[mdlug] Best Linux Security? Anyone use tripwire?
Dave Arbogast
mdlug3 at arb.net
Sun Jan 20 23:08:13 EST 2008
Carl T. Miller wrote:
>Robert Lippert wrote:
>
>>What's the best security system?
>>Note...I use Red Hat.
>
>The best security is a sharp, attentive administrator. Tripwire
>is good for letting you know after the fact that files have changed.
>It's more important that you don't run services you don't need, that
>you maintain security patches, that you train your users well, have
>a good firewall, and carefully review the configuration of services
>and applications that you run. My point being that tripwire and
>similar programs are only a small part of overall security.
>
>I have used tripwire in the past and found that it was more work
>to configure and maintain than I cared for, especially since it
>did nothing proactive to protect the server. If you do want to
>monitor changes, you might want to look for changes in processes
>that are running as well as network connections that are made in
>addition to changes in files.
>
>I'm not sure which monitoring programs Red Hat recommends. You
>might want to look in the Red Hat system administration guide
>to see what they support.
>
>c
>
Carl has a great start. Everything he says is dead on.... but it is a
start. If you want to be secure, it needs to be a layered approach.
How much is the box and its data worth if it is compromised? When you
put all your eggs in one basket, you WILL get hacked, in time. Other
layers to look at would be another device in front of your RH box as a
firewall. Be it some Cisco box you got off eBay or a Linux box of another
distro acting as your FW - like IPCop or similar. The point is the tools
/ skills to hack RH are not _exactly_ the same as to hack IPCop / SuSE
ipchains firewall / Cisco / Checkpoint, etc.... The layers will impede
the perpetrator and likely alert you before the device you are
protecting is compromised. This box also needs to be hardened. All
unnecessary apps / services need to be removed. The passwords need to be
strong and changed at a reasonable interval - 30 days hurts security
more than allowing 365 days... 90 days is a good compromise. If you need
network access to a terminal, ssh should be the only way in. Period. ALL
non-encrypted protocols should be whacked - FTP, NFS, Telnet, POP3, IMAP,
X Windows, etc. Some of these have an encrypted option, but you need to
enforce it and configure it. SSH also needs to be hardened - NO root
login over ssh. Require user auth before su to root.
I could go on and on, but you get the idea.
-dave (CISSP)
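An added example, not part of the mdlug thread or anything Dave or Carl posted: two small POSIX shell audits for the hardening points above, "NO root login over ssh" and "ALL non-encrypted protocols should be whacked". It goes slightly beyond the message by also flagging SSH protocol 1 when it is explicitly enabled. The sshd_config text and the netstat-style listener table are constructed for the demo, and SAMPLE_DIR is an assumed scratch location; on a real box you would point the functions at /etc/ssh/sshd_config and at the output of netstat -tln (or ss -tln).

```shell
#!/bin/sh
# Added example (not from the mdlug thread). Audits an sshd_config for root
# login over ssh and SSH-1, and a listener table for the plaintext services
# named in the message (FTP, Telnet, POP3, IMAP, NFS, X11).
# SAMPLE_DIR and both input files are constructed for the demo.

SAMPLE_DIR="${SAMPLE_DIR:-/tmp/hardening-demo}"
mkdir -p "$SAMPLE_DIR"

# Constructed sshd_config: the commented-out "no" is a decoy that a naive
# grep would accept; the live setting is "yes".
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# sample sshd_config (constructed for the demo)
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
EOF

# Constructed "netstat -tln"-style table of listening TCP sockets.
cat > "$SAMPLE_DIR/listeners.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
EOF

# sshd_value FILE KEYWORD: the effective value of a keyword. sshd keeps the
# FIRST uncommented occurrence, so commented-out defaults and later duplicates
# are ignored (Match blocks are not handled here).
sshd_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: one FINDING line per weak setting.
audit_sshd_config() {
    root="$(sshd_value "$1" PermitRootLogin)"
    # An absent keyword is flagged too: the compiled-in default is not "no".
    if [ "$root" != "no" ]; then
        printf 'FINDING: PermitRootLogin is "%s" (want "no": no root login over ssh)\n' "${root:-unset}"
    fi
    proto="$(sshd_value "$1" Protocol)"
    # Only an explicit "1" is flagged; the default when absent depends on the
    # OpenSSH version.
    case "$proto" in
        *1*) printf 'FINDING: Protocol "%s" allows SSH-1, which is cryptographically broken\n' "$proto" ;;
    esac
    return 0
}

# audit_listeners FILE: one FINDING line per plaintext service in LISTEN state.
audit_listeners() {
    awk '
        BEGIN { plain[21]="ftp"; plain[23]="telnet"; plain[110]="pop3";
                plain[143]="imap"; plain[2049]="nfs"; plain[6000]="x11" }
        $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]   # last field works for IPv6 too
            if (port in plain)
                printf "FINDING: %s listening on %s (plaintext)\n", plain[port], $4
        }
    ' "$1"
}

echo "== sshd_config =="
audit_sshd_config "$SAMPLE_DIR/sshd_config"
echo "== listeners =="
audit_listeners "$SAMPLE_DIR/listeners.txt"
```

The first-match rule in sshd_value is the part worth copying: the commented "#PermitRootLogin no" in the sample is exactly the line a quick grep would match, while sshd itself honours the later "yes".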