
Make my box secure!

  • 04-03-2009 9:32am
    #1
    Closed Accounts Posts: 13,249 ✭✭✭✭


    Not with a chastity belt :) I need to make my server secure. I've heard of IP tables and what was talked about in the project thread a few notches down.

    Any help/links would be great.


Comments

  • Registered Users Posts: 590 ✭✭✭bman


    Tbh, google it.

    There's so much info out there on Linux and this is such a common requirement; you should have no trouble finding tutorials on it.


  • Registered Users Posts: 4,226 ✭✭✭bullpost


    This app. should help - It will analyse and harden your server:
    http://bastille-linux.sourceforge.net/


  • Closed Accounts Posts: 13,249 ✭✭✭✭Kinetic^


    bman wrote: »
    Tbh, google it.

    There's so much info out there on Linux and this is such a common requirement; you should have no trouble finding tutorials on it.

    Google is always an option, I just want to make sure I get the right tutorial the first time around.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Install Webmin, it gives you a web GUI, then configure the Shorewall firewall.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Secure it in what way? From remote attacks, local attacks or both?


  • Closed Accounts Posts: 13,249 ✭✭✭✭Kinetic^


    Both would be good.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Good easy to follow guide here on setting up webmin, shorewall etc


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Find all suid-root binaries on your system and disable the +s flag (chmod -s <file>) for starters. The only suid-root binary on my shell server is sudo and my account is the only account with sudo access.

    Disable all services you don't require.

    For the services you need running - ensure you're using the most up to date version of every daemon and make sure they are all chrooted.

    Restrict access to these daemons if possible (by host).

    Use iptables to create some very strict firewall rules - for instance on my shell server I have all outgoing ports blocked except for IRC and SILC.

    Restrict access to pretty much everything locally - and give users access to a tool when they request it. For instance, don't let people use nmap, ping, etc. Also, don't give users read access to /etc.

    Use a very strict password policy. I don't allow passwords less than 20 digits in length and they can't be dictionary words.. they also need to be alphanumeric and a mix of upper + lower case.

    For the services you are using - check what is enabled in them by default and only enable what you require. If you have apache running with all fancy stuff like mod_ssl, etc, and you don't need it then disable them.

    If you're using Linux, install GRSecurity to harden the kernel.

    Also, install an IDS and have it monitor pretty much every file/binary on your system.


  • Closed Accounts Posts: 4,564 ✭✭✭Naikon


    Plug the network cable out, 100% secure:)


  • Closed Accounts Posts: 13,249 ✭✭✭✭Kinetic^


    Thanks for the links etc, I'll be getting around to this at the weekend.
    Naikon wrote: »
    Plug the network cable out, 100% secure:)

    What about the wireless smarty pants? :)


  • Registered Users Posts: 2,534 ✭✭✭FruitLover


    [-0-] wrote: »
    Use a very strict password policy. I don't allow passwords less than 20 digits in length and they can't be dictionary words.. they also need to be alphanumeric and a mix of upper + lower case.

    And what do you do when your users leave the piece of paper they've inevitably written this 20+ char password on lying around?


  • Registered Users Posts: 1,606 ✭✭✭djmarkus


    Install fail2ban if it's a publicly facing server. This will protect against brute force attacks.


  • Closed Accounts Posts: 15 Arbuzas


    If your server is running RedHat/CentOS/Fedora you can use a simple config tool for the firewall: system-config-security-tui or system-config-firewall-tui. It's very basic but does the trick. Also use a strong password and keep the system up to date.

    Some nice basic commands to see if there is already some evil running on your box:
    "pstree -pul | less" - look for a process that is running from a main process tree, e.g. Apache. Mostly for IRC bots and backdoors.

    "netstat -ntlp" - check if there is anything listed on an unusual port.


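The "netstat -ntlp" check from the last post, as an added example that is not part of the original thread: a shell function that reads that output and reports every listening TCP socket whose port is not on an allowlist. The sample output, the allowlist and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use:  netstat -ntlp | unexpected_listeners "22 80"

# Constructed sample of `netstat -ntlp` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1040/mysqld
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2291/perl
tcp6       0      0 :::80                   :::*                    LISTEN      977/apache2
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
EOF
}

# unexpected_listeners "<allowed ports, space or comma separated>"  < netstat output
# Prints "port address scope pid/program" for each LISTEN socket not on the allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, /[ ,]+/)
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        port = addr
        sub(/^.*:/, "", port)     # port follows the last colon (IPv4 and IPv6)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port in ok) next
        # Loopback-only listeners are not reachable from the network.
        scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "exposed"
        prog = $7
        for (i = 8; i <= NF; i++) prog = prog " " $i
        # netstat prints "-" when it cannot see the owning process (not run as root).
        if (prog == "-") prog = "unknown"
        print port, host, scope, prog
    }'
}
```

An "unknown" owner usually means netstat was run without root; rerun it as root before deciding what the socket belongs to.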