
Re: Securing a Debian server




On Tue, 8 Jul 2003, SF deb wrote:

> How do they CHECK the servers? Could you not do it yourself? with nmap or
> www.pcflank.com will scan your server.

pcflank is nice .. but ...

like all scanners... it will tell you that:
	- you have port 25 open on your mail server, 
	- you have port 22 open on your ssh login server
	- you have port 80 open on your web server
	- you have port 53 open on your dns server
	- you have port 6000 open on your X11 workstation 
	... now what ?? ...

more online port scanners
	http://www.Linux-Sec.net/Audit/nmap.test.gwif.html

- you probably need to "turn everything off" ...

- you probably need to apply all known patches ...
	- use linux-2.4.21 at least
	- use latest glibc-compatible binaries, gcc(?)
	- use latest kde
	- use latest sendmail/exim/...
	- use latest apache/..
	- use latest bind/djbdns/...
	- use latest foo-bar-apps
	- about 500MB+ of patches :-) in rh-9.x land ..

- you probably need to start from ground zero with a written security
  document for all to follow
	- no telnet ....... use ssh instead
	- no ftp .......... use scp instead
	- no dhcp ......... use static ip#
	- no wireless ..... use encrypted wireless 
	- no pop3/imap..... use secure pop3/secure imap
	- no user login except on  "home server"
	- no daisy chain ssh connections A->B->C->A
	- no clients mounting servers
	- use different loginID for ssh vs email addy vs pop3 vs vpn accts
	- .. blah .. blah ..
	- lots more rules to annoy lots more people

	- lots of (bare-metal-tested) backups ... on different servers ...

- you probably need to hire a professional pen-tester if you are paranoid
  about your data leaking out to the outside or more likely to leak
  within the company
	- 80% - 90% of "security violations" are coming from
	inside the company

- you can spend 5 minutes to check your server or a week to check
  the security of your server .. and you still will NOT be done ..

lots of fun
alvin



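Added example, not part of alvin's post: one way to answer the "now what??" after a port scan is to keep the written list of ports a server is supposed to expose and diff the live listening sockets against it, so anything like the port 6000 above stands out. It assumes `ss -Hlntu` output for the live check; the listing below is constructed sample data.

```shell
#!/bin/sh
# Compare a host's listening ports against a written allowlist and
# print the ones that should not be there (defender-side baseline check).

# The written policy: ports this server is allowed to listen on
# (hypothetical values for a combined ssh/mail/web/dns box).
ALLOWED_PORTS="22 25 80 53"

# Constructed sample in the column layout of `ss -Hlntu`:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTING='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 100 0.0.0.0:25      0.0.0.0:*
tcp   LISTEN 0 511 *:80            *:*
udp   UNCONN 0 0   0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:6000    0.0.0.0:*
tcp   LISTEN 0 128 [::]:22         [::]:*'

# unexpected_ports LISTING ALLOWED
# Prints every listening port in LISTING that is not in ALLOWED,
# one per line, numerically sorted, duplicates (v4/v6) collapsed.
unexpected_ports() {
    listing="$1"
    allowed="$2"
    printf '%s\n' "$listing" | awk -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF >= 5 {
            # field 5 is Local-Address:Port; strip everything up to the
            # last ":" so 0.0.0.0:22, *:80 and [::]:22 all yield the port
            port = $5
            sub(/.*:/, "", port)
            if (port ~ /^[0-9]+$/ && !(port in ok) && !(port in seen)) {
                seen[port] = 1
                print port
            }
        }' | sort -n
}

# check_live: run the same comparison against the real socket table.
check_live() {
    unexpected_ports "$(ss -Hlntu 2>/dev/null)" "$ALLOWED_PORTS"
}
```

Run `check_live` from cron and alert on non-empty output; against the sample above it reports only `6000`.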