[SWLUG] keeping server secure
Chris King
swlug at csking.co.uk
Mon Sep 20 10:22:30 UTC 2010
On Sun, September 19, 2010 16:28, Matthew Moore wrote:
> On 18/09/10 22:32, Chris Jackson wrote:
>> There's a few to get started. Could make for an interesting topic for
>> a talk ...
>
> I vaguely thought Chris K did one on security. Or not. I have a poor
> memory.

No, I did the OpenBSD talk - Carwyn (?) did the security one.
For me, that would be too much like being at work :-)

> One other thing to do is lock down root access. Make sure you can't
> login as root. Limit who can su(do).

Obvious stuff - and people STILL get this wrong even now:

(1) Make sure you're using an up-to-date version of your distro, not
something that came with a magazine two years ago. I've seen people
do this, and dealing with the resulting compromises isn't pretty ;
(2) Ensure your system is fully patched before offering services to the
internet - this applies to Linux systems as much as it does to
Windows boxes, Macs etc ;
(3) Check your software configs before you go live - going with defaults
may be less secure than you think ;
(4) Avoid using insecure protocols to manage the system - telnet, RSH and
FTP are unencrypted, use SSH/SFTP instead ;
(5) Turn off non-essential services - if they aren't running, they can't
be attacked. Reboot the machine before going live to check that those
services don't mysteriously restart ;
(6) Don't log into the machine as root unless you absolutely have to -
make use of sudo(8) and even then, use it sparingly ;
(7) Use strong passwords for all services - something that is easy for
you to remember, hard for someone else to guess and not easily
crackable ;
(8) If you're running a database server on the same machine as your
web server, configure it to listen on the loopback (lo) interface
so that other systems can't get to it.
--
Chris King
http://www.csking.co.uk/
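
As an added example (not part of the original message), a small shell check for items (4), (5), (6) and (8) above: it reads `ss -tln` output and lists TCP listeners that other hosts can reach and that are not on a list of intended services, and it reads the effective root-login setting from `sshd -T`. The function names, the allow-list of ports 22 and 80, and the sample socket table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# exposed_listeners [ALLOWED_PORT...]: reads `ss -tln` output on stdin and
# prints "<port> <address> <note>" for each TCP listener other hosts can reach.
exposed_listeners() {
    awk -v allowed=" $* " '
    $1 == "LISTEN" {
        addr = $4
        port = addr
        sub(/.*:/, "", port)          # keep the text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # Item (8): sockets bound to loopback are not reachable remotely.
        if (host ~ /^127\./ || host ~ /^\[::1\]/) next
        # Item (4): telnet (23), rsh (514) and FTP (21) are always reported.
        # Item (5): any other port must be on the list of intended services.
        note = "unexpected"
        if (port == "23" || port == "514" || port == "21") note = "cleartext"
        else if (index(allowed, " " port " ")) next
        print port, host, note
    }'
}

# root_login_value: reads `sshd -T` output (effective config, lower-case
# keywords) on stdin and prints the PermitRootLogin setting, for item (6).
root_login_value() {
    awk '$1 == "permitrootlogin" { print $2; exit }'
}

# Constructed sample of `ss -tln` output.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:80           [::]:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      244          0.0.0.0:5432      0.0.0.0:*
LISTEN 0      32           0.0.0.0:21        0.0.0.0:*
LISTEN 0      5              [::1]:631          [::]:*
EOF
}

# On a live host: ss -tln | exposed_listeners 22 80
#                 sshd -T | root_login_value      (run as root)
sample_ss | exposed_listeners 22 80
```

Run it again after the reboot in item (5); any line it prints is a service reachable from the network that was not meant to be.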