Re: hardening checkpoints
tomasz abramowicz wrote:
> kevin bailey wrote:
>> hi,
>>
>> was recently rootkitted on a debian machine because i'd left an obscure
>> service running.
>
> which one?
>
i thought it was webmin - but now i'm not so sure - i thought there was a
vulnerability in webmin in 2005 which was not in the debian security list -
but now i can't find it.
>> 2. firewall
>> now i'm not sure about the need for a firewall - i may need to access the
>> server over ssh from anywhere. also, to run FTP doesn't the server need
>> to be able to open up a varying number of ports.
>
> hmm. you could look into port knocking for your ssh problem.
> ftp server can be configured to use only 21tcp and 20tcp (ftp,ftp-data)
> (requires configuring clients active/passive mode)
>
will check this out definitely - it means that i can implement a firewall
which only has certain ports open.
>> BTW - FTP *has* to be available - many of the users only know how to use
>> FTP.
> hmm, a wide range of clients on all systems is beginning to implement
> scp/sftp, it's worth *forcing* on users, in some scenarios it's not as
> scary as it might seem.
>
>> currently - i see no compelling need to set up a firewall - especially
>> since if i get it wrong i could lose access to the machine.
>
> no right attitude.
> your compelling need is established by:
> 1. you just got rootkitted onto a port which could've been closed.
> 2. you're going to be hooked up to internet.
>
>> so, use something like nmap to test for open ports on a remote machine.
>> make sure only required services are running.
>
> absolutely. with and without the firewall running, scan everything.
>
>> run snort to check for attacks.
>
> this can get really annoying=not useful, especially when you decide
> snort should also send you alerts via email or sms.
> i would suggest you leave this to very last.
> and if you do set it up, make sure to check out the 'acid' interface..
>
has been noted - i'll check it out.
> hth,
> t.
>
>
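One way to act on the "scan everything, with and without the firewall" advice above, as an added example that is not part of this thread: a POSIX shell script that reads nmap's grepable (-oG) output and lists every open port that is not on the allow-list agreed on here (ssh 22, ftp 21 and ftp-data 20). The scan text embedded below is constructed, not a real result; the host address is a documentation address.

```shell
#!/bin/sh
# Compare an nmap grepable (-oG) scan against the ports the server is
# supposed to expose, and report anything open that is not on the list.
# Run it once with the firewall down and once with it up; the second run
# should print nothing.

# Ports we decided to leave reachable: ssh, ftp control, ftp-data.
ALLOWED_PORTS="22 21 20"

# Constructed sample of `nmap -oG - 192.0.2.10` output for a box that
# still has an extra service listening on 10000 (not a real scan).
SAMPLE_SCAN=$(printf '%s\n' \
  '# Nmap scan initiated (constructed sample)' \
  "$(printf 'Host: 192.0.2.10 ()\tStatus: Up')" \
  "$(printf 'Host: 192.0.2.10 ()\tPorts: 20/closed/tcp//ftp-data///, 21/open/tcp//ftp///, 22/open/tcp//ssh///, 10000/open/tcp//snet-sensor-mgmt///\tIgnored State: closed (996)')" \
  '# Nmap done')

# Read -oG text on stdin, print "port/proto" for every port in state open.
# Each -oG port entry looks like  port/state/proto//service///  and the
# entries are comma separated on the "Ports:" line.
open_ports() {
    grep '^Host:.*Ports:' \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | awk -F/ '$2 == "open" { print $1 "/" $3 }'
}

# Read -oG text on stdin, print open ports not in $1 (space-separated list).
unexpected_ports() {
    allowed=" $1 "
    open_ports | while IFS=/ read -r port proto; do
        case "$allowed" in
            *" $port "*) ;;                 # expected, say nothing
            *) printf '%s/%s\n' "$port" "$proto" ;;  # not on the list
        esac
    done
}

main() {
    # Stand-alone run over the constructed sample; prints 10000/tcp.
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$ALLOWED_PORTS"
}

main "$@"
```

For a live check, replace the sample with `nmap -oG - <host> | unexpected_ports "$ALLOWED_PORTS"` run from a second machine, since a scan from the box itself does not see the firewall.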