Differences
This shows you the differences between two versions of the page.
linux:ubuntu:hardening [2009/03/14 11:32] a |
linux:ubuntu:hardening [2009/07/23 15:17] (current) 193.164.137.40 |
||
---|---|---|---|
Line 1: | Line 1: | ||
FIXME!! | FIXME!! | ||
- | links: http:// | + | links: http:// |
+ | ** | ||
System Hardening Checklist | System Hardening Checklist | ||
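Review bot: `FIXME!!` stays on the first line on both sides with no hint of what is still outstanding. Since this revision already touches the top of the page, either say next to the marker what needs fixing (for example, which steps are unverified) or drop it once the checklist has been reviewed.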
Line 129: | Line 129: | ||
15. Chmod dangerous file | 15. Chmod dangerous file | ||
+ | < | ||
chmod 700 /bin/ping | chmod 700 /bin/ping | ||
chmod 700 / | chmod 700 / | ||
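Review bot: step 15 ("Chmod dangerous file") applies mode 700 without saying what it is meant to achieve or what it breaks. `chmod 700 /bin/ping` leaves the binary executable by root only, so unprivileged users lose ping; the step should state that intent and name the tools affected. Because a package upgrade can restore the packaged mode, recording each override with dpkg-statoverride would keep the change in place.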
Line 142: | Line 143: | ||
chmod 700 / | chmod 700 / | ||
chmod 700 / | chmod 700 / | ||
+ | </ | ||
16. Specify TTY Devices Root is allowed | 16. Specify TTY Devices Root is allowed | ||
vi / | vi / | ||
Leave only two connections: | Leave only two connections: | ||
- | tty1 | + | tty1 |
- | tty2 | + | |
17. Choose a secure password | 17. Choose a secure password | ||
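Review bot: step 16 still says "Leave only two connections:" but the new side of this hunk shows only `tty1`, with the `tty2` line removed and nothing visible in its place. If both entries were moved into one code block, check that `tty2` survived the reformat; otherwise change the sentence to match what is listed.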
Line 153: | Line 155: | ||
vi / | vi / | ||
change the detail from this: | change the detail from this: | ||
- | password requisite pam_unix.so nullok obscure md5 | + | password requisite pam_unix.so nullok obscure md5 |
to | to | ||
- | password requisite pam_unix.so nullok obscure md5 min=6 | + | password requisite pam_unix.so nullok obscure md5 min=6 |
Change min=6 with your company password policy length. | Change min=6 with your company password policy length. | ||
18. Checking for Rootkits | 18. Checking for Rootkits | ||
Install it from Ubuntu Repository: | Install it from Ubuntu Repository: | ||
- | # apt-get install chkrootkit | + | # apt-get install chkrootkit |
You can run it with the following command: ./ | You can run it with the following command: ./ | ||
Now we are going to add it to contrab to schedule daily automatic scans in the system: | Now we are going to add it to contrab to schedule daily automatic scans in the system: | ||
vi / | vi / | ||
- | # | + | # |
- | # Enter the directory where the rootkit is installed | + | |
- | cd / | + | |
- | # Enter your email address where you want to receive the report | + | |
- | ./ | + | |
Now change the file permissions so we can run it: chmod 755 / | Now change the file permissions so we can run it: chmod 755 / | ||
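Review bot: in step 17 the replacement line still carries `nullok` and `md5` next to the new `min=6`, which sits oddly under "Choose a secure password": `nullok` lets pam_unix accept accounts whose password is blank, and md5 is a dated hashing scheme where pam_unix also offers sha512. Suggest dropping `nullok` unless blank passwords are intended, and stating which hash the checklist recommends. Minor: "contrab" in step 18 should read "crontab".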
Line 179: | Line 181: | ||
To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a | To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a | ||
Now let’s harden our sysctl.conf file | Now let’s harden our sysctl.conf file | ||
- | vi / | + | vi / |
and paste the hardened kernel variable (attached). | and paste the hardened kernel variable (attached). | ||
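Review bot: `sysctl –a` in the overview sentence is typed with an en dash, so pasting it into a shell passes `–a` as a variable name instead of the `-a` option. Replace it with a plain hyphen, ideally inside the same code markup this revision adds around the other commands.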
Line 187: | Line 189: | ||
Turn off some of this variable: | Turn off some of this variable: | ||
- | allow_call_time_pass_reference = Off | + | allow_call_time_pass_reference = Off |
- | magic_quotes_gpc = Off | + | |
- | register_long_arrays = Off | + | |
- | register_argc_argv = Off | + | |
- | allow_url_fopen = Off | + | |
- | expose_php = Off | + | |
- | disable_functions = symlink, | + | |
- | proc_open, | + | |
- | escapeshellarg, | + | |
- | apache_get_modules, | + | |
- | apache_getenv, | + | |
21. Apache Hardening | 21. Apache Hardening | ||
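Review bot: `disable_functions` is listed under "Turn off some of this variable:" although it takes a list of function names, not `Off`, so it deserves its own sentence explaining what the list blocks. Within that list, `escapeshellarg` is an escaping helper, not an execution function; say why it is disabled or remove it. The new side of the hunk also shows only `allow_call_time_pass_reference = Off`, so confirm the remaining directives are still present after the reformat.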
Line 216: | Line 214: | ||
Hardened Kernel Variable ( / | Hardened Kernel Variable ( / | ||
+ | < | ||
# Controls the System Request debugging functionality of the kernel | # Controls the System Request debugging functionality of the kernel | ||
kernel.sysrq = 0 | kernel.sysrq = 0 | ||
Line 314: | Line 312: | ||
# Increase the maximum amount of option memory buffers | # Increase the maximum amount of option memory buffers | ||
net.core.optmem_max = 57344 | net.core.optmem_max = 57344 | ||
- | Posted by Last King of Kho's Kingdom at 8:44 PM | + | </ |
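Review bot: the removed last line, "Posted by Last King of Kho's Kingdom at 8:44 PM", is the only visible credit for where this checklist came from. Taking it out of the sysctl block is right, since it is not a kernel setting, but the attribution should move to a source note outside the code markup instead of disappearing.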