> Linux forces you to mark files as executable, so you can't accidentally run a file called myfile.txt.exe, thinking it was just a text file.
> By having more than one common web browser and email client, Linux has strength through diversity: Virus writers cannot target one platform and hit 90% of the users.
Despite saying all that, Linux is susceptible to being a carrier for viruses. If you run a mail server, your Linux box can send virus-infected mails on to Windows boxes. The Linux-based server would be fine, but the Windows client would be taken down by the virus.
In this situation, you should consider a virus scanner for your machine. You have several to choose from, both free and commercial. The most popular free suite is Clam AV (http://www.clamav.net/), but Central Command, BitDefender, F-Secure, Kaspersky, McAfee, and others all compete to provide commercial solutions — look around for the best deal before you commit.
Configuring Your Firewall
Always use a hardware-based or software-based firewall on computers connected to the Internet. Fedora includes a graphical firewall configuration client named system-config-securitylevel, along with a console-based firewall client named lokkit. Use these tools to implement selective or restrictive policies regarding access to your computer or LAN.
Start the lokkit command from a console or terminal window. You must run this command as root; otherwise, you will see an error message like this:
$ /usr/sbin/lokkit
ERROR - You must be root to run lokkit.
Use the su command to run lokkit like this:
$ su -c '/usr/sbin/lokkit'
After you press Enter, you see a dialog as shown in Figure 30.1. Press the Tab key to navigate to enable or disable firewalling. You can also customize your firewall settings to allow specific protocols access through a port and to designate an ethernet interface for firewalling if multiple NICs are installed. Note that you can also use a graphical interface version of lokkit by running the gnome-lokkit client during an X session.
FIGURE 30.1 Fedora's lokkit command quickly generates firewall rules in memory for Linux.
Using system-config-securitylevel is a fast and easy way to implement a simple packet-filtering ruleset with filtering rules used to accept or reject TCP and UDP packets flowing through your host's ethernet or designated device, such as eth0 or ppp0. The rules are created on the fly and implemented immediately in memory with iptables.
Start system-config-securitylevel from the Administration menu's Firewall menu item. You are prompted for the root password and the client's window then appears. Figure 30.2 shows firewalling enabled for the eth0 ethernet device, allowing incoming secure shell and HTTP requests.
FIGURE 30.2 Fedora's system-config-securitylevel client can also be used to quickly generate and implement standard or simple custom firewall rules for Linux.
You can use Fedora to create a custom firewall, perhaps supporting IP masquerading (also known as NAT) by using either ipchains or iptables. You'll find two sample scripts under the /usr/share/doc/rp-pppoe/configs directory; these are used when a digital subscriber line (DSL) is used for Internet connection.
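The following is an added example, not code from the book and not what system-config-securitylevel or the rp-pppoe sample scripts actually emit: a small shell script that prints an iptables ruleset equivalent to the Figure 30.2 policy (only incoming SSH and HTTP accepted on eth0, everything else dropped and logged), plus an optional masquerading block of the kind used for a DSL link over ppp0. It prints the commands rather than running them, so the ruleset can be reviewed and diffed before being fed to sh as root. The interface names eth0 and ppp0 come from the text above; the FW-DROP log prefix and the use of the older -m state match syntax are my choices.

```shell
#!/bin/sh
# Added example (not from the book or Fedora's tools): emit an iptables ruleset
# for the Figure 30.2 policy and, optionally, NAT masquerading for a LAN.
# The functions only print commands; pipe the output to "sh" as root after review.

# Emit input-filtering rules for one interface.
# Usage: gen_input_rules <interface> "<tcp port> [<tcp port> ...]"
gen_input_rules() {
    iface=$1
    ports=$2
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"        # default-deny: anything not listed below is dropped
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host started are always allowed back in.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped so /var/log/messages shows rejected probes.
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-DROP: ' --log-level 4"
}

# Emit masquerading rules so LAN hosts share the external address of <wan>.
# Usage: gen_masquerade_rules <lan interface> <wan interface>
gen_masquerade_rules() {
    lan=$1
    wan=$2
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    echo "iptables -A FORWARD -i $lan -o $wan -j ACCEPT"
    # Only answers to LAN-originated traffic may come back across the link.
    echo "iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check before applying a generated ruleset: count the ports it opens.
# Reads the ruleset from stdin; the Figure 30.2 policy should report exactly 2.
count_open_ports() {
    grep -c -- '--dport'
}

# Demo: the Figure 30.2 policy (SSH and HTTP on eth0), then NAT over ppp0.
gen_input_rules eth0 "22 80"
gen_masquerade_rules eth0 ppp0
```

Run it as an ordinary user, read the output, and only then run it again piped to sh as root; because the INPUT policy is set to DROP before the ESTABLISHED rule is added, apply it from the console rather than over an SSH session you do not want to lose.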
Forming a Disaster Recovery Plan
No one likes planning for the worst, which is why two-thirds of the population do not have a will. It is a scary thing to have your systems hacked: One or more criminals have broken through your carefully laid blocks and caused untold damage to the machine. Your boss, if you have one, will want a full report of what happened and why, and your users will want their email when they sit down at their desks in the morning. What to do?
If you ever do get hacked, nothing will take the stress away entirely. However, if you take the time to prepare a proper response in advance, you should at least avoid premature aging. Here are some tips to get you started:
> Do not just pull the network cable out — This alerts the hacker that he has been detected, which rules out any opportunities for security experts to monitor for that hacker returning and actually catch him.
> Inform only the people that need to know — Your boss and other IT people are at the top of the list; other employees are not. Keep in mind that it could be one of the employees behind the attack, and this tips them off.
> If the machine is not required and you do not want to trace the attack, you can safely remove it from the network — However, do not switch it off because some backdoors are enabled only when the system is rebooted.
> Make a copy of all the log files on the system and store them somewhere else — These might have been tampered with, but they might contain nuggets of information.
> Check the /etc/passwd file and look for users you do not recognize — Change all the passwords on the system, and remove bad users.
> Check the output of ps aux for unusual programs running — Also check to see whether any cron jobs are set to run.
> Look in /var/www and see whether any web pages are there that should not be. If you see any you don't recognize, check them closely and move them into a quarantined area if need be.
> Check the contents of the .bash_history files in the home directories of your users — Are there any recent commands for the root user?
> If you have worked with external security companies previously, call them in for a fresh audit — Hand over all the logs you have, and explain the situation. They will be able to extract all the information from the logs that is possible.
> Start collating backup tapes from previous weeks and months — Your system might have been hacked long before you noticed, so you might need to roll back the system more than once to find out when the attack actually succeeded.
> Download and install Rootkit Hunter from http://www.rootkit.nl/projects/rootkit_hunter.html — This searches for (and removes) the types of files that bad guys leave behind for their return.
Keep your disaster recovery plan somewhere safe; saving it as a file on the machine in question is a very bad move!
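As an added example (my code, not the book's), here are the /etc/passwd, cron and .bash_history checks from the list above written as shell functions. Each takes its input file as an argument, so the checks run against copies taken off the suspect machine rather than the live system, and the script ends with a run over constructed sample data. Two assumptions are built in: regular users start at UID 500 (Fedora's default at the time), and cron lines are in user-crontab format (five time fields or an @keyword such as @reboot). The sample accounts, cron lines and history are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the book): scripted account, cron and shell-history
# checks for the disaster-recovery list. Functions take file paths so they can be
# pointed at copied files. Assumptions: regular users have UID >= 500 and cron
# entries use user-crontab format.

# Accounts that are UID 0 without being root, plus regular accounts missing from
# the list of users you know about.
# Usage: find_suspect_accounts <passwd-file> <known-users-file, one name per line>
find_suspect_accounts() {
    passwd=$1
    known=$2
    awk -F: '$3 == 0 && $1 != "root" { print $1 " (extra UID 0 account)" }' "$passwd"
    awk -F: '$3 >= 500 { print $1 }' "$passwd" | while read -r u; do
        grep -qx "$u" "$known" || echo "$u (not on known-user list)"
    done
}

# Cron entries whose command lives outside /usr, /bin or /sbin (for example in
# /tmp). @reboot entries matter here: the list above notes that some backdoors
# are only activated when the system is rebooted.
# Usage: find_odd_cron <crontab-file>
find_odd_cron() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
        awk '{ cmd = ($1 ~ /^@/) ? $2 : $6
               if (cmd !~ /^\/(usr|bin|sbin)\//) print }'
}

# History lines that add or alter accounts or scheduled jobs, with line numbers.
# Usage: find_history_flags <.bash_history file>
find_history_flags() {
    grep -nE '(^|[;&| ])(useradd|usermod|userdel|passwd|crontab|chattr|visudo)( |$)' "$1" || :
}

# Constructed sample data standing in for files copied off a compromised host.
make_sample_data() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
sysadm2:x:0:0::/tmp:/bin/bash
mailer:x:502:502::/var/tmp:/bin/bash
EOF
    printf 'alice\nbob\n' > "$d/known_users"
    cat > "$d/crontab" <<'EOF'
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/updatedb
@reboot /tmp/.x/listen
*/5 * * * * /var/tmp/.hidden/beacon.sh
EOF
    cat > "$d/root_history" <<'EOF'
ls -la /var/log
useradd -o -u 0 sysadm2
crontab -e
tail -f /var/log/messages
EOF
    echo "$d"
}

# Run every check over one directory of copied files and print a short report.
run_triage() {
    dir=$1
    echo "== suspect accounts =="
    find_suspect_accounts "$dir/passwd" "$dir/known_users"
    echo "== cron entries outside system directories =="
    find_odd_cron "$dir/crontab"
    echo "== root history: account or cron changes =="
    find_history_flags "$dir/root_history"
}

sample=$(make_sample_data)
run_triage "$sample"
rm -rf "$sample"
```

On the sample data the report flags the extra UID 0 account and the unknown "mailer" user, the two cron entries that run out of /tmp and /var/tmp, and the useradd and crontab lines in root's history. On a real incident, point the functions at the copies you made in the "copy of all the log files" step, and keep the known-users list with the recovery plan itself, off the machine.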
Keeping Up-to-Date on Linux Security Issues
A multitude of websites relate to security. One in particular hosts an excellent mailing list. The site is called Security Focus, and the mailing list is called BugTraq. BugTraq is well-known for its unbiased discussion of security flaws. Be warned: It receives a relatively large amount of traffic (20-100+ messages daily). The archive is online at