All entries for September 2006
September 22, 2006
Continuing in my paranoid theme (and the theme of not spell checking), this should hopefully be good advice for anyone who is concerned about security, and especially for those who are overly concerned…
First things first: don’t run as root for day-to-day operations, and try not to log in as root in the graphical interface at all. Do it through the terminal instead; it’s far easier to control and harder to get caught out by.
Alright, now we have the problem of rootkits. A rootkit is something which can be put down in your system to allow control over any number of things, and it is easily one of the top security threats you can face. Firstly, you will want to make sure that your root password is strong, i.e. make it take a few thousand years to brute force. Have a password which is ideally over 8 characters long and has non-standard characters in it (like !”£$%^ etc.) as well as numbers and letters. This should halt most random attempts, but there are always other ways to get infected. A classic is installing something which is untrustworthy; because of this I only install open source software from the official (and livna) repos. (I know it seems a bit extreme, but at least it’s safe.)
So let’s assume that you have done that but want to check every now and again, to get a little tick or “OK” sign to make you feel happy. You could do:
yum install rkhunter
This is a program to check for rootkits, and it gives you a nice green “OK” for each check that is clean. There shouldn’t be any red “WARNING” ones, but you might get one yellow (I do, and after looking deeper I think it’s ok). Once it is installed, to run it log in as root and type:
Chkrootkit is another which can be installed and always seems ok to me, although it can take a little bit of effort to find out what each warning means (for example, it highlights your internet connection in the same way it would a rootkit). Chkrootkit is run just with the command:
Right, so that is done, but rkhunter will no doubt show up with one or two red warnings relating to ssh allowing remote root login. I would say only allow remote root login if you really know what you’re doing and really are sure you need to.
I wish that they would disable it as a default but, hey ho, they don’t.
Open up a terminal, log in as root, then type:
You’re now looking for a section which will look like this:
There will not be those dots before it (damn blog formatting), and the “PermitRootLogin yes” might have a hash before it, I don’t remember, but you want it to look like this:
(again, ignore the dots at the start of the lines) This will stop people logging in remotely as root and hammering your system.
Right, that’s all I have time for now; later I’ll go through firewall settings (firestarter is great). Until then, some really useful websites which you can look at are:
http://forums.fedoraforum.org/ (that’s a forum where, if you register, you can ask specific questions and get help… also I use it, so if you get really lucky… you might get someone competent to answer your questions)
http://www.fedorafaq.org/ (that has some good advice about getting stuff working and what have you, although I think they tend to play with selinux a lot when I’m not sure that it’s needed)
and as always, if you post on here I might be able to help you, and failing that, you can always search in Google for your answer. I’m sure someone else will have had your problem, maybe on a forum, and they often have answers… though sometimes don’t :S
September 21, 2006
I’ve just read a post on my blog which was asking for more information about clamav in Fedora, what might be good to know whilst installing it, etc., so I thought I might as well try and lay down some advice.
This is a continuation of a post I made in April about setting up repositories in Fedora, where I made a general comment about clam. I really was going to update it, but you know how things are… they often move slowly.
Firstly I was asked about clamav, so that’s what I’ll turn to now.
The clam modules which I have installed (and will recommend) are:
You should be able to install these with the usual yum command of:
yum install (name of package from above^)
It should sort out the dependencies for you on these. There is a way to install more than one package at once, but strangely I’ve never used it; I think it is just one package name after another with spaces but no other divider… but I’m not sure. Still, doing it one by one won’t hurt.
Now one more thing: you will need to go to the file /etc/freshclam.conf and edit it. You’ll need to be root to do this, so just don’t log out after you have installed the stuff above. To get to the file, type in the terminal:
This opens up the text editor (the default one for GNOME on Fedora; if you would rather, you can use vi just with the command “vi /etc/freshclam.conf”). You need to go down to the lines which say:
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# Default: There is no default, which results in an error when running freshclam
“Commented” refers to a hash symbol being in front of a line; this means that the line is not read by the computer when the file is read (sorry if that sounds patronising, but I like to avoid too much technical language). All you need to do here is go to the website given in those lines, look for your country code, and then change the last line so it looks something like:
Without a # and with the XY changed to UK (obviously the country code for the UK).
Right, now that should have clam up and running. To use it, go to the terminal, log in as root (with “su -” like above) and type:
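As an added example (not from the original post), here is a small POSIX shell helper that does both edits described in these entries, the sshd_config “PermitRootLogin” change from the September 22 post and the freshclam.conf mirror line above, on constructed copies of the files. It assumes grep, sed, awk and mktemp are available, and assumes the directive names PermitRootLogin (sshd_config) and DatabaseMirror (the commented “db.XY.clamav.net” line in the stock freshclam.conf of that time).

```shell
#!/bin/sh
# Added example, not from the original post. Sets one directive in a config
# file whether that directive is currently commented out ("#Key value"),
# set to some other value, or missing entirely, then reads it back.
# Assumptions: POSIX sh with grep, sed, awk and mktemp; directive names
# PermitRootLogin (sshd_config) and DatabaseMirror (stock freshclam.conf).

# set_directive FILE KEY VALUE: rewrite any "KEY ..." or "#KEY ..." line as
# "KEY VALUE"; append the line if the file has no such directive at all.
# VALUE must not contain "|", which is the sed delimiter used here.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the effective (uncommented) value; last one wins.
get_directive() {
    grep "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# Constructed sshd_config fragment. The directive starts out commented, and
# sshd's built-in default at the time was "yes", so root login was allowed.
demo_sshd() {
    f=$(mktemp)
    printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'Protocol 2' > "$f"
    set_directive "$f" PermitRootLogin no
    get_directive "$f" PermitRootLogin      # prints: no
    rm -f "$f"
}

# Constructed freshclam.conf fragment: uncomment the mirror line and swap
# XY for the post's UK example (lower case; DNS names are case-insensitive).
demo_freshclam() {
    f=$(mktemp)
    printf '%s\n' \
        '# Uncomment the following line and replace XY with your country' \
        '#DatabaseMirror db.XY.clamav.net' > "$f"
    set_directive "$f" DatabaseMirror db.uk.clamav.net
    get_directive "$f" DatabaseMirror       # prints: db.uk.clamav.net
    rm -f "$f"
}

demo_sshd
demo_freshclam
```

Against the real /etc/ssh/sshd_config you would then restart sshd for the new setting to take effect, and editing the real /etc/freshclam.conf needs root, as the post says.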
freshclam (this will update your clam database – everything should work ok)
Then you can run a scan by typing in the terminal:
This will scan your home directory; if you are root it’ll do all the hidden files and everything in there. This is good but maybe not exactly what you’d want, so you will want to add options (typing “man clamscan” will give you a whole host of options to customise how you scan). What I would run to do a full system scan is:
clamscan / -r --quiet
(that’s: clamscan, space, slash, space, hyphen r, space, two hyphens quiet)
clamscan is the program, the “/” is the start of your file tree (or at least it is by default, and if you know how to change that then you’ll not need this, if it’s even possible), and the “-r” means recursive, which means it scans through sub-folders until there is nowhere left to go.
The “--quiet” means it will only tell you about viruses or errors, so it looks blank unless there is a problem… one that I have is it not being able to access “/proc”, but I don’t worry about it ; )
If you leave off the --quiet then it’ll show you each file in turn and say “OK” after; this is fine (you know how far along it is), but the final report won’t give you specifics if you do have an infected file… so you would need to scan again with --quiet to find out where it is.
Right, that might have been a bit long-winded, but at least it was comprehensive!
Tomorrow I’ll try and write about how to scan for rootkits (using rkhunter and chkrootkit) and how to shut off root access to ssh (which should be closed by default but strangely isn’t… :S). I’ll also stick down some really good websites for learning, and the best forum in the world (because it’s the one I go on). But for now, night night.