Re: Securing Fedora Core 4
From: Martijn Feleus (feleus_at_math.leidenuniv.nl)
Date: 09/23/05
- Previous message: Syn Ack: "Re: Securing Fedora Core 4"
- In reply to: AragonX: "Securing Fedora Core 4"
- Next in thread: Will Yonker: "RE: Securing Fedora Core 4"
Date: Fri, 23 Sep 2005 10:09:03 +0200 To: focus-linux@securityfocus.com
Hi,
Don't forget TCP wrappers (think of it as a 'defense-in-depth' backup for
iptables). Disable as many services as you can get away with (but I'm sure
you already do that, of course :)
Also, tune the network stack a bit, something like this:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
(and, if you use ipv6, the equivalents of course)
> create a separate /tmp partition and mount noexec, nosuid
Also consider a separate /var partition (/var/tmp is just as dangerous as
/tmp). I usually use /boot, /, /var, /tmp and /usr. Consider which
partitions can be mounted with the nodev, nosuid and noexec options (/tmp is
one that should have all three; only / needs dev available AFAIK). If you
use /boot, you need not have it mounted at all. You might get away with
mounting /usr read-only.
Go over the files in /etc/security and see if anything might be beneficial
for you (limits.conf might be worth checking out to set some limits on user
apache, for instance).
You might want to enable logging to a remote host as well. Check for
suid/sgid binaries and change their permission if possible.
> install squid http://www.squid-cache.org/
Squid has had quite a history of security flaws. Do you really need it?
> Configure SSH
> respond on alternate port
> only allow me to logon
Make sure both /etc/ssh/sshd_config and /etc/ssh/ssh_config specify
'Protocol 2' (the latter one should have it listed beneath the 'Host *'
entry).
System accounting (sysstat package) can be useful to detect unusual
activity (in case it doesn't show up in the logs or ps if you're
compromised). Unusually high disk or cpu activity will show up there and
can be preserved (useful if the activity is only sporadic).
cheers,
Martijn
--
------------------------------------------------------------------------
\|/ ______ \|/ Martijn Feleus - mailto:feleus@math.leidenuniv.nl
"*'/ , . \'*" Mathematical Institute, Leiden University
/_| |_\ Phone: 31-71-5277114 or 0610528226
| \____/ | PGP key ID: 16DB92EA
\____U_/ Overflow error in /dev/null...
------------------------------------------------------------------------
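An added example, not part of the original message: a small shell check that compares a saved `sysctl -a` dump against the values listed in the message and reports every key that is missing or set differently. The function names `audit_sysctl` and `write_sample_dump` are hypothetical, and the sample dump is constructed.

```shell
# Recommended values, copied from the message above.
RECOMMENDED='net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096'

# audit_sysctl FILE: FILE holds "key = value" lines as printed by `sysctl -a`.
# Prints one finding per deviating key (exact match); returns 1 if any was found.
audit_sysctl() {
    printf '%s\n' "$RECOMMENDED" | awk -F= -v dump="$1" '
        BEGIN {
            # Load the dump into have[key] = value, trimming whitespace.
            while ((getline line < dump) > 0) {
                n = index(line, "="); if (n == 0) continue
                k = substr(line, 1, n - 1); v = substr(line, n + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                have[k] = v
            }
        }
        !($1 in have)   { printf "MISSING %s (want %s)\n", $1, $2; bad = 1; next }
        have[$1] != $2  { printf "DIFF %s = %s (want %s)\n", $1, have[$1], $2; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample dump: the recommended list with three deliberate deviations.
write_sample_dump() {
    printf '%s\n' "$RECOMMENDED" | sed -e 's/=/ = /' \
        -e '/tcp_syncookies/s/1$/0/' \
        -e '/all.accept_redirects/s/0$/1/' \
        -e '/default.send_redirects/d' > "$1"
}

dump=$(mktemp)
write_sample_dump "$dump"
audit_sysctl "$dump" || echo "deviations from the recommended values found"
rm -f "$dump"
```

On a live host, save `sysctl -a` to a file and pass that file to `audit_sysctl`; a key reported as MISSING may simply not exist on that kernel.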