AA1 Security

Discussion in 'Acer Aspire One' started by rumpelstiltskin, Oct 23, 2008.

  1. rumpelstiltskin

    Joined:
    Oct 23, 2008
    Messages:
    3
    Likes Received:
    0
    hello, a newbie to the forum and linux saying hi...

    I am newbie to linux, but not to computing, I figured out how to get into advanced mode within about 20mins of powering the AA1 on this afternoon.

    Having figured out how to download Firestarter and install it, and run the software updates, I thought: this is easy(ish).

    Then I found out that Linpus doesn't support iptables :eek:

    So after looking about for a while, and discovering this nice forum, I read the posts on the same subject, and I see that there are only a couple of open ports (X11 ? on 6000) etc.

    Having a significant amount of Windows experience, and running ZoneAlarm, with Comodo AV and HIPS, and SpyBot Resident - I was a little concerned that I might be exposed to some vulnerabilities (I work in IT Security).

    Now I know that the way Linux (or even UNIX) is designed means that it's not like Windows (full of holes) - but I wondered, should I have at least something security-wise installed?

    I primarily went Linux as I was concerned about Internet banking on Windows - I was going to install Mandriva ONE onto a laptop as a read only OS for Internet Banking, but I found the Acer Aspire ONE (so thought I'll have one of those!).

    My Linpus device is going to sit behind a Cisco 5505 ASA Firewall, with a limited rulebase - but the personal firewall was more for when I am wirelessly connected.

    So, rambling over... my question is, do I need to install any other software to take care of security on the Linpus Lite distro? Or, as it appears I am not vulnerable and I won't be clicking any dodgy links, do I need to worry at all?

    thanks for listening
     
    rumpelstiltskin, Oct 23, 2008
    #1
  2. donec

    Joined:
    Sep 11, 2008
    Messages:
    952
    Likes Received:
    0
    Sorry, I can't help with Linpus as I switched to Onelinux, but I would say that if you are going to be using internet cafes or other public wireless connections, you should have some kind of firewall like guarddog or some other.
     
    donec, Oct 24, 2008
    #2
  3. rbil

    Joined:
    Aug 14, 2008
    Messages:
    730
    Likes Received:
    0
    Location:
    The Wet Coast, Canada
    Please give us some details on why you say this. Just what kind of security attack do you envision and how would it be accomplished?

    Thanks.

    Cheers.
     
    rbil, Oct 24, 2008
    #3
  4. donec

    Joined:
    Sep 11, 2008
    Messages:
    952
    Likes Received:
    0
    Sorry, I can't give such details, as I am not a cracker and so have no idea how it could be done or what could be done. With that said, my reasoning follows from lack of knowledge, respect for the abilities of those wanting to crack my system, and some plain paranoia over having to clean up the mess and/or my personal info.
     
    donec, Oct 24, 2008
    #4
  5. scottro

    Joined:
    Aug 31, 2008
    Messages:
    347
    Likes Received:
    0
    Nothing is bulletproof. That being said, Linux is generally going to be safer than Windows, in part by design and in part because more crackers are going to aim for the Windows machines.

    So, a firewall of some sort shouldn't hurt. Coming from the BSDs, using OpenBSD's pf program, I find iptables syntax to be obscure--that has a lot to do with what one is used to, as some long-time Linux users have told me that for them, it's just the opposite.

    I would think that you can install iptables with yum on Linpus, but that's untested. As time goes on, and I no longer have a Linpus machine, I don't feel that qualified to comment on it.

    Banking is going to be done through https (hopefully), and that should be encrypted. Whether that can be easily cracked or not, I honestly don't know, and once it's going out of your machine, I'm not sure how much good a firewall will do you. Personally, I feel you're better off being too paranoid rather than not paranoid enough, but that's just me.

    That being said, going back to the original poster, you're probably alright behind your firewall, but you also probably know more about security than I do as you said that it's your specialty. Linpus isn't running too many daemons (services in Windows) by default, so that's a good thing. For example, I don't believe the default installation even has sshd installed. (BTW, one way to stop a lot of port scans and attacks is to simply change the ssh port from 22 to something else. It's security by obscurity, but it's one less thing to worry about.)
     
    scottro, Oct 24, 2008
    #5
  6. rbil

    Joined:
    Aug 14, 2008
    Messages:
    730
    Likes Received:
    0
    Location:
    The Wet Coast, Canada
    As far as I can tell, kernel 2.6.23.9lw doesn't even have netfilter compiled in the kernel. Therefore this whole discussion of using iptables won't work. I certainly wouldn't be worried about security on a public wireless system when it comes to online banking, as all that traffic should be going out encrypted. One concern, always with wireless, is making regular pop3 connections, as that goes out plain text, along with your username/password. It is a very simple task to sniff out that stuff and a firewall won't do anything to secure that.

    By default all ports are closed on a Linux box until you start a server that requires a specific port be open. At this point you'll want to concern yourself with it. Services like sshd will use a tcpwrapper, so you should define things in hosts.allow and hosts.deny, along with always using a STRONG password that would be more immune from dictionary attacks.

    If you're running Windows, on the other hand, you have to be concerned. With over 30,000 pieces of malware focused on compromising Windows boxes, it's open season and you should be stacking condoms on top of condoms to try and protect it. Comparing the stuff in the wild there to attack Windows boxes with the none for Linux boxes allows Microsoft to spread its FUD that "not enough people use Linux to make it worthwhile for 'hackers' to bother with Linux". Why do I call it FUD? Because the Internet runs on Linux. If hackers want easy-to-find and available targets, there is no shortage of Linux boxes out there containing some pretty important information. :) How often do you hear of successful compromises of these boxes? Usually, only if the administrators haven't kept their systems patched, and those are few and far between.

    We're using a netbook, for goodness' sake - not running open servers. If you're going to be using your AAO as a server, then you need to learn about security. However, Acer's idea of an O/S doesn't really lend itself to the security required to use them as servers, simply because this isn't what a mobile device like this is typically used for. :)

    Linux's prime idea about securing the OS is to separate the kernelspace from the userspace, hence the need to be root to get at anything outside of your userspace. Windows, on the other hand, doesn't have any such restrictions, at least not until Vista came around and is trying to implement such policies. With Windows, any application could write anything it wanted to the Windows registry. Since most of the applications for Windows are closed source, there is no way to know just what a particular application is doing. That's why it is so simple for a piece of malware to run rampant over the kernelspace of a Windows box. Try, as a user, installing an application in Linux outside your userspace and you'll see that you cannot do it. To install a virus or trojan on a Linux box you'd have to purposely make the effort to do so. Because all open source applications are peer reviewed continuously, since the source code is there to see, the likelihood of installing malicious code is greatly reduced.

    The suggestion I'd make if you've got something like sshd running on your box at all times, is to secure it with hosts.* and maybe even stop the service entirely when you're out and about using public APs. Turn it on again when you're on your own LAN behind your NAT router and hardwired to that LAN if there's a possibility that others can connect to your wireless network.

    Cheers.
     
    rbil, Oct 24, 2008
    #6
  7. donec

    Joined:
    Sep 11, 2008
    Messages:
    952
    Likes Received:
    0
    From your suggestion I started researching sshd, and what I found is way over my head. I am using Onelinux, but since it is a dead version I am considering alternatives. The point is, as far as sshd goes, is the protection it provides transparent? Does it require the CLI? How easy is it to start and stop? Any assistance would be appreciated.
     
    donec, Oct 24, 2008
    #7
  8. rbil

    Joined:
    Aug 14, 2008
    Messages:
    730
    Likes Received:
    0
    Location:
    The Wet Coast, Canada
    With OneLinux which is Ubuntu based, you'd start and stop sshd by:

    sudo /etc/init.d/sshd start OR stop OR restart

    As to hosts.allow and hosts.deny, you'll find them in /etc and using a text editor you'd set them up appropriate to what you want to do.

    An example of hosts.allow (allowing ONLY 192.168.1.xxx to be able to ssh into that server); of course, replace xxx as appropriate to your situation ...

    #
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    portmap: 192.168.1.xxx
    lockd: 192.168.1.xxx
    rquotad: 192.168.1.xxx
    mountd: 192.168.1.xxx
    statd: 192.168.1.xxx
    sshd: 192.168.1.xxx

    An example of hosts.deny ...

    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow. In particular
    # you should know that NFS uses portmap!

    portmap: ALL
    sshd: ALL

    NOTE: these examples may require some tweaking on your system, as I'm simply quoting what I use on a different Linux distro/server than an Ubuntu one. Works for me. Note I also have nfsd running on that box. A quick Google search should tell you all you need to know.

    Cheers.
     
    rbil, Oct 24, 2008
    #8
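To see why rbil's pair of files locks sshd down to a single host, here is an added Python model of the tcpd decision order (example code, not from the thread or from tcp_wrappers itself): hosts.allow is consulted first, then hosts.deny, and a client matched by neither is let in. The sample files are constructed, 192.168.1.50 is a made-up home-LAN address, and the matcher also covers the dotted-prefix and net/mask client forms that tcpd accepts, which the thread's example does not use.

```python
import ipaddress

# Constructed sample files (added here, not from the thread) modelled on the
# hosts.allow / hosts.deny rbil posted, with "xxx" replaced by a made-up host.
HOSTS_ALLOW = """\
# allow ONLY one home-LAN host to reach sshd and portmap
portmap: 192.168.1.50
sshd: 192.168.1.50
"""
HOSTS_DENY = """\
portmap: ALL
sshd: ALL
"""

def parse_rules(text):
    """Return [(daemon_set, client_patterns)]; comments, blank lines and the optional command field are dropped."""
    rules = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue
        daemons = {d.strip() for d in fields[0].split(",")}
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, addr):
    """IPv4 subset of tcpd client patterns: ALL, a dotted prefix ending in '.', net/mask, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == pattern

def rule_matches(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and one of its client patterns matches addr."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules)

def tcpd_decision(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd evaluation order: hosts.allow first, then hosts.deny; no match in either grants access."""
    if rule_matches(parse_rules(allow_text), daemon, addr):
        return "allow"
    if rule_matches(parse_rules(deny_text), daemon, addr):
        return "deny"
    return "allow"
```

Passing an empty string as deny_text shows the point rbil's "sshd: ALL" line makes: without it, the hosts.allow entry restricts nothing.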
  9. donec

    Joined:
    Sep 11, 2008
    Messages:
    952
    Likes Received:
    0
    Thanks Rbil.
     
    donec, Oct 24, 2008
    #9
  10. scottro

    Joined:
    Aug 31, 2008
    Messages:
    347
    Likes Received:
    0
    If I'm not mistaken, I don't think Linpus even includes ssh server or client in the installation. You'll have to do it with yum.

    sudo yum -y install openssh openssh-clients openssh-server   # openssh-server is the package that provides sshd

    (I believe this to be the case, it may have changed since I used Linpus. Easy enough to check, if there's no sshd in /etc/init.d/, then it's probably not installed.)
     
    scottro, Oct 24, 2008
    #10
  11. rbil

    Joined:
    Aug 14, 2008
    Messages:
    730
    Likes Received:
    0
    Location:
    The Wet Coast, Canada
    The client is installed out of the box, but the server is not.

    Cheers.
     
    rbil, Oct 24, 2008
    #11
  12. rumpelstiltskin

    Joined:
    Oct 23, 2008
    Messages:
    3
    Likes Received:
    0
    The bit in bold above is the information I was looking for.

    The thread was hijacked somewhat, and I bought the netbook as I am sick of Windows vulnerabilities etc.

    I don't intend using the machine for anything other than browsing, watching films and maybe the odd document - it will sit behind an appliance firewall anyway. It's an end computing device, not a server etc.

    cheers
     
    rumpelstiltskin, Oct 27, 2008
    #12