
Is anyone on here interested in Linux security and wants to share noob experiences/tips with hardening and stuff?

@linuxenko Yeah, I know. Atm I'm learning about hardening Linux servers, especially Debian as it's my fav distro, and I'm looking into Kali for pentesting. Mostly I'm playing around with AppArmor and looking into grsecurity.

@linuxenko I have no preferences yet; what are you using for sandboxing? That's great, maybe we can exchange some tips. It's indeed such a vast topic; I'm kind of playing around atm to get an idea of what is important and what to look further into.

@thomsane I don't use anything special for it. In general it is very basic, such as privileges and the different kinds of process settings that Linux has out of the box.

@thomsane Actually nothing special, as I said: the general process isolation, very basic security stuff such as heap randomization and so on, sometimes kinda LXC, but I don't like virtual environments.

@linuxenko Ok... it's not even basic enough for me^^ I knew there is something like memory corruption exploits. Did you use something like PaX or Exec Shield for it?

@thomsane Are you talking about "Meltdown/Spectre"-like stuff? It happens sometimes, so everyone should be prepared to be vulnerable for an hour or two when it happens.

@linuxenko Not in particular, but from what I understand these are memory corruption exploits. I'm way too noobish, but heap randomization makes it hard to jump to a particular position in memory, from what I understand. I really need to do more coding...

@thomsane It is kinda a hardware vulnerability; there has been nothing extraordinary with memory and the software part for the last 20 years, maybe more, but I can say that for that period of time.

@thomsane Linux security should matter to us all. What is your use case/threat vector and what have you already done?

@lyra I'm running a dedicated Debian server mainly for learning. It's running some services, sometimes a game server. Threat vector? I don't really know what you mean. Sry, I'm a newbie :)

@thomsane Threat vector is "who/what is attacking you" and sets your security vs. ease-of-use boundaries. When the government is attacking you, the amount of security you need is much greater than if you're just worried about a random script kiddie.

@lyra Ah ok, atm there is no actual threat besides random brute force on SSH and ppl trying to use my Postfix for spam. I started out with a minimal Debian to have only what I need installed, fail2ban, having /home on its own partition, a basic alert for shell logins, and using ClamAV, chkrootkit, rkhunter and Lynis. I'm looking into AppArmor right now.
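The two things this post relies on for the SSH brute-force threat, a fail2ban-style ban and a "basic alert for shell logins", are easy to see in code. The following Python script is an added example and not something posted in the thread or shipped by fail2ban; it reimplements the core of fail2ban's sshd jail (ban an IP after `maxretry` failed passwords inside a sliding `findtime` window) and the login alert as plain functions over sshd log lines. The log lines, hostnames, addresses and the `year` used to complete syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from the thread). 203.0.113.7 hammers the
# box within seconds; 198.51.100.9 fails twice 20 minutes apart; one real login.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 box sshd[2331]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 box sshd[2331]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 box sshd[2335]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:06 box sshd[2335]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Mar 10 02:14:09 box sshd[2340]: Failed password for invalid user oracle from 203.0.113.7 port 51040 ssh2
Mar 10 02:15:00 box sshd[2350]: Accepted publickey for thomsane from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:abc
Mar 10 02:20:00 box sshd[2360]: Failed password for root from 198.51.100.9 port 33000 ssh2
Mar 10 02:40:00 box sshd[2370]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# sshd's own message formats; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce(log_text, maxretry=5, findtime=600, year=2024):
    """Return {ip: (ban_time, failures_in_window)} for every IP that reaches
    maxretry failed passwords inside a sliding findtime-second window.
    This mirrors fail2ban's sshd jail defaults (maxretry=5, findtime=10m)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"], year)
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = (ts, len(q))
    return bans


def login_alerts(log_text):
    """The 'basic alert for shell logins': one message per accepted sshd login."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            alerts.append(f"{m['ts']} login: {m['user']} from {m['ip']} via {m['method']}")
    return alerts


if __name__ == "__main__":
    for ip, (when, n) in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S} after {n} failures")
    for alert in login_alerts(SAMPLE_AUTH_LOG):
        print(alert)
```

With the defaults, only 203.0.113.7 is banned (five failures in eight seconds); 198.51.100.9 never is, even with `maxretry=2`, because its two failures are 20 minutes apart and the first has left the 10-minute window by the time the second arrives. That window is what keeps a slow scanner from tripping the jail, and it is the knob to shorten if slow brute force is the actual traffic you see.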

@thomsane Assuming it's an all Unix/Linux environment, ClamAV is a waste of resources in most cases.

@lyra Ah ok, yes it's only a single Debian box atm. Would you recommend setting up AppArmor? And should I learn IPFilter? I remember pfSense is a thing.

@thomsane pfSense is an OS based on FreeBSD that's a fantastic firewall/router (using one right now actually) but not really relevant here. IPFilter is, I'm pretty sure, the FreeBSD alternative to OpenBSD's pf. Linux has nftables (the iptables replacement) and BPF (supposedly pf for Linux?), so I would look at those. AppArmor or SELinux are good things to know about. I've never used AppArmor, but regardless, the general concepts are things you'll likely want or need to know eventually.

@lyra Ah ok^^ Sry, I get things mixed up; I'm getting a lot of input atm. I read SELinux is insanely hard to configure correctly and ppl tend to create vulnerabilities with it by not really knowing what to do. Thx, I will follow these ppl :)

@thomsane There's a talk from a Red Hat dev on YouTube from a few years ago on how easy modern SELinux is compared to what it used to be.

@lyra But apart from actual threat vectors, I want to learn to lock down a box as well as possible. I'm interested in working as a sysadmin some time or even getting further into security matters. Web app security is on my list too, since I'm a web designer atm. But I wanna get away from advertising.

@thomsane Start following the security community (Brian Krebs, Project Zero, Black Hat, DEF CON, etc.). It'll get you into the mindset these people have when attacking.
