[[linux:ubuntu:hardening]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision 		Previous revision
linux:ubuntu:hardening [2008/11/27 12:09]
a created FIXME 		linux:ubuntu:hardening [2009/07/23 15:17] (current)
193.164.137.40
Line 1: Line 1:
 FIXME!! FIXME!!
 +
 +links: http://www.itsecurity.com/features/ubuntu-secure-install-resource/ | see: **http://wiki.centos.org/HowTos/OS_Protection
 +**
  
 System Hardening Checklist System Hardening Checklist
Line 126: Line 129:
  
 15. Chmod dangerous file 15. Chmod dangerous file
 +<code>
 chmod 700 /bin/ping chmod 700 /bin/ping
 chmod 700 /usr/bin/who chmod 700 /usr/bin/who
Line 139: Line 143:
 chmod 700 /usr/bin/apt-get chmod 700 /usr/bin/apt-get
 chmod 700 /usr/bin/aptitude chmod 700 /usr/bin/aptitude
 +</code>
  
 16. Specify TTY Devices Root is allowed 16. Specify TTY Devices Root is allowed
 vi /etc/securetty vi /etc/securetty
 Leave only two connections: Leave only two connections:
-tty1 +   tty1 
-tty2+   tty2
  
 17. Choose a secure password 17. Choose a secure password
Line 150: Line 155:
 vi /etc/pam.d/common-password vi /etc/pam.d/common-password
 change the detail from this: change the detail from this:
-password requisite pam_unix.so nullok obscure md5+   password requisite pam_unix.so nullok obscure md5
 to to
-password requisite pam_unix.so nullok obscure md5 min=6+   password requisite pam_unix.so nullok obscure md5 min=6
 Change min=6 with your company password policy length. Change min=6 with your company password policy length.
  
 18. Checking for Rootkits 18. Checking for Rootkits
 Install it from Ubuntu Repository: Install it from Ubuntu Repository:
-# apt-get install chkrootkit+   # apt-get install chkrootkit
 You can run it with the following command: ./chkrootkit You can run it with the following command: ./chkrootkit
 Now we are going to add it to contrab to schedule daily automatic scans in the system: Now we are going to add it to contrab to schedule daily automatic scans in the system:
 vi /etc/cron.daily/chkrootkit.sh and type vi /etc/cron.daily/chkrootkit.sh and type
-#!/bin/bash +   #!/bin/bash 
-# Enter the directory where the rootkit is installed +   # Enter the directory where the rootkit is installed 
-cd /root/chkrootkit/ +   cd /root/chkrootkit/ 
-# Enter your email address where you want to receive the report +   # Enter your email address where you want to receive the report 
-./chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com+   ./chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com
  
 Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh
Line 176: Line 181:
 To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a
 Now let’s harden our sysctl.conf file Now let’s harden our sysctl.conf file
-vi /etc/sysctl.conf+   vi /etc/sysctl.conf
 and paste the hardened kernel variable (attached). and paste the hardened kernel variable (attached).
  
Line 184: Line 189:
 Turn off some of this variable: Turn off some of this variable:
  
-allow_call_time_pass_reference = Off +   allow_call_time_pass_reference = Off 
-magic_quotes_gpc = Off +   magic_quotes_gpc = Off 
-register_long_arrays = Off +   register_long_arrays = Off 
-register_argc_argv = Off +   register_argc_argv = Off 
-allow_url_fopen = Off +   allow_url_fopen = Off 
-expose_php = Off +   expose_php = Off 
-disable_functions = symlink,shell_exec,proc_close, +   disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual, phpinfo
-proc_open,dl,passthru, +
-escapeshellarg,escapeshellcmd,openlog, apache_child_terminate, +
-apache_get_modules,apache_get_version, +
-apache_getenv,apache_note,apache_setenv,virtual, phpinfo+
  
 21. Apache Hardening 21. Apache Hardening
Line 213: Line 214:
  
 Hardened Kernel Variable ( /etc/sysctl.conf ) Hardened Kernel Variable ( /etc/sysctl.conf )
 +<code>
 # Controls the System Request debugging functionality of the kernel # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0 kernel.sysrq = 0
Line 311: Line 312:
 # Increase the maximum amount of option memory buffers # Increase the maximum amount of option memory buffers
 net.core.optmem_max = 57344 net.core.optmem_max = 57344
-Posted by Last King of Kho's Kingdom at 8:44 PM +</code>
linux/ubuntu/hardening.1227784174.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready