TCLUG Archive
Re: [TCLUG:5793] security (some pre-coffee thoughts)...
Sounds great. First and foremost though:
* Verbalize a security policy for your network and put it in writing.
* Be very selective of what packages are installed on all systems.
Never install "Everything" if you're gonna plug it into the Internet.
* comment out all undesired services in /etc/inetd.conf
* run xinetd or binetd for more secure control than tcp_wrappers.
* get every trace of linuxconf off the system.
* get rid of that decrepit sendmail 8.8.7 that RedHat ships with.
Fortunately, 6.0 got an upgrade on that one but nuke that too and run
qmail if you must be a mail server.
* If xdm is running, disable XDMCP broadcast in xdm/Xaccess
* Take a long look at physical machine security.
(disable floppy boot, get LILO upgrade, no dual-boot, lock BIOS with pw,
etc).
* Run security analysis tools, nessus, satan, cops, sniffit, etc.
* Do not run NFS if you can help it. If you must, look into SNFS.
* Learn about encryption and authentication.
* Take a look into IPSEC, SKIP.
* Replace all "r" commands with ssh.
* Change passwords often.
* Lock your screen when you're away if using a public terminal (also, run
xdm; xlock killed from a startx X session takes you to a shell prompt).
* If you must pop your mail, use ssh port forwarding to retrieve it.
* Use switches instead of hubs (if you can afford it). ALL hubs allow for
sniffing of every packet on the lan, regardless of what machine the
rogue sniffer is on.
* Run full-duplex switched and fast ethernet (I can't stress that one
enough although funds sometimes make this difficult).
* Run this: `find / -mount -not -type d -perm /6000 -exec ls -ld {} \;`
and un-suid anything that shouldn't be setuid 0.
* wrap off potentially dangerous suid programs (xlock, color_xterm, xterm,
etc)
* Kill the xfs that RH6.0 ships with and get the fonts directly from X.
* Learn what ports are suspect for suspicious activity (12345, 31337-UDP,
etc).
* Try practice break-ins on yourself. Invite "trusted" others to do the
same.
* Create and maintain a disaster recovery scenario.
* Keep on and offsite tape backups of your data (see above).
* Maintain a "zero-tolerance" policy for intruders, spammers and abusers
of the system.
Last, but definitely not least...
* TRUST NO ONE!
Peter Lukas
PS:
Any of the following materials will be useful:
* Actually Useful Internet Security Techniques
Larry J. Hughes, New Riders Publishing; 10/95 ISBN 1562055089
* Anarchy Online
Charles Platt, Harper Prism; 4/97 ISBN 0061009903
* The Cuckoo's Egg; Tracking a Spy Through the Maze of Computer Espionage
Clifford Stoll, Pocket Books; 7/95 ISBN 0671726889
* Cyberlaw: The Law of the Internet
Jonathan Rosenoer, Springer Verlag; 11/96 ISBN 0201633574
* Firewalls and Internet Security: Repelling the Wily Hacker
William R. Cheswick, S. Bellovin. Addison-Wesley, 6/94 ISBN 0201633574
* Halting the Hacker, A practical Guide to Computer Security
Donald L Pipkin, Prentice Hall Computer Books; 1/97 ISBN 013243718X
* Information Warfare: Chaos on the Electronic Superhighway
Winn Schwartau, Thunder's Mouth Press; 10/96 ISBN 1560251328
* Security in Computing
Charles P. Pfleeger, Prentice Hall; 9/96 ISBN 0133374866
Peter Lukas
On Tue, 4 May 1999, Tim Wilson wrote:
> Good morning everyone,
>
> I've been thinking about security on my server lately. I've realized that
> I really need to get up to speed on security issues before my system gets
> cracked. I've been reading some docs on the subject, but I thought the
> entire list might benefit from this question. (Incidentally, I suppose
> this would be a good topic for the FAQ-O-matic, but I was having trouble
> figuring out how to use it. It didn't seem to want to accept my password.)
>
> Let's assume that you've got a newly installed Linux system on a
> brand-spankin'-new server. RedHat for example. Let's say that this machine
> will be a file server on a LAN with a mixture of Win9x/NT and Linux
> client. You will also be running a web server, ftp server, and would like
> to allow remote access from home for administration purposes. Once the
> system is installed, what steps should you take to secure the system?
>
> Let's contribute a list of steps, put them into some order, and place it
> on the TCLUG website or in the FAQ-O-matic. Here are some initial
> suggestions (incomplete, and in no particular order).
>
> 1. Install SSH on the server. Go to
> ftp://ftp.replay.com/pub/crypto/crypto/SSH/ to download SSH.
>
> 2. Make sure you install TCP Wrappers to make some rules for allowing and
> disallowing access to services.
>
> 3. Read the Security-HOWTO at the Linux Documentation Project website
> (http://metalab.unc.edu/mdw/linux.html)
>
> 4. Read the Linux Administrators Security Guide at
> http://www.seifried.org/lasg/
>
> Well that's a small start. Would others of you be interested in adding
> your $0.02?
>
> -Tim
>
> --
> Timothy D. Wilson "A little song, a little dance,
> University of MN, chem. dept. a little seltzer down your
> wilson@chem.umn.edu pants." -Chuckles the Clown
> Phone: (612) 625-9828 as eulogized by Ted Baxter
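The inetd.conf, XDMCP and setuid items from the checklist above, exercised by an added audit script. This is example code written for this page, not from Peter's post or any TCLUG material. It assumes a BSD-style inetd.conf, xdm's Xaccess syntax and a find(1) that accepts -xdev and -perm -MODE (GNU and BSD find both do); every config file and setuid binary it looks at is constructed inline in a temporary directory, so it runs offline and touches nothing on the real system.

```sh
#!/bin/sh
# Added example (not from the original post): audit helpers for the inetd,
# XDMCP and setuid items in the checklist. All sample inputs are constructed
# by make_demo_fixture below; they are not real system files.

# Print the names of services still enabled in an inetd.conf
# (uncommented, non-blank lines; field 1 is the service name).
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Emit a copy of an inetd.conf with every service commented out except
# those named in $2 (space separated). Output goes to stdout on purpose:
# review it, then install it and send inetd a SIGHUP.
harden_inetd_conf() {
    awk -v keep=" $2 " '
        /^[ \t]*#/ || NF == 0 { print; next }
        index(keep, " " $1 " ") > 0 { print; next }
        { print "#" $0 }
    ' "$1"
}

# True (exit 0) when an Xaccess file has an uncommented entry whose host
# pattern is "*": the stock xdm default that answers XDMCP direct and
# broadcast queries (and the CHOOSER BROADCAST indirect entry) from any
# host. Those are the lines to remove or restrict to named hosts.
xdmcp_open_to_world() {
    awk '!/^[ \t]*#/ && $1 == "*" { found = 1 } END { exit !found }' "$1"
}

# Print setuid/setgid regular files under $1 whose basename is not in the
# allowlist $2 (space separated). -xdev keeps the walk on one filesystem,
# like the -mount in the original find. Anything printed is a candidate
# for chmod u-s,g-s or for a wrapper.
unexpected_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    awk -v keep=" $2 " '
        { n = split($0, p, "/"); base = p[n] }
        index(keep, " " base " ") == 0 { print }
    ' | sort
}

# Build a throwaway tree of constructed sample files and print its path.
make_demo_fixture() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample inetd.conf (not a real system file)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    cat > "$d/Xaccess" <<'EOF'
# constructed sample Xaccess, shaped like the stock xdm defaults
*                          #any host can get a login window
*      CHOOSER BROADCAST   #any indirect host can get a chooser
EOF
    mkdir -p "$d/bin"
    for f in su passwd xterm color_xterm; do
        : > "$d/bin/$f"; chmod 4755 "$d/bin/$f"   # constructed setuid files
    done
    : > "$d/bin/ls"; chmod 0755 "$d/bin/ls"       # plain file, must not show
    printf '%s\n' "$d"
}

# Demo run against the constructed fixture.
demo=$(make_demo_fixture)
echo "== services enabled in inetd.conf =="
enabled_inetd_services "$demo/inetd.conf"
echo "== hardened inetd.conf, keeping only ftp =="
harden_inetd_conf "$demo/inetd.conf" "ftp"
if xdmcp_open_to_world "$demo/Xaccess"; then
    echo "== XDMCP: Xaccess grants a login window to any host =="
fi
echo "== setuid/setgid files not on the allowlist (su passwd) =="
unexpected_setuid "$demo/bin" "su passwd"
rm -rf "$demo"
```

On a real host, point the same functions at /etc/inetd.conf, /etc/X11/xdm/Xaccess and /, and keep the setuid allowlist short (su, passwd, and whatever else you can justify). harden_inetd_conf deliberately does not write in place: diff its output against the original before copying it over and sending inetd a HUP, so that a typo in the keep list cannot silently take down a service you needed.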