Yes, a can of worms... But general direction would be nice...

Kyle Waters unum at unum5.org
Wed Jul 15 10:49:59 MDT 2009


On 07/14/2009 07:49 PM, Scott Morris wrote:
> --------------------------
> When you have been hacked:
> --------------------------
>   

I agree with what has been said elsewhere.  Look at what happened and
reinstall.


> ----------
> HOSTS.DENY
> ----------
>   

I'm not such a big fan of this.  There may be others who think this is
still the way to go but I use iptables for all my filtering needs.

From what I understand it's up to the service to look at the hosts.deny
and not all services use it.  iptables is run by the kernel so it is
handled before it even gets to the service.  So I consider iptables more
secure, and convenient.  You may get double security by going this route
but I don't consider it to be worth it.

> ------------------------------------------------------
> DROP ALL PACKETS FROM HOST RANGE - FIREWALL - IPTABLES
> ------------------------------------------------------
>   

An important security principle I'll talk about more later is KISS.  I
use a firewall script to block everything I'm not using.  I like
shorewall.  I find it simple and easy to use, but I don't just block
IPs that are known to be problems.  I block all ports that the world
doesn't need access to.

Also iptables allows you to limit the number of connection attempts per
minute.  This is really useful in discouraging automated brute force
attacks.  If you don't use this hackers could be testing your
authentication methods hundreds of times per second (remember imaps and
pop3s in this).


> ------------------------
> ADD ADDITIONAL ROOT USER
> ------------------------
>   

I don't think there is any good reason to do this.  It now gives people
two root accounts to try and guess the password for, thus weakening your
security.

> Then, create public/private keys for your root user and your sysrt user
>   

And this sounds like a REALLY bad idea.  The main reason you create
public/private keys is so you can ssh into the account as that user
without a password.  You don't want people to be able to directly connect to
your machine as root.  You should not be connecting directly to your
machine as root.  You should disable root login in the sshd_config.
>
> --------------------------
> CREATE PUBLIC/PRIVATE KEYS
> --------------------------
>
>   

Useful in that it makes it faster, but only makes it more secure if you
disable password authentication through ssh and you set a passphrase on
the ssh key, otherwise you have made yourself less secure.

> ----------------------------------
> RESET MYSQL ROOT PASSWORD IN LINUX
> ----------------------------------
>
>   

Good plan.
>
> ---------------
> ALLOW_URL_FOPEN
> ---------------
>   
Probably good.
>
>
> ----------
> FTP SERVER
> ----------
>
> Never ever use an FTP server.
>
> If you do, make sure it is the only thing running on that box.  Make
> sure that it does not have access to any other machine in your network
> (i.e., that it is outside your network).  Make sure it is jailed.  Make
> sure it is in India.
>
>
>   


I agree with this.


> Anyone have some sources that I could consult that give some generally
> good ideas of security measures, and then how to clean up once you've
> been pwnd?  Or comments on the above suggestions?
Anyways.  One of the most important security principles is: KISS

Keep it simple stupid.  Don't install anything you don't need.  My
servers don't even have X installed.  So make sure you don't install
anything you don't need especially servers.

If you do need it make sure only the people that need that service can
access it (limit by IP, etc.).

Moving some service to a different port can help reduce random attacks
but often isn't worth the inconvenience.

Make it so root can not log in remotely.  You may even want to disable
direct root login locally (à la Ubuntu).  Don't use root unless you have to.

Don't use your servers as clients.

Set up your backups to run as a cron job.

Frequently check your security.  Run nmap and Nessus.

I'm sure I'll think of some more later.

Kyle


PS

I forgot I had all this:

http://unum5.org/presentations/

I should update all of that into something coherent.
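As an added example (not code from this thread or from unum5.org), here is a small POSIX shell script that puts two of the points above into practice: it generates an iptables-restore ruleset with a default DROP policy that rate-limits new connections to the authenticating services named in the post (ssh, imaps, pop3s), and it checks that an sshd_config refuses remote root login and password authentication. The port list, the limit of 5 attempts per 60 seconds and the file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from unum5.org. Emits an
# iptables-restore ruleset that drops everything not explicitly allowed and
# rate-limits new connections to the authenticating services mentioned above
# (ssh 22, imaps 993, pop3s 995), and checks that sshd_config refuses
# remote root login and password authentication. Ports, limits and file
# names below are assumptions for the demonstration.

# gen_ruleset "PORTS" HITS SECONDS: print an iptables-restore ruleset.
# A source address may open at most HITS-1 new connections to each listed
# TCP port within SECONDS; the HITS-th attempt is dropped by the kernel
# before the daemon ever sees it. Load with: gen_ruleset ... | iptables-restore
gen_ruleset() {
    ports=$1 hits=$2 secs=$3
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        # "recent" keeps a per-port table of source addresses and hit times
        printf '%s\n' \
          "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -m recent --name p$p --set" \
          "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -m recent --name p$p --update --seconds $secs --hitcount $hits -j DROP" \
          "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# sshd_hardened FILE: return 0 only if PermitRootLogin and
# PasswordAuthentication are both set to "no". sshd uses the first
# occurrence of a directive, so the first match wins; Match blocks are ignored.
sshd_hardened() {
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(grep -i "^[[:space:]]*$key[[:space:]]" "$1" | head -n 1 |
              awk '{print tolower($2)}')
        [ "$val" = "no" ] || return 1
    done
    return 0
}

# Demonstration on constructed input.
gen_ruleset "22 993 995" 5 60
tmp=$(mktemp)
printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\n' > "$tmp"
if sshd_hardened "$tmp"; then echo "sshd_config: hardened"; else echo "sshd_config: NOT hardened"; fi
rm -f "$tmp"
```

The ruleset leaves no other inbound port open; add an ACCEPT line for each service you actually run before loading it, and note that the `recent` module keeps counting dropped attempts, so a source that keeps hammering stays blocked until it pauses for the full window.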