Security / Advise needed - lsat ?

aCOSwt · Posted: Wed Mar 23, 2011 1:40 pm Post subject: Security / Advise needed - lsat ?

Hello,

Being said that I am neither clever nor paranoid in terms of computer security.

I force myself to very basic procedures that are rather heavy and that I would like to know if they are pertinent or just a pure waste of time.
In particular :

- After first install, I ran lsat to compute its md5 checksum
- Before any backup / emerge, I recompute the checksum and compare it with the last one.
- After any emerge, I recompute the checksum.

I have been systematically doing this for more than one year now under my gentoo (without anay alert) and really wonder what security gurus think.
(Previously I was using tcpdump to investigate firewalls logs but found this... hmmm... horrible ! :evil:

)

mikegpitt · Advocate Joined: 22 May 2004 Posts: 3224

I guess one problem with this approach (besides being time consuming) is that it doesn't protect against a system intrusion, but only tells you if one happened... and if one happens you will only know it did happen, not what happened.

A better approach would be to run tools like snort and chkrootkit to monitor what is happening on the machine... although if the attack is sophisticated and targeted at you (unlikely) they could modify your logs. Most attacks, however, are automated and unsophisticated.

My best advice is to make sure you don't have a bunch of remote ports open on your machine, or firewall them off with shorewall. Don't run ssh on a default port, and/or make sure your user accounts have strong passwords... or better yet make remote services only available via openvpn (if possible in your situation). ...and as long as you aren't downloading and executing scripts from the web browser, you should be quite safe.

mr.sande · Posted: Wed Mar 23, 2011 9:24 pm Post subject:

If you want to check other system hardening / audit tools I recommend lynis and yasat (which is a "fork" of lynis). yasat can give a lot of information about your configuration, almost too much at times, but I find a valuable tool for system hardening and config checking.

aCOSwt · Posted: Wed Mar 23, 2011 10:00 pm Post subject:

mikegpitt · Advocate Joined: 22 May 2004 Posts: 3224

Ok, lot's of points to cover

Running md5sums on your backups is a decent idea, and will ensure their integrity, if not from tampering but also damage.

Snort is an IDS, so it doesn't prevent but it will monitor any odd behavior. You might get a bunch of false positives, so it will require tweaking. There might be snort modules that react to certain warnings, but I'm not 100% sure.

Shorewall is just a front end for iptables, so no worries there. I just happen to like it.

It should be pretty easy to see if you are using port 22 for ssh... just ssh to your machine and if you don't select a different port number then it's using 22. A lot of automated attacks try to brute force ssh logins on port 22 so it's a good idea to firewall it off or move the port. Of course if you are usually behind your home router and it doesn't leave any ports open to the outside world then you should be ok there.

If you are usually behind a home router then you might want to run nmap on your external ip address to see what ports might be open.

As for strong passwords, I would suggest a minimum of 8 chars, mixing uppercase, lowercase, and numbers... you can use symbols if you are extra paranoid. This would only be really necessary if you have remote logins allowed (such as with ssh).

As for the "scripts" I was referring to... I meant if you download executables (or a bash script) and run it without regard for what it does. That is a bad idea :wink:

...but most gentoo users would be savvy enough to not do that!

BTW - one other thing you might want to look into is tripwire. Tripwire will monitor your filesystem for changes and lock things down if something occurs.

aCOSwt · Posted: Thu Mar 24, 2011 11:44 am Post subject: