Because of publication delays, a book cannot present the most up-to-date information on specific exploits (methods of compromising a computer), security bugs, and so on. This chapter therefore focuses on general security procedures and a few tools that are useful in fighting intrusion attempts. There are times when you need the most up-to-date information, though, such as when you're investigating a successful break-in or suspicious activity that makes you think your system might be under attack. Fortunately, several resources are available to help you track developments in the security arena or locate information on specific exploits, bugs, and so on.
Security Web Sites
As with many computer-related topics, Web sites can be a very useful resource in tracking security issues. Web sites can be updated quickly with the latest information, but you must check them yourself on a regular basis if they're to do any good. Some security Web sites you might want to check on a regular basis include the following:
Your distribution's Web site: All major Linux distributions have Web sites, and most include security or errata pages. As noted earlier, in the section "How to Monitor for Updated Software," these Web sites usually host information on bug fixes for specific packages included with your distribution, as well as links to updated versions of these packages built for your distribution.
The CERT/CC Web site: The Computer Emergency Response Team Coordination Center (CERT/CC) is one of the leading organizations for tracking security-related bugs. Their Web site is at http://www.cert.org, and is well worth checking on a regular basis.
The CIAC Web site: The United States Department of Energy operates an organization known as the Computer Incident Advisory Capability (CIAC), which maintains a Web page at http://www.ciac.org/ciac/. This site is similar to the CERT/CC site in general scope.
The Linux Weekly News Security Section: The Linux Weekly News (http://lwn.net) is a Web-based Linux "newspaper." It includes a security section with information on exploits, including some distribution-specific comments. (Click the Security link in the column on the left of the main page; the exact URL changes from day to day.)
The SecurityFocus Web site: A site maintained at http://www.securityfocus.com is something of a news outlet for security-related information. It focuses less on incident reports and includes more in the way of tutorials and "digested" news than the CERT/CC and CIAC sites.
These sites can all provide useful information on popular exploits, new bugs, new viruses and worms, security-related updates to major servers, and how to protect your system from various dangers. It's well worth checking at least one or two of these sites on a regular basis, say, once a day, or at least once a week.
Security Mailing Lists and Newsgroups
One of the problems with security Web sites is that they require constant monitoring. Fortunately, there are other types of resources that are more active in getting information to you. In particular, mailing lists are a means of communication that allow mail from individuals to reach an entire group of readers as quickly as the e-mail system can operate. Many security mailing lists don't allow posting from members; they exist solely to distribute information from the list maintainer. If you check your mail regularly, you can subscribe to a mailing list and learn of a new threat very soon after it is reported to that list.
You can set up a Procmail filter (discussed in Chapter 19, Push Mail Protocol: SMTP) to watch for mailing list postings and run a special program to get your attention when a new alert arrives over the list. For instance, you might write a script that causes Procmail to play a sound file or pop up a special alert dialog box.
An information distribution medium that's similar to mailing lists in some ways is a security newsgroup. Like mailing lists, newsgroups are a way for a group of individuals to share information in text-based messages. Newsgroups require more active monitoring, though, so to get the most benefit from a newsgroup you must read it on a regular basis, or perhaps set up a special "robot" script to scan newsgroup postings for important keywords.
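As an added example (not from the book), the following Python script is the kind of "special program" the Procmail note above describes, and it doubles as the keyword-scanning "robot" mentioned for newsgroup postings: it reads one message on standard input, treats everything from known alert lists as an alert, flags other mail whose subject carries urgent keywords, and exits with status 0 only when the message deserves attention, so a Procmail `?` condition can hand the message to a notification program. The list identifiers, header values, keyword set, file paths and sample messages are all assumptions constructed for the example; real lists publish their own List-Id values, which you would substitute.

```python
#!/usr/bin/env python3
"""alert_filter.py: decide whether an incoming mail message is a security alert.

Assumed Procmail recipe (~/.procmailrc) that uses this script's exit status;
the program named after "|" is a hypothetical notifier (sound, dialog box, ...):

    :0
    * ? python3 /usr/local/bin/alert_filter.py
    {
      :0 c
      | /usr/local/bin/ring-the-bell
      :0
      security-alerts/
    }
"""
import email
import re
import sys
from email import policy

# Constructed sample messages for demonstration; none of these are real advisories.
SAMPLE_ADVISORY = """\
From: advisory-list@example.invalid
To: admin@example.invalid
Subject: [cert-advisory] Example Advisory: buffer overflow in example daemon
List-Id: CERT advisories <cert-advisory.example.invalid>

Constructed body text.
"""

SAMPLE_CHATTER = """\
From: someone@example.invalid
To: admin@example.invalid
Subject: Re: conference schedule

See you there.
"""

SAMPLE_KEYWORD_ONLY = """\
From: friend@example.invalid
To: admin@example.invalid
Subject: new worm spreading, patch your web server

Constructed body text.
"""

# Lists whose every posting is worth an alert (assumed List-Id values, lower-case).
ALERT_LIST_IDS = {"cert-advisory.example.invalid", "ciac-bulletin.example.invalid"}

# Subject keywords that make a message urgent even when it comes from elsewhere.
URGENT_KEYWORDS = ("advisory", "bulletin", "exploit", "worm", "vulnerab")


def list_id_of(msg) -> str:
    """Extract the bare list identifier from a List-Id header such as
    'CERT advisories <cert-advisory.example.invalid>'; '' when absent."""
    raw = (msg.get("List-Id") or "").strip()
    match = re.search(r"<([^>]+)>", raw)
    return (match.group(1) if match else raw).lower()


def classify(raw_message: str) -> str:
    """Return 'alert' (known alert list), 'keyword' (urgent subject) or 'ignore'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if list_id_of(msg) in ALERT_LIST_IDS:
        return "alert"
    subject = (msg.get("Subject") or "").lower()
    if any(keyword in subject for keyword in URGENT_KEYWORDS):
        return "keyword"
    return "ignore"


def should_notify(raw_message: str) -> bool:
    """True when the message should interrupt the administrator."""
    return classify(raw_message) != "ignore"


if __name__ == "__main__":
    # Procmail feeds the message on stdin; exit 0 means "notify", 1 means "quiet".
    verdict = classify(sys.stdin.read())
    print(verdict)
    sys.exit(0 if verdict != "ignore" else 1)
```

Keep the alert-list set authoritative and the keyword list short: the first catches every advisory from the lists you trust, while the second exists only so a warning forwarded by a colleague is not buried in ordinary mail.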
Some of the mailing lists and newsgroups that are particularly relevant to Linux security include the following:
The CERT/CC mailing list: The CERT/CC runs a mailing list to which they publish their security advisories. To subscribe, send an e-mail message to email@example.com and include subscribe cert-advisory in the text of the message.
The CIAC mailing list: Like CERT/CC, CIAC maintains a mailing list of its bulletins. You can subscribe by sending a message to majordomo@tholia.llnl.gov and including the text subscribe ciac-bulletin in the body of the message.
The Bugtraq mailing list: The Bugtraq mailing list is a discussion list, rather than a notification list. It can be a good way to obtain advice or learn about security issues from others in an interactive environment. You can subscribe by sending mail to firstname.lastname@example.org. The mail should include subscribe bugtraq in its text.
The comp.security newsgroups: There are several newsgroups in the comp.security newsgroup hierarchy, including comp.security.unix and several related to specific products or product types, such as comp.security.firewalls.
The comp.os.linux.security newsgroup: This newsgroup specializes in discussion of Linux security issues.
Most Linux security issues are really UNIX security issues, because most Linux servers run on other UNIX-like OSs, and sometimes even non-UNIX OSs, like Microsoft Windows. Therefore, most "Linux" security discussions are broader than Linux.