[plug] Security

Christian christian at global.net.au
Wed Jun 16 12:42:50 WST 1999


Damion Hill wrote:

> What other signs for attack should I be protecting against and how do I
> be more secure in future?

What you've done sounds like a good start.  Getting rid of all the
services you don't need will protect you against the majority of
network-based attacks.  Don't forget that there are a lot of services
running standalone (ie, not from inetd) so you need to disable those
which you don't need also.

Running something like:
netstat -a | grep LISTEN | grep -v unix
will give you a list of the services listening to various ports on your
machine.  If you want to then find out which process is listening to
that port you can use:

fuser -n tcp 79
Where "tcp" is the protocol and "79" is the port number or name (79 =
finger, as an example).  This will report the process ID of the process
listening to that port and you can use ps to find it and then remove
it.  Just go through your startup scripts and disable any network
services you don't need.

As for any services you do need, edit your /etc/hosts.allow and
hosts.deny files (read hosts_access(5)) to set up appropriate access
control lists.  Also, keep the software up to date - consider joining
the security mailing list for your distribution to be mailed with
updated versions of various packages.

There are lots of other things that can and should be done but
minimising the number of network services that you run is a good start. 
I'm sure others will also add more relevant advice to what I've included
here.

> I don't think the attacks have been successful. The secure log showed
> the connection attempts but no login sessions were granted so I think
> it's OK for now.

Don't forget, if they had been successful (ie, root compromise) then you
wouldn't have any guaranteed way of knowing.

Regards,

Christian.

-- 
1st graffitiist: QUESTION AUTHORITY!
2nd graffitiist: Why?
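The two steps Christian describes (list the listening sockets, then ask fuser which process owns each port), written out as a small POSIX shell script. This is an added example, not code from the original post or from the plug list; it assumes the classic Linux netstat column layout (Proto Recv-Q Send-Q Local Address Foreign Address State) and the psmisc fuser, and the sample netstat output and the function names listening_ports, owner_of_port and audit_listeners are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. It performs the two steps
# described above: list listening sockets from netstat output, then ask
# fuser which process owns each port. Assumes the classic Linux netstat
# column layout and psmisc fuser; function names are this example's own.

# Constructed sample of `netstat -an` output so the parsing runs offline.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:1043        ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1234   /dev/log'

# Read netstat output on stdin and print one "proto port" pair per listener.
# TCP is reported only in LISTEN state; UDP has no state column, so every
# bound UDP socket counts. UNIX-domain lines never match the first column.
# tcp6/udp6 are folded into tcp/udp, which is what fuser -n expects.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*:/, "", $4); print substr($1, 1, 3), $4 }
         $1 ~ /^udp/                   { sub(/.*:/, "", $4); print substr($1, 1, 3), $4 }' |
        sort -u
}

# Map a listener to the processes behind it. psmisc fuser prints the PIDs
# on stdout and the "port/proto:" label on stderr. Run this as root: an
# unprivileged user only sees their own processes.
owner_of_port() {
    proto=$1
    port=$2
    if ! command -v fuser >/dev/null 2>&1; then
        echo "unknown (fuser not installed)"
        return 0
    fi
    pids=$(fuser -n "$proto" "$port" 2>/dev/null)
    if [ -z "$pids" ]; then
        echo "no owning process found (nothing listening, or not run as root)"
        return 0
    fi
    for pid in $pids; do
        ps -o pid= -o comm= -p "$pid"
    done
}

# Audit the live machine if netstat is present, otherwise the sample above.
audit_listeners() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_NETSTAT"
    fi | listening_ports | while read -r proto port; do
        printf '%s/%s: %s\n' "$port" "$proto" \
            "$(owner_of_port "$proto" "$port" | tr '\n' ' ')"
    done
}

audit_listeners
```

Each line of the report gives you a port and a process name to chase back to its startup script. On a current Linux box `ss -ltnup` does both steps in one command, but the parsing above is what you need on a 1999-era system that only has netstat and fuser. The hosts_access step in the post is separate from this script; the usual pattern there is `ALL: ALL` in /etc/hosts.deny with explicit per-service entries in /etc/hosts.allow, so anything you forgot to list is denied by default.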

