RE: Securing Fedora Core 4

From: Charles Heselton (charles.heselton_at_gmail.com)
Date: 09/23/05

    To: "'AragonX'" <aragonx@dcsnow.com>, <focus-linux@securityfocus.com>
    Date: Thu, 22 Sep 2005 21:35:44 -0700

    > -----Original Message-----
    > From: AragonX [mailto:aragonx@dcsnow.com]
    > Sent: Wednesday, September 21, 2005 6:29 AM
    > To: focus-linux@securityfocus.com
    > Subject: Securing Fedora Core 4
    >
    > I am trying to develop a method to secure my servers. I'll list
    > the steps I am going to take. Can you please review and make any
    > additional suggestions. Thank you.
    >
    > Install & configure Tripwire
    > http://sourceforge.net/projects/tripwire/
    > Install & configure Snort http://www.snort.org/
    > Install & configure Bastille http://www.bastille-linux.org/
    > Install & configure LIDS http://www.lids.org/
    > Install & configure modsecurity http://www.modsecurity.org/
    > Install & configure chkrootkit http://www.chkrootkit.org/
    > install dansguardian http://www.dansguardian.org
    > install squid http://www.squid-cache.org/
    > Install & configure DCC http://www.dcc-servers.net
    > Install & configure Pyzor http://pyzor.sourceforge.net
    > Install & configure Razor http://razor.sourceforge.net
    > install & configure Clamav http://www.clamav.net
    > Install & configure MailScanner http://www.sng.ecs.soton.ac.uk/mailscanner/
    > Install & configure Ntop http://www.ntop.org/
    > Install & configure Spamassassin http://spamassassin.apache.org/
    > install root access email command
    > create a separate /tmp partition and mount noexec, nosuid
    >
    > Configure Apache
    > configure for php safe mode
    > configure /internal web directory w/ access from private network only
    > configure /external web directory w/ password authentication
    >
    > Configure SSH
    > respond on alternate port
    > only allow me to logon
    >
    > Configure Firewall:
    > only allow access to ssh from my domains
    >

    Looks pretty good. I'm not totally familiar with all of the
    tools/products you listed there, but it seems like you have some
    redundancies, which could cause configuration and management
    headache.

    That being said, I would change the order around a bit, but that's
    probably as much personal taste as anything. YMMV. I would suggest
    something like the following:

    1. Disable all of your unnecessary services ((x)inetd, telnet, ftpd,
    etc.).
    2. SSH should already be installed (you said FC4 right?), configure
    it with your public keys/trusted hosts, whatever you like.
    3. Set up tcp_wrappers. (This is redundant of the firewall, but is
    nice to have, and easy to configure/maintain.)
    4. Set up your firewall. I like firestarter (should come with FC4).
    Other people like shorewall. Ultimately, it's the same outcome.
    5. Install/configure Bastille (this sort of overlaps some things,
    but can also affect installation of others, so it might be a good
    idea to do it early. SELinux might be better here, but I think
    SELinux depends on some of the kernel hooks and such. The two have
    really meshed over time, and I haven't followed it that closely.)
    6. Install/configure (I/c) chkrootkit.
    7. If you have another mail host for external mail (administrative
    messages and such), configure sendmail to only send mail internally
    (local system). You can configure SpamAssassin if you want, but
    unless you're actually transferring bulk mail, you don't really need
    it, nor the other 3 spam filters you listed.
    8. configure apache and modsecurity.
    9. Now configure tripwire (or aide).

    It's tough to try to generalize this into a concise format. If you
    have a large enough environment to warrant specific purpose hosts,
    you should do that. It will allow you to be much more specific about
    your security measures, and will provide much less headache in
    regards to management.

    HTH.

    --
    - Charlie

    5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

    In memoriam: http://www.militarycity.com/valor/1029976.html

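A small audit script for three of the points raised in the thread (the SSH lockdown, tcp_wrappers default deny, and the noexec,nosuid /tmp mount), added here as an example and not code from either poster. The config snippets it checks are constructed samples; the functions take file paths, so they can be pointed at the real /etc/ssh/sshd_config, /etc/hosts.deny and /etc/fstab on a host.

```shell
#!/bin/sh
# Added example, not code from either poster in the thread: audit checks for
# three points raised above (SSH lockdown, tcp_wrappers default deny, /tmp
# mounted noexec,nosuid). Sample config files are constructed below so the
# script runs offline; pass the real /etc files to audit a host.

# Effective value of an sshd_config keyword: sshd takes the first
# uncommented occurrence, so stop at the first match.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# 0 if sshd is off port 22, refuses root and password logins, and names the
# permitted accounts explicitly; prints each failed point otherwise.
check_sshd() {
    rc=0
    port=$(sshd_opt "$1" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "sshd: Port is default 22"; rc=1; }
    [ "$(sshd_opt "$1" PermitRootLogin)" = no ] || { echo "sshd: PermitRootLogin is not no"; rc=1; }
    [ "$(sshd_opt "$1" PasswordAuthentication)" = no ] || { echo "sshd: password logins allowed"; rc=1; }
    [ -n "$(sshd_opt "$1" AllowUsers)" ] || { echo "sshd: no AllowUsers list"; rc=1; }
    return $rc
}

# 0 if hosts.deny carries the tcp_wrappers default-deny rule "ALL: ALL".
check_wrappers() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# 0 if fstab gives /tmp its own filesystem mounted with noexec and nosuid.
check_tmp() {
    awk '$2 == "/tmp" && ("," $4 ",") ~ /,noexec,/ && ("," $4 ",") ~ /,nosuid,/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed samples: one hardened set, one stock-default set.
WORK=$(mktemp -d)
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers admin\n' > "$WORK/sshd.good"
printf '#Port 2222\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$WORK/sshd.bad"
printf 'ALL: ALL\n' > "$WORK/deny.good"
printf '# nothing denied\n' > "$WORK/deny.bad"
printf '/dev/sda3 /tmp ext3 defaults,noexec,nosuid 1 2\n' > "$WORK/fstab.good"
printf '/dev/sda1 / ext3 defaults 1 1\n' > "$WORK/fstab.bad"

for f in sshd.good sshd.bad; do check_sshd "$WORK/$f" && echo "$f: sshd ok"; done
for f in fstab.good fstab.bad; do check_tmp "$WORK/$f" && echo "$f: /tmp ok"; done
```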

