README
Hi,
First I'd like to outline something from my README file:
Code:
----------------------------------------------------------------------
If you have a question about something, please quote ONLY the relevant part. This issue will be spread to different threads and maybe even different forums. I'll link those together though! BTW, you CAN'T copy that 1:1 and use it for your system. Like everything else it needs to be adjusted to your system. Just like network config, e-Mail addresses, etc. |
BASE INSTALL + MOVING DATA TO SPECIFIC PARTITIONS
Code:
----------------------------------------------------------------------
Code:
---------------------------------------------------------------------- |
getting rid of not required software
A secure system should have as little software on it as possible. Like you don't need a compiler or anything on it (and you shouldn't have one). Or would you like to provide an attacker with a full-featured tool set?
Code:
---------------------------------------------------------------------- |
configuring apt & installation of additional software
Before we can install the software we need to configure APT:
Code:
----------------------------------------------------------------------
Now we can install the software we require:
Code:
---------------------------------------------------------------------- |
what's next ?
Next step to take is to install grub!
|
more additional software (configuration required though)
Well now you have a nice bootloader and next step is of course to install some more software. Replace EXIM with a more performant MTA, etc:
Code:
---------------------------------------------------------------------- |
It's time to put up some restrictions:
Code:
----------------------------------------------------------------------
Code:
----------------------------------------------------------------------
Code:
----------------------------------------------------------------------
Code:
---------------------------------------------------------------------- |
Now you should set up some kind of policy and have every admin sign it. On the system you could use something like:
Code:
---------------------------------------------------------------------- |
Now that the whole system has been properly configured and secured it's time to secure all permissions:
Code:
---------------------------------------------------------------------- |
markus,
/var/tmp defaults,nodev,nosuid
Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?
- timestamps as defined in RFC1323 net/ipv4/tcp_timestamps = 0
- window scaling as defined in RFC1323 net/ipv4/tcp_window_scaling = 0
Is there a specific problem with these? Did a quick search (just looked at the first couple from Google) and didn't see too much, at least not an explanation. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?
Thanks, chris |
Oh, and good show. Nice to see stuff like this.
Thanks again, chris |
Quote:
regarding /var/tmp and /tmp:
Quote:
Quote:
http://linuxperf.nl.linux.org/general/kerneltuning.html
http://ruka12.tripod.com/performance.html
Regarding tcp_window_scaling:
http://www.checkpoint.com/techsuppor...rformance.html |
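The mount-option question raised above can be checked mechanically. The following is an added example, not part of the original thread or README: a shell function that reads fstab-format lines and reports which of nodev, nosuid and noexec are missing on /tmp and /var/tmp. The function names, device names and filesystem type in the sample are constructed; only the /var/tmp option string is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit temp-filesystem mount options.

# Options the audit looks for; noexec is the one asked about in the thread.
WANTED="nodev nosuid noexec"

# Constructed sample input in fstab format. Devices and fs type are made up;
# the /var/tmp options are the ones quoted in the thread.
sample_fstab() {
    cat <<'EOF'
# <device>  <mountpoint>  <type>  <options>                     <dump> <pass>
/dev/hda5   /tmp          ext3    defaults,nodev,nosuid,noexec  0 2
/dev/hda6   /var/tmp      ext3    defaults,nodev,nosuid         0 2
/dev/hda7   /home         ext3    defaults,nodev                0 2
EOF
}

# audit_tmp_mounts [FILE...]
# Reads fstab-format lines (stdin if no file is given) and prints one line per
# temp mount: "<mountpoint> ok" or "<mountpoint> missing:<opt,opt,...>".
audit_tmp_mounts() {
    awk -v wanted="$WANTED" '
        $1 ~ /^#/ || NF < 4 { next }            # skip comments, blank/short lines
        $2 == "/tmp" || $2 == "/var/tmp" {
            n  = split($4, have, ",")           # options present on this mount
            nw = split(wanted, want, " ")       # options we expect to see
            missing = ""
            for (i = 1; i <= nw; i++) {
                found = 0
                for (j = 1; j <= n; j++)
                    if (have[j] == want[i]) found = 1
                if (!found)
                    missing = missing (missing == "" ? "" : ",") want[i]
            }
            print $2, (missing == "" ? "ok" : "missing:" missing)
        }
    ' "$@"
}

# Run against the constructed sample; on a real host use: audit_tmp_mounts /etc/fstab
sample_fstab | audit_tmp_mounts
```

If /var/tmp is a symlink to /tmp, as suggested in the question, it has no fstab entry of its own and only the /tmp line is reported.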
Well, it looks a little bit short and misses a lot of explanations (e.g. that the desktop user should be in group docs).
Quote:
For more in-depth coverage I suggest reading the Securing Debian Manual. |
Quote:
Quote:
|