07-08-2002, 10:21 AM
Hmm. Well when I bought the book I knew what firewalling was and why I needed it but had NO idea how to do it and only basic TCP/IP protocol knowledge. The book is a very good starting point. It is technical but so is the subject matter. What helps big time is that the author has put the scripts in the book for you so that you can actually see in practice what they talk about in theory. This goes a long way to helping the newbie understand. The book is worth every penny and you'll learn so much more than just firewalling.
I would recommend this book as the starting point. From there you'll find other topics that you'll need to do further reading on but I find that's the same with anything in the IT world.
As for understanding the log files, again, understand what a firewall is and how it works and suddenly the logs will start to make sense. At least that's how it worked for me. Other than that, just read your log files every day to get used to what is "normal" that way when there is something weird you'll know it's out of place right away.
In addition, certain attacks have known behaviors and leave known "footprints" in your log files. When you see a weird entry, do a google search on it to see if it's a known attack signature. Some of the most common come from viruses and trojans that infect mail servers. You'll no doubt see them knocking at your front door sooner or later.
Learning about IT security and firewalling is kind of like looking at your lawn. From where you stand now it just looks like a nice quiet, friendly green patch of grass. Now take a magnifying glass and take a close look at that lawn and you'll start to see all that is going on under the blades of grass. All the bugs and dirt and worms crawling around.
Learning IT security is like looking at the grass with a magnifying glass. It can be scary but it can also be very fascinating.
good luck (again) ;)
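Singlespeed's advice to read the logs daily and learn what "normal" looks like is easier with a little help, so here is an added example (not from the thread) that summarises firewall drop lines from /var/log/messages per source address. It assumes the DROP rule logs with a "FW-DROP: " prefix (an assumption); the IN=/SRC=/PROTO=/DPT= fields are the standard iptables LOG format, and the sample log lines are constructed, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Summarise iptables LOG lines from /var/log/messages per source address.
# Assumes the DROP rule logs with prefix "FW-DROP: " (an assumption); the
# IN=/SRC=/DST=/PROTO=/DPT= fields are the standard iptables LOG format.
set -eu

# summarize_drops LOGFILE THRESHOLD
# Prints "SRC HITS DISTINCT_PORTS", one line per source that was dropped at
# least THRESHOLD times, busiest first. One source touching many ports in a
# burst is the classic scan footprint; one source hammering port 25 is more
# likely a mail worm looking for a relay. Either way, it is noise the
# default-deny policy already handled; this just makes it visible.
summarize_drops() {
    logfile=$1; threshold=${2:-5}
    awk -v thr="$threshold" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            # ICMP has no port; it is counted as a single "" port per source
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in hits)
                if (hits[s] >= thr) printf "%s %d %d\n", s, hits[s], ports[s]
        }' "$logfile" | sort -k2,2nr -k1,1
}

# count_drops LOGFILE : total number of logged drops (0 if none)
count_drops() {
    grep -c 'FW-DROP:' "$1" || true
}

# write_sample_log FILE : constructed sample lines for a demo run
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts)
write_sample_log() {
    cat > "$1" <<'EOF'
Jul  8 10:21:03 rh72 kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4321 DF PROTO=TCP SPT=1025 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 10:21:03 rh72 kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4322 DF PROTO=TCP SPT=1026 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 10:21:04 rh72 kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4323 DF PROTO=TCP SPT=1027 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 10:21:09 rh72 kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4324 DF PROTO=TCP SPT=1028 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 10:40:17 rh72 kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=TCP SPT=38122 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 10:41:00 rh72 pppd[812]: local  IP address 198.51.100.5
EOF
}

# Demo on the constructed sample; on a real box you would point it at
# /var/log/messages instead, e.g.  summarize_drops /var/log/messages 10
main() {
    f=$(mktemp)
    write_sample_log "$f"
    echo "total drops: $(count_drops "$f")"
    summarize_drops "$f" 3
    rm -f "$f"
}
main
```

On the sample, the summary reduces four raw kernel lines to one `192.0.2.10 4 3` line: one source, four drops, three different ports in six seconds. That compression is the point when you are reading the log every day by hand: the pppd line and the lone port-25 knock stay in the file for later, but the thing worth a second look floats to the top.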
Ahimsa
07-09-2002, 03:27 AM
singlespeed
Well, I will certainly take heed of your recommendation for the book (you wouldn't be on their payroll, would you??:D), and will endeavour to track it down (that can be a little difficult in South Africa), because it does sound like a mine of info, and I don't mind technical as long as it doesn't require an MSc in comp science right off the bat.
I appreciated your analogy about the lawn and the magnifying glass. That made a lot of good sense. I started going through my /var/log/messages and /messages1 yesterday, and was able to pick up some system error messages, but a lot of the stuff is gobbledygook right now, but I presume with sufficient exposure and familiarity that I should begin to notice repetitious patterns.
I have noted your recommendation about doing the Google search if there is anything that seems amiss.
Thanks a lot Jeff :)
singlespeed
07-09-2002, 07:56 AM
Not a problem. :D
Just FYI, I believe if you order the book online from the OpenNA site, as soon as you confirm your order you get an email with a code that will let you download a .pdf version of the book. That was how it was with the version I bought. So I had the info right away and then the actual book arrived about a week later. I am in the US though.
Enjoy! :)
ps. No, I'm not on the payroll!!! LOL :p