Re: Checklist (was Re: OS Hardening)
I think I must contribute with theses that (i think) didn't saw mailed
to the list:
- configure /etc/lilo.conf with password and restricted
- partition and configure /etc/fstab with nodev,nosuid,noexec
- protect spoofing in:
- /etc/hosts.conf adding 'nospoof on'
- addind '1' to /proc/sys/net/ipv4/conf/*/rm_filter
- using PARANOID in wrapers (someone has told yet)
- patching kernel with openwall+lids
- adjust /proc with:
- Enable TCP SYN Cookie protection in /proc/sys/net/ipv4/tcp_syncookies
- Enable always defragging protection in
- Enable broadcast echo protection in
- Enable bad error message protection in
- Enable IP spoofing protection turn in Source Address Verification on
- Disable ICMP Redirect Acceptance in
- Disable Source Routed Packets in
- Log Spoofed Packets, Source Routed Packets, Redirect Packets in
I think I saw some of these lines in a default install, but ...
mailto:firstname.lastname@example.org || http://www.nortenet.pt/~guilherme
"All bits used in this post are recycled !"