For a while now I’ve wanted to assemble a generic document that I could hand to a junior admin and expect some degree of comprehension, and which would be immediately demonstrable. I have some loose guidelines for starting from a clean minimal install that go something like this:

### General Linux Install Guidelines ###

Do not log in as root@host.domain.com. It’s a terrible idea. Instead, create some other user, like mtimersen. mtimersen@host.domain.com is how you should log in, and you should give mtimersen a strong password like:

bHu8#EDCvfr4

That’s only 12 characters, but with a password like this you can expect it won’t show up in any wordlist. Then add mtimersen to the wheel group with “usermod -a -G wheel mtimersen”; this gives the user mtimersen some rights as an admin. Use the “su” command to become root when that’s required.

This is a clean install with minimal services. Install SSH from your package system and then edit /etc/ssh/sshd_config. Don’t listen for ssh connections on port 22; set Port to something bigger, like 16543 (this mostly cuts the scanner noise in your logs rather than stopping a determined attacker). Then set PermitRootLogin no so that attempts to log in as “root” bomb immediately. Then enforce SSH version 2 with Protocol 2. Then limit the users who can log in with the “AllowUsers” directive. Be aware that none of your changes will “take” until you restart the SSH service.
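The four sshd_config settings above are easy to get wrong after a package upgrade rewrites the file, so here is a small audit script you can run from cron. It is an added example, not part of the original post: the function names (sshd_value, audit_sshd_config), the constructed sample config, and the sample port 16543 are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# settings above. Prints one line per check and returns the number of failures,
# so "audit_sshd_config /etc/ssh/sshd_config && echo OK" works from cron.

# Effective value of a directive. sshd honours the first uncommented occurrence,
# so stop at the first match. Directive names are case-insensitive; the value is
# returned lower-cased to keep the comparisons simple.
sshd_value() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

audit_sshd_config() {
    cfg="$1"
    failures=0

    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port: ${port:-unset, defaults to 22}; move sshd off the default port"
        failures=$((failures + 1))
    else
        echo "OK   Port $port"
    fi

    if [ "$(sshd_value "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FAIL PermitRootLogin: must be 'no' so root logins fail immediately"
        failures=$((failures + 1))
    else
        echo "OK   PermitRootLogin no"
    fi

    if [ "$(sshd_value "$cfg" Protocol)" != "2" ]; then
        echo "FAIL Protocol: must be 2 (older OpenSSH releases defaulted to 2,1)"
        failures=$((failures + 1))
    else
        echo "OK   Protocol 2"
    fi

    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "FAIL AllowUsers: not set, so every local account may log in over ssh"
        failures=$((failures + 1))
    else
        echo "OK   AllowUsers restricts ssh logins"
    fi

    return "$failures"
}

# Constructed sample config that follows the guidelines, used for the demo below.
sample_sshd_config() {
    cat <<'EOF'
# sshd_config (constructed sample)
Port 16543
Protocol 2
PermitRootLogin no
AllowUsers mtimersen
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

tmp=$(mktemp)
sample_sshd_config > "$tmp"
audit_sshd_config "$tmp" && echo "sshd_config passes all checks"
rm -f "$tmp"
```

Point it at the real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status tells you how many of the four settings drifted. The script only reads the file, so it never needs to be run as root as long as the config is readable.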

You will likely need more services installed than SSH, and some of those services may require that the box listen for connections. Here are some guidelines for this.

  • use a firewall. iptables is a good one, but use it to limit access to services, and use IP-based filters whenever possible
  • for each service you start, check to see if it is going to be listening for connections. If so, you should bind it to localhost if at all possible. Examples of services you can do this for include MySQL and Postfix (if Postfix is only sending mail).
  • netstat -tap and lsof -i can be used to see which services/processes are using network resources. Check the output of these commands frequently to ensure your site has not been compromised and your services are not going rogue.
  • stop using ftp, which is very insecure, and replace it with scp, which runs encrypted over SSH. Same with NFS: NFS over SSH is much better than plain NFS. Be aware that you trade overhead for peace of mind.
  • use chroot jails if at all possible. You can chroot Apache, MySQL, Postfix, and many other services. If this box is going to be your Apache web server with VirtualHosts, you can chroot each user to prevent privilege escalation.
  • Keep in mind that even in a perfect world you can limit, but not eliminate, avenues of attack.
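Checking netstat output by eye gets old quickly, so here is the "is anything listening that shouldn't be" check from the list above as a script. It is an added example, not part of the original post: the function names (audit_listeners, sample_netstat), the allowlist argument, and the sample netstat output (PIDs, addresses, and the sshd port 16543) are constructed for the demo. Anything bound to loopback passes; anything bound to a wildcard or public address must be on the allowlist of ports you intend to expose, or it is reported.

```shell
#!/bin/sh
# Added example (not from the original post): review listening TCP sockets from
# "netstat -tapn" output. Loopback binds are fine; wildcard/public binds must be
# on an allowlist of ports you intend to expose (here only the sshd port).
# Returns the number of unexpected public listeners.

# $1 = file with netstat -tapn output ("-" reads stdin)
# $2 = space-separated ports that are allowed to be reachable from outside
audit_listeners() {
    awk -v allowed=" $2 " '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            # strip ":port" from the end so IPv6 addresses like ::1:25 still work
            host = substr($4, 1, length($4) - length(port) - 1)
            prog = $7
            if (host == "127.0.0.1" || host == "::1") {
                print "OK   loopback only   " $4 "  " prog
            } else if (index(allowed, " " port " ") > 0) {
                print "OK   expected public " $4 "  " prog
            } else {
                print "WARN public listener " $4 "  " prog "  (bind to 127.0.0.1 or firewall it)"
                bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample in the layout "netstat -tapn" prints on Linux; the PIDs,
# addresses and ports are made up for the demo. Postfix on 0.0.0.0:25 is the
# case the list above warns about: a send-only MTA should be on loopback.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:16543           0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      934/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1021/master
tcp6       0      0 ::1:25                  :::*                    LISTEN      1021/master
tcp        0      0 10.0.0.5:16543          10.0.0.9:51234          ESTABLISHED 1500/sshd: mtimersen
EOF
}

# Demo run: only port 16543 is meant to be public, so the wildcard bind on 25 is flagged.
sample_netstat | audit_listeners - "16543" || echo "$? unexpected public listener(s); see WARN lines"
```

On a live box run `netstat -tapn | audit_listeners - "16543"` (or whichever ports you deliberately expose) and treat any WARN line as a service to rebind to 127.0.0.1 or to fence off with iptables. Comparing today's output with yesterday's is a cheap way to notice a process that has started listening when it never used to.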