Tuesday, September 13, 2011

Linux Security tips

1. Use encrypted channels
scp, ssh, OpenSSH, rsync or sftp for file transfer
sshfs for remote file systems
GnuPG/OpenPGP
SSL for Apache (mod_ssl)
Avoid using FTP, Telnet, and rlogin/rsh

2. Remove unnecessary software and services

3. Enable disk quotas
 - modify /etc/fstab, remount the file system(s), create the quota database files, assign quota policies


4. Keep Linux Kernel and Software Up to Date, patch accordingly
5. Use Linux Security Extensions such as SELinux

6. Strong User Accounts/Password Policy
    - password aging (chage), maximum failed logins etc., force a password change on first login
    - account locking strategy etc., restrict reuse of previous passwords
# chage -M 99999 userName                      ### maximum password age 99999 days (effectively never expires)
# chage -l userName                            ### show password aging information
# chage -M 60 -m 7 -W 7 userName               ### expire after 60 days, at least 7 days between changes, warn 7 days before expiry
# faillog                                      ### check failed logins recorded in /var/log/faillog
# faillog -r -u userName                       ### reset the failure counter (unlock)
# passwd -l userName; passwd -u userName       ### lock and unlock an account
# awk -F: '($2 == "") {print}' /etc/shadow     ### find accounts with an empty password field

7. Log in as a normal user, use sudo, and disable direct root login
8. Control physical access - server room, BIOS password, DVD/CD-ROM, USB etc.

9. Check listening network ports, close unnecessary ones
# netstat -tulpn                                   ### listening TCP/UDP sockets and the process that owns each
# nmap -sT -O localhost; nmap -sT -O server-FQDN   ### port scan of the local host, then of the server by name

10. Use iptables, tcpwrappers or host-based firewall, IDS, IPS

11. Kernel parameter hardening - /etc/sysctl.conf
Linux reads /etc/sysctl.conf at boot time.

kernel.exec-shield=1                         ### Turn on ExecShield (Red Hat kernels only)
kernel.randomize_va_space=1                  ### Randomize the address space layout
net.ipv4.conf.all.rp_filter=1                ### Enable reverse-path filtering (IP spoofing protection)
net.ipv4.conf.all.accept_source_route=0      ### Disable IP source routing
net.ipv4.icmp_echo_ignore_broadcasts=1       ### Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_ignore_bogus_error_messages=1  ### Ignore bogus ICMP error messages
net.ipv4.conf.all.log_martians=1             ### Make sure spoofed (martian) packets get logged

12. Separate Disk Partitions (may improve performance and security, though the benefit is debatable)
/usr, /home, /var and /var/tmp, /tmp
Edit /etc/fstab and add the following mount options where appropriate:
noexec - do not allow binaries to be executed from the file system (blocks binaries, but interpreted scripts can still be run through their interpreter)
nodev - do not interpret character or block special devices (prevents use of device files such as zero, sda etc.)
nosuid - ignore the SUID/SGID bits on files in the file system

13. Disable Unwanted SUID and SGID Binaries, World-Writable Files and Orphaned/Unowned Files
A file with the SUID/SGID bit set can be misused when it has a security problem or bug.
Finding SUID/SGID files:
# find / -perm /4000                                     ### see all set-user-ID files (GNU find; the older -perm +4000 form is no longer accepted)
# find / -perm /2000                                     ### see all set-group-ID files
# find / \( -perm -4000 -o -perm -2000 \) -print         ### both in one pass, portable syntax
# find / -path /proc -prune -o -type f -perm /6000 -ls   ### skip a directory (/proc assumed here; adjust as needed), list SUID/SGID regular files with details

Find all world-writable directories that lack the sticky bit (any user can delete or rename other users' files in them):
# find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Files not owned by any valid user or valid group:
# find /dir -xdev \( -nouser -o -nogroup \) -print
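As an added example that is not part of the original post, the script below packages the checks from tips 6 and 13 into functions that take a path argument, so they can be pointed at / and /etc/shadow as root or at a constructed sample tree; the file names, the temporary-directory layout and the shadow lines are made up for illustration.

```shell
#!/bin/sh
# Added audit helpers for the checks in tips 6 and 13. Each helper takes a
# path argument instead of scanning /, so they can be exercised against the
# constructed sample tree built below (a hypothetical layout, not a real system).

# Tip 6: account names whose password field in a shadow-format file is empty
empty_password_accounts() {   # $1 = shadow file
    awk -F: '($2 == "") {print $1}' "$1"
}

# Tip 13: regular files with the SUID or SGID bit set, staying on one file system
setuid_setgid_files() {       # $1 = directory
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Tip 13: world-writable directories that lack the sticky bit, so any user
# could delete or rename other users' files inside them
world_writable_dirs_no_sticky() {   # $1 = directory
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Tip 13: files whose owner or group no longer exists in /etc/passwd or /etc/group
unowned_files() {             # $1 = directory
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Run every check and print headed sections; e.g. run_audit / /etc/shadow as root
run_audit() {                 # $1 = directory, $2 = shadow file
    echo "== accounts with empty password ==";   empty_password_accounts "$2"
    echo "== SUID/SGID files ==";                setuid_setgid_files "$1"
    echo "== world-writable dirs, no sticky =="; world_writable_dirs_no_sticky "$1"
    echo "== files with no valid owner/group =="; unowned_files "$1"
}

# Build a constructed sample tree (temporary directory) that triggers the checks
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/shared" "$d/tmp"
    : > "$d/bin/suid_tool";  chmod 4755 "$d/bin/suid_tool"    # flagged (SUID)
    : > "$d/bin/sgid_tool";  chmod 2755 "$d/bin/sgid_tool"    # flagged (SGID)
    : > "$d/bin/plain_tool"; chmod 0755 "$d/bin/plain_tool"   # not flagged
    chmod 0777 "$d/shared"   # world-writable without sticky bit: flagged
    chmod 1777 "$d/tmp"      # world-writable with sticky bit (like /tmp): fine
    # shadow-format lines: one hashed password and one empty one (constructed values)
    printf 'root:$6$constructedhash$:15000:0:99999:7:::\n' >  "$d/shadow"
    printf 'guest::15000:0:99999:7:::\n'                    >> "$d/shadow"
    echo "$d"
}
```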

14. Centralized AAA, Logging and Auditing
AAA - Kerberos, RADIUS etc.
Logging - syslog server, log file rotation etc.
Log monitoring - logwatch, logcheck
System accounting/auditing - auditd (/etc/audit.rules) records system startup and shutdown events (reboot / halt), the date/time of each event, the user who triggered it, the type of event, its status (fail/success), etc.

15. Secure Email
SSL certificates/GPG keys to secure email communication on both server and client
Dovecot IMAPS and POP3S, Postfix SMTP (mail server) SSL, IMAP SSL, Sendmail SSL etc.
