Differences

This shows you the differences between two versions of the page.

linux:ubuntu:hardening [2009/05/25 00:35]
127.0.0.1 external edit
linux:ubuntu:hardening [2009/07/23 15:17] (current)
193.164.137.40
Line 1: Line 1:
 FIXME!! FIXME!!
  
-links: http://www.itsecurity.com/features/ubuntu-secure-install-resource/ +links: http://www.itsecurity.com/features/ubuntu-secure-install-resource/ | see: **http://wiki.centos.org/HowTos/OS_Protection 
 +**
  
 System Hardening Checklist System Hardening Checklist
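Review bot: the closing `**` of the new bold link sits alone on the following line, so the emphasis opens on the `see:` line and closes on a separate one; keep the whole `**http://wiki.centos.org/HowTos/OS_Protection**` on one line. The `FIXME!!` marker above it is still in place, so state next to it what remains to be fixed.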
Line 129: Line 129:
  
 15. Chmod dangerous file 15. Chmod dangerous file
 +<code>
 chmod 700 /bin/ping chmod 700 /bin/ping
 chmod 700 /usr/bin/who chmod 700 /usr/bin/who
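Review bot: the `chmod 700` list that the new `<code>` block wraps changes modes on package-owned binaries such as `/bin/ping` and `/usr/bin/who`, and a plain chmod is undone the next time the owning package is upgraded. Register each mode with `dpkg-statoverride --update --add root root 0700 /bin/ping` (and likewise for the other paths) so the setting persists, and add a line saying that non-root users lose these commands.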
Line 142: Line 143:
 chmod 700 /usr/bin/apt-get chmod 700 /usr/bin/apt-get
 chmod 700 /usr/bin/aptitude chmod 700 /usr/bin/aptitude
 +</code>
  
 16. Specify TTY Devices Root is allowed 16. Specify TTY Devices Root is allowed
 vi /etc/securetty vi /etc/securetty
 Leave only two connections: Leave only two connections:
-tty1 +   tty1 
-tty2+   tty2
  
 17. Choose a secure password 17. Choose a secure password
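Review bot: step 16 should say what `/etc/securetty` does and does not cover. It is consulted by pam_securetty for console logins, so trimming it to `tty1` and `tty2` leaves root login over SSH unchanged; add a pointer to `PermitRootLogin` in sshd_config alongside this step.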
Line 153: Line 155:
 vi /etc/pam.d/common-password vi /etc/pam.d/common-password
 change the detail from this: change the detail from this:
-password requisite pam_unix.so nullok obscure md5+   password requisite pam_unix.so nullok obscure md5
 to to
-password requisite pam_unix.so nullok obscure md5 min=6+   password requisite pam_unix.so nullok obscure md5 min=6
 Change min=6 with your company password policy length. Change min=6 with your company password policy length.
  
 18. Checking for Rootkits 18. Checking for Rootkits
 Install it from Ubuntu Repository: Install it from Ubuntu Repository:
-# apt-get install chkrootkit+   # apt-get install chkrootkit
 You can run it with the following command: ./chkrootkit You can run it with the following command: ./chkrootkit
 Now we are going to add it to contrab to schedule daily automatic scans in the system: Now we are going to add it to contrab to schedule daily automatic scans in the system:
 vi /etc/cron.daily/chkrootkit.sh and type vi /etc/cron.daily/chkrootkit.sh and type
-#!/bin/bash +   #!/bin/bash 
-# Enter the directory where the rootkit is installed +   # Enter the directory where the rootkit is installed 
-cd /root/chkrootkit/ +   cd /root/chkrootkit/ 
-# Enter your email address where you want to receive the report +   # Enter your email address where you want to receive the report 
-./chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com+   ./chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com
  
 Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh
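Review bot: the cron script in step 18 is saved as `/etc/cron.daily/chkrootkit.sh`, and run-parts, which executes that directory on Ubuntu, skips file names containing a dot, so the daily scan would never run; name the file `chkrootkit` without the extension. The script also does `cd /root/chkrootkit/` and runs `./chkrootkit` although the step installs the tool with `apt-get install chkrootkit`, which puts it on root's PATH rather than in that directory; call `chkrootkit` directly. In step 17 the `pam_unix.so` line keeps `nullok`, which permits accounts with an empty password, and `md5` hashing; both are worth revisiting while this line is being touched.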
Line 179: Line 181:
 To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a
 Now let’s harden our sysctl.conf file Now let’s harden our sysctl.conf file
-vi /etc/sysctl.conf+   vi /etc/sysctl.conf
 and paste the hardened kernel variable (attached). and paste the hardened kernel variable (attached).
  
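Review bot: the context line in this hunk reads `sysctl –a` with a typographic dash, which fails when pasted into a shell. Since this revision is moving commands into preformatted lines, change it to `sysctl -a` and indent it the same way as `vi /etc/sysctl.conf`.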
Line 187: Line 189:
 Turn off some of this variable: Turn off some of this variable:
  
-allow_call_time_pass_reference = Off +   allow_call_time_pass_reference = Off 
-magic_quotes_gpc = Off +   magic_quotes_gpc = Off 
-register_long_arrays = Off +   register_long_arrays = Off 
-register_argc_argv = Off +   register_argc_argv = Off 
-allow_url_fopen = Off +   allow_url_fopen = Off 
-expose_php = Off +   expose_php = Off 
-disable_functions = symlink,shell_exec,proc_close, +   disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual, phpinfo
-proc_open,dl,passthru, +
-escapeshellarg,escapeshellcmd,openlog, apache_child_terminate, +
-apache_get_modules,apache_get_version, +
-apache_getenv,apache_note,apache_setenv,virtual, phpinfo+
  
 21. Apache Hardening 21. Apache Hardening
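Review bot: the `disable_functions` value now joined onto one line disables `escapeshellarg` and `escapeshellcmd`, which are the escaping helpers, while `exec`, `system` and `popen` are absent from the list even though `shell_exec`, `passthru` and `proc_open` are blocked. Drop the two escaping functions and add the missing command-execution ones; also remove the stray space before `phpinfo` so the list is uniformly comma-separated.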
Line 216: Line 214:
  
 Hardened Kernel Variable ( /etc/sysctl.conf ) Hardened Kernel Variable ( /etc/sysctl.conf )
 +<code>
 # Controls the System Request debugging functionality of the kernel # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0 kernel.sysrq = 0
Line 314: Line 312:
 # Increase the maximum amount of option memory buffers # Increase the maximum amount of option memory buffers
 net.core.optmem_max = 57344 net.core.optmem_max = 57344
-Posted by Last King of Kho's Kingdom at 8:44 PM +</code>
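Review bot: the removed line `Posted by Last King of Kho's Kingdom at 8:44 PM` was an attribution for the pasted text, and replacing it with `</code>` leaves the checklist without a named source. Keep the attribution as a normal line after the closing `</code>` instead of deleting it.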
linux/ubuntu/hardening.1243204502.txt.gz · Last modified: 2009/06/22 22:42 (external edit)
CC Attribution-Share Alike 4.0 International