I like to keep a router between my OS boxes and the LAN because companies are getting hacked like crazy these days. I was going to try removing the router for simplicity in setting up nomachine, and to allow SNORT to sniff the LAN (what can I say? I’m paranoid.), but then I would be trusting just opensuse 13.1’s native ‘port hardness’ -
Can someone recommend a good DIY for non-experts on what OS settings could be - best practices against a hacked LAN?
As a connection is only possible on open ports (listening ports), the first defense (seen from the system, it could be called the last defense) is to have only those ports open that you really need.
To see which ports are listened on (as root):
netstat -tulp
Check if you need them. The process that is listening is also in the list, so you can decide to stop those daemons (and of course stop them from being started at boot).
Hi
And look at non-standard ports for things like ssh. However, if on a
local LAN, that indicates physical access… lock down the BIOS and
booting etc…
–
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
Wow, thanks! I started messing around with netstat (after typing netstat --help). The KDE app NetworkManager doesn’t seem to have direct access to port configuration, so I assume I need to revert control to YaST > Network Devices > Network Settings, and open/close ports from there? Maybe the YaST > System > /etc/sysconfig Editor … or maybe YaST > Network Services > xinetd?
Which would you recommend?
The only one below I’m worried about is java… (but that’s mostly my ignorance showing)
xinetd is nowhere mentioned in your list of listening processes. Thus doing things there is useless in this case. (Make a note to learn something about xinetd when you have some spare time ;)).
When you decide that you would like to stop a daemon, YaST > System > Services Manager will most probably show it and it can be switched off there.
It could also be that processes are started in a different way.
The most important thing is to find out if you need things or not. I e.g. decided that I do not need avahi, thus I switched it off (it is on by default).
When you are not running as a printer server, switch cups off, etc.
(But take care: sometimes switching off a server will also switch off a corresponding client.)
BTW I do not see many “strange” ports in your list. But you should know what you serve and why. And you may run a weekly script that checks that nothing is added without you knowing, and then raise an alert. Many system managers run all sorts of scripts to check their systems.
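The weekly check hcvv describes, as an added example that is not from this thread: a small POSIX shell script that reduces the output of netstat -tulp to "proto local-address program", diffs it against a saved baseline and alerts on listening sockets that were not there before, ignoring PID changes so a restarted daemon does not raise a false alarm. The netstat output in the two samples, the port numbers and the baseline path are constructed for the example.

```shell
#!/bin/sh
# Reduce netstat -tulp output to sorted "proto local-address program" lines;
# the PID is dropped so a restarted daemon does not look like a new listener.
normalize_netstat() {
    awk '$1 ~ /^(tcp|udp)/ {
        start = ($1 ~ /^tcp/) ? 7 : 6    # tcp rows have a State column, udp rows do not
        prog = ""
        for (i = start; i <= NF; i++) prog = prog (i > start ? " " : "") $i
        sub(/^[0-9]+\//, "", prog)        # "612/sshd" -> "sshd"
        print $1, $4, prog
    }' | LC_ALL=C sort -u
}

# $1 = baseline netstat -tulp text, $2 = current text. Prints listeners that are
# in the current run but not in the baseline; returns 1 if any, 0 otherwise.
report_new_listeners() {
    base=$(mktemp) && cur=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_netstat > "$base"
    printf '%s\n' "$2" | normalize_netstat > "$cur"
    added=$(comm -13 "$base" "$cur")   # lines only in the current snapshot
    rm -f "$base" "$cur"
    [ -z "$added" ] && return 0
    printf 'ALERT: listening socket(s) not in baseline:\n%s\n' "$added"
    return 1
}

# Constructed sample: the reviewed baseline (what the box is supposed to serve).
SAMPLE_BASELINE=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      744/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           580/avahi-daemon: r
EOF
)

# Constructed sample: a later run. sshd was restarted (new PID, no alert) and
# something unexpected is listening on port 8080 (alert).
SAMPLE_CURRENT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      615/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      744/cupsd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2201/python
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           580/avahi-daemon: r
EOF
)

# Demo on the samples; for real use pass "$(cat baseline.txt)" "$(netstat -tulp)".
report_new_listeners "$SAMPLE_BASELINE" "$SAMPLE_CURRENT" || echo "(exit status 1: alert)"
```

For the real check, save netstat -tulp output to a baseline file (an assumed path such as /var/lib/listen-baseline.txt) once you have reviewed every entry, and have a weekly cron job call report_new_listeners with that file and a fresh netstat run, mailing the output when it returns 1.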
Thanks, Malcolm! The only thing this box will do is run SNORT in an instance of VirtualBox and accept connections from noMachine (for remote access). Everything else is big parallel processing number crunching (global climate model running - remote connection so I can monitor it from home - SNORT because, well, the world isn’t safe any more).
When I was running “linux” on my office PC, I never worried about that. I just avoided running any unnecessary services.
It was harder with our department network of Solaris machines, because they were set up to do lots of RPC stuff. So I used a firewall for those.
If you are not running unneeded services on opensuse, the firewall protection should be sufficient.
At home, I am behind a router. But I have IPv6 available, and not much router protection for that. Again, I keep to only the needed services.
Many of the breakins that you hear about seem to be due to sql injection attacks on the web server. I’m not running a web server on my home systems, so that should not be a problem.