Network Security Focus-Linux

Re: Securing Fedora Core 4

Subject: Re: Securing Fedora Core 4
Date: Fri, 23 Sep 2005 10:09:03 +0200
Hi,

Don't forget TCP wrappers (think of it as a 'defense-in-depth' backup for
iptables). Disable as many services as you can get away with (but I'm sure
you already do that, of course :)

Also, tune the network stack a bit, something like this:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096

(and, if you use ipv6, the equivalents of course)

create a separate /tmp partition and mount noexec, nosuid

Also consider a separate /var partition (/var/tmp is just as dangerous as
/tmp). I usually use /boot, /, /var, /tmp and /usr. Consider which
partitions can be mounted with the nodev, nosuid and noexec options (/tmp is
one that should have all three; only / needs dev available AFAIK). If you
use /boot, you need not have it mounted at all. You might get away with
mounting /usr read-only.

Go over the files in /etc/security and see if anything might be beneficial
for you (limits.conf might be worth checking out to set some limits on user
apache, for instance).

You might want to enable logging to a remote host as well. Check for
suid/sgid binaries and change their permission if possible.

> install squid                 http://www.squid-cache.org/

Squid has had quite a history of security flaws. Do you really need it?

>    Configure SSH
> respond on alternate port
> only allow me to logon

Make sure both /etc/ssh/sshd_config and /etc/ssh/ssh_config specify
'Protocol 2' (the latter one should have it listed beneath the 'Host *'
entry).

System accounting (sysstat package) can be useful to detect unusual
activity (in case it doesn't show up in the logs or ps if you're
compromised). Unusually high disk or cpu activity will show up there and
can be preserved (useful if the activity is only sporadic).

cheers,
Martijn
--
------------------------------------------------------------------------
 \|/ ______ \|/   Martijn Feleus     - mailto:feleus@math.leidenuniv.nl
 "*'/ , .  \'*"   Mathematical Institute, Leiden University
 /_|        |_\   Phone: 31-71-5277114 or 0610528226
   | \____/ |     PGP key ID: 16DB92EA
    \____U_/      Overflow error in /dev/null...
------------------------------------------------------------------------
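An added POSIX shell audit (example code, not part of Martijn's post) that checks a sysctl.conf-style file and a /proc/mounts-style listing against the sysctl values and the nodev/nosuid/noexec mount options recommended above; the function names and the sample inputs are constructed for illustration.

```shell
# Recommended key=value pairs from the post, one per line.
WANTED='net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096'

# audit_sysctl FILE: print each wanted key that is unset in FILE or set to
# another value (last assignment wins, as sysctl does). Returns 1 if any.
audit_sysctl() {
    file=$1; bad=0
    while IFS='=' read -r key want; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        have=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
        [ "$have" = "$want" ] || { echo "$key: want $want, have ${have:-<unset>}"; bad=1; }
    done <<EOF
$WANTED
EOF
    return $bad
}

# audit_mount FILE MOUNTPOINT OPT...: MOUNTPOINT must be its own entry in a
# /proc/mounts-style FILE and carry every OPT (e.g. nodev nosuid noexec).
audit_mount() {
    file=$1; mp=$2; shift 2; bad=0
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$file" | tail -n 1)
    [ -n "$opts" ] || { echo "$mp: not a separate filesystem"; return 1; }
    for o in "$@"; do
        case ",$opts," in *",$o,"*) ;; *) echo "$mp: missing $o"; bad=1 ;; esac
    done
    return $bad
}

# Constructed sample inputs (not from a real host) for a stand-alone run:
# only two sysctls set, one of them wrong; /tmp mounted without noexec.
write_samples() {
    printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.rp_filter = 0\n' >"$1/sysctl.conf"
    printf '/dev/sda1 / ext3 rw 0 0\n/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0\n' >"$1/mounts"
}
dir=$(mktemp -d); write_samples "$dir"
audit_sysctl "$dir/sysctl.conf" || echo "sysctl: FAIL"
audit_mount "$dir/mounts" /tmp nodev nosuid noexec || echo "/tmp: FAIL"
rm -r "$dir"
```

On a live host, point the functions at /etc/sysctl.conf and /proc/mounts (or at copies collected from several machines) instead of the constructed samples.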

