Re: a good start to do hardening

From: Bruce Cook (sysadmin@usertools.net)
Date: 12/29/01

    From: Bruce Cook <sysadmin@usertools.net>
    Date: Sat, 29 Dec 2001 03:22:45 GMT
    
    

    On Fri, 28 Dec 2001 12:35:54 GMT, nickd@nospam.demon.co.uk wrote:
    > Marcus <talos@algonet.se> wrote:
    > > Thomas wrote:
    >
    > >> Can anyone tell me a good way to start to do hardening on my Linux
    > >> machine.
    >
    > > To simplify what countless books, whitepapers and personal experience
    > > on security say:
    > >
    > > 6 simple steps to make your system somewhat ultrasecure:
    > >
    > > 1) echo "" > /etc/inetd.conf; killall -HUP inetd
    > > 2) for f in `find / -perm +4000` ; do chmod u-s $f ; done
    > > 3) for f in `find / -perm +2000` ; do chmod g-s $f ; done
    > > 4) Download the Openwall kernel patch: http://www.openwall.com/linux/
    > > 5) Recompile kernel with no loadable module support, and kernel patch
    > > 6) chroot all non-inetd services
    > >
    > > That should do it :)
    > >
    > > Note that line (2) and (3) might break some things... You should
    > > customize them, especially (2) :)
    >
    > Oh yeah, and (1) is lovely too :)

    I actually agree with (1) - inetd (especially on RH systems) has a bunch of
    services that are simply never used, and are just waiting for some future exploit.

    My first step is to run a script that renames everything in init.d to xxx-DISABLED
    to prevent it from starting (except ssh, syslog & networking), modifies sshd_config to
    allow only public key login, no root login, and copies in my .ssh directory.

    I then enable only the services I want (which almost never includes the NIS and RPC
    stuff that's on by default).

    >
    > Try:
    >
    > http://www.enteract.com/~lspitz/linux.html
    >
    > http://www.rootprompt.org/article.php3?article=903
    >
    > http://www.linuxdoc.org/HOWTO/Security-HOWTO.html
    >
    > --
    > "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
    > comes to doing anything technical, such as setting a clock."


