
| Subject: | Re: Securing Fedora Core 4 |
|---|---|
| Date: | Tue, 4 Oct 2005 10:45:27 -0600 |
On 9/21/05, AragonX <aragonx@dcsnow.com> wrote:
> I am trying to develop a method to secure my servers. I'll list the steps I am going to take. Can you please review and make any additional suggestions. Thank you.

To reiterate what Michael said: what are you trying to secure, and from whom?
Here are my basic steps for locking down a RHEL/Fedora/Whitebox/etc server.
1) Get the packages I need:
   a) Download the ISOs.
   b) Download and cut an ISO of the updates.
   c) Download from extras, DAG, pick your trusted repository:
      chkrootkit
      aide or tripwire.
2) Plan out the installation
   a) What is the purpose of the box?
      desktop
      workstation
      server
         email
         http
         dns
         smb
         firewall
   b) Plan out partitions for IO/performance (e.g. separate disks).
      Standard layout to play with:
         /
         /usr
         /tmp
         /var/tmp
         /var
      High IO partition(s) (if needed):
         /var/spool
         /var/named
         /var/www
         /var/samba
         etc.
      Separating out these partitions on a server allows you to put in
      specific acls, mount rules etc. depending on what higher level tool you
      are using.
   c) Plan out the backup schedule, what the box can trust,
      and what are its levels of defense per box.
3) Install the system off the wire. Do all the updates and install
   extra packages from ISOs.
4) Configure daemons to be used.
   a) Turn off xinetd for all desktops/workstations.
   b) Turn off xinetd for most servers.
   c) Configure aide/tripwire for your system.
      a) Write data to a read-only object to be compared to.
      b) Nightly run is done and mailed to root.
   d) Configure ssh to
      a) Protocol 2
      b) No port forwarding (unless your risk assessment says it's OK)
      c) No root login
   e) Configure email (postfix, sendmail, exim, etc.) to
      a) Root email goes to central box.
      b) If service can only run in queue mode, do so.
      c) Mail works for your network environment.
   f) Configure syslog (replace with syslog-ng) to
      a) Log events appropriate for your environment.
      b) Log to central server.
5) Configure firewall appropriately
   a) Allow in only what you want.
   b) Allow out only what you want. [Desktops: this is hard.]
   c) Forward only what you want. [If it ain't a firewall, set to deny.]
   d) Log everything else and tune to quiet it down to what is useful.

   I go for only allowing out what you want on a firewall because, on
   www servers, seeing that your box is trying to ftp or ssh to some
   untrusted site says: hmm, is someone trying to get a root-kit?
6) Tune the kernel and applications for your environment.
7) Back up the box and make sure your automated backups work.
8) Other steps depending on service/products.
9) Put box on wire.

I do not normally put snort on the same box as I am trying to protect.
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
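Added example, not part of Stephen's post or of any Fedora tooling: a small POSIX sh audit of two of the items above, the sshd settings (Protocol 2, no root login, no port forwarding) and the separate /tmp and /var/tmp filesystems with restrictive mount options. The sample sshd_config and fstab files written by make_samples are constructed for the demo; to audit a real box, point sshd_check and fstab_check at /etc/ssh/sshd_config and /etc/fstab. The nodev,nosuid,noexec option set is my choice of "mount rules" for those partitions, not something the post spells out.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and fstab
# against the hardening items in the message above. Sample inputs are
# constructed by make_samples; real targets are /etc/ssh/sshd_config and
# /etc/fstab. No 'local' keyword (POSIX sh), so each function uses its own
# variable names to avoid clobbering its caller.

# sshd_get FILE KEYWORD: print the effective value of KEYWORD, lower-cased.
# sshd honours the first uncommented occurrence of a keyword, so that is
# what is reported. Match blocks are not handled.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key        { print tolower($2); exit }
    ' "$1"
}

# sshd_check FILE: print each deviation, return 1 if there were any.
# An absent keyword is reported as a deviation rather than trusting the
# compiled-in default of whatever sshd version happens to be installed.
sshd_check() {
    _f=$1; _rc=0
    for _pair in Protocol=2 PermitRootLogin=no AllowTcpForwarding=no; do
        _key=${_pair%%=*}; _want=${_pair#*=}
        _got=$(sshd_get "$_f" "$_key")
        [ "$_got" = "$_want" ] ||
            { echo "$_f: $_key is '${_got:-unset}', want $_want"; _rc=1; }
    done
    return $_rc
}

# fstab_opts FILE MOUNTPOINT: print the options field for MOUNTPOINT, or
# nothing if it is not listed as a separate filesystem.
fstab_opts() {
    awk -v mp="$2" '/^[[:space:]]*#/ || NF < 4 { next } $2 == mp { print $4; exit }' "$1"
}

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_check FILE: /tmp and /var/tmp must be separate filesystems mounted
# nodev,nosuid,noexec. Print each deviation, return 1 if there were any.
fstab_check() {
    _fs=$1; _frc=0
    for _mp in /tmp /var/tmp; do
        _opts=$(fstab_opts "$_fs" "$_mp")
        if [ -z "$_opts" ]; then
            echo "$_fs: $_mp is not a separate filesystem"; _frc=1; continue
        fi
        for _o in nodev nosuid noexec; do
            has_opt "$_opts" "$_o" ||
                { echo "$_fs: $_mp lacks $_o (options: $_opts)"; _frc=1; }
        done
    done
    return $_frc
}

# make_samples DIR: write constructed sample configs (not from any real host).
make_samples() {
    cat > "$1/sshd_bad" <<'EOF'
# Protocol 2   (commented out, so it must not count)
Protocol 2,1
PermitRootLogin yes
EOF
    cat > "$1/sshd_good" <<'EOF'
Protocol 2
PermitRootLogin No
AllowTcpForwarding no
EOF
    cat > "$1/fstab_bad" <<'EOF'
LABEL=/      /      ext3  defaults        1 1
LABEL=/tmp   /tmp   ext3  defaults,nodev  1 2
EOF
    cat > "$1/fstab_good" <<'EOF'
LABEL=/        /         ext3  defaults                      1 1
LABEL=/tmp     /tmp      ext3  defaults,nodev,nosuid,noexec  1 2
LABEL=/vartmp  /var/tmp  ext3  defaults,nodev,nosuid,noexec  1 2
EOF
}

# Stand-alone demo: run both checks over the samples and print the findings.
demo() {
    _d=$(mktemp -d) || return 1
    make_samples "$_d"
    for _s in sshd_bad sshd_good; do
        sshd_check "$_d/$_s" && echo "$_d/$_s: ok"
    done
    for _s in fstab_bad fstab_good; do
        fstab_check "$_d/$_s" && echo "$_d/$_s: ok"
    done
    rm -rf "$_d"
}
demo
```

The deliberately commented-out "# Protocol 2" in the bad sample is the case that trips naive grep-based audits; sshd ignores it, so the audit must too. Treat the noexec finding on /tmp as something to weigh against the box's purpose rather than a rule: some package installers and build tools unpack and execute from /tmp, which is exactly the "depending on what higher level tool you are using" caveat in the post.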