April 8th, 2003 09:31 PM
*nix services - which to turn off for which *nix?
Ok - I wanted to post in the newbie section to hopefully avoid being blasted me'ah, but I am really struggling with this.
I am working on a network services list of what will be turned 'on' on a *nix server and what will be turned 'off.' For those who have not seen my posts before, our shop me'ah is mostly HPUX, but we also have Sun, AIX, Irix, Linux. So what I am wondering is:
1) If there is or should be, a difference in what network services are turned off or left on between various flavors of *nix (including Linux).
An example would be echo. It is recommended to turn off that service for HPUX? Does that follow for other flavors of *nix? I am tracking down right now as many resources as I can on this to see if there are noted differences between the different flavors, but everything at this point has been HPUX or just general *nix.
Thanks much in advance!
"Quis custodiet ipsos custodes?"
April 8th, 2003 10:37 PM
Yes. Echo would be one to shut off if you're not using ICMP or don't want your machines to respond to it. General rule of thumb, regardless of the OS, is to turn off, remove/delete any service you are not using.
When you are searching for security ideas to use for each of your *nix are you typing in "Linux + Security" in one google search and then "Solaris + Security" in another? The reason I ask is that if you did it like "Linux + Solaris + HPUX.. etc. + Security" you won't find a be-all-end-all site/advice. It's better to do it individually.
April 8th, 2003 11:20 PM
I was using the trailed line in Google "HPUX + Linux + ... + ... + Security". I will try splitting them out. Thanks much.
I am also using "The 60 Minute Network Security Guide" from the SNAC, what was listed in the SANS/FBI list and a confidential (why I am not sure) guide from HP. The guide from HP lists specific ports and their descriptions for the services to turn off and I am working to maintain a list of both open and closed services in general for most if not all flavors of our UX (that's better) servers in the enterprise. I just want to make sure I get as many of the UX flavors as possible in this effort.
I would also like to cross-reference that list against somewhat periodic nmap (or similar) scans of our servers to make sure we are getting everything represented in one form or fashion. This effort, much like all of security, will be a - cliche alert - uphill battle. Mainly because I also have to educate users and management on the importance and certain specifics of what we are dealing with, and the best way to retro-fit this into an already existing infrastructure of many UX servers.
"Quis custodiet ipsos custodes?"
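Added example, not part of the thread or any poster's own code: one way to cross-reference a list of approved services against periodic nmap scans, as described in the post above. It parses nmap's grepable output (`-oG`) and reports ports that are open but not approved, and approved ports that were not seen open. The host addresses, host names, the `BASELINE` contents and the function names are assumptions made up for illustration.

```python
import re

# Constructed sample of `nmap -oG` (grepable) output; hosts and ports are made up.
SAMPLE_SCAN = """\
Host: 192.0.2.10 (hpux01)\tStatus: Up
Host: 192.0.2.10 (hpux01)\tPorts: 7/open/tcp//echo///, 22/open/tcp//ssh///, 13/closed/tcp//daytime///\tIgnored State: closed (997)
Host: 192.0.2.20 (sol01)\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 514/open|filtered/udp//syslog///
"""

# Hypothetical baseline: services approved to be 'on', per host.
BASELINE = {
    "192.0.2.10": {(22, "tcp")},
    "192.0.2.20": {(22, "tcp"), (25, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for ports whose state is exactly 'open'."""
    found = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "\tPorts: " not in line:
            continue  # comment lines and 'Status:' lines carry no port list
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        open_ports = found.setdefault(m.group(1), {})
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 5 and parts[1] == "open":
                open_ports[(int(parts[0]), parts[2])] = parts[4] or "unknown"
    return found

def audit(scan, baseline):
    """Compare scan results with the baseline; return unexpected and missing ports per host."""
    report = {}
    for ip in sorted(set(scan) | set(baseline)):
        seen, allowed = scan.get(ip, {}), baseline.get(ip, set())
        unexpected = sorted((p, proto, svc) for (p, proto), svc in seen.items()
                            if (p, proto) not in allowed)
        missing = sorted(allowed - set(seen))
        report[ip] = {"unexpected": unexpected, "missing": missing}
    return report

if __name__ == "__main__":
    for ip, r in audit(parse_grepable(SAMPLE_SCAN), BASELINE).items():
        for port, proto, svc in r["unexpected"]:
            print(f"{ip}: {port}/{proto} ({svc}) is open but not in the baseline")
        for port, proto in r["missing"]:
            print(f"{ip}: {port}/{proto} is in the baseline but was not seen open")
```

Ports reported as `open|filtered` (common for UDP) are deliberately not counted as open here, so they need a separate look rather than being treated as confirmed listeners.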
April 8th, 2003 11:27 PM
I basically turn off ALL network services that I do not require... Also, to beef up security of your *nix machine, you will not only have to disable non-essential services, but also harden the OS.
Check out the hardening scripts called "Titan". This is a fantastic resource for hardening a variety of *nix platforms.
Hardening scripts are available for the following OS's:
You can either run the scripts to harden your machine, or run them in an informative mode and they let you know where your system is weak. (I highly recommend all security fanatics to do this, cause I personally learnt a hell of a lot!!)
It is also pretty easy to modify the scripts for your personal needs.
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
April 9th, 2003 12:01 AM
Well, I have previously used the Bastille Linux script to secure my config. But your Titan script seems really interesting, SoggyBottom, I will check it out and bookmark its page to compare.
Life is boring. Play NetHack... --more--