Linux Security For Morons

Author: Goliath
Submitted: 15-Mar-2003 22:23:20
Imported From: zZine (original author: Goliath)


It's common knowledge that Linux has security far superior to that of a Windows system.
There are myriads of websites out there that describe how to implement security on your own. There are many "written for near-expert" tutorials that give a comprehensive overview of all things security. And there are various programs and utilities that each perform a single function. But hey, you're new to Linux. Learning to type "ls" instead of "dir" was a tough transition for you, and you're probably not used to doing much work in text interfaces either. It's time you got a break.

Many Linux gurus may shun what I'm about to say, but if you can't do all of the security through obscure shell commands, you shouldn't have to spend 40 hours a week for a year trying before you get good security settings. There is definitely something to be said for how much you will learn through trying, but that's no reason to leave your system open to attack until you do.

Enter Bastille Linux. First, understand that Bastille Linux is NOT a distribution of Linux. You can't download it and install it to get Linux. It's a program for Linux. Bastille Linux is a simple program from www.bastille-linux.org that takes you step by step through your system's security settings and allows you to configure nearly every security feature on your system. Bastille currently supports Red Hat, Debian, Mandrake, and HP-UX systems (with SuSE and TurboLinux promised in the future).

Now, you're a new user, so installing Bastille may be a challenge. You're going to have to do it through the command line. Don't worry, it's easy. Make sure you are in KDE, Gnome, or your favorite X Windows manager. Then, simply download the package from the Bastille website (including any other packages you may require), and open a shell window. Log in as root (check your help documentation if you don't know how... the common command is "su"), and type the commands given on the website.

After installation, while you are still logged in as root, type "bastille" in the command line. If that doesn't work, you may have to type the full path. This is usually "/usr/sbin/bastille". When done correctly, a new window will appear on your desktop for Bastille.

What the Windows Learning CDs that you see on TV are for learning Windows, Bastille is for Linux security. It will take you step by step through every setting that it will change. At each step it will ask you what you want done or not done, and it explains exactly what it all means for those who don't understand the question. These explanations are extremely detailed, and if you want more information, the descriptions provide plenty of details to look up on the web. Bastille covers the following topics:
  • File Permissions
  • BootSecurity
  • SecureInetd
  • DisableUserTools
  • ConfigureMiscPAM
  • Logging
  • MiscDaemons
  • Sendmail
  • Printing
  • TMPDIR
  • Firewall
  • PSAD
The great thing about Bastille is that it's powerful enough for advanced users to re-use again and again to modify changes, but detailed enough to teach the security principles behind its actions to newbies.

Unless you have installed Bastille immediately after a fresh installation of Linux, you will notice that your system behaves much differently if you have previously had no security installed. You will find that when logged in as a normal user, you are no longer able to tamper with system files or execute certain system-level programs, and, if you have enabled it, you will receive e-mail reports about possible attacks on your system. Don't worry, these are good things. System files should only be changed, and system-level programs only executed, when you've logged in as root (which you should never be logged in as except for these purposes).
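To confirm for yourself that normal users can no longer tamper with files under a given directory, a small permission audit helps. The script below is an added example, not part of the original article and not Bastille's own code; the function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for permissions that let ordinary users
# tamper with files or run programs with someone else's privileges.

# Regular files that any local user may modify.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# World-writable directories without the sticky bit: any user can
# delete or replace other users' files in them.
unsticky_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Set-UID files: programs that run with their owner's privileges.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print one finding per line as "CLASS path"; the exit status is
# non-zero when anything was found, so a scheduled job can alert on it.
audit_tree() {
    report=$(
        world_writable_files "$1"   | sed 's/^/WORLD_WRITABLE_FILE /'
        unsticky_writable_dirs "$1" | sed 's/^/UNSTICKY_DIR /'
        setuid_files "$1"           | sed 's/^/SETUID /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree, so the checks can be tried safely.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/etc" "$t/bin" "$t/tmp" "$t/spool"
    chmod 755 "$t/etc" "$t/bin"
    : > "$t/etc/passwd"; chmod 644  "$t/etc/passwd"   # fine
    : > "$t/etc/motd";   chmod 666  "$t/etc/motd"     # world-writable file
    : > "$t/bin/ping";   chmod 4755 "$t/bin/ping"     # set-UID program
    chmod 1777 "$t/tmp"                               # sticky: acceptable
    chmod 0777 "$t/spool"                             # no sticky bit: flagged
    echo "$t"
}

# Audit the path given as the first argument (for example /etc), if any.
if [ -n "${1:-}" ]; then audit_tree "$1"; fi
```

Not every set-UID program is a problem; the list is meant to be reviewed against what the system actually needs.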

Once you have gone through Bastille and enabled the proper settings, you can rest a little easier about your system's security. If you have previously not configured any significant security on your system, the change is dramatic. If you are sharing the system, you are significantly more secure from other users on your system (from damage to the system, or to each other's files). If you run any public services (file sharing, web server, ftp server, remote logins), you will have more control over who is connecting and what they are doing. Even if this is a private system that you use only for e-mail and web browsing, you are secure in knowing that unnecessary services/ports aren't running/open, and that if you are portscanned or attacked (as is common if you ever chat online), your system will react like a cheetah to protect itself. Bastille is peace of mind.

But, as with all things, there is no 100% perfect solution. You should still keep your system up-to-date, which includes Bastille updates when they are released. And just because you have applied these security settings does not mean there are no ways to increase and customize security on your own. There are some things that even Bastille cannot protect you from, which you will have to handle yourself. Once you are familiar with the settings Bastille has modified for you, you should check out a more comprehensive guide to Linux security. I recommend The Center for Internet Security website, which includes very detailed and comprehensive tutorials for completely securing Linux systems, as well as other popular systems, such as Windows and Solaris.

For the beginner and intermediate user, Bastille can become an extremely valuable tool. All it takes is for the user to break out of their "updates = security" ways and take a first and very simple step.

This article was originally published by CyberArmy.net in the CyberArmy Library.