RE: Securing Fedora Core 4
From: Shay Wilson (Bryan_Wilson_at_legis.state.ak.us)
Date: 09/26/05
- Previous message: Nick Crawford: "Re: Securing Fedora Core 4"
- Maybe in reply to: AragonX: "Securing Fedora Core 4"
Date: Mon, 26 Sep 2005 09:55:13 -0800
To: <focus-linux@securityfocus.com>
Be careful with rp_filter=1 because it tends to silently drop packets,
causing you to spend a good deal of time scratching your head wondering
where they've gone. A host with multiple routes can have problems with
that (it is very good for most machines, but any gateway with redundant
paths should be careful using it).
-----Original Message-----
From: Martijn Feleus [mailto:feleus@math.leidenuniv.nl]
Sent: Friday, September 23, 2005 12:09 AM
To: focus-linux@securityfocus.com
Subject: Re: Securing Fedora Core 4
Hi,
Don't forget TCP wrappers (think of it as a 'defense-in-depth' backup
for iptables). Disable as many services as you can get away with (but
I'm sure you already do that, of course :)
Also, tune the network stack a bit, something like this:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
(and, if you use ipv6, the equivalents of course)
> create a separate /tmp partition and mount noexec, nosuid
Also consider a separate /var partition (/var/tmp is just as dangerous
as /tmp). I usually use /boot, /, /var, /tmp and /usr. Consider which
partitions can be mounted with the nodev, nosuid and noexec options
(/tmp is one that should have all three; only / needs dev available
AFAIK). If you use /boot, you need not have it mounted at all. You might
get away with mounting /usr read-only.
Go over the files in /etc/security and see if anything might be
beneficial for you (limits.conf might be worth checking out to set some
limits on user apache, for instance).
You might want to enable logging to a remote host as well. Check for
suid/sgid binaries and change their permission if possible.
> install squid http://www.squid-cache.org/
Squid has had quite a history of security flaws. Do you really need it?
> Configure SSH
> respond on alternate port
> only allow me to logon
Make sure both /etc/ssh/sshd_config and /etc/ssh/ssh_config specify
'Protocol 2' (the latter one should have it listed beneath the 'Host *'
entry).
System accounting (sysstat package) can be useful to detect unusual
activity (in case it doesn't show up in the logs or ps if you're
compromised). Unusually high disk or cpu activity will show up there and
can be preserved (useful if the activity is only sporadic).
cheers,
Martijn
--
------------------------------------------------------------------------
\|/ ______ \|/ Martijn Feleus - mailto:feleus@math.leidenuniv.nl
"*'/ , . \'*" Mathematical Institute, Leiden University
/_| |_\ Phone: 31-71-5277114 or 0610528226
| \____/ | PGP key ID: 16DB92EA
\____U_/ Overflow error in /dev/null...
------------------------------------------------------------------------
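Added example (not part of the original thread): a shell check that compares a `sysctl -a` style dump against the settings listed in the message above and flags the rp_filter caveat raised in the reply. The function names, the sample dump and routes, and the "more than one default path" heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Baseline = the sysctl list quoted above.
BASELINE='net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096'

# lookup DUMP KEY: print KEY's value from "key = value" lines (sysctl -a format).
lookup() {
    printf '%s\n' "$1" | awk -F'[ \t]*=[ \t]*' -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sysctl DUMP: print one MISMATCH line per baseline key that differs
# from, or is missing in, the dump. Always returns 0; callers count lines.
audit_sysctl() {
    for want in $BASELINE; do
        key=${want%%=*}; val=${want#*=}
        have=$(lookup "$1" "$key")
        [ "$have" = "$val" ] || echo "MISMATCH $key have=${have:-unset} want=$val"
    done
    return 0
}

# rp_filter_caveat DUMP ROUTES: warn when rp_filter=1 and the `ip route show`
# text has more than one default path (a heuristic assumed for this example).
rp_filter_caveat() {
    paths=$(printf '%s\n' "$2" | awk '$1 == "default" || $1 == "nexthop" { n++ } END { print n + 0 }')
    if [ "$(lookup "$1" net.ipv4.conf.all.rp_filter)" = 1 ] && [ "$paths" -gt 1 ]; then
        echo "WARN rp_filter=1 with $paths default paths: replies on the other path may be dropped silently"
    fi
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE_DUMP='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 metric 100
default via 198.51.100.1 dev eth1 metric 200'
audit_sysctl "$SAMPLE_DUMP"
rp_filter_caveat "$SAMPLE_DUMP" "$SAMPLE_ROUTES"
```

On a live host, pass `"$(sysctl -a 2>/dev/null)"` and `"$(ip route show)"` instead of the samples. Setting net.ipv4.conf.all.log_martians=1 makes the kernel log packets rejected by reverse-path filtering, which removes the "silent" part of the drop.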