Re: hacked - looking for doc/suggestions on hardening/securing systems from the start

On 12/18/2013 09:05 AM, bruce issued this missive:
> Hey guys. - subject says it all!!
>
> For a basic centos/fedora install. Need to have
> pointers/docs/suggestions/solid steps to actually harden/secure a
> system.
>
> I've looked at a bunch of different articles/sites, so I'm also turning here.
>
> Also, are there any good (I know) security lists/resources (people) I
> could talk to about remotely hiring for this process..

Depends on how "hardened" you want the machines. There are a raft of
options, some of the more simple:

1. Use a VPN to get at the machines from the outside world.

1a. As part of 1. above, set up the firewalls (both external and
iptables) to not allow ANY externally initiated connections except for
those from the VPN--and even then restrict those as much as possible
(e.g. only allow ssh access).

2. Disable any service you do not need.

3. Make sure you enforce complex passwords and require them to be
rotated at least every 90 days.

4. Disable ssh root logins and enforce sudo options.

5. Use something like tripwire on a freshly installed machine to watch
for non-standard software being installed.

6. Use tools like rkhunter and clamscan to look for viruses.

7. Enable and use SELinux and its tools or use a hardened kernel such
as grsec.

There are tons more of those sorts of things. A good set of guidelines
is the PCI compliance standards. Those are the standards a company must
meet (and must be audited annually by an external agency) to be
permitted to process credit card transactions online. One of our
subsidiaries is fully PCI-compliant as they do process credit card data.

The rest of the company is PCI-compliant as far as network access and
system updating is concerned. Our main business precludes being fully
compliant but we implement as many of those standards as we can. As the
old saying goes:

"I may be paranoid, but that doesn't mean they AREN'T out to get me!"

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                   Never try to outstubborn a cat.                  -
----------------------------------------------------------------------
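
As an added example that is not part of the message above: a small POSIX shell audit for items 3 and 4 of the list (90-day password rotation, no ssh root logins). The function names and the sample files are constructed for illustration; on a real host you would point the functions at /etc/ssh/sshd_config and /etc/login.defs.

```shell
#!/bin/sh
# Added example: audit items 3 and 4 from the list above against config files.

# Print the effective global PermitRootLogin value in an sshd_config file.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; stop at the first Match block (conditional settings).
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "" || k ~ /^#/ { next }
        k == "match" { exit }
        k == "permitrootlogin" { print tolower(f[2]); exit }
    ' "$1"
}

# Succeeds only when root login is explicitly "no". A missing keyword fails,
# because the compiled-in default is not "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Succeeds when PASS_MAX_DAYS in a login.defs file is between 1 and the limit
# (default 90). Assumes the key appears once. -1 or the stock 99999 fails.
max_days_ok() {
    days=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1")
    case "$days" in '' | *[!0-9]*) return 1 ;; esac
    [ "$days" -ge 1 ] && [ "$days" -le "${2:-90}" ]
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'permitrootlogin yes' \
    'Match Address 10.8.0.0/24' '    PermitRootLogin no' > "$demo/sshd_weak"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' > "$demo/sshd_ok"
printf '%s\n' 'PASS_MAX_DAYS 99999' > "$demo/defs_weak"
printf '%s\n' '# password aging' 'PASS_MAX_DAYS   90' > "$demo/defs_ok"

for f in "$demo"/sshd_*; do
    if root_login_disabled "$f"; then echo "PASS $f"
    else echo "FAIL $f: PermitRootLogin is '$(effective_root_login "$f")'"; fi
done
for f in "$demo"/defs_*; do
    if max_days_ok "$f"; then echo "PASS $f"; else echo "FAIL $f: PASS_MAX_DAYS over 90 or unset"; fi
done
```

PASS_MAX_DAYS in login.defs only applies to accounts created afterwards; existing accounts keep their own aging values, which `chage` sets. The sshd_weak sample shows why a commented-out line or a setting inside a Match block does not count as the global value.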