Chapter 6: Securing Linux (page 193)

- Get security updates regularly. All major Linux distributions offer tools and software repositories for getting fixes for security vulnerabilities to you as they are discovered and patched. Getting those critical patches is often as simple as running a single command that downloads and installs the patches. Several Web sites provide excellent vulnerability, outbreak, and mitigation information, including www.isc.sans.org (general Internet attack information), www.sarc.com (virus outbreak information), www.cert.org (software security information), and www.securityfocus.com (general security Web site).

- Disable network services you do not need. Any service that isn't actively being used is just a liability. Shut it down and rest easier knowing that there's one less route of entry into your systems.

Understanding Attack Techniques

Attacks on computing systems take on different forms, depending on the goal and resources of the attacker. Some attackers want to be disruptive, while others want to infiltrate your machines and utilize your resources for their own nefarious purposes. Still others are targeting your data for financial gain or blackmail. Some common attacks that are described in this section include Denial of Service, Distributed Denial of Service, and intrusion attacks.

Denial of Service (DoS) attacks are the easiest to perpetrate. The primary purpose of these attacks is to disrupt the activities of a remote site by overloading it with irrelevant data. DoS attacks can be as simple as sending thousands of page requests per second to a Web site. These types of attacks are fairly easy to resolve: after you get a handle on where the attack is coming from, a simple phone call to the perpetrator's ISP gets the problem solved.

Advanced DoS attacks are called Distributed Denial of Service (DDoS) attacks. They are much harder to execute and nearly impossible to stop. The attacker takes control of hundreds or even thousands of weakly secured Internet-connected computers and then directs them in unison to send a stream of irrelevant data to a single Internet host. The result is that the power of one attacker is magnified thousands of times. Instead of an attack coming from one direction, as in the usual DoS, it comes from thousands of directions at once. The best defense against a DDoS attack is to contact your own ISP to see if it can filter traffic at its border routers.

Many people use the excuse "I have nothing on my machine anyone would want" to avoid considering security. The problem with this argument is that attackers have a lot of reasons to use your machine. The attacker can turn your machine into an agent for later use in a DDoS attack. More than once, authorities have shown up at the door of a dumbfounded computer user asking questions about threats originating from the user's computer. By ignoring security, owners have opened themselves up to a great deal of liability.
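The DoS and DDoS passages above rest on one practical distinction: a single-source flood can be traced to one client (and its ISP), while a distributed flood shows a high aggregate rate with no single client standing out. The following Python script is an added example, not code from the book; it runs that check over constructed Web server log lines in the common "combined" format, using RFC 5737 documentation addresses and made-up thresholds.

```python
import re
from collections import Counter, defaultdict

# Client IP and timestamp (to the second) from a "combined" format log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')

def requests_per_second(lines):
    """Count requests per (client IP, second) over the given log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # unparseable lines are skipped rather than aborting the audit
            counts[(m.group("ip"), m.group("ts"))] += 1
    return counts

def classify_flood(lines, per_source=50, aggregate=200):
    """Separate a single-source flood (one client at or above per_source req/s,
    which the text says is resolved by contacting that client's ISP) from a
    distributed flood (aggregate rate at or above the threshold in a second
    where no single client is dominant, so only upstream filtering helps).
    Thresholds are assumed values; tune them to the site's normal traffic."""
    counts = requests_per_second(lines)
    total, peak = defaultdict(int), defaultdict(int)
    for (ip, ts), n in counts.items():
        total[ts] += n
        peak[ts] = max(peak[ts], n)
    single = sorted({ip for (ip, _), n in counts.items() if n >= per_source})
    distributed = sorted(ts for ts in total
                         if total[ts] >= aggregate and peak[ts] < per_source)
    return {"single_source": single, "distributed_seconds": distributed}

# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
def _line(ip, ts):
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 1234 "-" "curl/8.0"'

T0, T1, T2 = ("10/Oct/2000:13:55:36 +0000", "10/Oct/2000:13:55:37 +0000",
              "10/Oct/2000:13:55:38 +0000")
SAMPLE = ([_line("192.0.2.10", T0)] * 3                             # normal client
          + [_line("198.51.100.7", T1)] * 60                        # one client flooding
          + [_line(f"203.0.113.{i}", T2) for i in range(1, 251)])   # 250 agents, 1 req each

if __name__ == "__main__":
    print(classify_flood(SAMPLE))
```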
