Re: Checklist (was Re: OS Hardening)
I think I must contribute with theses that (i think) didn't saw mailed
to the list:
- configure /etc/lilo.conf with password and restricted
- partition and configure /etc/fstab with nodev,nosuid,noexec
- protect spoofing in:
- /etc/hosts.conf adding 'nospoof on'
- addind '1' to /proc/sys/net/ipv4/conf/*/rm_filter
- using PARANOID in wrapers (someone has told yet)
- patching kernel with openwall+lids
- adjust /proc with:
- Enable TCP SYN Cookie protection in /proc/sys/net/ipv4/tcp_syncookies
- Enable always defragging protection in
/proc/sys/net/ipv4/ip_always_defrag
- Enable broadcast echo protection in
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
- Enable bad error message protection in
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
- Enable IP spoofing protection turn in Source Address Verification on
/proc/sys/net/ipv4/conf/*/rp_filter
- Disable ICMP Redirect Acceptance in
/proc/sys/net/ipv4/conf/*/accept_redirects and
/proc/sys/net/ipv4/conf/*/send_redirects
- Disable Source Routed Packets in
/proc/sys/net/ipv4/conf/*/accept_source_route
- Log Spoofed Packets, Source Routed Packets, Redirect Packets in
/proc/sys/net/ipv4/conf/*/log_martians
I think I saw some of these lines in a default install, but ...
[]'s
--
mailto:guilherme@nortenet.pt || http://www.nortenet.pt/~guilherme
"All bits used in this post are recycled !"
Reply to: