This is a discussion on Basic security for a solo workstation connected to the Internet within the Linux Security forums, part of the System Security and Security Related category.

I have asked this one before, but perhaps not the right way, because I didn't get any replies.

I have had no confirmed break-ins so far. A strange file in my /dev directory turned out to be put there by Mandrake. I ran a honeypot (The Tiny Honeypot) for a little while and caught something, but very little, and no damage.

Snort, Nessus, etc., seem designed for networks. Nessus requires an external computer to try to break into the target computer. I have a firewall (Guarddog) and I also have lsat and chkrootkit (although I don't run them regularly, e.g. as cron jobs). I tried using Tripwire, but found it too unwieldy, particularly as the supplied RedHat profile was far different from my Mandrake system. I have an old 6x86 computer I could use as a gateway, or as one of the CD-ROM only systems, but do I need to?

What is regarded as adequate security precautions for my setup?

TIA,

Doug.

--
ICQ Number 178748389. Registered Linux User No. 277548.
In [any kind of] relationship two people are never at a standstill. They are either moving closer or further apart. --Schwartz and Olds: Marriage in Motion.

On Thu, 03 Mar 2005 14:45:52 +1100, Doug Laidlaw wrote:
> I have asked this one before, but perhaps not the right way, because I
> didn't get any replies.
>
> I have had no confirmed break-ins so far. A strange file in my /dev
> directory turned out to be put there by Mandrake. I ran a honeypot (The
> Tiny Honeypot) for a little while and caught something, but very little,
> and no damage.
>
> Snort, Nessus, etc, seem designed for networks. Nessus requires an external
> computer to try to break into the target computer. I have a firewall
> (Guarddog) and I also have lsat and chkrootkit (although I don't run them
> regularly, e.g. as cron jobs). I tried using Tripwire, but found it too
> unwieldy, particularly as the supplied RedHat profile was far different
> from my Mandrake system. I have an old 6x86 computer I could use as a
> gateway, or as one of the CD-ROM only systems, but do I need to?
>
> What is regarded as adequate security precautions for my setup?
>
> TIA,
>
> Doug.

Greetings,

There is no single one-time formula or guaranteed prescription for security. Defense in layers, defense in depth and continuing vigilance is the best way to go. This isn't a static environment. People of all types and with all motives around the world have access to your connection while you are connected.

What your setup is exactly (you didn't say) has a strong bearing on what security precautions you should have. If you run no servers (?) then you have fewer issues with which to be concerned. The other applications that connect to (listen on) the internet could have vulnerabilities that could allow intrusions. Are you updated on any such vulnerabilities and are your applications fully updated? That's a big part of security preparedness. Are you updated and aware of precautions against Phishing and other fraud scams? Are you aware and guarded against various ways that your browser (you didn't say) could be deceiving you when you are asked to give sensitive information? Are you aware that certain widely used encryption schemes have been cracked, and what is your level of concern or paranoia about these issues? What is regarded as adequate security precautions for your setup is probably most dependent on just what your setup is and on what you would regard as adequate.

You seem to be knowledgeable. However, people who might have specific suggestions probably don't see any narrowly defined specific questions to respond to in your post. I know that I didn't.

Best wishes.

Doug Laidlaw wrote:
> Snort, Nessus, etc, seem designed for networks. Nessus requires an
> external computer to try to break into the target computer. I have a firewall
> (Guarddog) and I also have lsat and chkrootkit (although I don't run them
> regularly, e.g. as cron jobs). I tried using Tripwire, but found it too
> unwieldy, particularly as the supplied RedHat profile was far different
> from my Mandrake system. I have an old 6x86 computer I could use as a
> gateway, or as one of the CD-ROM only systems, but do I need to?
>
> What is regarded as adequate security precautions for my setup?

A host-based IDS will be a lot more appropriate to your situation than network based. Chkrootkit is OK, but tends to look for things that it knows are bad. If you can't get tripwire to work, try L5, or at least backup the rpm database regularly (and encrypt it if on the same machine).

HTH

C.

Doug Laidlaw <laidlaws@myaccess.com.au> wrote:
> I have asked this one before, but perhaps not the right way, because I
> didn't get any replies.

We'll try to fix that. ;->

> I have had no confirmed break-ins so far.
[...]
> Snort, Nessus, etc, seem designed for networks. Nessus requires an external
> computer to try to break into the target computer. I have a firewall
> (Guarddog) and I also have lsat and chkrootkit (although I don't run them
> regularly, e.g. as cron jobs). I tried using Tripwire, but found it too
> unwieldy, particularly as the supplied RedHat profile was far different
> from my Mandrake system. I have an old 6x86 computer I could use as a
> gateway, or as one of the CD-ROM only systems, but do I need to?
>
> What is regarded as adequate security precautions for my setup?

You ask a shrewd and subtle question. It turns out to have a vaguely disquieting answer. (Aren't you glad you asked? ;-> )

Effectively, the question is: "How do I know that my system hasn't been compromised by intruders?" The short answer is: "It's difficult. You probably don't."

Conventional advice to (partially) address your concern is "run a host-based IDS" (intrusion detection system) -- host-based like Tripwire, AIDE, Prelude-IDS, Samhain, etc., as opposed to network-based IDSes and probing tools such as Nessus, snort, nmap, etc.

You are so, so right about Tripwire. Generations of sysadmins have come to the same conclusion you did, so I can reassure you it's not just you. It has the probably unique theoretical advantage of being able to self-validate -- to a degree. That is, it has a somewhat-satisfactory answer to the secondary question astute observers eventually ask: "If you're not sure your system is compromised, and therefore aren't sure you can trust what its installed software tells you, then how can you trust what your _IDS_ tells you?" In every other respect, Tripwire's competition is miles ahead of it.

I personally arrived at a compromise solution that I described in one of my _Linux Gazette_ articles: http://linuxgazette.net/issue98/moen.html

Like several other, related articles, I have that linked from my personal page (http://linuxmafia.com/~rick/), for convenience.

--
Cheers,                 Hardware: The part you kick.
Rick Moen               Software: The part you boot.
rick@linuxmafia.com

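As an added illustration of the host-based integrity checking that both C. (the backed-up rpm database) and Rick (Tripwire, AIDE, Samhain) point at, here is a small POSIX shell script; it is example code written for this thread, not anything posted by its participants or taken from those tools. It records the SHA-256 of every regular file under a directory and later reports what was added, changed or removed. It assumes GNU or busybox sha256sum, find, sort and awk; the function names baseline and verify are my own. As both replies imply, the baseline only proves something if it is kept where an intruder on the host cannot rewrite it (removable or read-only media, or another machine).

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal host-based file integrity
# check in the spirit of Tripwire/AIDE.  Assumes GNU or busybox sha256sum, find,
# sort and awk.  Keep the baseline file off the monitored host (removable or
# read-only media); a baseline an intruder can rewrite proves nothing.

# baseline DIR BASEFILE: record the SHA-256 of every regular file under DIR
baseline() {
    dir=$1; out=$2
    # -exec ... + batches files into few sha256sum runs and skips the call
    # entirely when DIR is empty; sort -k 2 orders by path so diffs are readable
    find "$dir" -type f -exec sha256sum {} + | sort -k 2 > "$out"
}

# verify DIR BASEFILE: print ADDED/CHANGED/REMOVED lines for anything that
# differs from the baseline; exit status 0 if identical, 1 if not, 2 on error
verify() {
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    find "$dir" -type f -exec sha256sum {} + | sort -k 2 > "$cur"
    awk '
        BEGIN { rc = 0 }
        # sha256sum prints 64 hex digits, two spaces, then the path: column 67 onward
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in old))       { print "ADDED   " p; rc = 1 }
            else if (old[p] != $1) { print "CHANGED " p; rc = 1 }
            delete old[p]          # whatever is left at END no longer exists
        }
        END { for (p in old) { print "REMOVED " p; rc = 1 }; exit rc }
    ' "$base" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

# Command-line use: integrity.sh baseline DIR BASEFILE  or  integrity.sh verify DIR BASEFILE
case "${1:-}" in
    baseline) baseline "$2" "$3" ;;
    verify)   verify "$2" "$3" ;;
esac
```

Take the baseline right after a known-good install or update (e.g. of /usr/bin and /usr/sbin), copy the hash file to removable media, and run verify from cron against that copy; a non-zero exit means a file differs and is worth explaining before the next package update rewrites it. Like chkrootkit this cannot tell a legitimate change from a malicious one, but unlike it, it does not need to know in advance what "bad" looks like.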
Hi, Doug. A follow-on to my first reply:
Doug Laidlaw <laidlaws@myaccess.com.au> wrote:

> What is regarded as adequate security precautions for my setup?

OK, sometimes I miss what's right in front of me, and the _key_ thing I missed when I wrote my first reply to you was your subject header: You're talking about a solo workstation. So, you (probably) can somewhat discount what I was saying, earlier.

I'm so used to sysadmining multi-user systems, with multiple network services running fully exposed to public networks, and with remote inbound shell access, that sometimes it's difficult to break out of that mindset.

_Ordinarily_, the biggest threats to *ix systems are:

o exposed network services, and details thereof
o remote inbound shell (and file-transfer) access

Since you're speaking of a _solo workstation_, at least potentially you have none of those. So, if practical, make sure you don't.

You're still well advised to learn good administration practices, e.g., run things with minimum authority -- and, in particular, don't wield the root or other privileged accounts any more often than you have to. Deeply distrust files, instructions, and tips (e.g., "social engineering" attempts to get _you_ to shoot your own system's security in the foot) that arrive from locations you have no reason to trust. Keep your system updated. Eschew software known to be poorly maintained and buggy. Be prepared to know what processes you're running ("ps auxw"); know why you're choosing to run each of them and assume responsibility for what they do in your name.

If you have time and paranoia left over for reading sysadmins' security analyses and recommendations for more-demanding situations, fine -- but you needn't hurry.

--
Cheers,                 Hardware: The part you kick.
Rick Moen               Software: The part you boot.
rick@linuxmafia.com

Newsbox wrote:
> On Thu, 03 Mar 2005 14:45:52 +1100, Doug Laidlaw wrote:
>
>> I have asked this one before, but perhaps not the right way, because I
>> didn't get any replies.
>>
>> I have had no confirmed break-ins so far. A strange file in my /dev
>> directory turned out to be put there by Mandrake. I ran a honeypot (The
>> Tiny Honeypot) for a little while and caught something, but very little,
>> and no damage.
>>
>> Snort, Nessus, etc, seem designed for networks. Nessus requires an
>> external
>> computer to try to break into the target computer. I have a firewall
>> (Guarddog) and I also have lsat and chkrootkit (although I don't run them
>> regularly, e.g. as cron jobs). I tried using Tripwire, but found it too
>> unwieldy, particularly as the supplied RedHat profile was far different
>> from my Mandrake system. I have an old 6x86 computer I could use as a
>> gateway, or as one of the CD-ROM only systems, but do I need to?
>>
>> What is regarded as adequate security precautions for my setup?
>>
>> TIA,
>>
>> Doug.
>
> Greetings,
>
> There is no single one-time formula or guaranteed prescription for
> security. Defense in layers, defense in depth and continuing vigilance is
> the best way to go. This isn't a static environment. People of all types
> and with all motives around the world have access to your connection while
> you are connected.
>
> What your setup is exactly (you didn't say) has a strong bearing on what
> security precautions you should have. If you run no servers (?) then you
> have fewer issues with which to be concerned. The other applications that
> connect to (listen on) the internet could have vulnerabilities that could
> allow intrusions. Are you updated on any such vulnerabilities and are
> your applications fully updated? That's a big part of security
> preparedness. Are you updated and aware of precautions against Phishing
> and other fraud scams? Are you aware and guarded against various ways
> that your browser (you didn't say) could be deceiving you when you are
> asked to give sensitive information. Are you aware that certain widely
> used encryption schemes have been cracked, and what is your level of
> concern or paranoia about these issues. What is regarded as adequate
> security precautions for your setup is probably most dependent on just
> what your setup is and on what you would regard as adequate.
>
> You seem to be knowledgeable. However, people who might have specific
> suggestions probably don't see any narrowly defined specific questions to
> respond to in your post. I know that I didn't.
>
> Best wishes.

My browser is Mozilla (I didn't like the feel of Firefox).
I use postfix and Kmail to download mail, but mostly postfix. I set Kmail to download anything that Postfix hasn't at the time.
I use Gtk-gnutella and Azureus (Bit-torrent) for p2p.
I run setiathome and boinc, but these seem to connect via HTTP.
I don't have a Web server (I use Apache only locally.)
I have Guarddog enabling only the protocols I need (including DNS, etc.)

Doug.

--
ICQ Number 178748389. Registered Linux User No. 277548.
A man's feet should be planted in his country, but his eyes should survey the world. - George Santayana.

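Rick's advice to make sure a solo workstation has no exposed services, and Doug's list of what he runs (postfix, Apache bound locally, two p2p clients), can be checked against what the kernel actually has listening rather than against what the firewall is believed to allow. The following is an added example written for this thread, not code posted by anyone in it: a POSIX shell script that reads the kernel's /proc/net/tcp table, decodes its hex addresses, and reports LISTEN sockets that are neither bound to the loopback address nor on a list of ports you expect. The SAMPLE_TCP table is constructed for illustration (port 80 on loopback, like Doug's local-only Apache; 22 and gnutella's default 6346 on all interfaces); the function names are mine. Only IPv4 TCP is covered; /proc/net/tcp6 and the UDP tables would need the same treatment.

```shell
#!/bin/sh
# Added example, not code from the thread: audit which TCP ports the kernel is
# actually listening on, straight from /proc/net/tcp (IPv4 only; /proc/net/tcp6
# and the udp tables would need the same treatment).  Assumes Linux and a POSIX
# awk.  The table path is a parameter so the check can run on a saved copy.

# listening_sockets TABLE: print "ip port" for every socket in LISTEN state (0A)
listening_sockets() {
    awk '
        # POSIX awk has no hex parser, so convert a hex string digit by digit
        function hex(s,   i, v) {
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
            return v
        }
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            # the kernel stores the IPv4 address little-endian: 0100007F is 127.0.0.1
            ip = hex(substr(a[1], 7, 2)) "." hex(substr(a[1], 5, 2))
            ip = ip "." hex(substr(a[1], 3, 2)) "." hex(substr(a[1], 1, 2))
            print ip, hex(a[2])
        }' "$1"
}

# unexpected_listeners TABLE "PORT PORT ...": print ip:port for listeners that are
# neither bound to loopback nor on the expected port list; status 1 if any found
unexpected_listeners() {
    out=$(listening_sockets "$1" |
          awk -v want=" $2 " '$1 != "127.0.0.1" && index(want, " " $2 " ") == 0 { print $1 ":" $2 }')
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of /proc/net/tcp (not captured from a real host): a web
# server on 127.0.0.1:80 (0050), sshd on 0.0.0.0:22 (0016), a gnutella client on
# 0.0.0.0:6346 (18CA), and one established (01) connection that is not a listener.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:18CA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:B5A2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 100 0 0 10 0'

# demo PORTLIST: run the check on the sample table; returns the check status
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_TCP" > "$f"
    unexpected_listeners "$f" "$1"
    rc=$?
    rm -f "$f"
    return $rc
}

# Command line:  audit.sh --live "22 25"   checks the running kernel's table
#                audit.sh --demo           runs the sample; only 0.0.0.0:6346 is flagged
case "${1:-}" in
    --live) unexpected_listeners /proc/net/tcp "${2:-}" ;;
    --demo) demo "${2:-22}" ;;
esac
```

On a workstation that should offer nothing to the network, run it with an empty port list from cron and treat any line of output as a question to answer with "ps auxw": which process owns that socket, and did you choose to run it? A loopback-only listener such as Doug's local Apache is left alone, since it is reachable only from the machine itself.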