Network Security Focus-Linux

RE: Securing Fedora Core 4

Subject: RE: Securing Fedora Core 4
Date: Mon, 26 Sep 2005 09:55:13 -0800
be careful with rp_filter=1 because it tends to silently drop packets
causing you to spend a good deal of time scratching your head wondering
where they've gone. A host with multiple routes can have problems with
that (It is very good for most machines, but any gateway with redundant
paths should be careful using it) 

-----Original Message-----
From: Martijn Feleus [mailto:feleus@math.leidenuniv.nl] 
Sent: Friday, September 23, 2005 12:09 AM
To: focus-linux@securityfocus.com
Subject: Re: Securing Fedora Core 4

Hi,

Don't forget TCP wrappers (think of it as a 'defense-in-depth' backup
for iptables). Disable as many services as you can get away with (but
I'm sure you already do that, of course :)

Also, tune the network stack a bit, something like this:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096

(and, if you use ipv6, the equivalents of course)

create a separate /tmp partition and mount noexec, nosuid

Also consider a separate /var partition (/var/tmp is just as dangerous
as /tmp). I usually use /boot, /, /var, /tmp and /usr. Consider which
partitions can be mounted with the nodev, nosuid and noexec options
(/tmp is one that should have all three; only / needs dev available
AFAIK). If you use /boot, you need not have it mounted at all. You might
get away with mounting /usr read-only.

Go over the files in /etc/security and see if anything might be
beneficial for you (limits.conf might be worth checking out to set some
limits on user apache, for instance).

You might want to enable logging to a remote host as well. Check for
suid/sgid binaries and change their permission if possible.

install squid                 http://www.squid-cache.org/

Squid has had quite a history of security flaws. Do you really need it?

   Configure SSH
respond on alternate port
only allow me to logon

Make sure both /etc/ssh/sshd_config and /etc/ssh/ssh_config specify
'Protocol 2' (the latter one should have it listed beneath the 'Host *'
entry).

System accounting (sysstat package) can be useful to detect unusual
activity (in case it doesn't show up in the logs or ps if you're
compromised). Unusually high disk or cpu activity will show up there and
can be preserved (useful if the activity is only sporadic).

cheers,
Martijn
--
------------------------------------------------------------------------
 \|/ ______ \|/   Martijn Feleus     - mailto:feleus@math.leidenuniv.nl
 "*'/ , .  \'*"   Mathematical Institute, Leiden University
 /_|        |_\   Phone: 31-71-5277114 or 0610528226
   | \____/ |     PGP key ID: 16DB92EA
    \____U_/      Overflow error in /dev/null...
------------------------------------------------------------------------
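The following audit script is an added example and is not code from the thread or from either poster. It turns the advice above into checks a defender can run: the sysctl values Martijn lists (with the reply's rp_filter caveat noted in a comment), the nodev/nosuid/noexec mount options for /tmp and /var, the 'Protocol 2' line in sshd_config and ssh_config, and a scan for setuid/setgid binaries. The function names (check_sysctl, check_mount_opts, check_ssh_protocol, find_setuid) are my own, and every check takes file paths as arguments so that it can be pointed at the real files (a `sysctl -a` dump, /etc/fstab, /etc/ssh/sshd_config) or, as here, at constructed sample files that stand in for them.

```shell
#!/bin/sh
# Added audit script (not from the thread). Checks a host against the sysctl
# values, mount options and 'Protocol 2' setting recommended in the message,
# plus a setuid/setgid scan. All checks read the files given as arguments, so
# the same functions work on 'sysctl -a > dump', /etc/fstab and sshd_config.

# The sysctl settings from the message, one key=value per line.
WANTED_SYSCTL='net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096'

# check_sysctl DUMP: DUMP holds 'sysctl -a' style "key = value" lines.
# Prints one line per key that is missing or differs; succeeds only if none.
# Caveat from the reply: rp_filter=1 suits single-homed hosts, but on a
# gateway with redundant paths it silently drops asymmetrically routed packets.
check_sysctl() {
    dump=$1
    out=$(printf '%s\n' "$WANTED_SYSCTL" | while IFS='=' read -r key want; do
        have=$(awk -F'[ =]+' -v k="$key" '$1 == k { print $2 }' "$dump")
        [ "$have" = "$want" ] ||
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-missing}"
    done)
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# check_mount_opts FSTAB MOUNTPOINT OPTION...: the mount point must be its own
# filesystem and carry every listed option (e.g. /tmp nodev nosuid noexec).
check_mount_opts() {
    fstab=$1; mp=$2; shift 2
    opts=$(awk -v m="$mp" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
    [ -n "$opts" ] || { printf '%s: not a separate filesystem\n' "$mp"; return 1; }
    missing=''
    for o in "$@"; do
        case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    [ -z "$missing" ] || { printf '%s: missing%s\n' "$mp" "$missing"; return 1; }
}

# check_ssh_protocol CONFIG: true only if the file pins 'Protocol 2' exactly;
# 'Protocol 2,1' still permits a fallback to SSH-1, so it fails the check.
check_ssh_protocol() {
    grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$1"
}

# find_setuid ROOT: list setuid/setgid files under ROOT without crossing mounts.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# --- Constructed sample inputs standing in for the real system files --------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# A dump with weak values; tcp_max_syn_backlog is deliberately absent.
cat > "$SAMPLE_DIR/sysctl-weak.txt" <<'EOF'
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.tcp_syncookies = 0
EOF
# A dump that matches the recommendation exactly.
printf '%s\n' "$WANTED_SYSCTL" | sed 's/=/ = /' > "$SAMPLE_DIR/sysctl-hardened.txt"
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# constructed fstab: /tmp lacks noexec, /var has all three, no separate /home
LABEL=/      /      ext3  defaults             1 1
LABEL=/boot  /boot  ext3  defaults,noauto      1 2
LABEL=/tmp   /tmp   ext3  nodev,nosuid         1 2
LABEL=/var   /var   ext3  nodev,nosuid,noexec  1 2
LABEL=/usr   /usr   ext3  ro,nodev             1 2
EOF
printf 'Protocol 2,1\nPermitRootLogin no\n' > "$SAMPLE_DIR/sshd_config-weak"
printf 'Protocol 2\nPermitRootLogin no\n'   > "$SAMPLE_DIR/sshd_config-good"
printf 'Host *\n    Protocol 2\n    ForwardAgent no\n' > "$SAMPLE_DIR/ssh_config"
mkdir "$SAMPLE_DIR/bin"
: > "$SAMPLE_DIR/bin/suidtool"; chmod 4755 "$SAMPLE_DIR/bin/suidtool"
: > "$SAMPLE_DIR/bin/plain";    chmod 755  "$SAMPLE_DIR/bin/plain"

# --- Run every check against the samples; output names what needs fixing ---
for dump in "$SAMPLE_DIR"/sysctl-*.txt; do
    printf '== sysctl: %s\n' "$dump"
    if check_sysctl "$dump"; then echo ok; fi
done
printf '== mounts\n'
check_mount_opts "$SAMPLE_DIR/fstab" /tmp nodev nosuid noexec || true
if check_mount_opts "$SAMPLE_DIR/fstab" /var nodev nosuid noexec; then echo '/var ok'; fi
printf '== ssh\n'
for c in sshd_config-weak sshd_config-good ssh_config; do
    if check_ssh_protocol "$SAMPLE_DIR/$c"; then echo "$c: Protocol 2 pinned"; else echo "$c: weak"; fi
done
printf '== setuid/setgid files\n'; find_setuid "$SAMPLE_DIR/bin"
```

On a real host, replace the sample paths with `sysctl -a` output, /etc/fstab and the two ssh config files, and run find_setuid against / as root; the mount and sysctl checks are read-only, so they are safe to schedule alongside the sysstat collection Martijn mentions and to ship to the remote log host.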
