Linux-Sec.net Linux-Security.net Hardening-Tightening Security_Policy Hardening-HOWTO Linux Distros Distro Patches Kernel-Patches Dedicated Servers Firewalls DNS Servers Mail Servers Web Servers Turn-Off Daemons Tighten Inetd Services Top-10 Vulnerabilities Top-10 Vulnerabilities Top-20 Most Critical Vulnerability Top-10 Virus One Minute Audits OpenPorts Audit AntiVirus - AntiSpam Anti-Spam Anti-Virus spam.wav Wireless [In]Security Sniffers Security Tools SSH_SSL Firewalls MailServer FileSystem VPN Port Scan Detectors IDS Tools LogFile Analysis Ethernet Monitoring Server Monitoring Tracking & Forensics Hackers Tools Audit Tools Port Scanners Hacking Tools DDOS Tools Sniffer Tools Spoof Tools Exploits & Vulnerbilities Wireless Wireless [In]Security Misc Statistics Linux/BSD Distros Links,Articles,WatchDogs Security Mailing Lists/FAQs Liability Insurance

Services Hardening Login Services ALWAYS Require SSH or SSL-enabled logins only ALWAYS require users to enter their passwds ( though its a little inconvenient ) Have one trusted machine that other hosts will not ask for user passwds for access to its resources Elminiate clear text user login passwds services Disallow telnet -- use ssh instead or telnet-ssl Disallow ftp for users -- use scp and/or sftp instead Disallow pop3 from netscape/IE -- user secure pop3/imap ( SSL ) instead Keep insecure server/services SEPARATE from your local lan Keep insecure servers BEHIND your firewall thru a ssh-secure gateway if you want it to access your local LAN Keep insecure servers OUTSIDE your firewall if you dont trust it and just allow them to get to/from the internet PPP dailup server -- typically has passwd in a text file PPTP server are typically behind your firewall Samba server are typically behind your firewall Configure for encrypted samba passwd vs (insecure)cleartext passwds kerberos server are typically behind your firewall NIS/YP Services Auburn.edu Securing NIS have at least 2 secondary NIS servers for each local LAN segment TCP_Wrappers SSLwrap Use TCPWrappers for desired services Selectively enable tcp_wrapped services to local servers/users Uncomment telnet to enable (insecure) telnet connections only to the IP# listed in /etc/hosts.allow Uncomment ftp to enable (insecure) ftp connections only to the IP# listed in /etc/hosts.allow cr.yp.to/ucspi-tcp/tcpserver.html Cr.yp.to ^ TCPServer Porcupine.org TCP wrappers Sans.org TCPWrappers ECST.CSUChico.edy Cert.org tcpwrappers, hosts.allow, hosts.deny Stanford.edu TCP_wrappers + kerberos /etc/hosts.allow # # Start hosts.allow file -- it is READ before checking hosts.deny # # Allow telnet connection ONLY from 192.168.1.1 in.telnetd: 192.168.1.1 # # allow all local IE/Netscape to get emails on this POP3 servers in.pop3d: 192.168.1.0 # # end of file /etc/hosts.deny # # Start hosts.deny file # # By default Deny all Services to everybody # ALL:ALL # # end of file /etc/hosts.equiv Don't trust any other machine mv /etc/hosts.equiv /etc/hosts.orig.equiv Porcupine.org TCP wrappers /etc/hosts.lpd Which machines are allowed to print to the printer connected to this (printer) server Don't allow any clint to print mv /etc/hosts.lpd /etc/hosts.orig.lpd Turn Off inetd The Infamous Turn Off All Unused Daemons The Infamous Turn Everything Off in inetd.conf or xinetd.conf Optionally turn on identd for incoming pop3 servers xinetd tutorial cwru.edu xinetd info xinetd MandrakeUser.org inetd services Turn Off inetd ( move it aside ) mv /etc/inetd.conf /etc/inetd.orig.conf KILL inetd kill -9 `pidof inetd` Selectively enable pop3 to certain hosts running netscape/IE /etc/inetd.conf # # Uncomment to enable it # # # Selectively turn on the (insecure) pop3 -- enable in /etc/hosts.allow too # # pop3 stream tcp nowait root /usr/sbin/tcpd in.pop3d # # Run Secure SSL-wrapped POP3 instead # ----------------------------------- # pop3s stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem -port 110 # # end of inetd.conf X11 Services X.org X11.org XFree86.org XFree86.org Security rootshell.com X11 Security LLNL.gov Securing X Windows MIT.edu Tunneling X11 data through the secure link OneEyedCrow.net Securing X11 Make X11_Forward is turned on in /etc/ssh/sshd_config ssh -l username -v -C -X remotehostname root should NEVER login into X11 login as a user and run startx/xinit than su to root remove all occcurance of "xhost +" use "xhost +server:0.0" and "xhost -server:0.0" when done

Linux-Consulting.com == Linux-Consulting.org

ISO9660.org

BSD-Consulting.org == UNIX-Consulting.org

Hardware Products/Solutions gigEnn.net NetworkNightmare.net Custom-Chassis.net Linux-1U.net ITX-Blades.net 1U-Raid5.org Mini-Box.net

Infrastructure Consulting WanSim.net IPv6-Cloud.org Linux-Backup.net Linux-Boot.net Linux-VOIP.net Linux-Video.net C-J-K.net

Security Consulting Linux-Security.net Encrypted-Email.net Packet-Craft.net Linux-Wireless.net

Legalese Contact Legal

Copyright © 2000	Linux-Consulting	All Rights Reserved.	Updated: Sun Aug 19 23:19:44 2012 PDT