Bose-Einstein n00b
Joined: 17 Oct 2004 Posts: 43
Posted: Mon Dec 27, 2004 1:43 pm Post subject: Security hints and tips?
Hi, I've recently installed Gentoo on a machine I'm using as a web/mail/ftp and database server and I'm looking for as many pointers as possible to secure the box. I've looked all around the forum and seen one or two ideas here and there but it'd be good to have as many as possible all in one place.
So far I've come across the prevention of using SSH1 protocol, not allowing root to SSH in, not adding regular users to the wheel group. All passwords are akin to: adb43wpt etc. but other than regular emerge -u to keep the system up to date, what other things can I do to make this as secure as possible?
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Dec 27, 2004 1:56 pm
Insert a firewall between the box and the Internet.
Really.
Or prepare for iptables hell as you try to figure it all out.
I opted to just drop in an ipcop machine as a dedicated firewall and forgot about it.
Ipcop can run on a 90MHz Pentium-1 with 32 MB of RAM and 2 NICs.
Monowall runs on even older machines.
As for the database: disable all access from the network.
It doesn't need it, and can only lead to possible security holes.
Other than that, you can do a quick scan from another *nix machine with nmap, or set up a larger testing environment and run nessus.
If it passes all of nessus' scans and attacks successfully you shouldn't need to worry.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
MrStubby n00b
Joined: 29 Oct 2004 Posts: 3
Posted: Mon Dec 27, 2004 5:39 pm
Just don't run Nessus in its most aggressive mode unless you're sure you have the latest on almost everything including drivers. A friend of mine who works for the state's information technology department actually fried a motherboard with it.
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue Dec 28, 2004 9:29 am
Really?
That's nice to know if ever I need to harass a cow-orker ;-)
Anarcho Advocate
Joined: 06 Jun 2004 Posts: 2970 Location: Germany
Posted: Tue Dec 28, 2004 10:41 am
I would close all ports to the internet and only open the needed ones. That is much better than closing the unwanted ones.
Also a good idea is to switch the ssh port to some other like 1223 or whatever.
Keeping PHP and other web scripting languages up to date and trying to avoid security holes in websites is also important (cross-site scripting, SQL injection etc.)
_________________
...it's only Rock'n'Roll, but I like it!
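
An added example, not part of any post in this thread: a Python check for two pieces of advice given above (open only the ports you need; keep the database off the network). The `ss -tln` sample and the allowlist of ports 21, 22, 25 and 80 are constructed assumptions for a web/mail/ftp box.

```python
import ipaddress

# Constructed sample of `ss -tln` output; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     0.0.0.0:111         0.0.0.0:*
LISTEN  0       100     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     [::]:21             [::]:*
LISTEN  0       100     [::1]:25            [::]:*
"""

# Assumed allowlist for a web/mail/ftp server: ftp, ssh, smtp, http.
ALLOWED_PORTS = {21, 22, 25, 80}


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of numeric ss output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # non-numeric service name: run ss with -n
        addr = addr.strip("[]").split("%")[0]  # drop brackets and scope id
        yield ("0.0.0.0" if addr == "*" else addr), int(port)


def exposed(ss_output, allowed_ports):
    """Return non-loopback listeners whose port is not on the allowlist."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if ipaddress.ip_address(addr).is_loopback:
            continue  # bound to localhost only, unreachable from the network
        if port not in allowed_ports:
            findings.append((addr, port))
    return sorted(findings, key=lambda item: item[1])


if __name__ == "__main__":
    for addr, port in exposed(SAMPLE_SS, ALLOWED_PORTS):
        print(f"unexpected network listener: {addr} port {port}")
```

On the constructed sample this flags ports 111 and 3306, while the database bound to 127.0.0.1:5432 passes because it only listens on loopback.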
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue Dec 28, 2004 10:54 am
Quote:
> Also a good idea is to switch the ssh port to some other like 1223 or whatever

...not necessarily.
See, any decent scanner will see that it is in fact an SSH port soon enough.
By not using a standard port you are only achieving one goal: people will be more interested in finding out what it is that you wanted to hide.