Re: Securing Fedora Core 4

From: Nick Crawford (nick_at_null.net)
Date: 09/26/05

  • Next message: Shay Wilson: "RE: Securing Fedora Core 4"
    Date: Mon, 26 Sep 2005 07:34:31 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    For nitty-gritty secure OS/Application configuration, I'd suggest
    taking a look at the NSA's Security Configuration Guides
    (http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1) and DISA STIGs
    (http://csrc.nist.gov/pcig/cig.html). There are of course other
    guides available which I would suggest reading as well. I would also
    suggest reading the ones for other OSes, such as Solaris; Linux shares
    a lot with the other Unices and it will give you an overall feel for
    the direction the guides are taking.

    - -Nick

    Michael Hallager wrote:

    > Hello.
    >
    > I suggest that rather than going in 'boots and all' that you take
    > some time to study and carefully consider the following:
    >
    > 1. What are the threats? (Threats aren't just network, they could
    >    be physical as well)
    > 2. What are the appropriate methodologies for hardening against
    >    these threats?
    > 3. And importantly - what is SECURITY? SECURITY is more a mindset
    >    and manner of operation than it is installing a whole lot of
    >    software (which it appears doubtful to me that you understand
    >    the scope and operation of the software that you list)
    >
    > Having a perception of security, if devoid of reality (which you
    > can only properly evaluate after careful consideration of points 1,
    > 2 and 3 and a lot of experience) could be more dangerous than just
    > leaving your system alone.
    >
    > Kind regards,
    >
    > Michael Hallager
    >
    >> I am trying to develop a method to secure my servers. I'll list the
    >> steps I am going to take. Can you please review and make any
    >> additional suggestions. Thank you.
    >>
    >> Install & configure Tripwire http://sourceforge.net/projects/tripwire/
    >> Install & configure Snort http://www.snort.org/
    >> Install & configure Bastille http://www.bastille-linux.org/
    >> Install & configure LIDS http://www.lids.org/
    >> Install & configure modsecurity http://www.modsecurity.org/
    >> Install & configure chkrootkit http://www.chkrootkit.org/
    >> install dansguardian http://www.dansguardian.org
    >> install squid http://www.squid-cache.org/
    >> Install & configure DCC http://www.dcc-servers.net
    >> Install & configure Pyzor http://pyzor.sourceforge.net
    >> Install & configure Razor http://razor.sourceforge.net
    >> install & configure Clamav http://www.clamav.net
    >> Install & configure MailScanner http://www.sng.ecs.soton.ac.uk/mailscanner/
    >> Install & configure Ntop http://www.ntop.org/
    >> Install & configure Spamassassin http://spamassassin.apache.org/
    >> install root access email command
    >> create a separate /tmp partition and mount noexec, nosuid
    >>
    >> Configure Apache
    >>   configure for php safe mode
    >>   configure /internal web directory w/ access from private network only
    >>   configure /external web directory w/ password authentication
    >>
    >> Configure SSH
    >>   respond on alternate port
    >>   only allow me to logon
    >>
    >> Configure Firewall:
    >>   only allow access to ssh from my domains
    >
    >

    - --
    Nicholas Crawford <nick(at)null(dot)net> / neoaeon@EFnet IRC
    4096/1024 Diffie-Hellman/DSS PGP key ID: 0x5DEB8672 fingerprint:
        7CD5 22D2 AD89 C419 749B 6AF1 8825 174F 5DEB 8672
    Keys via key server or http://www.angelfire.com/linux/neoaeon/pgp/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFDN9zCiCUXT13rhnIRA7VoAJ4ufc5u3NyiqPHTscBs3xAVCA6K3gCgha0k
    aKeuAJmI+wGjMA0r/CRYj3o=
    =36kD
    -----END PGP SIGNATURE-----
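
An added example, not part of the original thread: a shell audit of two items from the quoted checklist (/tmp mounted noexec,nosuid; SSH on an alternate port with a single permitted account). The sample file contents, the account name `admin`, and the use of `AllowUsers` to express "only allow me to logon" are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit two checklist items against config text.
# All file contents below are constructed samples.

# Succeeds if the fstab-format file mounts /tmp with noexec AND nosuid.
tmp_mount_hardened() {
    awk '
        $1 !~ /^#/ && $2 == "/tmp" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) seen[opt[i]] = 1
        }
        END { exit !(found && seen["noexec"] && seen["nosuid"]) }
    ' "$1"
}

# Prints global (pre-Match) values of one sshd_config keyword, one per line.
# Assumes whitespace-separated "Keyword value" lines.
sshd_values() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }
    ' "$2"
}

# Succeeds if a Port is set and none is 22 (no Port line means default 22).
ssh_off_default_port() {
    ports=$(sshd_values Port "$1")
    [ -n "$ports" ] && ! printf '%s\n' "$ports" | grep -qx 22
}

# Succeeds if AllowUsers names exactly one account.
ssh_single_user() {
    [ "$(sshd_values AllowUsers "$1" | grep -c .)" -eq 1 ]
}

sample=$(mktemp -d)
printf '%s\n' '/dev/sda3 /tmp ext3 defaults,noexec,nosuid 1 2' > "$sample/fstab.good"
printf '%s\n' 'Port 2222' 'AllowUsers admin' > "$sample/sshd.good"
printf '%s\n' '/dev/sda3 /tmp ext3 defaults 1 2' > "$sample/fstab.bad"
printf '%s\n' '#Port 22' 'PermitRootLogin yes' > "$sample/sshd.bad"

for f in good bad; do
    tmp_mount_hardened "$sample/fstab.$f"   && r1=pass || r1=FAIL
    ssh_off_default_port "$sample/sshd.$f"  && r2=pass || r2=FAIL
    ssh_single_user "$sample/sshd.$f"       && r3=pass || r3=FAIL
    echo "$f: tmp-noexec-nosuid=$r1 ssh-alt-port=$r2 ssh-single-user=$r3"
done
```

On a real host, pass `/etc/fstab` and `/etc/ssh/sshd_config` to the functions instead of the sample files.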

