hacked - looking for doc/suggestions on hardening/securing systems from the start

Rick Stevens ricks at alldigital.com
Wed Dec 18 18:01:48 UTC 2013


On 12/18/2013 09:05 AM, bruce issued this missive:
> Hey guys. - subject says it all!!
>
> For a basic centos/fedora install. Need to have
> pointers/docs/suggestions/solid steps to actually harden/secure a
> system.
>
> I've looked at a bunch of different articles/sites, so I'm also turning here.
>
> Also, are there any good (i know) security lists/resources (people) I
> could talk to about remotely hiring for this process..

Depends on how "hardened" you want the machines. There are a raft of
options, some of the more simple:

1. Use a VPN to get at the machines from the outside world.

1a. As part of 1. above, set up the firewalls (both external and
iptables) to not allow ANY externally initiated connections except for
those from the VPN--and even then restrict those as much as possible
(e.g. only allow ssh access).

2. Disable any service you do not need.

3. Make sure you enforce complex passwords and require them to be
rotated at least every 90 days.

4. Disable ssh root logins and enforce sudo options.

5. Use something like tripwire on a freshly installed machine to watch
for non-standard software being installed.

6. Use tools like rkhunter and clamscan to look for virii.

7. Enable and use SELinux and its tools or use a hardened kernel such
as grsec.

There are tons more of those sorts of things. A good set of guidelines
is the PCI compliance standards. Those are the standards a company must
meet (and must be audited annually by an external agency) to be
permitted to process credit card transactions online. One of our
subsidiaries is fully PCI-compliant as they do process credit card data.

The rest of the company is PCI-compliant as far as network access and
system updating is concerned. Our main business precludes being fully
compliant but we implement as many of those standards as we can. As the
old saying goes:

"I may be paranoid, but that doesn't mean they AREN'T out to get me!"

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                   Never try to outstubborn a cat.                  -
----------------------------------------------------------------------
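A small audit script for items 3, 4 and 7 of the list above (ssh root login, 90-day password rotation, SELinux enforcing), added here as an example and not part of the thread. It assumes the stock CentOS/Fedora paths /etc/ssh/sshd_config, /etc/login.defs and /etc/selinux/config; each check takes a file path so it can also be run against copies.

```sh
#!/bin/sh
# Example audit helpers (not from the original post). Each check reads the
# config file given as $1 and returns 0 on pass, 1 on fail.

# sshd honours the FIRST uncommented occurrence of a keyword, so that is the
# one we report. (Match blocks can still override it; this does not parse them.)
sshd_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Item 4: root must not be able to log in over ssh. Older sshd defaults to
# "yes" when the keyword is absent, so require an explicit "no".
check_sshd_root_login() {
  val=$(sshd_value "$1" PermitRootLogin)
  [ "$val" = "no" ]
}

# Item 3: /etc/login.defs must force rotation at least every 90 days.
# Note this only applies to accounts created after it is set; existing
# accounts need chage(1).
check_pass_max_days() {
  days=$(awk '$1 == "PASS_MAX_DAYS" { print $2; exit }' "$1")
  [ -n "$days" ] && [ "$days" -le 90 ] 2>/dev/null
}

# Item 7: /etc/selinux/config must set enforcing mode (takes effect at boot;
# use getenforce(8) for the running state).
check_selinux_enforcing() {
  mode=$(awk -F= '$1 == "SELINUX" { print $2; exit }' "$1")
  [ "$mode" = "enforcing" ]
}

# Run all three against the live system's config files and report.
audit_host() {
  rc=0
  check_sshd_root_login /etc/ssh/sshd_config || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
  check_pass_max_days /etc/login.defs || { echo "FAIL: PASS_MAX_DAYS unset or above 90"; rc=1; }
  check_selinux_enforcing /etc/selinux/config || { echo "FAIL: SELINUX is not 'enforcing'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "all three checks passed"
  return "$rc"
}

# Run as: sh audit.sh --audit   (needs read access to the three files)
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```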