Archive for December, 2006

Nokia Console Cables

It’s been a while since I’ve been up close & personal with a Nokia firewall, but recently I’ve needed to play.

The first thing I noticed was that the console cable has changed. Now let’s not focus too much on the design flaw whereby you can’t actually get your fingers in properly to release the cable, but at least they got rid of the DB9-type serial thing that kept breaking.

The good news is, looking at the cable colours you can see that the cables are rollover cables – exactly the same as Cisco use – great! One less thing to carry around in the laptop bag :-D

Nagios Checker – Firefox Extension

Been looking for something like this for a while…

Nagios Checker | Firefox Add-ons | Mozilla Corporation
The statusbar indicator of events from the network monitoring system Nagios. Information is parsed from the Nagios web interface. In the extension settings dialog simply fill in the start page URL of your Nagios web interface, e.g. http://www.yourfirm.com/nagios/ and let the button locate the status script URL.

Sneak Peek!

“Oh the anticipation will send me mad!”

Posting has been a bit slow, November really was a poor month! The reason will become clear if you peek over to my new business site … yep that’s right, I have a local linickx! :)

I’ve been busy writing guides on some basic Internet stuff, and the really techie bits will end up here, hence my post about Linux security. It’s been a while since I’ve had to do some operational maintenance, but all the old favourites are back; in fact my Nagios knowledge has improved, so I’ll try and share that too!

I think this new venture adds the perfect balance to my site: both professional input from my Cisco networking experiences, and now security & Linux for online servers & services… All I need now is a PS3 and I can party all the way home!

Securing a Linux box – my tips!

November was a slow posting month, the reason being that I’m working on a rather time-consuming project; one of the areas I’ve had to focus on again is Linux security.

Security goes on and on forever; you can do as much or as little as you deem necessary. Too much will consume resources*, too little opens you up to attack. This article talks about some steps I take. Be advised, tho’, that this will generate a load of e-mails, and if you’re not going to read them, why bother implementing them?

The first point of security is “need to know” – only install what you need. Applications, people and operating systems all have flaws, so the less you install the lower your risk. I get that the command line for n00bs is a problem, so you might want to install GNOME or KDE to get started, but that’s not to say they need to be installed on your production servers. I make an effort to test everything offline (in a VMware machine, since £££ are tight) and when I’m happy I upload or copy what I need.

Another golden rule is patch, patch, patch. It’s a good idea to subscribe to application mailing lists; where possible I try to use YUM (I’m a Red Hat/Fedora/CentOS/White Box man) and then I have the following script in /etc/cron.daily to tell me what needs patching.

#!/bin/bash
# cron mails whatever this prints, so pending updates arrive once a day
yum list updates

Now the basics are covered you need to “lock down” your box; for this I’d recommend Bastille Linux, a script that tightens up existing installs. It also covers firewall (iptables) settings for you as well.

Moving on, you now need some kind of intrusion detection. Let’s be honest, no-one knows everything about Linux, so how do we know if it’s been hacked? To start with I like to use Tripwire. Tripwire goes through the files on your hard drive and creates a database; if they change, a report shows you what and when.
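To show what the Tripwire step actually buys you, here is an added example (not Tripwire itself, and not code from the original post): a minimal hash baseline of a directory tree, plus a check that reports files that were modified, went missing or appeared since the baseline. It assumes GNU coreutils (sha256sum, comm) and plain filenames without newlines or backslashes; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example: a tiny stand-in for what Tripwire does. The baseline is a list of
# "sha256  path" lines; the check compares the live tree against it.

# baseline_create DIR BASELINE_FILE : record a SHA-256 for every regular file under DIR
baseline_create() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# baseline_check DIR BASELINE_FILE : print what changed since the baseline.
# Returns 0 only when nothing differs. Paths in the baseline must be absolute
# or relative to the current directory, exactly as they were when recorded.
baseline_check() {
    dir=$1; base=$2; rc=0
    # sha256sum -c prints "path: FAILED" for a modified file and
    # "path: FAILED open or read" for a missing one; --quiet drops the OK lines.
    if ! sha256sum -c --quiet "$base" 2>/dev/null; then rc=1; fi
    # sha256sum -c cannot notice NEW files, so diff the live file list against the
    # baseline's path column (64 hex digits + two spaces = path starts at column 67).
    cut -c67- "$base" | sort > "$base.paths"
    find "$dir" -type f | sort | comm -13 "$base.paths" - | sed 's/^/ADDED: /' > "$base.added"
    rm -f "$base.paths"
    if [ -s "$base.added" ]; then cat "$base.added"; rc=1; fi
    rm -f "$base.added"
    return $rc
}

# Demo on a constructed throwaway tree (assumed content, not a real system)
demo=$(mktemp -d)
mkdir "$demo/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/etc/passwd"
printf 'AllowUsers someadmin\n' > "$demo/etc/sshd_config"
baseline_create "$demo/etc" "$demo/baseline"
baseline_check "$demo/etc" "$demo/baseline" && echo "clean: nothing changed since baseline"
printf 'root:x:0:0:root:/root:/bin/bash\nextra:x:1001:1001::/home/extra:/bin/sh\n' > "$demo/etc/passwd"  # modified
rm "$demo/etc/sshd_config"                                                                             # missing
printf 'Listen 8080\n' > "$demo/etc/new.conf"                                                          # added
baseline_check "$demo/etc" "$demo/baseline" || echo "differences found since baseline"
rm -rf "$demo"
```

The baseline is only as trustworthy as the place you keep it: like Tripwire’s database, store it (and the checker) somewhere an intruder who owns the box cannot quietly rewrite, for instance read-only media or another host.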

Getting paranoid. Rootkits are the Linux virus, so I like to install a detection method – well actually two, chkrootkit and Rootkit Hunter – hopefully one will find something.

Even more paranoid. Get your box to e-mail you if someone logs in as root. Edit /root/.bash_profile and add the following to the end…

# who -m reports only the session that started this shell; the remote host is the part in parentheses, so it is taken with sed rather than by field number (field positions in who's output vary between coreutils versions)
echo "ALERT - Root Shell Access on: $(date) $(who -m)" | mail -s "Alert: Root Access from $(who -m | sed -n 's/.*(\(.*\)).*/\1/p')" your@email.com

Now I actually don’t use root; the password is set using this generator and I force all users to use sudo. This allows me to make a couple of important changes to SSH (/etc/ssh/sshd_config):

AllowUsers someadmin
PasswordAuthentication no

Notice password authentication can’t be used… Google has some great documents on the alternatives.
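A quick way to confirm those two sshd_config changes actually took, as an added example that is not part of the original post: the script below reads a config file the way sshd does for duplicate keywords (sshd_config(5) states that the first value found for a keyword is the one used, so a later duplicate does not override an earlier line) and fails if PasswordAuthentication is still on or AllowUsers is missing. It only looks at the global section, stopping at the first Match block, and assumes whitespace-separated “Keyword value” lines; the sample config files and the user name someadmin are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the two sshd_config directives from the post.

# sshd_get KEYWORD FILE : print the effective global value of KEYWORD (empty if unset)
sshd_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # end of the global section
        tolower($1) == tolower(key) {                   # first occurrence wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$2"
}

# sshd_check FILE : return 0 only if PasswordAuthentication is off and AllowUsers
# restricts who may log in; otherwise print what is wrong and return 1
sshd_check() {
    pa=$(sshd_get PasswordAuthentication "$1" | tr 'A-Z' 'a-z')
    au=$(sshd_get AllowUsers "$1")
    rc=0
    if [ "$pa" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pa:-unset}' (sshd defaults to yes)"
        rc=1
    fi
    if [ -z "$au" ]; then
        echo "FAIL: AllowUsers is not set, so every account with a shell may try to log in"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $1"
    return $rc
}

# Demo on constructed files: the weak setting beside the corrected one
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# PasswordAuthentication no
PasswordAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
AllowUsers someadmin
PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
sshd_check "$tmp/weak"        # the only live line still says yes, so this fails
sshd_check "$tmp/hardened"    # first value (no) wins; the Match block is ignored
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config after editing, and remember the file is only read when sshd starts or is reloaded, so a passing check means nothing until the daemon has been restarted.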

And finally tune your app: if it’s a mail (POP/IMAP) server, install SSL encryption; if it’s a webserver, things like mod_security and suPHP.

Hopefully this helps someone get started… here are some useful references:

*Too much doesn’t stop you working, that’s just poor security management ;)