sg313 n00b
Joined: 25 Dec 2005 Posts: 34
Posted: Wed Mar 28, 2012 9:23 pm Post subject: How do you secure your server box
I am running a server on gentoo (for several years now, I am quite happy with it), and was wondering how you guys secure your boxes? What I do at the moment is
- hardened kernel without module loading support
- keeping the open ports to a minimum (only ssh/http/https) using iptables
In particular, does it make sense to use something like a virus scanner?
Gentoo64 n00b
Joined: 21 Oct 2011 Posts: 52 Location: ::
Posted: Thu Mar 29, 2012 1:46 pm Post subject:
The virus scanner should only be for scanning Windows viruses if you will transfer files to Windows computers.
I think as you're running hardened etc. (make sure you use the hardened toolchain as well) and minimal services you should be ok as long as the services are set up securely themselves. Make sure ssh has a decent password with some sort of rate limiting, or maybe use key-only auth if it's not inconvenient.
You could have a go with RBAC if you haven't already, as that will turn root into a pretty limited user. I found it much easier to set up and work with than selinux, and it can be very powerful.
Keep the system up to date... not really sure what else to suggest :s
tel Tux's lil' helper
Joined: 15 Aug 2006 Posts: 112
Posted: Thu Mar 29, 2012 3:39 pm Post subject:
Mine might be a bit of an overkill, but it's all automated, so what the heck.
1. No root login on ssh
2. Strong passwords
3. Non-standard ssh ports (debatable method)
4. I use fail2ban to limit ssh attempts
5. ClamAV as an antivirus, as my server also backs up local Windows machines
6. Daily chkrootkit with daily output emailed to me
7. Limited permissions for all my users
8. Daily email of all attempted and actual ssh logins
I don't use:
1. Key authentication for ssh, because users may log in from a variety of different machines
2. Local encryption, because if someone breaks in and steals stuff, I've got other things to worry about
sg313 n00b
Joined: 25 Dec 2005 Posts: 34
Posted: Thu Mar 29, 2012 8:07 pm Post subject:
Thanks for the replies. Since I am not handling email or Windows user data, I will not install a virus scanner. I've set up chkrootkit and denyhosts. My ssh setup already forbids root login, but I have to check the password strength for the user accounts somehow (at least those which can su).
I've also skimmed the grsecurity and RBAC howto on gentoo, but I'll leave it for the weekend.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Fri Mar 30, 2012 2:07 am Post subject:
Analyzing the password strength for users who are permitted to run /bin/su is a good step, but you should be aware that even users who cannot su to root can still run setuid binaries. Certain bugs can permit a malicious user to step up to the privileges of any setuid binary that he can execute. As far as I know, there are no publicly known unfixed bugs of this type in the latest kernels, but that is one more vector you should consider. Therefore, you should verify security on all users with login rights, even ones who are only guests on the system. Ideally, use the sshd Match directives to grant password-based login only to those users who cannot or will not use key-only login.
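The Match approach described above, written out as an added sshd_config fragment (example configuration, not posted by anyone in this thread): password authentication is switched off globally and re-enabled only for specific accounts. The group name "pwlogin", the user name "guest1" and the 192.168.1.0/24 range are placeholders.

```sshd_config
# Global defaults: key-only authentication, no root login.
# (Placeholder values chosen for illustration; adjust to the box.)
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# Keyboard-interactive (PAM) auth can still prompt for a password even
# when PasswordAuthentication is off, so disable it too.
ChallengeResponseAuthentication no
MaxAuthTries 3

# Match blocks must be the last thing in sshd_config: every directive
# below a Match line applies only to connections that match it, until
# the next Match line. Members of the placeholder group "pwlogin" may
# use a password, but only from the placeholder LAN range; everyone
# else stays key-only.
Match Group pwlogin Address 192.168.1.0/24
    PasswordAuthentication yes
    MaxAuthTries 2

# One named account (placeholder) that needs password login from anywhere.
Match User guest1
    PasswordAuthentication yes
```

After editing, `sshd -t` checks the file for syntax errors, and `sshd -T -C user=guest1,addr=203.0.113.5` prints the effective settings for that user and source address, which is a quick way to confirm that only the intended accounts end up with PasswordAuthentication yes.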
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri Mar 30, 2012 7:48 am Post subject:
sg313 wrote:
> Thanks for the replies. Since I am not handling email or Windows user data, I will not install a virus scanner. I've set up chkrootkit and denyhosts. My ssh setup already forbids root login, but I have to check the password strength for the user accounts somehow (at least those which can su).
> I've also skimmed the grsecurity and RBAC howto on gentoo, but I'll leave it for the weekend.

Don't know if you've already stumbled onto this:
http://www.gentoo.org/doc/en/security/security-handbook.xml?full=1
It's more general best practice than it is specific hardening, but there are some useful bits in there nonetheless. Some I agree with, some I disagree with; take it with a grain of salt.
That combined with the Hardened doc and you should be squared away.
sg313 n00b
Joined: 25 Dec 2005 Posts: 34
Posted: Sat Mar 31, 2012 8:00 am Post subject:
Thanks again, I looked at the tutorial, and will see what I can implement on the box!