Linux-Sec.net

http://www.Linux-Sec.net

Hardening-Tightening

Security_Policy

Hardening-HOWTO

Linux Distros

Distro Patches

Kernel-Patches

Dedicated Servers

Web Servers

Turn-Off Daemons

Tighten Inetd Services

Top-10 Vulnerabilities

Top-7 Security Mistakes

Top-10 Vulnerabilities

Top-20 Most Critical Vulnerability

Top-10 Virus

Scans/Attacks Stats

Top-10 Attacks

Hacked Servers

One Minute Audits

OpenPorts Audit

AntiVirus - AntiSpam

spam.wav

Wireless [In]Security

Sniffers

Security Tools

SSH_SSL

Firewalls

MailServer

FileSystem

VPN

Port Scan Detectors

IDS Tools

LogFile Analysis

Ethernet Monitoring

Server Monitoring

Tracking & Forensics

Hackers Tools

Audit Tools

Port Scanners

Hacking Tools

Sniffer Tools

Exploits & Vulnerbilities

Wireless

Wireless [In]Security

Misc

Statistics

Linux/BSD Distros

Links,Articles,WatchDogs

Security Mailing Lists/FAQs

Liability Insurance

1U Rackmount Chassis
Custom-Chassis.com
Linux-1U.net
1U-ITX.net

ITX-Blades.net

Small PC cases
Mini-Box.net
Wrap-Box.net
Wrap-OS.net

Wan-Sim.net

Linux-Consulting.com
Linux-CAE.net
Linux-Sec.net
Linux-Boot.net
Linux-Backup.net
Linux-Wireless.org
Linux-Office.net
Linux-Video.net
Linux-Jobs.net
Linux-Diff.net
1U-Raid5.net

Spam Reporting

Free Linux CDs
ISO9660.org
Distro-CD.org
Patch-CD.org

Contact

Linux is a registered trademark of
Linus Torvalds

More Linux Legalese

Turn off and Tightening Daemon

Killing Daemons

Some daemons run standalone with its own wrappers
- eg: sendmail, httpd

Most of the daemons startup scripts are in:

```
Debian:  /etc/init.d 
```
```
Redhat:  /etc/rc.d/init.d 
```
```
Suse:    /etc/init.d 
```
```
Slackware:  /etc/rc.d 
```

Comment out the un-used daemons from the startup scripts in /etc/rc.d/*
- Kill the processes from /etc/rc.d/rc.local if needed
The Infamous Turn Off All Unused Daemons
- See what is on
  - chkconfig --list | grep on
- Turn off your daemons
  - chkconfig --level 2345 named off
  - Repeat the command for each unused daemon
- Manually Turn Off, Turn On, Check the Status the Daemons
  - /etc/rc.d/init.d/named stop
  - /etc/rc.d/init.d/named start
  - /etc/rc.d/init.d/named status
- Another way to kill daemons
  - kill -9 `pidof named`
The Infamous Turn Everything Off in inetd

System Daemons

System Daemon you probably want to keep

kerneld keytable random rawdevices	Generic system stuff
crond or atd	Run jobs at certains times of the day - usually for regular maintenace
syslogd	For logging the server activities
network	Allow network connectivity
sshd	Secure login into the server
autofs or amd	For automouting remote file systems
gpm	Allow cut-n-paste in normal console ( NOT X11 )

Turn off all remaining daemons ECST.CSUChico.edu

Client WorkStations

X11
- xfs
- /etc/X11/*
- Users will need to run xfs for X11 ( netscape, xterm, etc )
- Running X11 security

Dedicated Server Daemons

Dedicated Function Server Hardening
Download and Install the latest versions of the daemons
Audit and Perform Penetration Testing on Your servers

Firewalls
- ipchains, netfilter
- /etc/rc.d/rc.firewall
- Use a secure distro
- Configure it carefully

LogHost Servers
- syslog
- /etc/syslog.conf
- Use a secure distro
- Keep logfiles secure from tampering on an extremely secure server

Backup Servers
- Backup your important data to multiple backup servers
- Encrypt backup files with confidential data

DNS Servers
- bind-named
- /etc/hosts, /etc/resolv.conf, /etc/hosts.conf, /etc/named.conf, /etc/nisswitch.conf
- harden the DNS servers
- To resolve names to ip#

Outgoing/Incoming Mail Servers
- Sendmail, postfix, Exim etc
- /etc/mail/sendmail.cf, /etc/mail/sendmail.cw
- Test for Open Relays and and install AntiSpam Scanners
- Run a more secure MTA
- Turn off sendmail on servers that does NOT receive incoming emails ( you can still send outgoing emails )
- Sendmail.net Sendmail Security
- Sendmail.net Sendmail Security - part2
- Sendmail.net Anti-Spam

Local Pop3 Mail Servers
- identd/inetd, pop3d/imapd
- used in conjuction with inetd
- Run Secure POP3 server
- Run Anti-Virus Scanners
- identd - authenticate incoming email adresses
- pop3d - allow netscape/IE users to get email via pop3/imap

Web Servers
- httpd/apache and/or Apache-SSL, ModSSL
- /etc/httpd/conf/access.conf
- Carefully Check your CGI scripts
- Prevent them from running their CGI scripts
- Do NOT send confidential credit card info, etc back to the user via email

FTP Servers
- wu-ftpd
- /etc/ftpaccess, /etc/ftphosts, /etc/ftp*
- used in conjuction with inetd
- Secure the ftp file hierachy tree
- for user's FTP - use scp/sftp
- for anonymous ftp - use secure ftp daemons
- FTP Check Script: ftp_check.pl

NFS Servers
- nfs/portmapper
- /etc/exports
- Run secure-NFS, secure-RPC, Secure-PortMap
- For manual and/or automounts remote filesystems

File/Home Servers
- smbd, nmbd
- /etc/smb.conf
- For user login and authentication
- Run secure-NIS
- Use encrypted samba passwds for MS windows users
- smb - For MS windows users to write into ther home directories

NTP Servers
- xntpd
- /etc/ntp.conf
- Use ntpdate to initially synchronize to the outside world public NTP servers

NTP Clients
- /etc/ntp.conf
- Use ntpdate, rdate to synchronize local workstations to your local NTP server

Printer Servers
- lpd
- /etc/printcap
- For printing

X11 Servers
- X
- /etc/X11/XF86-Config-4
- Turn off X11 for exposed servers

Misc Daemons

apcd	Turn if off unless you have an RS232 connected to your UPS
isdn	Turn it off if you dont use ISDN service ( similar to DSL )
pcmcia	Turn if off if this is NOT a laptop


Copyright © 2000	Linux-Consulting	All Rights Reserved.	Updated: Sun Nov 21 23:52:11 2004 PDT