Important things about Linux Security:

 

  1. Never use unencrypted passwords for anything, especially under telnet or FTP. If you have to remember one thing: NEVER su over a telnet session.

  2. If you must share files across the internet, use SFTP.

  3. Don't use any RPC services. They have massive security holes.

 

Some good things:

 

  1. Don't even let someone know you exist if you don't have to (i.e., don't answer ICMPs, especially broadcasts; don't run a finger or NIS server for external consumption; etc.).

  2. Don't run any software unless you really need it.

  3. Make sure that your software and OS are current. While most exploits are fixed as soon as they are discovered (at least in the UNIX community), you are still vulnerable until you have installed the relevant fixes.

  4. Restrict access to specific IP addresses or ranges of addresses whenever possible. Many services have the capability to restrict service to a set of static IP addresses (see, for example, /etc/hosts.lpd, /etc/lpd.perms, /etc/hosts.allow, /etc/hosts.deny, /etc/smb.conf, /etc/nwserv.conf, /etc/httpd/httpd.conf).

  5. It is also possible to implement all of those restrictions via firewall commands. The downside is a little more overhead; the upside is that all of your restrictions are implemented in one place, iptables.

  6. Keep web, e-mail, file service on separate servers (with unrelated root passwords). That way if one is breached, the rest will still be safe.

  7. Never use root when you don't have to. Log in as an ordinary user, su to root when necessary, and then exit as soon as possible. You'll get a little more practice typing in the root password, but you won't accidentally cause as much harm if you do something wrong.

  8. Back up frequently, using multiple generations and offsite storage. This can be done via hard drives, tapes, and the cloud. I recommend backing up every two or three days, with weekly and monthly backups as an insurance policy.

  9. Instead of using startx, use startx -- -nolisten tcp. (X automatically listens on TCP port 6000; it is configured not to accept any connections, but knowing of the existence of a PC, e.g. through a port scan, is the first step in breaking into it.)

  10. Know how to use /etc/services to identify port numbers. Particular ports of interest are:

 

22 - Secure Shell (SSH)

25 - Simple Mail Transfer Protocol (SMTP)

53 - Domain Name System (DNS)

80 - HyperText Transfer Protocol (HTTP)

123 - Network Time Protocol (NTP)

137 - NetBIOS Name Service (NBNS)

138 - NetBIOS Datagram Service

139 - NetBIOS Session Service (NBSS)

143 - Internet Message Access Protocol (IMAP)

161 - Simple Network Management Protocol (SNMP)

194 - Internet Relay Chat Protocol (IRC)

220 - Internet Message Access Protocol v3 (IMAP3)

389 - Lightweight Directory Access Protocol (LDAP)

443 - HTTP over Secure Sockets Layer (SSL) (HTTPS)

445 - Microsoft DS

515 - Print Spooling (LPD)

636 - LDAP over SSL (LDAPS)

6000-6063 - X Window System

 

Here are the remaining ports of interest, with the transport type (TCP or UDP) in brackets. Some of them may be repeats, so I apologize in advance.

 

20 - FTP data [TCP]

21 - FTP [TCP]

22 - SSH [TCP]

23 - Telnet [TCP]

25 - SMTP [TCP]

53 - DNS [TCP and UDP]

67 - DHCP [UDP]

69 - TFTP [UDP]

80 - HTTP [TCP]

110 - POP3 [TCP]

111 - Portmapper [TCP and UDP]

113 - auth/ident [TCP]

119 - NNTP [TCP]

143 - IMAP [TCP]

389 - LDAP [TCP]

443 - HTTP over SSL [TCP]

 

 

11. Read the Mandiant report on APT1, which you can view here: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf. It is a full, detailed report on the Chinese military's cyber warfare unit, Unit 61398, but it also gives a lot of information on the ways people and organizations get their servers breached, and how it can be done via the simplest of vectors: mainly the human one.

 

The most common danger comes not from technology but from human fallibility and error. This is what security experts call "social engineering" or "spear-phishing": the most successful ruse used by attackers, which entices users into reading and acting on e-mails with links to malware.

 

Several things can be done to fight these methods:

 

12. Educate your users never to click on links in e-mails. Browsers which display the link target in the status bar are useful for showing your users that the link they want to click does not go to the URL displayed in the e-mail.

 

13. Train your users not to open attachments in e-mails; if they must transfer files, they can do so using SFTP or a shared file space.

 

14. Configure mail clients to not execute scripts or run plugins.

 

15. Configure the firewall to block outbound traffic on all ports that are not specifically necessary for users to do their jobs.
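As an added example (not from the original post), here is an iptables script that puts items 1, 4, 5 and 15 in one place: drop echo-requests, allow SSH only from an admin range, and default-deny outbound except the ports users need. The admin network 192.0.2.0/24, the resolver 192.0.2.53 and the IPT dry-run variable are my assumptions; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: an iptables script that puts
# items 1, 4, 5 and 15 above into one place. The admin network and resolver
# address are placeholder assumptions (ADMIN_NET, RESOLVER); adjust them.
# IPT defaults to the real binary; run with IPT=echo to dry-run and only
# print the rules that would be applied.
IPT=${IPT:-iptables}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # placeholder: hosts allowed to reach SSH
RESOLVER=${RESOLVER:-192.0.2.53}        # placeholder: the only DNS server we talk to

apply_rules() {
    # Default deny in both directions; everything below is an explicit exception.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened are allowed; nothing unsolicited is.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Item 1: do not answer echo-requests, so a ping sweep does not find us.
    # (Broadcast pings are already ignored by the kernel default
    # net.ipv4.icmp_echo_ignore_broadcasts=1.)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Items 4 and 5: SSH only from the admin range, enforced here rather than
    # spread across hosts.allow, sshd_config and friends.
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Item 15: outbound only on the ports users need, here DNS to our resolver
    # and HTTPS. A compromised box trying to phone home on anything else is dropped.
    $IPT -A OUTPUT -p udp --dport 53 -d "$RESOLVER" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -d "$RESOLVER" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # Log what is dropped (rate limited) so scans and phone-home attempts
    # show up in syslog instead of vanishing silently.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it as root with --apply only from a console or from the admin range itself, since the default-deny policies cut off every other SSH session.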

 

In fact, the best way to prevent and combat social engineering is:

1. Trust your instincts: if something is suspicious, it probably is.

2. Create an SOP (Standard Operating Procedure) and train your users on how to deal with the common methods of social engineering.

How to tell if your server has been compromised:

 

  1. Keep an md5sum for every critical file on your system, and check them periodically.

  2. Often a simple check like ls -l /bin will show that some binaries have been modified since you installed your system.

  3. If an ls -al of / or one of the top level directories shows a hidden directory, it may be part of a rootkit which the hacker has installed on your system to facilitate his work.

  4. Usually a hacker will remove traces of his intrusion from your log files, and will install versions of binaries such as ls, ps and netstat which will hide his tracks.
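As an added example (not from the original post), a small POSIX shell script that turns items 1 to 4 into something you can run from cron: build a checksum baseline of critical files, report which ones changed or went missing, and list hidden directories under a top-level path. The paths are arguments, and using sha256sum instead of md5sum is my substitution.

```shell
#!/bin/sh
# Added example (not from the original post): builds a checksum baseline for a
# directory of critical files (item 1), reports any file whose checksum has
# changed or which is missing (items 2 and 4), and lists hidden directories
# directly under a top-level path (item 3). Point it at /bin and / on a real
# box. sha256sum stands in for md5sum: same idea, but md5 collisions are cheap.

# make_baseline DIR FILE: record "hash  path" for every regular file under DIR.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# check_baseline FILE: print the paths whose current hash differs from the
# baseline or which no longer exist; returns 1 if anything changed, 0 otherwise.
# Keep the baseline on read-only or offline media: a rootkit that replaced ls
# or ps would happily rewrite a writable hash list too.
check_baseline() {
    changed=$(sha256sum --quiet -c "$1" 2>&1 | sed -nE 's/: FAILED( open or read)?$//p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# find_hidden_dirs ROOT: hidden directories one level below ROOT, i.e. the
# "ls -al /" check from item 3 in scriptable form.
find_hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' | sort
}
```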

     

What to do if your server has been breached or compromised:

 

The entire system has to be reinstalled; it's the only way to be sure. You may be able to find and fix a couple of things that have been touched, but there is a whole host of things which may not be found for a long time, if at all. Many times, the programs which come with a rootkit make it impossible to clean up without reformatting.

 

So the things to do are:

 

  1. Unplug the system from all network connections;

  2. Save all of your data (and verify that the saved data has not been compromised);

  3. Re-install the system from scratch;

  4. Learn from what happened to implement measures to prevent this from happening again (see above).

 

If you kept regular backups or images of your OS, this should not be a problem. Do step 1 and skip to step 3.

 

Privacy is difficult on today's Internet. Everyone must make decisions about how private they want to be; you can't have a large Facebook, Google, or LinkedIn presence and expect any privacy. But there are a few things you can do that will help:

 

  1. Do not accept third-party cookies in your browser.

  2. Clear your cookies frequently, preferably every day or every week.

  3. Erase cache files every time you quit your browser.