hardening checkpoints

To: debian-security@lists.debian.org
Subject: hardening checkpoints
From: kevin bailey <kbailey@freewayprojects.com>
Date: Thu, 15 Dec 2005 12:27:01 +0000
Message-id: <[🔎] dnrnel$dgg$1$8302bc10@news.demon.co.uk>

hi,

was recently rootkitted on a debian machine because i'd left an obscure
service running.

now i've generally relied on debian issuing security patches but i thought i
should be more proactive RE security.

here's my proposed checklist to carry out for securing a domain server -
i.e. one which mainly deals with serving websites and email for virtual
domains.

could people please supply any enhancements/corrections/deletions or point
to any resources which detail a better hardening checklist for debian.

1. before attaching server to network install and configure tripwire.

and could possibly put key executables on to CD-ROM and leave them in the
server.

2. firewall

not i'm not sure about the need for a firewall - i may need to access the
server over ssh from anywhere.  also, to run FTP doesn't the server need to
be able to open up a varying number of ports.

BTW - FTP *has* to be available - many of the users only know how to use
FTP.

since my experience of firewalls is to protect a home network i basically
turned off access by default - and then only opened up a couple of ports
which were needed.

maybe the new iptables feature of --state ESTABLISHED which uses stateful
packet filtering is the way forward.

currently - i see no compelling need to set up a firewall - especially since
if i get it wrong i could lose access to the machine.

also, surely the most important set is next - which is

3. make sure only required services are accepting incoming requests.

so, use something like nmap to test for open ports on a remote machine. 
make sure only required services are running.

4. enhance authentication

maybe set up ssh access by authorised keys only - but again this has a
problem when i need to log in to the server from a putty session on a PC in
an internet cafe .

certainly check the strength of the existing passwords.

5. ongoing security

sign up to email lists to monitor security issues RE the services used.

get server to run chkrootkit regularly and email results.

run snort to check for attacks.

get script to run and check status of server every day.


any comments gratefully received,

kevin

Reply to:

Follow-Ups:
- Re: hardening checkpoints
  - From: Dale Amon <amon@vnl.com>
- Re: hardening checkpoints
  - From: Will Maier <willmaier@ml1.net>
- Re: hardening checkpoints
  - From: tomasz abramowicz <tomasz@computerway.it>
- Re: hardening checkpoints
  - From: Matt <mresong@dpd-info.com>
- Re: hardening checkpoints
  - From: Alvin Oga <aoga@mail.Linux-Consulting.com>
- Re: hardening checkpoints
  - From: Sam Morris <sam@robots.org.uk>
- Re: hardening checkpoints
  - From: "Jeffrey L. Taylor" <jeff@austinblues.dyndns.org>
- Re: hardening checkpoints
  - From: Vittorio R Tracy <vrt@fastmetrics.com>
- Re: hardening checkpoints
  - From: Bernd Eckenfels <ecki@lina.inka.de>
- Re: hardening checkpoints
  - From: Michelle Konzack <linux4michelle@freenet.de>

Prev by Date: Re: [SECURITY] [DSA 922-1] New Linux 2.6.8 packages fix several vulnerabilities
Next by Date: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931
Previous by thread: Re: [SECURITY] [DSA 922-1] New Linux 2.6.8 packages fix several vulnerabilities
Next by thread: Re: hardening checkpoints
Index(es):
- Date
- Thread