LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-25-2003, 04:42 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
README


Hi,

First I'd like to outline something from my README file:
Code:
----------------------------------------------------------------------
intended audience
----------------------------------------------------------------------
I assume you match the following requirements:


        x good knowledge about computers in general
        x hostile to M$ testers (= users)
        x USB turned off
        x real linux knowledge
                [ not distribution specific stuff only ]
        x sensitive care for security
        x know how to use debian-tools like apt-get and dpkg


If you don't match all requirements you will not be able to
understand the ChangeLogs. By the way, I give NO WARRANTY OF ANY
KIND that after you did all these steps your system is more performant,
stable, secure or anything else. Don't cry - you have been warned!


Greetings to unSpawn, a security expert from Belgium who has helped
me out a lot so far!
----------------------------------------------------------------------
If you understand that, you can continue reading. I just don't want complaints or anything :-)

If you have a question about something, please quote ONLY the relevant part. This issue will be spread over different threads and maybe even different forums. I'll link those together though!

BTW, you CAN'T copy that 1:1 and use it for your system. Like everything else it needs to be adjusted to your system. Just like network config, e-Mail addresses, etc.

Last edited by markus1982; 05-25-2003 at 04:53 AM.
 
Old 05-25-2003, 04:52 AM   #2
markus1982
BASE INSTALL + MOVING DATA TO SPECIFIC PARTITIONS

Code:
----------------------------------------------------------------------
installation
----------------------------------------------------------------------
	x bf24 as boot option to install Kernel 2.4
----------------------------------------------------------------------




----------------------------------------------------------------------
base configuration
----------------------------------------------------------------------
	x MD5 passwords
	x shadow passwords
----------------------------------------------------------------------
I'm using Kernel v2.4 since I have some hardware that requires that and of course I want to use iptables. I'll build a customized kernel anyway, but it's good to have some default fall-back kernel which supports my netfilter configuration :-)
Code:
----------------------------------------------------------------------
moved specific directories to other partitions
----------------------------------------------------------------------
why am I doing that ?
	x performance tuning (partition-specific)
	x security


how to do something alike ?
	x create the partitions using fdisk
	x format those using mkfs.ext3 (you need to adjust those)
	x edit /etc/fstab so you can follow my instructions


each of the following will get its own partition:
	/boot
	/home
	/tmp
	/usr
	/usr/local
	/var/log
	/var/spool/postfix
	/var/tmp



/boot
	mv /boot /boot.old
	mkdir /boot
	mkfs.ext3 /dev/hdd6
	mount /dev/hdd6 /boot
	mv /boot.old/* /boot
	rm -r /boot.old

/home (directory is empty)
	mkfs.ext3 /dev/hdd7
	rmdir /home
	mount /dev/hdd7 /home
	chown root:users /home
	chmod o-rwx /home

/tmp (directory is empty)
	mkfs.ext3 /dev/hdd8
	mount /dev/hdd8 /tmp
	chmod 777 /tmp
	chmod +t /tmp

/usr
	mv /usr /usr.old
	mkdir /usr
	mkfs.ext3 /dev/hdd9
	mount /dev/hdd9 /usr
	mv /usr.old/* /usr
	rm -r /usr.old

/usr/local
	mv /usr/local /usr/local.old
	mkdir /usr/local
	mkfs.ext3 /dev/hdd10
	mount /dev/hdd10 /usr/local
	mv /usr/local.old/* /usr/local
	chmod g-sw -R /usr/local
	chown root:root -R /usr/local
	rm -r /usr/local.old

/var/log
	mv /var/log /var/log.old
	mkdir /var/log
	mkfs.ext3 /dev/hdd11
	mount /dev/hdd11 /var/log
	mv /var/log.old/* /var/log
	rm -r /var/log.old

/var/tmp
	mkfs.ext3 /dev/hdd13
	mount /dev/hdd13 /var/tmp
	chmod 777 /var/tmp
	chmod +t /var/tmp


Next thing of course is to modify /etc/fstab according to those
changes!
----------------------------------------------------------------------



----------------------------------------------------------------------
optimized mount flags                                   [ /etc/fstab ]
----------------------------------------------------------------------
	/boot			defaults,nodev,noexec,nosuid
	/home			defaults,nodev,noexec,nosuid
	/tmp			defaults,nodev,noexec,nosuid
	/usr			defaults,noatime,nodev
	/usr/local		defaults,noatime,nodev
	/var/log		defaults,nodev,nosuid,noexec
	/var/spool/postfix	defaults,noatime,nodev,nosuid
	/var/tmp		defaults,nodev,nosuid

	went into init 1 to be able to remount all of those
	umount -a
	mount -a
----------------------------------------------------------------------
Now we have everything split up onto different partitions. I install self-coded scripts, etc. in /usr/local/sbin. All daemons that will be installed chrooted will be under /usr/local/. For instance bind: /usr/local/bind. Remember this is just a BASE IMAGE for other servers. After securing the base image you can use that to set up new servers quickly ... you have to adjust the AIDE, etc. configuration for each server of course.

Last edited by markus1982; 05-25-2003 at 04:54 AM.
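An audit of the mount-option table above, written as an added example (it is not code from the original post): it parses fstab lines, reports per mount point which of the listed flags are missing, and also reports options that mount(8) does not know, since a misspelled flag such as `noexex` gives no protection at all and, depending on the filesystem driver, may stop the partition from being mounted by `mount -a`. The fstab text is constructed (devices follow the post where it names them; `/dev/hdd12` is a placeholder).

```python
"""Audit fstab mount options against the per-partition flags from the post.

Added example, not code from the original post.  POLICY is the "optimized
mount flags" list; the fstab text is constructed (/dev/hdd12 is a placeholder).
"""

# Generic and ext2/ext3 mount options a hardened fstab would plausibly use.
KNOWN_OPTIONS = {
    "defaults", "ro", "rw", "auto", "noauto", "sync", "async", "user",
    "nouser", "noatime", "nodev", "noexec", "nosuid", "errors=remount-ro",
}

# Required options per mount point, as given in the post.
POLICY = {
    "/boot":              {"nodev", "noexec", "nosuid"},
    "/home":              {"nodev", "noexec", "nosuid"},
    "/tmp":               {"nodev", "noexec", "nosuid"},
    "/usr":               {"noatime", "nodev"},
    "/usr/local":         {"noatime", "nodev"},
    "/var/log":           {"nodev", "nosuid", "noexec"},
    "/var/spool/postfix": {"noatime", "nodev", "nosuid"},
    "/var/tmp":           {"nodev", "nosuid"},
}

def parse_fstab(text):
    """Return {mount_point: set(options)} for every non-comment fstab line."""
    mounts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:          # blank, comment, or too short to be valid
            continue
        mount_point, options = fields[1], fields[3]
        mounts[mount_point] = set(options.split(","))
    return mounts

def audit_fstab(text, policy=POLICY):
    """Return {mount_point: {"missing": set, "unknown": set}} for every
    policy entry that is not fully compliant.

    A mount point absent from the fstab is reported with all of its policy
    options missing.  "unknown" holds options not in KNOWN_OPTIONS (typos).
    """
    mounts = parse_fstab(text)
    findings = {}
    for mount_point, wanted in policy.items():
        present = mounts.get(mount_point, set())
        missing, unknown = wanted - present, present - KNOWN_OPTIONS
        if missing or unknown:
            findings[mount_point] = {"missing": missing, "unknown": unknown}
    return findings

SAMPLE_FSTAB = """\
# constructed sample; /boot carries the "noexex" typo from the post
/dev/hdd6  /boot              ext3 defaults,nodev,noexex,nosuid    0 2
/dev/hdd7  /home              ext3 defaults,nodev,noexec,nosuid    0 2
/dev/hdd8  /tmp               ext3 defaults,nodev,noexec,nosuid    0 2
/dev/hdd9  /usr               ext3 defaults,noatime,nodev          0 2
/dev/hdd10 /usr/local         ext3 defaults,noatime,nodev          0 2
/dev/hdd11 /var/log           ext3 defaults,nodev,nosuid,noexec    0 2
/dev/hdd12 /var/spool/postfix ext3 defaults,noatime,nodev,nosuid   0 2
/dev/hdd13 /var/tmp           ext3 defaults,nodev,nosuid           0 2
"""

if __name__ == "__main__":
    for mnt, f in sorted(audit_fstab(SAMPLE_FSTAB).items()):
        print(f"{mnt}: missing={sorted(f['missing'])} unknown={sorted(f['unknown'])}")
```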
 
Old 05-25-2003, 04:57 AM   #3
markus1982
getting rid of not required software

A secure system should have as little software on it as possible. For instance, you don't need a compiler or anything like that on it (and you shouldn't have one). Or would you like to provide an attacker with a full-featured tool set?
Code:
----------------------------------------------------------------------
packages I purged
----------------------------------------------------------------------
	- base-config		no need to modify config!
	- dhcp-client		no DHCP required
	- ed			don't like that editor 
	- fdutils		no floppy stuff required
	- ipchains		iptables since Kernel 2.4+
	- lilo			will install grub
	- mbr			not required
	- modconf		I know my modules 
	- pciutils		not required
	- ppp			permanent connection
	- pppconfig		permanent connection
	- pppoe			permanent connection
	- pppoeconf		permanent connection
	- setserial		not required
	- tasksel		I prefer apt-get and dpkg 
----------------------------------------------------------------------
You might need DHCP and PPP stuff so remove only those you don't really require.
 
Old 05-25-2003, 05:01 AM   #4
markus1982
configuring apt & installation of additional software

Before we can install the software we need to configure APT:
Code:
----------------------------------------------------------------------
configured apt					 [ /etc/apt/apt.conf ]
----------------------------------------------------------------------

	mkdir /var/cache/apt/tmp
	created /etc/apt/apt.conf

	APT
	{
		// ExtractTemplates
		ExtractTemplates
		{
			// standard is /tmp which is mounted noexec
			TempDir "/var/cache/apt/tmp";
		}
	};
----------------------------------------------------------------------




----------------------------------------------------------------------
reconfigured apt sources		     [ /etc/apt/sources.list ]
----------------------------------------------------------------------

# ====================================================================
# base system
# --------------------------------------------------------------------
deb http://ftp.de.debian.org/debian/ stable main
deb http://non-us.debian.org/debian-non-us stable/non-US main
# ====================================================================



# ====================================================================
# security updates
# --------------------------------------------------------------------
deb http://security.debian.org/ stable/updates main
# ====================================================================

----------------------------------------------------------------------
You may wonder why I moved the temporary directory away from /tmp? Well, apt-get relies on executing scripts, and since /tmp is noexec you have no chance to execute anything there, ergo we need to move it to a new path.

Now we can install the software we require:
Code:
----------------------------------------------------------------------
installed additional software (no configuration required)
----------------------------------------------------------------------
	+ bzip2			used for compression, etc
	+ dump			for easing backups using images 
	+ ftp-ssl		used for secure ftp communication
	+ libdate-calc-perl	required for pflogsumm
	+ mutt			mail user agent
	+ openssl		ssl 
	+ sudo			no comment 
	+ traceroute		no comment 
----------------------------------------------------------------------
You might not need traceroute, mutt or dump. So install those only if you require those!

Last edited by markus1982; 05-25-2003 at 05:03 AM.
 
Old 05-25-2003, 05:11 AM   #5
markus1982
what's next ?

Next step to take is to install grub!

Last edited by markus1982; 05-25-2003 at 05:13 AM.
 
Old 05-25-2003, 05:16 AM   #6
markus1982
more additional software (configuration required though)

Well now you have a nice bootloader and next step is of course to install some more software. Replace EXIM with a more performant MTA, etc:
Code:
----------------------------------------------------------------------
installed less
----------------------------------------------------------------------
	Application/* as mime handler
----------------------------------------------------------------------




----------------------------------------------------------------------
installed ntpdate
----------------------------------------------------------------------
	ntp-servers: ntp0.fau.de ptbtime1.ptb.de
----------------------------------------------------------------------




----------------------------------------------------------------------
installed pflogsumm (backported package)
----------------------------------------------------------------------
	created backport of pflogsumm at other host:
		apt-get source -b pflogsumm


	installed backported package:
		dpkg -i packages/pflogsumm/*.deb
----------------------------------------------------------------------




----------------------------------------------------------------------
installed postfix (backported package)
----------------------------------------------------------------------
	downloaded following backported packages of Postfix from
		http://people.debian.org/~nobse/debian/woody/

		backported/libdb4.1/libdb4.1_4.1.25-1.nobse.*.deb
		backported/postfix/postfix-pcre*.deb
		backported/postfix/postfix-tls*.deb
		backported/postfix/postfix_2.0.9-0.nobse.*.deb

	dpkg --purge exim
	dpkg -i packages/libdb4.1/*.deb
	dpkg -i packages/postfix/*.deb

	No configuration

	/usr/bin/newaliases
----------------------------------------------------------------------




----------------------------------------------------------------------
installed slocate
----------------------------------------------------------------------
	/etc/cron.daily/slocate
----------------------------------------------------------------------




----------------------------------------------------------------------
installed and secured ssh
----------------------------------------------------------------------
	Allow SSH protocol 2 only
	Do NOT install /usr/lib/ssh-keysign SUID root


	added/changed following in /etc/ssh/sshd_config:

	AllowGroups				users
	ChallengeResponseAuthentication		no
	ClientAliveInterval			15
	ClientAliveCountMax			4
	DenyGroups				root
	DenyUsers				root
	KeepAlive				no
	KeyRegenerationInterval			900
	ListenAddress				192.168.0.82:22
	LoginGraceTime				15
	MaxStartups				5:50:100
	PasswordAuthentication			no
	PermitRootLogin				no
	PubkeyAuthentication			yes
	RSAAuthentication			no
	ServerKeyBits				1024


	I'm restricting which users are able to log in using PAM, so
	I inserted the following as the 1st line of /etc/pam.d/ssh
	
	auth       required     pam_listfile.so \
				sense=allow \
				onerr=fail \
				item=user \
				file=/etc/ssh/allowed_users

	echo "markus" > /etc/ssh/allowed_users



	I've created a second SSH instance which will be accessible
	only from the internal network and by 1 person. The server
	is listening on an unassigned high port:

		cp /etc/ssh/sshd_config /etc/ssh/sshd_config_hp
		cp /etc/init.d/ssh /etc/init.d/ssh_hp
		update-rc.d ssh_hp start 20 2 3 4 5 . stop 20 0 1 6 .


	adjusted /etc/ssh/sshd_config_hp:

		AllowUsers	markus
		ListenAddress	192.168.0.82:49150
		PidFile		/var/run/sshd_hp.pid


	adjusted /etc/init.d/ssh_hp:

		x added "-f /etc/ssh/sshd_config_hp" to the config test
		x changed /var/run/sshd.pid to /var/run/sshd_hp.pid
		x added "-- -f /etc/ssh/sshd_config_hp" to
		  start-stop-daemon commands
----------------------------------------------------------------------




----------------------------------------------------------------------
installed uptimed
----------------------------------------------------------------------
	20 records to be kept
	never send mail
----------------------------------------------------------------------




----------------------------------------------------------------------
installed xinetd
----------------------------------------------------------------------
	do NOT convert /etc/inetd.conf to /etc/xinetd.conf

	created secure xinetd default configuration
						   [ /etc/xinetd.conf ]
		defaults
		{
			bind		= 127.0.0.1
			cps		= 64 5
			instances	= 255
			log_on_failure	= HOST ATTEMPT
			log_on_success	= PID
			log_type	= SYSLOG authpriv
			only_from	= 
			per_source	= 2
		}

		includedir /etc/xinetd.d


	mkdir /etc/xinetd.d
----------------------------------------------------------------------
Now everything for the bare base system is installed. Configuration is not done yet though (except for the ones that got freshly installed and don't have a lot of configuration lines). Remember: this needs to be ADJUSTED TO YOUR SYSTEM.
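A lint for the sshd_config changes above, added here as an example (not code from the original post). sshd refuses to start on a keyword it does not recognise ("Bad configuration option"), so a typo in a hardening directive either takes the service down or, if the old daemon is left running, silently keeps the weaker setting; the check below flags unknown keywords, duplicates (sshd uses the first value) and deviations from the policy the post describes. `KNOWN_KEYWORDS` is only the subset of OpenSSH keywords needed for this thread, and the sample config is constructed from the post's directives, typos included.

```python
"""Lint an sshd_config before (re)starting sshd.

Added example, not code from the original post.  KNOWN_KEYWORDS is a subset
of OpenSSH keywords sufficient for this thread; SAMPLE_CONFIG is constructed.
"""

KNOWN_KEYWORDS = {
    "AllowGroups", "AllowUsers", "ChallengeResponseAuthentication",
    "ClientAliveCountMax", "ClientAliveInterval", "DenyGroups", "DenyUsers",
    "KeepAlive", "KeyRegenerationInterval", "ListenAddress", "LoginGraceTime",
    "MaxStartups", "PasswordAuthentication", "PermitRootLogin", "PidFile",
    "Port", "Protocol", "PubkeyAuthentication", "RSAAuthentication",
    "ServerKeyBits",
}
# Keywords sshd lets you give several times (their values accumulate).
REPEATABLE = {"AllowGroups", "AllowUsers", "DenyGroups", "DenyUsers",
              "ListenAddress", "Port"}
# Hardening expectations taken from the post (keyword -> required value).
POLICY = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}

def parse_sshd_config(text):
    """Yield (lineno, keyword, value) for every directive; comments skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        yield lineno, parts[0], value

def lint_sshd_config(text, policy=POLICY):
    """Return a list of problem strings; an empty list means the file is clean."""
    problems, seen = [], {}
    by_lower = {k.lower(): k for k in KNOWN_KEYWORDS}  # keywords are case-insensitive
    for lineno, keyword, value in parse_sshd_config(text):
        canonical = by_lower.get(keyword.lower())
        if canonical is None:
            problems.append(
                f"line {lineno}: unknown keyword '{keyword}' (sshd will refuse to start)")
        elif canonical in seen and canonical not in REPEATABLE:
            # sshd keeps the first value, so a later "fix" has no effect
            problems.append(
                f"line {lineno}: '{canonical}' repeated; sshd uses the first value {seen[canonical]!r}")
        else:
            seen.setdefault(canonical, value)
    for keyword, wanted in policy.items():
        actual = seen.get(keyword)
        if actual is None:
            problems.append(f"'{keyword}' not set; policy requires {wanted!r}")
        elif actual.lower() != wanted:
            problems.append(f"'{keyword}' is {actual!r}; policy requires {wanted!r}")
    return problems

# Constructed from the post's sshd_config, misspellings included.
SAMPLE_CONFIG = """\
Protocol 2
AllowGroups users
ChallengeResponseAuthentication no
DenyUsers root
ListenAddress 192.168.0.82:22
LoginGraceTime 15
MaxStartups 5:50:100
PasswordAuthentification no
PermitRootLogin no
PubkeyAuthentication yes
RSAAuthentification no
"""

if __name__ == "__main__":
    for problem in lint_sshd_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

On the host itself, `sshd -t -f /etc/ssh/sshd_config_hp` is the authoritative check to run before the second instance is started.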
 
Old 05-25-2003, 05:59 AM   #8
markus1982
It's time to put up some restrictions:
Code:
----------------------------------------------------------------------
restricting console login access		    [ /etc/securetty ]
----------------------------------------------------------------------
	removed all except tty1
----------------------------------------------------------------------




----------------------------------------------------------------------
disabling system reboots through console              [ /etc/inittab ]
----------------------------------------------------------------------
	commented shutdown -t1 line out
----------------------------------------------------------------------




----------------------------------------------------------------------
providing secure user access
----------------------------------------------------------------------
	user authentication: PAM
						  [ /etc/pam.d/login ]
		disallow zero length passwords
		use md5
		password length min=8, max=64
		user limits (pam_limits.so)

						     [ /etc/pam.d/su ]
		addgroup wheel
		allow only users of group wheel to become root

		use access denied for other applications that are
		supporting pam			  [ /etc/pam.d/other ]

			auth     required       pam_deny.so
			account  required       pam_deny.so
			password required       pam_deny.so
			session  required       pam_deny.so


	limiting resource usage 	 [ /etc/security/limits.conf ]

		*		hard	 core		 0
		*		-	 maxlogins	 3
		markus		-	 maxlogins	 4


	user login actions			   [ /etc/login.defs ]
		FAIL_DELAY		60
		FAILLOG_ENAB		yes
		LOG_UNKFAIL_ENAB	yes
		PASS_MAX_LEN		64


	disallow remote administrative access
	non-root logins are disallowed on console #1
					  [ /etc/security/access.conf ]
		-:wheel:ALL EXCEPT LOCAL
		-:ALL EXCEPT root:tty1


	setting users umasks			       [ /etc/profile,
					      /etc/skel/.bash_profile ]
		umask 077


	limiting access to other users' information
						  [ /etc/adduser.conf ]
		DIR_MODE = 0700
----------------------------------------------------------------------




----------------------------------------------------------------------
file system control (setuid check)	   [ /etc/checksecurity.conf ]
----------------------------------------------------------------------
	CHECKSECURITY_EMAIL	linux-admins@example.com

changed CHECKSECURITY_DEVICEFILTER:
CHECKSECURITY_DEVICEFILTER="-path /dev/ptmx -o -path /dev/tty*"
----------------------------------------------------------------------




----------------------------------------------------------------------
secured network access
----------------------------------------------------------------------

using /etc/host.conf:
	- adding spoofing protection
		nospoof on

	- adding spoofing alert
		spoofalert on



using /etc/sysctl.conf:

	filesystem tuning:
	- max open files [ (ram/4) * 256 ]
		fs/file-max = 24576

	more restrictive interface default setting (no router):
	- don't accept ICMP redirect messages
		net/ipv4/conf/default/accept_redirects = 0

	- don't accept packets with SRR option
		net/ipv4/conf/default/accept_source_route = 0

	- disable ip forwarding as interface default
		net/ipv4/conf/default/forwarding = 0

	- log packets with impossible addresses
		net/ipv4/conf/default/log_martians = 1

	- proxy arp
		net/ipv4/conf/default/proxy_arp = 0

	- enable source validation by reversed paths
		net/ipv4/conf/default/rp_filter = 1

	- accept ICMP redirect messages only for default gateways
		net/ipv4/conf/default/secure_redirects = 1

	- don't send redirects
		net/ipv4/conf/default/send_redirects = 0


	ipv4 general settings:
	- ignore ICMP ECHO requests sent to multicast / broadcast
		net/ipv4/icmp_echo_ignore_broadcasts = 1

	- enable bad error protection (avoid logging of RFC 1122
	  router violations)
		net/ipv4/icmp_ignore_bogus_error_responses = 1

	- don't forward packets between interfaces
		net/ipv4/ip_forward = 0

	- time to hold packet in state if we closed the connection
		net/ipv4/tcp_fin_timeout = 30

	- interval to send out probes
		net/ipv4/tcp_keepalive_intvl = 60

	- keep alive probes until connection is declared as broken
		net/ipv4/tcp_keepalive_probes = 3

	- interval to send out keepalive messages
		net/ipv4/tcp_keepalive_time = 1800

	- no selective acknowledgements
		net/ipv4/tcp_sack = 0

	- send out syncookies when the syn backlog queue of a socket
	  overflows (prevention against syn flood attack)
		net/ipv4/tcp_syncookies = 1

	- timestamps as defined in RFC1323
		net/ipv4/tcp_timestamps = 0

	- window scaling as defined in RFC1323
		net/ipv4/tcp_window_scaling = 0

	sysctl -p
----------------------------------------------------------------------




----------------------------------------------------------------------
created sudo entries (basic tasks)
----------------------------------------------------------------------

# Host alias specification


# User alias specification
User_Alias	ADMIN =		markus


# Cmnd alias specification
Cmnd_Alias	A_DUMPS =	/sbin/dump, \
				/sbin/restore
Cmnd_Alias	A_HALT =	/sbin/halt
Cmnd_Alias	A_REBOOT =	/sbin/reboot
Cmnd_Alias	A_SHUTDOWN =	/sbin/shutdown


# User privilege specification
ADMIN	ALL=	A_DUMPS, A_HALT, A_REBOOT, A_SHUTDOWN, \
		/etc/init.d/, \
		/usr/local/sbin/
root	ALL=(ALL) ALL

----------------------------------------------------------------------
Who should be permitted to use cron? Nobody by default:
Code:
----------------------------------------------------------------------
secured cron
----------------------------------------------------------------------
	touch /etc/cron.allow
	echo "all" > /etc/cron.deny
----------------------------------------------------------------------
As you know, you should run with the minimum number of services and have a minimum of ports open, so disable stuff that is not required:
Code:
----------------------------------------------------------------------
disabled inetd services
----------------------------------------------------------------------
	update-inetd --disable daytime
	update-inetd --disable discard
	update-inetd --disable time
----------------------------------------------------------------------
Inactive users should not be tolerated for a long time. Just think of somebody SSHing remotely to the server, going outside for a beer and leaving SSH open forever ... this shouldn't be the case but it happens. Kick idle users after 60 seconds:
Code:
----------------------------------------------------------------------
configured pam_env			[ /etc/security/pam_env.conf ]
----------------------------------------------------------------------
	TMOUT		DEFAULT=60
----------------------------------------------------------------------

Last edited by markus1982; 05-25-2003 at 07:13 AM.
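An audit for the /etc/sysctl.conf settings above, added as an example (not code from the original post). It accepts both key spellings sysctl(8) understands (`net/ipv4/ip_forward` as written in the post and `net.ipv4.ip_forward`), maps a key to its /proc/sys file so the running kernel can be compared too, and reproduces the post's fs/file-max rule of thumb ((RAM/4) * 256). The sample sysctl.conf is constructed.

```python
"""Audit /etc/sysctl.conf against the hardening values in the post.

Added example, not code from the original post.  SAMPLE_SYSCTL is constructed.
"""

# Anti-spoofing / no-router settings listed in the post (value after sysctl -p).
EXPECTED = {
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.default.forwarding": "0",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.tcp_syncookies": "1",
}

def file_max_for_ram(ram_mb):
    """Post's rule: fs/file-max = (RAM in MB / 4) * 256; 384 MB gives its 24576."""
    return (ram_mb // 4) * 256

def normalize_key(key):
    """Canonical dotted form.  sysctl accepts '/' and '.' as separators; none of
    the keys used here contain a literal '.' in slash notation, so a plain
    replace is sufficient."""
    return key.strip().replace("/", ".")

def proc_path(key):
    """/proc/sys file that holds the live value of a sysctl key."""
    return "/proc/sys/" + normalize_key(key).replace(".", "/")

def parse_sysctl_conf(text):
    """Return {dotted_key: value}; a later line overrides an earlier one,
    which is also what 'sysctl -p' ends up applying."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:  # '#' and ';' start comments
            continue
        key, _, value = line.partition("=")
        settings[normalize_key(key)] = value.strip()
    return settings

def audit_sysctl(text, expected=EXPECTED):
    """Return {key: (actual_or_None, wanted)} for every expected key that is
    missing from the file or set to a different value."""
    settings = parse_sysctl_conf(text)
    return {key: (settings.get(key), wanted)
            for key, wanted in expected.items() if settings.get(key) != wanted}

SAMPLE_SYSCTL = """\
# constructed sample: the post's slash notation mixed with dotted keys
fs/file-max = 24576
net/ipv4/conf/default/accept_redirects = 0
net/ipv4/conf/default/accept_source_route = 0
net.ipv4.conf.default.forwarding = 0
net/ipv4/conf/default/log_martians = 1
net/ipv4/conf/default/rp_filter = 1
net/ipv4/conf/default/send_redirects = 0
net/ipv4/icmp_echo_ignore_broadcasts = 1
; a later edit turned forwarding back on; the audit must catch it
net/ipv4/ip_forward = 1
net/ipv4/tcp_syncookies = 1
"""

if __name__ == "__main__":
    for key, (actual, wanted) in audit_sysctl(SAMPLE_SYSCTL).items():
        print(f"{key}: is {actual!r}, should be {wanted!r}  (live value: {proc_path(key)})")
    print("fs.file-max for 384 MB RAM:", file_max_for_ram(384))
```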
 
Old 05-25-2003, 07:14 AM   #9
markus1982
Now you should set up some kind of policy and have every admin sign it. At the system you could use something like:
Code:
----------------------------------------------------------------------
adjusted /etc/motd
----------------------------------------------------------------------

Unauthorized access to this server is prohibited! Everything which has
not been explicitly allowed is unauthorized usage.

All activities are monitored and logged. There is NO RIGHT for privacy
on this system. Unauthorized access and activities or any criminal
activity in general will be reported to appropriate authorities
without any exceptions! Don't cry - you have been warned!

----------------------------------------------------------------------




----------------------------------------------------------------------
adjusted /etc/default/rcS
----------------------------------------------------------------------
	EDITMOTD=no
----------------------------------------------------------------------
 
Old 05-25-2003, 07:16 AM   #10
markus1982
Now that the whole system has been properly configured and secured it's time to secure all permissions:
Code:
----------------------------------------------------------------------
secured permissions
----------------------------------------------------------------------
	groupadd docs


	find /home -type f -name .bash_logout \
		-exec chattr -i {} \; \
		-exec chown root:users {} \; \
		-exec chmod 750 {} \; \
		-exec chattr +i {} \;


	chmod go-rwx -R \
		/etc/skel


	chmod o-rwx -R \
		/boot \
		/etc/adduser.conf \
		/etc/aide \
		/etc/apt \
		/etc/checksecurity.conf \
		/etc/cron.d \
		/etc/cron.daily \
		/etc/cron.monthly \
		/etc/cron.weekly \
		/etc/crontab \
		/etc/deluser.conf \
		/etc/dpkg \
		/etc/fstab \
		/etc/gateways \
		/etc/grsec \
		/etc/host.conf \
		/etc/hosts.* \
		/etc/init.d \
		/etc/logcheck \
		/etc/modules \
		/etc/network \
		/etc/ppp \
		/etc/rc* \
		/etc/securetty \
		/etc/shells \
		/etc/ssh \
		/etc/sysctl.conf \
		/etc/syslog.conf \
		/etc/xinetd.conf \
		/etc/xinetd.d \
		/lib/iptables \
		/lib/modules \
		/root \
		/usr/lib/apt \
		/usr/lib/dpkg \
		/usr/share/doc* \
		/usr/share/info \
		/usr/share/man \
		/var/cache/apt \
		/var/lib/aide \
		/var/lib/apt \
		/var/lib/dpkg \
		/var/lib/iptables \
		/var/lib/logcheck \
		/var/log/aide


	chmod 640 \
		/var/log/faillog


	chmod 664 \
		/var/log/wtmp


	chmod 750 \
		/bin/df \
		/bin/dmesg \
		/bin/mknod \
		/bin/mount \
		/bin/mt \
		/bin/netstat \
		/bin/ping \
		/bin/umount \
		/bin/uname \
		/sbin/MAKEDEV \
		/sbin/badblocks \
		/sbin/cfdisk \
		/sbin/debugfs \
		/sbin/depmod \
		/sbin/dumpe2fs \
		/sbin/e2image \
		/sbin/fdisk \
		/sbin/fsck* \
		/sbin/genksyms \
		/sbin/grub* \
		/sbin/halt \
		/sbin/hwclock \
		/sbin/ifconfig \
		/sbin/ifdown \
		/sbin/ifup \
		/sbin/init \
		/sbin/insmod \
		/sbin/ip6tables* \
		/sbin/iptables* \
		/sbin/ippool \
		/sbin/killall5 \
		/sbin/klogd \
		/sbin/ldconfig \
		/sbin/mii-tool \
		/sbin/mke2fs \
		/sbin/mkfs* \
		/sbin/mkswap \
		/sbin/modinfo \
		/sbin/modprobe \
		/sbin/route \
		/sbin/runlevel \
		/sbin/sfdisk \
		/sbin/shutdown \
		/sbin/swapon \
		/sbin/sysctl \
		/sbin/syslogd \
		/sbin/resize2fs \
		/sbin/tune2fs \
		/sbin/update-grub \
		/sbin/update-modules \
		/usr/bin/apt* \
		/usr/bin/dpkg* \
		/usr/bin/traceroute \
		/usr/bin/uprecords \
		/usr/sbin/adduser \
		/usr/sbin/atd \
		/usr/sbin/atrun \
		/usr/sbin/checksecurity \
		/usr/sbin/deluser \
		/usr/sbin/dpkg* \
		/usr/sbin/groupadd \
		/usr/sbin/groupdel \
		/usr/sbin/groupmod \
		/usr/sbin/grpck \
		/usr/sbin/grpconv \
		/usr/sbin/grpunconv \
		/usr/sbin/inetd \
		/usr/sbin/logcheck \
		/usr/sbin/logrotate \
		/usr/sbin/lsof \
		/usr/sbin/newusers \
		/usr/sbin/ntpdate \
		/usr/sbin/pwck \
		/usr/sbin/pwconv \
		/usr/sbin/pwunconv \
		/usr/sbin/rdev \
		/usr/sbin/tcpd \
		/usr/sbin/tcpdchk \
		/usr/sbin/tcpdmatch \
		/usr/sbin/tunelp \
		/usr/sbin/useradd \
		/usr/sbin/userdel \
		/usr/sbin/usermod \
		/usr/sbin/vipw


	chmod 4750 \
		/usr/bin/gpasswd


	chmod 6750 \
		/sbin/dump \
		/sbin/restore


	chown root:adm \
		/var/log/faillog


	chown root:docs -R \
		/usr/share/doc* \
		/usr/share/info \
		/usr/share/man


	chown root:root -R \
		/etc/xinetd.*


	chown root:utmp \
		/var/log/wtmp


	chown root:wheel \
		/usr/bin/uprecords


	chattr -R +i \
		/bin \
		/sbin \
		/usr/bin \
		/usr/local/bin \
		/usr/local/sbin \
		/usr/sbin

	chattr +u \
		/var/log/wtmp
----------------------------------------------------------------------
Now you need to reinitialize the AIDE databases as described in this thread!
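The chmod steps above work out on paper as follows, in an added example that is not code from the original post: `apply_symbolic()` implements the part of chmod(1)'s symbolic grammar the thread uses (`[ugoa]*[+-][rwxst]*`, comma-separated) and `describe()` decodes numeric modes such as 4750 and 6750, so the effect of each step can be checked before it is run on a server. It assumes umask 0 (a clause without a "who" part acts on all of ugo) and the initial modes listed are constructed, typical Debian defaults.

```python
"""Compute the effective mode produced by the chmod steps in the post.

Added example, not code from the original post.  Assumes umask 0; the
initial modes in STEPS are constructed, typical defaults.
"""
import stat

SHIFT = {"u": 6, "g": 3, "o": 0}
RWX = {"r": 4, "w": 2, "x": 1}

def _clause_bits(who, perms):
    """Translate one who/perms pair into a mode bitmask."""
    bits = 0
    for w in who:
        for p in perms:
            if p in RWX:
                bits |= RWX[p] << SHIFT[w]
            elif p == "s" and w == "u":
                bits |= stat.S_ISUID
            elif p == "s" and w == "g":
                bits |= stat.S_ISGID
    if "t" in perms:            # the sticky bit is not per-who
        bits |= stat.S_ISVTX
    return bits

def apply_symbolic(mode, spec):
    """Apply comma-separated clauses such as 'o-rwx', 'g-sw' or '+t' to mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"
        who = "ugo" if "a" in who else who
        op, perms = clause[i:i + 1], clause[i + 1:]
        if op not in ("+", "-") or not set(perms) <= set("rwxst"):
            raise ValueError(f"unsupported clause {clause!r}")
        bits = _clause_bits(who, perms)
        mode = mode | bits if op == "+" else mode & ~bits
    return mode

def describe(mode):
    """Return (rwx string, [special bits]) for a numeric mode, e.g. 0o4750."""
    special = [name for flag, name in ((stat.S_ISUID, "setuid"),
                                       (stat.S_ISGID, "setgid"),
                                       (stat.S_ISVTX, "sticky")) if mode & flag]
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))[1:], special

# The post's symbolic steps applied to constructed starting modes.
STEPS = [
    ("/home",      0o755,  "o-rwx"),   # chmod o-rwx /home
    ("/tmp",       0o777,  "+t"),      # chmod 777 /tmp; chmod +t /tmp
    ("/usr/local", 0o2775, "g-sw"),    # chmod g-sw -R /usr/local
    ("/etc/skel",  0o755,  "go-rwx"),  # chmod go-rwx -R /etc/skel
]

def run_steps(steps=STEPS):
    """Return {path: resulting_mode} for each (path, initial_mode, clause)."""
    return {path: apply_symbolic(mode, spec) for path, mode, spec in steps}

if __name__ == "__main__":
    for path, result in run_steps().items():
        print(f"{path:<12} -> {result:04o} {describe(result)}")
    # Numeric modes from the post.  Note that "chmod 750" on a regular file
    # such as /bin/mount also clears the setuid bit it normally carries (4755),
    # which is the intent: only root can mount afterwards.
    for path, mode in (("/usr/bin/gpasswd", 0o4750), ("/sbin/dump", 0o6750),
                       ("/bin/mount", 0o750)):
        print(f"{path:<16} {mode:04o} {describe(mode)}")
```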
 
Old 05-25-2003, 06:24 PM   #11
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
markus,

/var/tmp defaults,nodev,nosuid

Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?

- timestamps as defined in RFC1323
net/ipv4/tcp_timestamps = 0

- window scaling as defined in RFC1323
net/ipv4/tcp_window_scaling = 0

Is there a specific problem with these? I did a quick search (just looked at the first couple from Google) and didn't see too much, at least not an explanation. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?

Thanks,
chris
 
Old 05-25-2003, 06:26 PM   #12
bastard23
Oh, and good show. Nice to see stuff like this.

Thanks again,
chris
 
Old 05-25-2003, 06:39 PM   #13
markus1982
Quote:
/var/tmp defaults,nodev,nosuid
Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?
noexec because of /tmp attacks. Remember tmp is writable by EVERYBODY. I know that you can circumvent that and it offers no real protection, but at least it will keep pretty lame people (= script kiddies) out. They'll play somewhere else if their stuff which requires /tmp to be exec doesn't work.

regarding /var/tmp and /tmp:
Quote:
Filesystem Hierarchy Standard: 5.15 /var/tmp : Temporary files preserved between system reboots
The /var/tmp directory is made available for programs that require temporary files or directories that are preserved between system reboots. Therefore, data stored in /var/tmp is more persistent than data in /tmp.
Files and directories located in /var/tmp must not be deleted when the system is booted. Although data stored in /var/tmp is typically deleted in a site-specific manner, it is recommended that deletions occur at a less frequent interval than /tmp
Quote:
- timestamps as defined in RFC1323
net/ipv4/tcp_timestamps = 0

- window scaling as defined in RFC1323
net/ipv4/tcp_window_scaling = 0

Is there a specific problem with theses? Did quick search (just looked at the first couple from google,) and didn't see too much, at least not a explaination. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?
Well, there is not really a problem with this. It's tuning to be honest. But it also defeats Nmap's uptime detection AFAIK. I can't remember the docs I got that from ... but a Google search highlighted it again:

http://linuxperf.nl.linux.org/general/kerneltuning.html
http://ruka12.tripod.com/performance.html


Regarding tcp_window_scaling:
http://www.checkpoint.com/techsuppor...rformance.html

Last edited by markus1982; 05-25-2003 at 06:42 PM.
 
Old 06-19-2003, 06:50 AM   #14
Salz
LQ Newbie
 
Registered: Jun 2003
Distribution: Debian
Posts: 23

Rep: Reputation: 15
Well, it looks a little bit short and misses a lot of explanations (e.g. that the desktop user should be in group docs).
Quote:
All activities are monitored and logged.
You probably might want to check this part of your /etc/motd with your lawyer first, too

For more in-depth coverage I suggest reading the Securing Debian Manual.
 
Old 06-19-2003, 07:00 AM   #15
markus1982
Quote:
Well, it looks a little bit short and misses a lot of explanations (e.g. that the desktop user should be in group docs)
Well, I shouldn't call it a HOWTO. I should call it a "changelog", because that is what it REALLY is. It focuses on using Debian as a SERVER without any GUI!

Quote:
You probably might want to check this part of your /etc/motd with your lawyer first, too
Probably :-)
 
  

