
Basics: Security: MCC Security, Shorewall,


kristi

This is ready for critique (typos, spelling, facts...) - by PM please. If you have a "special" one that you think others should look at, write it up and post it as a tip. If you have questions about other firewalls, virus checking, etc, please post to Security forum - they won't get read here. If you have some info that you think should be added to this, keep it simple and PM me with it. THANKS!!! Kristi

 

 

=====================================================================

Terminology:

MCC => go to Menu, System, Configuration, Configure your computer. This IS MCC! (MandrivaLinux Control Center)

 

MCC software install => in MCC : click Software Management and click top LEFT icon to "install software". Type what you want and click search, then click INSTALL

 

MCC software UNinstall => in MCC : click Software Management and click top RIGHT icon to "UNinstall software". Type what you want and click search, then click REMOVE

====================================================================

 

 

--------------------------------------------------------

MCC Security

MANUAL: file:///usr/share/doc/mandrake/en/Drakxtools-Guide/Drakxtools-Guide.html/mcc-security.html

 

Click Security. -->Make sure you see 3 icons. If you only see 1, click Options (at top) and click Expert.<--

 

1 )) System Security Level and Periodic Security Audit (click the icon)

IMPORTANT: the help buttons in these screens tell you the story - they give you the variable and tell you what the default is. The default CHANGES when you change the setting of the SECURITY LEVEL (first tab); the default shown IS FOR THAT SETTING OF THE SECURITY LEVEL.

A )) Choose the SECURITY LEVEL (Mandriva install default is "High"). For a standard desktop, I use (edit: using High, 5-29-05).

B )) If you have just changed the SECURITY LEVEL, you must click OK to set the defaults. This puts you back to MCC Security.

C )) To check what the new defaults are, click the System Security Level and Periodic Security Audit icon again, choose a tab, and click "help".

As explained above, simply have the manual open in a browser, set the security level you think you want, click OK to go out, click the icon to go back in, and go through it tab by tab. At each tab, check the HELP button to see what you have actually selected. If you don't like that default, you can choose the action you want for that individual item.

D )) (Credits: "yoho" and "awilliamson" were the source of info for this part!!!! I could not have done it without them.)(the typos and mistakes are my own!) On the Basic Options tab where you select the SECURITY LEVEL, you can also choose to send emails notifying yourself of security alerts. This explanation assumes a checkmark in Security Alert, and "root" (no quotes) in Security Administrator. The effect of this is that security places "emails" in folder /var/spool/mail/kristi when alerts occur. The folder name is "kristi" in this example because user kristi was in MCC setting this up. Just substitute your own username when you are setting this up. (The system creates this particular file!)

-> This article uses "kmail" to access these "emails". Apparently evolution is easy for that, too.

-> In MCC, System, Users, edit the group name "mail" and add "kristi" (e.g. your username)(no quotes)

-> Edit /etc/aliases - the code near the bottom should look like

# CHANGE THIS LINE to an account of a HUMAN
root:  kristi

# Note to the user: You must create the alias above!

substituting your own username of course.

-> install "anacron"

-> If, when you start kmail, you get the error message

kmail could not create folder '$HOME/.kde/share/apps/kmail/mail'.  Please make sure you can view and modify the content of the folder '/home/kristi'.

(I did), your kmail folders are probably corrupted by previous installs. Since I had not been actively using kmail, yoho had me run

mv $HOME/.kde/share/config/kmailrc $HOME/.kde/share/config/kmailrc.bak

to rename the kmail folders to "bak". Then when I ran kmail it created a new set of folders.

--> ELSE ask for help in MUB Security forum or Mandriva Club security forum.

-> Starting kmail (no error), go to Settings, Configure Kmail, Network, Receiving tab, Add, Local mailbox, and it offers me /var/spool/mail/kristi (your username will be there). Click on it and OK back out to kmail's main screen. Click on "check mail in". I'm running on HIGH and discovered that my user folder was wide open! Good catch! You will want to check this occasionally to find out what is happening.

-> Thank you profusely "yoho" and "awilliamson"!!! :D

 

--------------------------------------------------

 

2 )) Fine Tune Permissions

-> Install anacron (no matter what).

-> Leave it alone unless you really know what you are doing!!

 

-------------------------------------------------

 

3 )) SET UP PERSONAL FIREWALL from MCC (this means Shorewall)

A firewall, any firewall, sets the iptables. iptables are a pain for a noob to set. However, you must respect that when you have set them (via a firewall, or manually) and are changing to a different firewall, you must unset (disable, stop, whatever) them. Otherwise you will have lots of connection and vulnerability problems.
The manual gives a fine idea of how to set this (Shorewall) up to control your internet traffic. To do so, you must be knowledgeable in the ins and outs of your system - at least along the communication lines. It would be simple to set it up to control my system as I have described in the section below on guarddog.

I have several immediate problems, however.

A )) port 113 stays open no matter what.

 

 

=========================================================================

 

NON-MCC firewall security (guarddog, firestarter, DIY)

1 Assure MCC security (at least shorewall) is OFF:

--> go to MCC, Security, firewall, make sure x "Everything (no firewall)" is checked and you have clicked OK at the bottom right.

 

 

GUARDDOG FIREWALL SECTION:

A firewall, any firewall, sets the iptables. iptables are a pain for a noob to set. However, you must respect that when you have set them (via a firewall, or manually) and are changing to a different firewall, you must unset (disable, stop, whatever) them. Otherwise you will have lots of connection and vulnerability problems.

ASSURE you do not have an old guarddog lying around:

1 )) if an old or questionable guarddog is running, you must start guarddog configuration, go to the Advanced tab and put a check in "disable firewall" and click OK, OK, OK; otherwise it's still in the iptables.

2 )) Go to MCC software uninstall, and search for guarddog. If it is there, checkmark it and click remove. Then and only then:

------------

Do not get it from MCC software install.

see https://mandrivausers.org/index.php?showtopic=24979

see https://mandrivausers.org/index.php?showtopic=24089

------------

Download guarddog ONLY from the author.

Author http://www.simonzone.com/software/guarddog/

Module

http://www.simonzone.com/software/mdkrpm/g...0-2mdk.i586.rpm

Save it in one of your user folders (I do not mean a "/usr" folder, which is a system folder).

Click on it to install the rpm.

Go to menu, System, Configuration and click guarddog.

 

The rpm is supposed to create a guarddog icon in there. If it didn't, then right click on the desktop, choose Create New, File, Link to Application; in the Application tab, for Command type "kdesu guarddog" (no quotes); click the Advanced tab and the Advanced Options button, check Run as different user "root", OK, OK out, and click on the desktop icon.

OR

To put it in the Menu: right click on Menu, choose Menu Editor, click on Home, click on "add application". You will get a little window "Add New Entry":  type guarddog in the first line, and "kdesu guarddog" (no quotes)  in the second line. Click OK.  Click Save.

 

Since it runs as root, it will ask you for your root password.

 

If this is the first time you have done this on this Mandriva install, you will get a warning message saying firewall.rc is missing. Click OK.

 

You will now see the guarddog configuration screen.

 

If you were to click APPLY or OK, --EVERYTHING-- would be blocked. This is because the guarddog default is NOTHING GOES - nothing is checked. (Remember that a check mark ALLOWS, an X rejects, and a blank box simply DROPS the attempted intrusion.)

 

[what follows are my settings, just to give you an idea (basic non-server desktop)]

 

ADVANCED tab:

* check "show advanced protocol help"

* check "Enable DHCP on interfaces:" (eth0)

* click new protocol and create "CUPS631 UDP 631"

* click new protocol and create "Azureus UDP 6881 6889"

 

LOGGING tab

*leave checked both log blocked and rejected packets

* uncheck "log aborted TCP connections"

* change rate to 3, burst to 6, and warning rate to 4 (leave "rate limit logging" checked)

* UNcheck all 3: "log IP options", "log TCP sequence numbers", "log TCP options"

* change logging priority from "warning" to "error"

(You will now find your log output in /var/log/kernel/errors.) BUT IT'S NOT RUNNING YET. :D

 

 

 

So lets allow some stuff:

PROTOCOL tab

In the Protocol tab there are about 10 groups (chat, etc). Click on a "+" and you get a bunch of boxes; initially all will be blank.

BLANK = BLOCKED-DROPPED

CHECKED = ALLOWED through

X = BLOCKED REJECTED (means that the probing computer is told)(not good)

*Open "Data serve" check NTP and Time-TimeProtocol

*Open "File transfer" if you use bittorrent or Azureus, check "bittorrent peer" and "Bittorrent tracker"

also check "FTP", "HTTPS", and "HTTP"

*Open "Mail" check "NNTP", "POP3", and "SMTP"

*Open "Network" check "DNS"

*Open "User defined" check both CUPS631 and Azureus

 

Now............................... CLICK APPLY. It will give you warning messages. Believe them. Click Continue.

It will say:

Using iptables.
Resetting firewall rules.
Loading kernel modules.
Setting kernel parameters.
Configuring firewall rules.
Finished.

 

This is telling you that it is changing the --IPTABLES--, which are the tables that actually do the blocking of the IP, the Internet Protocol stuff.

 

Your firewall is now engaged - it's blocking what you left blank and allowing ONLY what you checked.

Test it: Go to GRC https://www.grc.com/x/ne.dll?bh0bkyd2 click proceed, click continue (sometimes twice), then click common ports. You should get a passed rating. If not, start asking questions, usually in the security forum (I'll catch hell for that one!!!)

 

--------------------------------------------------------------------------------------------------------------

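As an added example (not guarddog's code, nor the post author's), the script below renders a policy like the one listed in the post as plain iptables commands and prints them for review instead of applying them, so you can see what the check / X / blank boxes turn into. The POLICY table, the chain and port mapping, and the per-minute unit for the log rate are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not guarddog's or Mandriva's code: render a guarddog-style policy
# as iptables commands and print them for review rather than executing them.
# POLICY is constructed to mirror the post's settings, using the post's own legend:
# check = ACCEPT, x = REJECT (the probing host is told), blank = DROP (silently).
POLICY='INPUT  udp 68        check
INPUT  tcp 113       x
OUTPUT tcp 21        check
OUTPUT tcp 80        check
OUTPUT tcp 443       check
OUTPUT tcp 25        check
OUTPUT tcp 110       check
OUTPUT tcp 119       check
OUTPUT udp 53        check
OUTPUT udp 123       check
OUTPUT udp 631       check
OUTPUT udp 6881:6889 check'
# target_for STATE: map the legend to an iptables target (anything unknown drops).
target_for() {
    case "$1" in
        check) echo ACCEPT ;;
        x)     echo REJECT ;;
        *)     echo DROP ;;
    esac
}
# gen_rules RATE BURST: default policy DROP on both chains, allow loopback and
# reply traffic, then the table above, then a rate-limited LOG at priority
# "error" (which is why the post finds the output in /var/log/kernel/errors).
# The rate unit (per minute) is an assumption, not guarddog's exact behaviour.
gen_rules() {
    rate=$1; burst=$2
    for chain in INPUT OUTPUT; do
        echo "iptables -P $chain DROP"
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' "$POLICY" | while read -r chain proto port state; do
        [ -n "$chain" ] || continue
        echo "iptables -A $chain -p $proto --dport $port -m state --state NEW -j $(target_for "$state")"
    done
    for chain in INPUT OUTPUT; do
        echo "iptables -A $chain -m limit --limit ${rate}/minute --limit-burst $burst -j LOG --log-level error --log-prefix 'guarddog: '"
        echo "iptables -A $chain -j DROP"
    done
}
# count_target TARGET: how many generated rules jump to TARGET (a quick sanity check).
count_target() { gen_rules 3 6 | grep -c -- "-j $1\$"; }
gen_rules 3 6
```

Pipe the output into a file and read it before running any of it as root; the rate and burst arguments match the post's logging tab values.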

B )) when one checks the box and puts a username or email addy, WHERE does this info get sent to? I've yet to see any notification. Anyone knowledgeable on this?

 

Might be that an MTA should also be running on that linuxbox, like postfix... some disable it as a service; if you do, you won't be able to receive notification from your box to any of the email addies you put on that box.

Edited by aioshin

Once you have your systems security-setting configuration finished, you can check your systems security performance here: http://www.pcflank.com/test.htm

 

It will show you if your system is unsafe / improperly configured or more secure than Fort Knox. :)
