LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-31-2010, 02:31 PM   #1
inara72
Need advice on security, SSH, security policies

We have a 30-computer network: one Small Business Server and 29 workstations, and we have 10 servers hosted in a data center (running on Red Hat Enterprise Servers).
Communication normally takes place between the SBS server and the 29 clients (internal); between the 29 clients and the 10 data center servers through SSH; between external clients accessing the 10 servers at the data center; and between external clients accessing the SBS server and the 29 workstations.
We are also running Apache web server, QMail and MySQL server on our data center servers.
I need advice on what will be the best practice to secure all these communications: between internal/external clients and data center servers, between external clients and the SBS server/internal clients, and within our office network.
Currently none of our communication within the network is secure: we access the Red Hat servers in the data center through simple SSH, and external clients access the data center and our office through remote logins and SSH.
So how can security be implemented internally as well as remotely (accessing data center servers & external clients)?
Please be as brief as possible.
 
Old 01-31-2010, 05:33 PM   #2
tronayne
First off, unless you're absolutely certain that your SBS installation is secure (i.e., it's running with SSL and SSH), I'd give serious consideration to replacing it with a Linux server -- there just isn't all that much that SBS can do that cannot be done at least as well (and probably more securely) with Linux, SSL and SSH. If that's not practical, you may want to consider a VPN setup, although that may be more expense and trouble than it's worth unless it's done at your router(s) with RSA security tokens or the like for any external (i.e., outside the building) authorized users, employee or not.

One simple thing you can do is make sure your site does not respond to ping; if the bad actors don't know you're there, they're not going to bother you quite as much. That doesn't mean that you're not going to be probed, however, so make certain that your system logs are scanned at least weekly to identify sshd and other probes; add any site that has done that to your /etc/hosts.deny file and/or your iptables database -- identify the domain the probe is coming from (with whois) and simply deny access to the entire domain. Here are a few that I block because I've had multiple probes and break-in attempts from them:
Code:
# Drop all inbound traffic from each listed source network.
# The source must be a full dotted quad plus prefix length; iptables
# rejects an abbreviated address such as 200.169.98/24.
iptables -A INPUT -s 74.6.0.0/16 -j DROP
iptables -A INPUT -s 200.169.98.0/24 -j DROP
iptables -A INPUT -s 149.20.0.0/16 -j DROP
iptables -A INPUT -s 208.53.128.0/18 -j DROP
I also completely block China and Korea, based simply on experience with attempts from those countries, and I do not do business with either.

You should be running any web-based applications with Apache security; i.e., the web address is https-something, not -- internal or external -- http. Your MySQL server(s) should be locked down with individual passwords (not internal or external site-wide passwords); make sure that administration has at least executed mysql_secure_installation on every one of your MySQL servers (and that the test database has been removed from MySQL). There should be zero access to any MySQL database without a user id and password. Use individual accounts and passwords for all employees, administrators or not (although that is somewhat impractical for those who absolutely require root access).

You should already be aware that Microsoft products are to be assumed insecure no matter what -- given a long, long history of intrusion along with extensive and expensive damage, it may be better to be safe than sorry and simply migrate everything to Linux. I'm not being prejudiced here; I've been burned and I didn't much like it. I also got real tired of spending hundreds if not thousands of dollars to protect computers from things that should never have existed in the first place had the vendor done a professional job. Essentially, Microsoft products have never been secure and I don't expect them ever to be -- it's your money and it's your data, you decide.

Never, under any circumstance, allow a vendor or client to plug a computer into your network, particularly a Microsoft computer. Do not allow anyone -- internal or external -- to plug in a flash drive, floppy disk, CD-ROM or DVD unless it has first been scanned by your system administrators. Don't allow people to tote floppies, CDs, DVDs and especially flash drives back and forth. If you're using wi-fi, it must be password-protected; better yet, hard-wired is always more secure than wi-fi.

The combination of SSL and SSH is about as secure as you can practically get if you insist that all access to any computer in your facility is done only with SSH. When you use Apache securely, you're using SSL and SSH, and you simply insist that all outside access is done with proper user identification and password. That means that any new user is stopped at the front page and either enters a known user id and password or requests a new account, in which case you go through establishing the account with human review before replying with a validation (one of those "click here to validate your account" e-mails). It's worth setting up account numbers and it's really worth having passwords expire periodically (monthly is good, quarterly is less annoying, but remember that it's your system and act accordingly). You should use PAM or some other utility to insist on "good" passwords, and don't let anybody re-use previous passwords. If an employee is discharged or leaves voluntarily, lock every account they use during the exit interview.

If you insist on permitting Microsoft products internally, make sure they're as secure as you can get them -- every box must be updated when Microsoft issues security patches, every box must be running McAfee, Norton or some other favorite security software (and kept up-to-date, no excuses). No user should have administrative privileges; i.e., no user can install software on the box. In any event, schedule runs of the security software and audit periodically to assure that there isn't "foreign," user- or bad-guy-installed software on your Microsoft systems.

Bottom line is that you can pretty much trust SSH -- but you have to actually use it; establish standards and stick to them, no exceptions.

Hope this helps some.
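A worked example of the weekly log scan described in the post above, added here and not part of tronayne's reply: it counts sshd failed-auth events per source IP in a constructed auth.log sample, skips an assumed office allow-list (192.0.2.0/24, chosen for the example), and emits matching /etc/hosts.deny entries and per-host iptables DROP rules in the same form as the rules quoted above.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of OpenSSH auth log lines (documentation-range addresses).
SAMPLE_LOG = """\
Jan 31 02:11:03 dc1 sshd[2231]: Failed password for root from 203.0.113.45 port 52211 ssh2
Jan 31 02:11:05 dc1 sshd[2231]: Failed password for root from 203.0.113.45 port 52213 ssh2
Jan 31 02:11:09 dc1 sshd[2235]: Failed password for invalid user admin from 203.0.113.45 port 52220 ssh2
Jan 31 02:11:12 dc1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.45 port 52222 ssh2
Jan 31 02:11:40 dc1 sshd[2240]: Invalid user test from 198.51.100.7
Jan 31 02:11:41 dc1 sshd[2240]: Failed password for invalid user test from 198.51.100.7 port 40011 ssh2
Jan 31 08:02:17 dc1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
Jan 31 08:05:00 dc1 sshd[2310]: Failed password for deploy from 192.0.2.10 port 50130 ssh2
"""

# Matches the two sshd messages that indicate a failed or bogus login attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)")

# Assumed office range that must never be blocked, even after a typo'd password.
ALLOWLIST = [ip_network("192.0.2.0/24")]

def failed_attempts(log_text):
    """Count sshd failed-auth events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold=3):
    """Sources at or above the threshold, most active first, minus allow-listed nets."""
    result = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold and not any(ip_address(ip) in net for net in ALLOWLIST):
            result.append(ip)
    return result

def iptables_rules(ips):
    """Per-host DROP rules in the same form as the post's iptables lines."""
    return [f"iptables -A INPUT -s {ip}/32 -j DROP" for ip in ips]

def hosts_deny_lines(ips):
    """Matching TCP wrappers entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    bad = offenders(failed_attempts(SAMPLE_LOG))
    print("\n".join(hosts_deny_lines(bad) + iptables_rules(bad)))
```

Widening a /32 to the whole netblock, as the post does, is a judgement call best made after the whois lookup it mentions.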
 
Old 01-31-2010, 07:23 PM   #3
inara72
Thanks. That was great advice; I hope this will help our network a lot.
 
Old 01-31-2010, 07:56 PM   #4
nimnull22
Actually, another good idea, if it is possible, is to use MAC filtering in your network, and I would suggest putting a Linux firewall/filter in front of your network. I always think that a stand-alone firewall/filter is much better.
 
Old 02-01-2010, 06:49 AM   #5
tronayne
Quote:
Originally Posted by nimnull22
Actually, another good idea, if it is possible, is to use MAC filtering in your network, and I would suggest putting a Linux firewall/filter in front of your network. I always think that a stand-alone firewall/filter is much better.
Second that.

Another thing I forgot to mention is that you should consider shutting down (or not enabling) every port on your routers that is not necessary. With the routers I'm familiar with, you have to enable ports individually, and that's good. Routers that are wide-open by default, that's bad; shut 'em all down except the ones needed for your communications. Your routers are the front end to the world and you don't want to have people probing away through unnecessarily open ports in them.
 