Joseph Kovach on 3 Feb 2005 21:19:36 -0000

Marc, I have an iptables firewall I wrote that I slap on every box I configure. Anyone who wants it, I'll pass it to individually. Yeah I do that even with a firewall between me and the internet... because my rules rate limit as well, and you have to protect from peers on the network too.

I do that usually after 'chkconfig --level 0123456 ____ off' everything but what I want. That even includes stuff like irqbalance that I don't care about.

And I do that after getting my own complete kernel. I hardly ever use the default ones unless I'm in a hurry.

I do all of that after a 'yum update'. Sorry I wrote this backwards. ha

In addition to the firewall, you can usually configure services to only accept traffic from certain machines or ranges. Turn off X forwarding and protocol 1 in ssh, and only allow specified users to login via ssh, etcetera. If you make users for services (i.e. apache or www to run httpd), give them no shell, and put an x in place of the * for their passwd in /etc/passwd.

Oh I also keep as few modules running too. You can think of this in terms of security, but it's more of a general post-install practice. Edit modules.conf /modprobe.conf and # out things like usb lines. You'll probably never hook up a usb device to your server.

Get tripwire installed too. Is that still included in FC? If it's not, I'm pretty sure it's a pain to get going, but it's worth it. Mail the results of that daily to a real person. In fact, change aliases or newaliases to mail everything to root to a human.

Can't think of anything else.

JOE

Quoting jazzman@exdomain.org:

> This is probably a common question but always a relevant one.
>
> Is there any "definitive" set of steps one should ALWAYS follow to tighten
> up security on a linux box after a fresh install?
>
> Now obviously that's going to depend on what you want to do with the box,
> etc, so I'll give a little background.
>
> A friend of mine is running a machine (as am I, actually) that is a linux
> box that will host mail (smtp and imap), web, and ssh servers. Mysql will
> also be running for the CMS we use, that really only needs to be
> accessible from behind the firewall/router. Our comm lines (his is cable,
> mine is dsl) go right from the modem to a hardware router/firewall which
> then NATs our servers out to the world with a few ports forwarded (80, 25,
> 22, and the imap port... 143 i think?). All other ports are dropped at the
> router.
>
> So what is the best set of steps to tighten up a box? I've done a lot of
> searching online for the best methods and it seems no two people agree,
> which just causes a lot of confusion, so I'm hoping to at least stimulate
> a discussion of what are the absolutely agreed upon "you should always do
> these" steps and maybe even a bunch of "not everyone does this, but I do"
> steps.
>
> Thanks in advance
> Marc
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
> ___________________________________________________________________________
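A small audit script for the sshd and service-account items Joe lists, added here as an example; it is not Joe's firewall or anything posted to the list. It assumes the sshd_config directives Protocol, X11Forwarding and AllowUsers, and the Fedora Core convention that uids below 500 are system accounts, and it runs only against constructed sample files, never the live /etc.

```shell
#!/bin/sh
# Added example, not Joe's firewall or any list member's code: a small audit of
# the sshd and /etc/passwd items from the message above. It runs only against
# the constructed sample files built below, never against the live /etc.

# sshd_value FILE KEY: effective value of a directive. The first uncommented
# match wins, which is how sshd resolves duplicate directives.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd FILE: one line per finding, exit status 1 if there are any.
check_sshd() {
    rc=0
    [ "$(sshd_value "$1" Protocol)" = "2" ] ||
        { echo "sshd: Protocol is not pinned to 2, protocol 1 may be enabled"; rc=1; }
    [ "$(sshd_value "$1" X11Forwarding)" = "no" ] ||
        { echo "sshd: X11Forwarding is not off"; rc=1; }
    [ -n "$(sshd_value "$1" AllowUsers)" ] ||
        { echo "sshd: no AllowUsers list, any account may log in"; rc=1; }
    return "$rc"
}

# check_passwd FILE: service accounts (uid 1-499, the Fedora Core convention)
# must have a non-login shell, and no account may have an empty password field.
check_passwd() {
    awk -F: '
        $3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ {
            print "passwd: service account " $1 " has login shell " $7; bad = 1 }
        $2 == "" { print "passwd: " $1 " has an empty password field"; bad = 1 }
        END { exit bad }' "$1"
}
# Constructed sample inputs, deliberately left in the weak state the thread
# warns about (protocol 1 on, X forwarding on, apache with a shell, no passwd).
SSHD_SAMPLE=$(mktemp); PASSWD_SAMPLE=$(mktemp)
cat >"$SSHD_SAMPLE" <<'EOF'
Protocol 2,1
X11Forwarding yes
EOF
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
marc::500:500:Marc:/home/marc:/bin/bash
EOF
fail=0
check_sshd "$SSHD_SAMPLE" || fail=1
check_passwd "$PASSWD_SAMPLE" || fail=1
[ "$fail" -eq 0 ] && echo "audit clean" || echo "audit found the problems listed above"
```

To audit a real host, call check_sshd /etc/ssh/sshd_config and check_passwd /etc/passwd instead of the sample files.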