[SWLUG] keeping server secure

Chris King swlug at csking.co.uk
Mon Sep 20 10:22:30 UTC 2010

On Sun, September 19, 2010 16:28, Matthew Moore wrote:
> On 18/09/10 22:32, Chris Jackson wrote:
>> There's a few to get started.  Could make for an interesting topic for
>> a talk ...
> I vaguely thought Chris K did one on security.  Or not.  I have a poor
> memory.

No, I did the OpenBSD talk - Carwyn (?) did the security one.
For me, that would be too much like being at work :-)

> One other thing to do is lock down root access.  Make sure you can't
> login as root.  Limit who can su(do).

Obvious stuff - and people STILL get this wrong even now:

(1) Make sure you're using an up-to-date version of your distro, not
    something that came with a magazine two years ago. I've seen people
    do this, and dealing with the resulting compromises isn't pretty ;

(2) Ensure your system is fully patched before offering services to the
    internet - this applies to Linux systems as much as it does to
    Windows boxes, Macs etc ;

(3) Check your software configs before you go live - going with defaults
    may be less secure than you think ;

(4) Avoid using insecure protocols to manage the system - telnet, RSH and
    FTP are unencrypted, use SSH/SFTP instead ;

(5) Turn off non-essential services - if they aren't running, they can't
    be attacked. Reboot the machine before going live to check that those
    services don't mysteriously restart ;

(6) Don't log into the machine as root unless you absolutely have to -
    make use of sudo(8) and even then, use it sparingly ;

(7) Use strong passwords for all services - something that is easy for
    you to remember, hard for someone else to guess and not easily
    crackable ;

(8) If you're running a database server on the same machine as your
    web server, configure it to listen on the loopback (lo) interface
    so that other systems can't get to it.

Chris King
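
[Added example, not part of the original post: one way to check points (4), (5) and (8) by auditing listening TCP sockets. It parses `ss -H -tln` output; the port numbers, the expected-port list and the sample lines are assumptions made for this illustration.]

```python
import ipaddress

# Assumptions for this example: default ports for the cleartext protocols the
# post names (FTP, telnet, rsh) and for two common database servers.
CLEARTEXT = {21: "ftp", 23: "telnet", 514: "rsh"}
DATABASE = {3306: "mysql", 5432: "postgresql"}

def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcard binds ('*', 0.0.0.0, ::) are not."""
    addr = addr.split("%")[0].strip("[]")   # drop %iface scope and IPv6 brackets
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                      # '*' means every interface
        return False

def audit_listeners(ss_output, expected_ports):
    """Return sorted (port, address, reason) for listeners reachable off-host."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or is_loopback(addr):
            continue                        # loopback-only listeners are fine
        port = int(port)
        if port in CLEARTEXT:
            reason = f"cleartext protocol ({CLEARTEXT[port]})"
        elif port in DATABASE:
            reason = f"{DATABASE[port]} not bound to loopback"
        elif port not in expected_ports:
            reason = "service not on the expected list"
        else:
            continue
        findings.add((port, addr, reason))
    return sorted(findings)

# Constructed sample of `ss -H -tln` output, not taken from a real host.
SAMPLE = """\
LISTEN 0 128   0.0.0.0:22    0.0.0.0:*
LISTEN 0 128      [::]:22       [::]:*
LISTEN 0 80  127.0.0.1:3306  0.0.0.0:*
LISTEN 0 244   0.0.0.0:5432  0.0.0.0:*
LISTEN 0 5           *:23          *:*
LISTEN 0 128     [::1]:631      [::]:*
LISTEN 0 64    0.0.0.0:111   0.0.0.0:*
"""

if __name__ == "__main__":
    for port, addr, reason in audit_listeners(SAMPLE, expected_ports={22, 80, 443}):
        print(f"{addr}:{port}  {reason}")
```

Feeding it real `ss -H -tln` output before and after the reboot in point (5) shows whether a disabled service has come back.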
