Re: Securing a Debian server
On Tue, 8 Jul 2003, SF deb wrote:
> How do they CHECK the servers? Could you not do it yourself? with nmap or
> www.pcflank.com will scan your server.
pcflank is nice .. but ...
like all scanners... it will tell you that:
- you have port 25 open on your mail server,
- you have port 22 open on your ssh login server
- you have port 80 open on your web server
- you have port 53 open on your dns server
- you have port 6000 open on your X11 workstation
... now what ?? ...
more online port scanners
- you probably need to "turn everything off" ...
- you probably need to apply all known patches ...
    - use linux-2.4.21 at least
    - use latest glibc-compatible binaries, gcc(?)
    - use latest kde
    - use latest sendmail/exim/...
    - use latest apache/..
    - use latest bind/djbdns/...
    - use latest foo-bar-apps
    - about 500MB+ of patches :-) in rh-9.x land ..
- you probably need to start from ground zero with a written security
  document for all to follow
    - no telnet ....... use ssh instead
    - no ftp .......... use scp instead
    - no dhcp ......... use static ip#
    - no wireless ..... use encrypted wireless
    - no pop3/imap..... use secure pop3/secure imap
    - no user login except on "home server"
    - no daisy chain ssh connections A->B->C->A
    - no clients mounting servers
    - use different loginID for ssh vs email addy vs pop3 vs vpn accts
    - .. blah .. blah ..
    - lots more rules to annoy lots more people
- lots of (bare-metal-tested) backups ... on different servers ...
- you probably need to hire a professional pen-tester if you are paranoid
  about your data leaking out to the outside or more likely to leak
  within the company
- 80% - 90% of "security violations" are coming from
  inside the company
- you can spend 5 minutes to check your server or a week to check
  the security of your server .. and you still will NOT be done ..
lots of fun
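
An added example, not part of the original message: one way to act on the "now what" above is to compare a host's listening ports against what its role should expose and against the cleartext services the rules list says to replace. The `EXPECTED` role table and the `ss -tln` sample are constructed assumptions.

```python
# Cleartext services the message says to replace, with the replacement it names.
CLEARTEXT = {23: "telnet -> use ssh", 21: "ftp -> use scp",
             110: "pop3 -> use secure pop3", 143: "imap -> use secure imap"}

# Hypothetical per-role allowlist: the ports a scanner is expected to find.
EXPECTED = {"mail": {25, 22}, "web": {80, 22}, "dns": {53, 22}}

# Constructed sample of `ss -tln` output for a host whose role is "web".
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     127.0.0.1:6010       0.0.0.0:*
LISTEN  0       100     0.0.0.0:6000         0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
"""

def parse_listeners(text):
    """Return a set of (address, port) for every LISTEN line."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            found.add((addr.strip("[]"), int(port)))
    return found

def audit(text, role):
    """Return (port, action) findings, sorted by port, for the given role."""
    findings = []
    for addr, port in sorted(parse_listeners(text), key=lambda x: x[1]):
        loopback = addr == "::1" or addr.startswith("127.")
        if port in CLEARTEXT:
            # Cleartext protocols are flagged even when the role would allow them.
            findings.append((port, "replace: " + CLEARTEXT[port]))
        elif port not in EXPECTED[role] and not loopback:
            # Reachable from the network and not part of this server's job.
            findings.append((port, "turn off: not expected on a %s server" % role))
    return findings

if __name__ == "__main__":
    for port, action in audit(SAMPLE, "web"):
        print(port, action)
```

On a live host the same functions can be fed the captured output of `ss -tln` in place of `SAMPLE`.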