Ask The Enterprise Linux Expert: Questions & Answers

The best Linux hardening tools

EXPERT RESPONSE FROM: Anton Chuvakin

QUESTION POSED ON: 21 July 2004
From your experiences with Linux, what are the best Linux security tools?


I had to build a very paranoid Linux system for an experiment using hackers and various scenarios in which they attack through unknown channels. With Linux, I could use a number of tools, which let me harden my Linux system to really high degrees. I modified the kernel and changed some of the in-depth system options to prevent certain types of attacks. I found that, if you want to go that far, you can go to the kernel level and harden. Modifying the system kernel is very effective because you can disable unused functionality at the very heart of the OS, making it unavailable to be abused by attackers.

I found that Linux is very securable. It gives you lots of different pedals you can pull and buttons you can press to make it more secure.

As for tools for Linux, number one would be a host-hardening tool, such as Bastille Linux. Bastille, written by Jay Beale, is one of the best scripts ever. You install a Linux distribution, and then you install Bastille. Then, Bastille recommends which software settings you should change to make the system more secure.

For example, Bastille would identify an FTP server and ask if you need this FTP service tie-in. If not, Bastille can turn it off for you. You run Bastille so that you supply security settings properly. As a result, you arrive with a much better secured Linux system.

Nessus is a vulnerability scanner that runs on different Unix flavors and Linux. It is a very good idea to use Nessus to scan your systems' blocks on a fresh newly-built Linux system.

Scanning production machines is a different story. In that case, you might need permissions or a separate scan window, or you only scan during certain times. There are lots of issues, and nmap can address some of them. It is another tool that is not limited to Linux. I am not that convinced that everyone knows about nmap, but they should.

Say you don't want to go for a full vulnerability scan, but you want to scan a new production system for, say, open ports or management for a special secure shell. You scan with nmap, and it tells you that port 6000 -- which is Xwindows -- hasn't been disabled. Then, you can simply disable it. With nmap, you can avoid some common holes in Linux.
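
The post-build port check described in the answer can be automated by comparing nmap's grepable output (`-oG`) with a list of approved ports. The following is an added example, not part of the original answer: the allowlist (SSH only), the function names and the sample scan output are constructed for illustration.

```python
"""Compare nmap grepable output (-oG) for a freshly built host against an allowlist."""
import re

# Ports the build is supposed to expose (assumption for this example: SSH only).
ALLOWED = {(22, "tcp")}

# Constructed sample of `nmap -oG -` output; 192.0.2.10 is a documentation address.
SAMPLE_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "25/closed/tcp//smtp///, 6000/open/tcp//X11///\tIgnored State: filtered (996)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def open_ports(grepable):
    """Yield (host, port, proto, service) for every port nmap reported as open."""
    for line in grepable.splitlines():
        host = HOST_RE.match(line)
        if not host:
            continue  # comment lines and blanks carry no port data
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[0].isdigit() and parts[1] == "open":
                    yield host.group(1), int(parts[0]), parts[2], parts[4]


def unexpected(grepable, allowed=ALLOWED):
    """Return open ports that are not on the allowlist, sorted for stable output."""
    return sorted(
        (h, p, proto, svc)
        for h, p, proto, svc in open_ports(grepable)
        if (p, proto) not in allowed
    )


if __name__ == "__main__":
    for host, port, proto, svc in unexpected(SAMPLE_OG):
        print(f"{host}: {port}/{proto} ({svc or 'unknown'}) is open but not approved")
```

On the constructed sample this flags the FTP service and the X11 port, the two services the answer uses as examples of things to switch off.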


All Rights Reserved, Copyright 2003 - 2009, TechTarget