On Tue, 26 Aug 2003, der.hans wrote:

> > I know that the subject of computer security spawns careers and books
> > and research -- if the only advice is something hardcore like "hire a
> > security expert to monitor your system 24/7 and do periodic audits" then
> > it's not going to happen. I'm just looking for practical advice as to
> > what a single Linux workstation hooked to the internet (via cox) ought
> > to do. (Yes I do have Apache running on 8080) (please don't hack me! --
> > that's not a very effective defense)
>
> To find out which services you have running try the following command:
>
> netstat -an | grep LISTEN | less

And if you can't figure out what's spawning them, try:

lsof | grep LISTEN

Some default distro configs leave all kinds of toys running from inetd or
xinetd. You'll find the man pages or appropriate contents of /usr/share/doc
invaluable for details on these utilities.

Something to keep in mind when you're working on securing your boxes/network:
The safecracking industry operates under the premise that every safe can be
cracked, given time and proper tools. Safes are generally rated this way. One
safe might be rated at 30 minutes with a cutting torch, another could be 4
hours with a milling machine.

Taking into account creative attacks the creators haven't thought of, modern
security systems are designed against two factors: how long it could
conceivably take an attacker to penetrate your defenses, and how quickly you
can detect the attack and scramble a response. It's not just a matter of
hardening your machines, but also keeping an eye on them. That's where IDS
and firewalls come into play. What you decide to deploy ultimately rests on
how important your data is to you, and how easily you can replace it if it's
destroyed.

Firewalls are a 90/10/0 kinda tool. Most firewalls stop 90% of attackers,
can't stop 10% of skilled attackers, and matter for 0% if they aren't
monitored.

For a single Linux machine on a cable modem, der.hans' suggestion above is an
excellent start to streamlining your machine. If you start adding local
machines to your network, like a Windows box that talks to the Linux box via
SMB, you really should start thinking about some form of firewall to protect
both/all of them.

- billn
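Added example (not from billn's or der.hans' mail, and not output from any real host): a small POSIX shell script that takes netstat output of the kind the quoted command produces and separates the sockets that matter for a box on a cable modem (bound to 0.0.0.0 or ::) from the ones that only listen on loopback. The SAMPLE_NETSTAT text is constructed for the example. It goes slightly beyond the mail in one respect: it also reports UDP sockets, which `grep LISTEN` never shows because UDP sockets carry no LISTEN state in netstat's output. With LIVE=1 it runs the real `netstat -tulnp` (or `ss -tulnp`), whose process column, as root, answers the "what's spawning them" question the mail uses lsof for.

```shell
#!/bin/sh
# Added example, not part of the original mail. SAMPLE_NETSTAT is constructed
# test data in the layout of `netstat -an` on Linux; it is not from a real host.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:49152      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# listening_sockets NETSTAT_TEXT
# Prints "proto local_address" for every socket that accepts input from the
# network: TCP (and tcp6) sockets in LISTEN state plus every UDP socket.
# UDP has no LISTEN state, so `grep LISTEN` on its own never lists it.
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }
        $1 ~ /^udp/                    { print $1, $4 }'
}

# external_listeners NETSTAT_TEXT
# Keeps only listeners bound to a wildcard address (0.0.0.0:port or :::port),
# i.e. the ones reachable from the cable modem side rather than loopback only.
external_listeners() {
    listening_sockets "$1" | awk '$2 ~ /^(0\.0\.0\.0|::):[0-9]+$/ { print $1, $2 }'
}

# With LIVE=1 show the real socket table. netstat's -p column (or ss -p) names
# the owning PID/program for sockets you are allowed to see; run it as root
# to see all of them.
if [ "${LIVE:-0}" = 1 ]; then
    if command -v netstat >/dev/null 2>&1; then
        netstat -tulnp 2>/dev/null
    elif command -v ss >/dev/null 2>&1; then
        ss -tulnp
    else
        echo "neither netstat nor ss found" >&2
    fi
else
    echo "External listeners in the constructed sample:"
    external_listeners "$SAMPLE_NETSTAT"
fi
```

Run it as `sh listeners.sh` to see the sample parsed, or `LIVE=1 sh listeners.sh` on the box itself. Anything that shows up as an external listener and that you did not knowingly install (the portmapper on 111 in the sample is the classic inetd/xinetd-era leftover) is a candidate for turning off before you think about firewall rules.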