Posts tagged ‘Security’

Fix Fedora 12’s Broken User Access

A hotly debated topic this week has been a decision made with the latest release of Fedora. The 12th release has made it so that local users can install signed packages from the repositories, without root access.

You can read all the nerd-rage here:

Fedora 12 allows any user to install software on a machine without the root password. Drama on the mailing list.

Oddly enough, they didn’t consider this important enough to include in the release notes. Some will argue this is not much of an issue; I would ask you to consider this security breach of the Fedora signing servers a little more than a year ago:

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

With that taken into consideration, this is a pretty big deal.

Jeff Garzik’s replies seem to be the most eloquent arguments for reverting to the F11 security posture, in case anyone here thinks this change is a good thing:

Now for what this blog usually does, which is give more solutions than commentary. Here is how you fix your Fedora 12’s broken security model:

Simply run:

pklalockdown --lockdown org.freedesktop.packagekit.package-install

This will re-enable the old (better) behavior for installing signed packages with a known key. Once this is done your Fedora 12 will no longer be on par with Windows98, enjoy.

Is Open Source Good for Security?

There’s been a lot of debate by security practitioners about the impact of open source approaches on security. One of the key issues is that open source exposes the source code to examination by everyone, both the attackers and defenders, and reasonable people disagree about the ultimate impact of this situation. (Note – you can get the latest version of this essay by going to the main website for this book, http://www.dwheeler.com/secure-programs.)

Continue reading ‘Is Open Source Good for Security?’ »

Hardening The Linux Kernel With Grsecurity on Debian

Security is based on three characteristics: prevention, protection and detection. Grsecurity is a patch for the Linux kernel that allows you to increase each of these points.

This howto was performed on a Debian Lenny system. Thus some tools are Debian specific. However, tasks can be performed with other distro specific tools or even with universal tools (make).

Everything will be done with root privileges. However, you can perform them with a limited account thanks to sudo and fake-kpkg tools.

Continue reading ‘Hardening The Linux Kernel With Grsecurity on Debian’ »

Safety Online

We can have the most secure box in the world but that doesn’t necessarily mean that we’re safe. There are a lot of interested parties in the world that want your information and the list of who those interested parties are grows by the day. Looking for a job? Well, the companies you’re applying to are running Google searches on your real name, your email address, and any screenname you may have given them, looking you up at LinkedIn, Myspace, Facebook, etc. Making online purchases? Well, both the identity thief and the government would love to track those transactions. Searching for information related to an embarrassing situation in your personal life? Google saves those searches. Like to show off your musical tastes on Last.fm? Congrats, you’re probably broadcasting a good portion of the music you’ve pirated. Logging in to a site to pay a bill? There’s a cracker out there that would love for your password to be transmitted in plain text, rather than encrypted. And let’s not forget the fact that AT&T spies on the American populace for the NSA, MPAA, RIAA, and probably any other organization that asked it to. Even if you truly trust a company, you never know what information of yours could be handed over in a lawsuit. Think you’re hidden behind a screen-name? Think again.

I should give a little warning: I do suggest people follow all of these tips, but they are for the paranoid and some will consider it overboard.

Related Reading on TuxTraining.com

  1. Secure the Hell Out of Your Linux box
  2. Secure the Hell Out of Your Windows box
  3. The Ultimate SSH Security Tutorial
  4. How to Install and Setup IPCop as your Linux based router

Continue reading ‘Safety Online’ »

Secure the Apache Web Server

Here are some things you can do to make your Apache configuration more secure.

Some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

Continue reading ‘Secure the Apache Web Server’ »

Secure your system with Tripwire

Tripwire is a security tool that checks the integrity of normal system binaries and reports any changes to syslog or by email. Tripwire is a good tool for ensuring that your binaries have not been replaced by Trojan horse programs. Trojan horses are malicious programs inadvertently installed because of identical filenames to distributed (expected) programs, and they can wreak havoc on a breached system.

Continue reading ‘Secure your system with Tripwire’ »

Detect intruders on your network with Snort

Snort is a Network Intrusion Detection System (NIDS), which can view and analyze packets on a network to determine whether or not a system is being attacked remotely. Most Linux distributions come with Snort, so it’s simply a matter of installing Snort via urpmi, apt-get, or yum. If you’re like me and run a distro where Snort is not in the repos you can grab the source here. Snort can write its collected information to a variety of different destinations for later analysis, be it flat files or a database such as PostgreSQL or MySQL.

As well, Snort can be used as a simple packet logger, sniffer, or a full-blown NIDS.

Continue reading ‘Detect intruders on your network with Snort’ »

Securing Your Server With AppArmor

If you want to secure your server using AppArmor, you have to create and modify the profiles for all the applications you use. This can easily be done using the YaST AppArmor modules or the command-line tools.

The YaST modules are more or less self-explanatory, but more for mouse users.

Therefore I’ll explain the command-line tools a bit. I’ll also explain some AppArmor basics when needed.

Of course these instructions are also valid if you use your computer as a workstation.

Continue reading ‘Securing Your Server With AppArmor’ »

Basics of iptables

A lot of people are freaked out by iptables and find it hard to understand. However, once you get the grasp of it the basics are easy. This document will serve as a basic how-to on using iptables.

Continue reading ‘Basics of iptables’ »