- Limit physical access and booting capabilities
  - Enable BIOS password
  - Disable floppy booting
  - Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/menu.lst, respectively); check that the LILO or GRUB configuration file is read-protected.
  - Disallow MBR floppy booting back door by overwriting the MBR (maybe not?)
- Partitioning
  - Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions
  - Set nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions such as /tmp
- Password hygiene and login security
  - Set a good root password
  - Enable password shadowing and MD5
  - Install and use PAM
    - Add MD5 support to PAM and make sure that (generally speaking) entries in /etc/pam.d/ files which grant access to the machine have the second field in the pam.d file set to "requisite" or "required".
    - Tweak /etc/pam.d/login so as to only permit local root logins.
    - Also mark authorized ttys in /etc/security/access.conf and generally set up this file to limit root logins as much as possible.
    - Add pam_limits.so if you want to set per-user limits
    - Tweak /etc/pam.d/passwd: set minimum length of passwords higher (6 characters maybe) and enable md5
    - Add group wheel to /etc/group if desired; add pam_wheel.so group=wheel entry to /etc/pam.d/su
    - For custom per-user controls, use pam_listfile.so entries where appropriate
    - Have an /etc/pam.d/other file and set it up with tight security
  - Set up limits in /etc/security/limits.conf (note that /etc/limits is not used if you are using PAM)
  - Tighten up /etc/login.defs; also, if you enabled MD5 and/or PAM, make sure you make the corresponding changes here, too
  - Disable root ftp access in /etc/ftpusers
  - Disable network root login; use su(1) or sudo(1) (consider installing sudo).
  - Use PAM to enforce additional constraints on logins?
- Other local security issues
  - Kernel tweaks
  - Kernel patches
  - Tighten up logfile permissions (/var/log/{last,fail}log, Apache logs)
  - Verify that setuid checking is enabled in /etc/checksecurity.conf
  - Consider making some log files append-only and configuration files immutable using chattr (ext2 filesystems only)
  - Set up file integrity checking. Install debsums
  - Consider replacing locate with slocate
  - Log everything to a local printer?
  - Burn your configuration on a bootable CD and boot off that?
  - Disable kernel modules?
- Limit network access
  - Install and configure ssh (suggest PermitRootLogin No in /etc/ssh, PermitEmptyPasswords No; note other suggestions in text also)
  - Consider disabling or removing in.telnetd
  - Generally, disable gratuitous services in /etc/inetd.conf using update-inetd --disable (or disable inetd altogether, or use a replacement such as xinetd or rlinetd)
  - Disable other gratuitous network services; mail, ftp, DNS, www etc. should not be running if you do not need them and monitor them regularly.
  - For those services which you do need, do not just use the most common programs; look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks.
  - Set up chroot jails for outside users and daemons.
  - Configure firewall and tcpwrappers (i.e. hosts_access(5)); note trick for /etc/hosts.deny in text
  - If you run ftp, set up your ftpd server to always run chrooted to the user's home directory
  - If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting the requestPort to 0)
  - Disable outside access to printers
  - Tunnel any IMAP or POP sessions through SSL or ssh; install stunnel if you want to provide this service to remote mail users
  - Set up a loghost and configure other machines to send logs to this host (/etc/syslog.conf)
  - Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run as a non-root pseudo-user)
  - Install snort or a similar logging tool.
  - Do without NIS and RPC if you can (disable portmap).
- Policy issues
  - Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means.
  - Prohibit use of protocols which use cleartext passwords (telnet, rsh and friends; ftp, imap, http, ...).
  - Prohibit programs which use SVGAlib.
  - Use disk quotas.
- Keep informed about security issues
  - Subscribe to security mailing lists
  - Subscribe to security updates -- add to /etc/apt/sources.list an entry (or entries) for http://security.debian.org/debian-security
  - Also remember to periodically run apt-get update ; apt-get upgrade (perhaps install as a cron job?).
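As an added example (not part of the original checklist), the shell function below audits an fstab-format file for the two Partitioning items: it reports listed mount points that have no fstab entry of their own or that lack nosuid, noexec or nodev. The function names, the mount points checked and the sample fstab are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_fstab_opts FSTAB MOUNTPOINT...
# Prints one line per mount point that has no fstab entry of its own or that
# lacks nosuid, noexec or nodev. Returns 0 when every mount point is clean.
check_fstab_opts() {
    fstab=$1; shift
    awk -v want="$*" '
        BEGIN { n = split(want, mp, " "); split("nosuid noexec nodev", req, " ") }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments, blank and short lines
        { opts[$2] = $4 }                  # field 2: mount point, field 4: options
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                m = mp[i]
                if (!(m in opts)) { print m ": no separate fstab entry"; bad = 1; continue }
                k = split(opts[m], o, ","); missing = ""
                for (r = 1; r <= 3; r++) {
                    found = 0
                    for (j = 1; j <= k; j++) if (o[j] == req[r]) found = 1
                    if (!found) missing = missing (missing == "" ? "" : ",") req[r]
                }
                if (missing != "") { print m ": missing " missing; bad = 1 }
            }
            exit bad
        }' "$fstab"
}

# Constructed sample fstab (not taken from a real system).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1  /      ext2  defaults,errors=remount-ro  0 1
/dev/hda5  /tmp   ext2  defaults,nosuid,nodev       0 2
/dev/hda6  /home  ext2  nosuid,noexec,nodev         0 2
EOF
}

# Demo: audit the sample; the mount points listed are illustrative choices.
tmp=$(mktemp) && sample_fstab > "$tmp"
check_fstab_opts "$tmp" /tmp /home /var/tmp || echo "fstab needs attention"
rm -f "$tmp"
```

To audit a live system, pass /etc/fstab and the mount points you have decided to restrict; the check only reads the file and does not inspect what is currently mounted.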