Recently, my Linux box was hacked.
Now I have Ubuntu 8.04 on a single-user
computer with OSSEC intrusion detection.
In the Debian Users elist, I was advised
by someone to "harden the system".
I don't need an HTTPS server, mail server,
web server. I administer my own computer,
and I'm the only user.
Thanks,
David Bernier
What do you want to achieve in hardening? Do you just want to permanently turn off those services?
Yes, i.e. the daemons I don't need. I ran the
'netstat' command and the output is very long.
Here are the first few lines:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 1 0 192.168.0.104:38878 a24-200-251-11.depl:www CLOSE_WAIT
tcp 1 0 192.168.0.104:54211 66.198.156.161:www CLOSE_WAIT
tcp 1 0 192.168.0.104:52505 66.198.156.155:www CLOSE_WAIT
tcp 1 0 192.168.0.104:52506 66.198.156.155:www CLOSE_WAIT
tcp 1 0 192.168.0.104:39123 a24-200-251-26.depl:www CLOSE_WAIT
tcp 1 0 192.168.0.104:49996 66.198.156.147:www CLOSE_WAIT
tcp 1 0 192.168.0.104:39017 ns-vip5.hitbox.com:www CLOSE_WAIT
tcp 1 0 192.168.0.104:57125 s3.amazonaws.com:www CLOSE_WAIT
tcp 1 0 192.168.0.104:57126 s3.amazonaws.com:www CLOSE_WAIT
tcp 1 0 192.168.0.104:55537 66.198.156.162:www CLOSE_WAIT
tcp 1 0 192.168.0.104:39208 66.198.156.145:www CLOSE_WAIT
tcp 1 0 192.168.0.104:45503 211.136.108.242:www CLOSE_WAIT
tcp 1 0 192.168.0.104:48321 yx-in-f127.google.c:www CLOSE_WAIT
tcp 1 0 192.168.0.104:55536 66.198.156.162:www CLOSE_WAIT
tcp 0 0 192.168.0.104:52858 69.59.161.242.pi.ze:www ESTABLISHED
tcp 1 0 192.168.0.104:57963 216.246.87.59:www CLOSE_WAIT
tcp 1 0 192.168.0.104:45502 211.136.108.242:www CLOSE_WAIT
Perhaps someone can interpret those results.
Thanks,
David
On Ubuntu you'll need to run the sysv-rc-conf command to determine what is running at boot time. Once you shut down the unnecessary daemons both at boot time using sysv-rc-conf and those running immediately using the scripts in /etc/init.d then you should be OK.
The link has more information on simple hardening and determining what processes are listening on what ports.
Your output seems to be related to your system making connections out to the net on TCP port 80 (WWW). This is normal. A quick way to determine what network ports your system is listening on would be to grep the netstat output for the 0.0.0.0 address like this:
Code:
# netstat -an | grep 0.0.0.0
Then you can use lsof to determine what daemons are attached to each port listed from the output and then shut down the ones you don't need.
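An added example, not part of the original post: a plain grep for 0.0.0.0 also matches loopback-only listeners, because netstat prints 0.0.0.0:* in the Foreign Address column for every listening socket. The filter below reads `netstat -an` output and classifies each listener by its Local Address instead; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        1      0 192.168.0.104:38878     203.0.113.10:80         CLOSE_WAIT
tcp        0      0 192.168.0.104:52858     203.0.113.20:80         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
EOF
}

# classify_listeners: read netstat -an output on stdin and print
# "<scope> <proto> <port>" for each listening TCP socket and unconnected UDP socket.
#   exposed = bound to the wildcard address (reachable from the network)
#   local   = bound to loopback only
#   iface   = bound to one specific interface address
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP listeners have LISTEN in column 6; UDP has no state column,
        # so an unconnected UDP socket is recognised by a foreign address ending in ":*".
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        if ($1 ~ /^udp/ && $5 !~ /:\*$/) next
        port = $4; sub(/^.*:/, "", port)      # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host == "0.0.0.0" || host == "::" || host == "*") scope = "exposed"
        else if (host ~ /^127\./ || host == "::1") scope = "local"
        else scope = "iface"
        print scope, $1, port
    }' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample.
sample_netstat | classify_listeners
```

On a live system, pipe `netstat -an` into `classify_listeners`; each "exposed" port can then be mapped to its daemon with `lsof -i :PORT` as the post describes.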