Wednesday, December 10, 2014

How to Prepare Linux (Ubuntu) for Daily Activities

step 1
Create and Configure User Account
*advise users to choose complex passwords of at least 8 characters
*enable shadow passwords to avoid storing passwords in a world-readable text file
*do not use the chsh command to change the /bin/false shell of default accounts (this prevents an attacker from logging in and controlling the system through a default account)
*make sure that no account other than root uses ID 0, and prevent remote login without a password (configure the .rhosts or /etc/hosts.equiv files)

step 2
Secure Root Access
*log in as a non-root user
*use root access for administration only
*edit /etc/security and add # at the beginning of the lines
*disable telnet
*edit /etc/ssh/sshd_config to prevent SSH login
*set root's umask to 077 (read, write, execute for root only) or 022 (for users)

step 3
Secure Physical Access
*open the BIOS setup and set a password
*set the boot order to hard disk only, to prevent booting from another bootable disk

step 4
Disable or Turn Off Unnecessary Services
*use the command ls -l /etc/rc.d/rc3.d/S* or ls -l /etc/rc.d/rc5.d/S* to view the startup scripts
*use chkconfig to enable or disable services at startup
*e.g.: chkconfig --level 2345 <service> off
*edit /etc/xinetd or /etc/xinetd.conf, then add # to disable a service

step 5
Control Network Access
*edit /etc/hosts.allow to read ALL: LOCAL to allow local logins
*edit /etc/hosts.deny to read ALL: ALL to refuse remote connections
*add specific ports to restrict or allow remote access
*use iptables to configure which data packets are allowed
*check the FTP service (disable or enable it)

step 6
Configure Auditing and System Log
*check /etc/syslog.conf to control log files
*use the syslog-ng application (listed on freshmeat)
*use the logwatch and swatch applications

step 7
Configure File Security
*allow only root to access cron
*root must be the owner of /etc/fstab, /etc/passwd, /etc/group and /etc/shadow; ensure the permissions on these files are 644, except /etc/shadow, which should be 400
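
The ID 0 check from step 1 and the ownership and permission checks from step 7, written as a shell audit. This is an added example, not part of the original post. The function names and the optional root-prefix and owner-UID arguments are assumptions, made so a copy of /etc can be checked offline, and it relies on GNU stat -c.

```shell
#!/bin/sh
# Added audit example for steps 1 and 7; not part of the original post.
# Assumes GNU coreutils stat (stat -c), as shipped on Ubuntu.

# Print every account other than root whose UID is 0 (step 1).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Compare one file with the expected octal mode and owner UID (step 7).
# Prints a finding and returns 1 on any mismatch.
check_file() {
    path=$1 want_mode=$2 want_uid=${3:-0}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    mode=$(stat -c '%a' "$path")
    uid=$(stat -c '%u' "$path")
    rc=0
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE $path is $mode, expected $want_mode"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER $path has uid $uid, expected $want_uid"
        rc=1
    fi
    return $rc
}

# Audit the four files from step 7 under an optional root prefix.
# The prefix and owner override (hypothetical parameters) let a copy of
# /etc be audited without touching the live system.
audit_etc() {
    prefix=${1:-} owner=${2:-0} failed=0
    for f in fstab passwd group; do
        check_file "$prefix/etc/$f" 644 "$owner" || failed=1
    done
    check_file "$prefix/etc/shadow" 400 "$owner" || failed=1
    extra=$(uid0_accounts "$prefix/etc/passwd")
    if [ -n "$extra" ]; then
        echo "UID0 extra accounts: $extra"
        failed=1
    fi
    return $failed
}
```

Run audit_etc with no arguments as root to check the live /etc; a non-zero exit status means at least one finding was printed.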

step 8
Prepare for Damage Recovery
*create a boot disk for recovery after configuration, or use the mkbootdisk utility
*use the tar command for backups (e.g.: tar -cvf <archive.tar> <directory>)
*read this (http://www.tldp.org/howto/linux-complete-backup-and-recovery-howto)

step 9
Do System Maintenance
*join a group to get information about patches and updates

step 10
Preparing Linux to the Internet
*make sure the connection is secure before connecting to the internet

step 11
Installation
*select the required applications during installation (e.g.: samba, mail, etc.)

step 12
Firewall Software Installation and Configuration
*use a firewall to filter network traffic (e.g.: netfilter for Mandriva)

step 13
File /etc/hosts.deny and /etc/hosts.allow Configuration

step 14
Turn Off or Delete Unnecessary Services
*use chkconfig to reduce the consumption of CPU cycles

step 15
Secure The Necessary/Required Services
*e.g.: configure SSH access (/etc/ssh/sshd_config)

step 16
Set Kernel Network Options
*edit or configure /etc/sysctl.conf (network information logs)

step 17
Connect PC to The Router
*use the router to restrict or limit connections


step 18
Update

step 19
Upgrade

step 20
Other Applications/Software
*use Bastille-Linux to "strengthen" Linux
*use Tripwire to monitor system modifications

References
http://e-newsletters.internet.com/linuxtodaysecurity.html
http://freshmeat.net - http://freshmeat.net/projects/syslog-ng
http://swatch.sourceforge.net
http://www.cert.org
http://www.debian.org
http://www.ibiblio.org/pub/linux
http://www.lindows.com
http://www.linuxberg.com
http://www.linuxsecurity.com
http://www.redhat.com
http://www.sans.org
http://www.securityfocus.com
http://www2.logwatch.org:8080

"curiosity is motivation"
"letz share coz i only ask for information"
