[NTLUG:Discuss] Weird Messages
A.L.
al at 9b.com
Wed Jan 3 10:24:06 CST 2001
> boot again. I've updated every piece of software installed to the
> latest stable version, I've shut down most all services, the only
> non-essential daemon running is sendmail. I can telnet, and ftp as a
> user, but nothing anonymous. I'm running PortSentry which gives me a
> false sense of security cause it only blocks the scanners, it's not
> helping me now that they know where I'm at.
>
> I need help with Bastille... what options work well? I need input as
> to other utilities that are known to help, like monitoring the file
> system for any changes, how can I set up servers to only allow certain
> services like http to be widely accessible, but shut everything else
> down to just a couple IPs that can access them? and anything else
> really....
>
> I fancy myself a fairly decent Unix admin, 13 year HP-UX admin by
> profession and 6 year Linux admin by religion. So you'd be hard
> pressed to talk over my head.
>
> Even though I ask for input for my own benefit, I think an extended
> thread on this subject would benefit the group as a whole.
Well, to start with, unless Bastille has gotten night and day
better since last time I gave it a shot, it doesn't work very well at all
(and based on your description, it still doesn't). In my experience,
there is no good substitute for knowing your box inside and out, and
securing it by hand.
Since you mention Bastille, I assume you're talking about RedHat's
brand of Linux here. Here's a little bit of insight into how I setup a
RedHat box for use on the public Internet (although the entire thing would
be a book which I don't have time to write). Also, keep in mind, there's
more than one way to harden a box; these just happen to be some of my own
choices when faced with the job of locking down security on a RedHat Linux
machine.
Step number one. Go to www.immunix.org, and at the least grab
yourself a copy of the StackGuard compiler. I personally start with
ImmunixOS 6.2 (which is really RedHat 6.2 with the whole thing compiled
with StackGuard), but you can still get a reasonably hard box by just
using the stackguard compiler in steps below.
Step two. Every last daemon that shipped with RedHat that speaks
to the IP stack that you intend to use. Rip it out. Replace it with
something different if possible. Compile the replacements yourself.
Use Qmail for any mail services, compile your own Apache with as few
options as you can get away with (and read their security notes on how to
setup your httpd.conf properly), use xinetd with restrictions instead of
inetd, use syslog-ng instead of the sysklogd package, etc, etc, etc. If
you've got questions about a specific type of application you need a
replacement for, drop me an e-mail, and I'll tell you what's a good one
for the service in question. Long story short, make your box as little
like the default RedHat as possible as far as its footprint on the net.
This provides not only the better security (hopefully) of the applications
you replace the default ones with, but will also provide you a layer of
"security through obscurity", which while generally considered rather
useless, will still keep the script kiddies running the latest factory
stock RedHat exploits out of your box.
Step number 3. Do NOT use Telnet and FTP under any circumstances.
Use OpenSSH for remote logins and user based file transfers (i.e., users on
your box that need to upload/download things). For anonymous file
transfers, use the Webserver, it will accomplish exactly the same feat as
anonymous FTP (allow un-authenticated users to download files), and will
save you a world of security risks when the next ftpd hack of the month
comes along.
If you can, setup a dedicated loghost somewhere. I mean a box
that doesn't do anything but receive syslog messages from the rest of the
hosts on the network. A little $50 P75 blowout special from First
Saturday with a big hard drive (around $200 these days) will suffice for
this, so no great financial outlay should be needed. When you get done
setting this box up, you should be able to run "lsof -i" and see exactly 2
things; the syslog-ng daemon listening for connections on port 514, and if
you need remote access, sshd on port 22. (speaking of which, the "lsof"
command is immeasurably handy to find out what programs are doing what on
your box). Then set up every box you have to send its log messages to
the loghost in total.
Now, setup something like psionic's Logcheck program to run on the
loghost. If you can plug the loghost in to your gateway router (or
anywhere else along the line where it can "see" all the traffic on your
network going to<->from the outside net), you might also want to run a
copy of snort on it. Keep in mind that having accurate remote logs, and a
good IDS running won't keep anyone out. It'll just (hopefully) let you
know how they got in in case of a compromise.
Ok, so now I've rambled a lot, and I haven't explained the
reasoning behind everything, and I've left some stuff out, but it's the
best I can do at the moment, and I've got to get to work. Hopefully
you'll find this of some use. Cheers!
--A.L.Lambert
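An added check for the loghost step above (example code written for this edit, not part of A.L.'s post): it reads the output of `lsof -i -P -n` and flags any listening socket that is not on an allowlist, so "exactly 2 things" becomes a test you can run from cron rather than something you eyeball. The lsof output below is a constructed sample, not a capture from a real host; the process names syslog-ng and sshd and the ports 514 and 22 are taken from the post, and the `-P -n` flags (numeric ports and addresses) are assumed so the parsing is stable.

```shell
#!/bin/sh
# Added example, not from the original post: audit the listening sockets that
# `lsof -i -P -n` reports against an allowlist of expected "command:port"
# entries. `-P -n` keep ports and addresses numeric so the parsing below is
# stable (assumed invocation; the post only says "lsof -i").

# Expected listeners on the loghost described in the post: syslog-ng on
# UDP 514 and sshd on TCP 22. The process names are assumptions.
LOGHOST_ALLOW='syslog-ng:514
sshd:22'

# Constructed sample of `lsof -i -P -n` output (not captured from a real
# host). sendmail and in.telnetd are the sort of leftovers the audit is
# meant to catch; the ESTABLISHED lines are connections, not listeners.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng   312 root    4u  IPv4   1234      0t0  UDP *:514
sshd        401 root    3u  IPv4   1300      0t0  TCP *:22 (LISTEN)
sendmail    450 root    4u  IPv4   1402      0t0  TCP *:25 (LISTEN)
in.telnetd  512 root    0u  IPv4   1500      0t0  TCP 10.0.0.5:23->10.0.0.9:1043 (ESTABLISHED)
sshd        600 root    4u  IPv4   1601      0t0  TCP 10.0.0.5:22->10.0.0.9:1044 (ESTABLISHED)'

# Constructed sample of a clean loghost, for comparison.
CLEAN_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng   312 root    4u  IPv4   1234      0t0  UDP *:514
sshd        401 root    3u  IPv4   1300      0t0  TCP *:22 (LISTEN)'

# listeners: read lsof output on stdin and print one "command:port" line per
# listening socket. TCP sockets count only when lsof marks them (LISTEN);
# UDP sockets count whenever they are bound to a local port. Anything with
# "->" in the NAME column is a connected socket and is skipped. Splitting on
# ":" and taking the last field also handles IPv6 names such as [::]:22.
listeners() {
    awk 'NR > 1 && $9 !~ /->/ {
        if ($8 == "TCP" && $10 != "(LISTEN)") next
        n = split($9, parts, ":")
        print $1 ":" parts[n]
    }' | sort -u
}

# audit_listeners ALLOWLIST: compare the listeners read on stdin with the
# allowlist (one "command:port" per line). Prints each unexpected listener
# and returns 1 if any were found, 0 if the box looks as it should.
audit_listeners() {
    allow=$1
    found=0
    for entry in $(listeners); do
        if ! printf '%s\n' "$allow" | grep -qxF "$entry"; then
            echo "UNEXPECTED listener: $entry"
            found=1
        fi
    done
    return $found
}

# Wrappers so the two constructed samples can be checked by name.
audit_sample()       { printf '%s\n' "$SAMPLE_LSOF" | audit_listeners "$LOGHOST_ALLOW"; }
audit_clean_sample() { printf '%s\n' "$CLEAN_LSOF"  | audit_listeners "$LOGHOST_ALLOW"; }

# On a real host: lsof -i -P -n | audit_listeners "$LOGHOST_ALLOW"
if [ "${1:-}" = "--demo" ]; then
    audit_sample
fi
```

Run it with `--demo` to see the sample audit report the stray sendmail listener; the clean sample produces no output and a zero exit status. The same allowlist idea works for the web box (httpd on 80 plus sshd on 22): anything else that shows up is either a daemon you forgot to rip out in step two or something that was not there when you finished hardening, which is exactly when you want Logcheck to mail you.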