Re: securing server
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
P PRABHU wrote:
> HI
>
> Steps :
>
> 1 ) Dont run Xwindows and better install MINIMAL/SERVER edition of OS
> 2 ) Remove all unwanted packages. U can very well reduce the number of packages to 300max
> 3 ) Remove all unwanted user/group accounts
> 4 ) Update the packages
> 5 ) Do security tunings in Sysctl.conf
> 6 ) Do security tunings in ssh like stop Xforwarding, No Root Login etc
> 7 ) Put Warning in MOTD , issue and issue.nt
> 8 ) Make sure u need anonymous ftp or not
> 9 ) Signature off the Apache
> 10 ) Put login alert script in ,bashrc and .bash_logout to mail u if someone logsin/out
> 11 ) Run tripwire daily
> 12 ) Keep the machine behind firewall,ids/ips
> 13 ) Do security tunings in security.conf
> 14 ) Run apache-ssl instaed of apache
> 15 ) Run apache etc in chroot
> 16 ) Check whether u need Directory listing in Apache if not block it.
> 17 ) Run Clamav kind of freeAV for scanning.
> 18 )
> To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf: DenyFilter \*.*/
>
> Finally
>
> 1 ) Run free Vulnerability scanners like Retina etc and find any vulnerability is there in final machine
> 2 )take all inventory like packages installed etc and do a weekly check is there any change in packages.
>
> Libras
>
> ----- Original Message ----
> From: Jean-Paul Lacquement <zelos414@gmail.com>
> To: debian-security@lists.debian.org
> Sent: Wednesday, May 7, 2008 2:39:02 PM
> Subject: securing server
>
> Hi,
>
> I plan to secure my Debian stable (or testing if you say it's better) server.
>
>
> I already did the followings:
> - installed chkrootkit
> - installed fail2ban (for ssh and proftpd)
> - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2
>
>
> The followings daemon are installed :
> - proftpd
> - apache2
> - ssh
>
> Would you please list me which packages to install and which rules to apply ?
>
> Many thanks,
> Jean-Paul
>
>
Expanding on that, go to town with metasploit, nessus and nmap.
See if _YOU_ can get in.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIKRo4LeTfO4yBSAcRAjCGAKDITgERoE9+kJ/lKQ/FF20wzz46qwCdHrMV
wZyGTF8TFmC1vZA2/2V4Mgk=
=ouEN
-----END PGP SIGNATURE-----
Reply to: