Hello David, hello Matthias, hello list, Davids your sugguestions "sound" good to my newbie ears I have reposted it with my remarks. Sorry this got a little bit too long but to cut off your list would have given a wrong picture form your suggestion. Maybe the others can comment it? I am too green in some subjects an need to appologize if the question are not so professional. Right now I work myselfe to the man pages. Guess I need to add some words about the contallation:
Here is the problem, I need to runn a productive server SuSE 8.0 to which real terminals are connected (-> no harddrive) the terminals boot via tfpt and mount the certain drives via nfs. For "online"backups I run rsync. The server must be reachable for remote maintenance via isdn dialin, also telnet and ftp. I need rsync only within the local net to mirror some data of the server. ssh/sftp will only be used by a direct dialin connection form *one* phone number - never via the internet. Does this open an option to close more doors?
David M. Fetter wrote:
It sounds like you're trying to really lock down this system. Yes, the server should be as much locked as possible - but still usabel :-)
1. Install susefirewall, configure it to allow only the tftp terminals to access the various services you plan to run. This is very important for portmap/nfs. What about sftp, ssh?
2. Comment out everything in the /etc/inetd.conf. You didn't mention anything that you plan on using which exists in this so need to have unnecessary services available.
3. Use SSH instead of telnet/ftp. You should also run rsync over ssh using the "-e" switch with rsync. i.e. Don't run the rsync daemon. I will but would that differ since I use it only within the local net?
4. Do not allow remote access for root in any case, unless for some reason it is the only way to accomplish some task (perhaps the backups?). Instead use sudo and configure it so you can execute privileged commands with that. If you do have to allow root access, be very specific where root can login from (i.e. tcp wrappers). I am not sure if this is possible, if a remote connection is needed than in emergency situations where privileged rights are needed. The only things which may could "narrow" the access is that the connection must be a dial in connection via isdn from a certian IP Address in the 192.168.x.x space.
5. SSH can utilize TCP wrappers so use that as an extra layer to your firewall. This basically means, edit the /etc/hosts.deny file and put "ALL:ALL" in it, then edit the /etc/hosts.allow and add in the specific IP address you want to allow (man 5 hosts_access for more info).
6. Disable any services you are not using. Only run the specific services you need.
7. For the dialin, if you use mgetty, there are optional parameters you can use to tighten down who can connect, etc. You'll need to read up on mgetty more to figure out what it is you specifically want. Well on an other machine I use mgetty/callback (still analog) and this works fine Though you need to complile mgetty to enable the called-id support to block unwanted calls. But in this case the dialin will be only isdn.
8. Setup tripwire. What is this?
9. Setup a good log watcher (i.e. swatch). This is important so you know what's going on.
10. Don't run portsentry or IDS on this system itself. If you want to run these they should be on a separate system. They are good if you want to see if anyone is probing your network and watch the activity.
11. Things like chkchroot and chkrootkit are tools which will check your system for chroot processes or rootkits. If they're installed then you'll be notified and basically in most cases that means you've been compromised. I need to read more about it, "chkchroot and chkrootkit" is new to me.
-- Encrypted eMail welcome! GnuPG/OpenPGP-Key: 0xC82CD70C. Fingerprint: BB76 0DED 1329 D3B7 04D0 F6BB 2033 3B11 C82C D70C
8. Setup tripwire.
What is this?
A file integrity tool. Tripwire creates a database and stores information about important files in the database. This information includes things such as: - modification time - owner, group - cryptographic checksum(s) - etc. After initializing (creating) the tripwire database you should store a copy of it off-line (on a CDROM on somewhere else it can not be tampered with). Then, security monitoring includes checking the tripwire database agains the file system of your running installation. If anything (important, or at all) changes in the file system tripwire prints out a report of it - and you'll check what changed and why. Be sure to remember that some changes are legal and thus you should do upgrades and installations (new software added) in the following manner: - (consider taking the system off line for duration of maintenance?) - run tripwire checking agains current database - install software and do other maintenance - update tripwire database so that it contains the changes from new/changed files And if you are just starting with security... I can recommend an excellent (if occasionally terrifying book) by Bruce Schneier: Secret & Lies, Digital Security in a Networked World. Of course there is a lot of others... regards, timo
On Sunday 09 March 2003 17:29, Michael Hoeller wrote:
Hello David, hello Matthias, hello list,
Davids your sugguestions "sound" good to my newbie ears I have reposted it with my remarks. Sorry this got a little bit too long but to cut off your
I'm a bit concerned that for a newbie, the answers coming back are along the lines of everything that is possible to do, to make for a very secure installation, rather than what Michael orginally asked, which was, what he "really needed to do". Michael you you need to balance the risks, and decide on the right cost/benefit tradeoff. Actually reaping the low hanging fruit, will bring most of the beneftis fairly simply and easily. So let's look at the question again : On Sunday 09 March 2003 09:46, Michael Hoeller wrote:
Here is the problem, I need to runn a productive server SuSE 8.0 to which some real terminals are connected (-> no harddrive) the terminals boot via tfpt and mount the certain drives via nfs. For "online"backups I run rsync. The server must be reachable for remote maintenance via isdn dialin, also telnet and ftp. The temporary connects to the internet for surfing and email should also be possible.
What would you suggest to protect the machine? It would be great if you could point me to the right direction that way I can focus on the things which are really needed.
Can you explain more about how those machines connect to the Internet, is it permanently on or via dialup? (If it's dialup then you might be able to take advantage of the /etc/ppp/ip-{up,down}.local scripts). Is the access via ISDN dialin, also the line used for 'temporary connects' to the net? The time and effort to spend on securing that network, depends on balancing the risks, and the amount of time you're able to put in on configuration and administration. There's not a lot of point in setting up Intrusion or Scan detection systems for that network, if it's on dialup, connected just a few hours a week, and you're not going to have time to monitor the IDS or scanner's output anyway. What is clear is : 0) Read Nix's Security FAQ at http://www.susesecurity.com/ 1) Check what services you are offering on the Internet connected machine (netstat -lp) 2) Set up an appropriate firewall, that only permits the UDP and TCP/IP client connections to things that are *required*. 3) Set up a cron job to ensure either YaST Online Update (or fou4s) runs and applies security fixes. 4) Use ssh(1), scp(1), sftp(1) or rsync -essh (rsync '-essh -c blowfish' will save CPU time on large transfers). Rob
participants (3)
-
MichaelHoeller@t-online.de
-
Robert Davies
-
timo