Fresh linux install security
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Fresh linux install security

  1. #1
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    Posts
    550

    Fresh linux install security

    Asside from the SUID and GUID files, is there anything else that I should modify on a linux server that will be exposed to the public? I will be running telnet, ftp and apache on SuSE 8.1. Thanks a lot.

  2. #2
    i'll say that you should disable all the services that you ain't gonna use in your box
    \"Knowledge is Power\"

  3. #3
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    Erm, I'd really advise against running telnet at all, because it sends everything unencrypted over the internet, meaning its very vulnerable to someone sniffing the traffic. If you want to allow access for users simliar to telnet, try SSH, but make sure you have a current version of the server, as some of the older ones have vulnerabilites. You might also want to chroot your ftp users to a certain directory to keep them from exploring other parts of your server. It might also be a good idea to look into an IDS like Snort or something along the lines of Bastille to help secure the box.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    103
    SuSe Linux has Kssh and so on. Im With Syini on this one, use that instead of telnet, and make sure no one can remote log in as root also. also, make sure you have the SuSe firewall2 running

    SuSe is a beautiful distro. Im glad you chose it. Also, SuSe has a "harden SuSe" file log in as root and run that, if for some reason you dont liek it theres a go back script that will undo what you did with it.

  5. #5
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    Posts
    550
    You guys are probably right about using ssh instead. I just liked the idea of telnet because anyone can log in from any OS without a 3rd party utility. I'll probably just use ssh though.

  6. #6
    Member
    Join Date
    Mar 2003
    Posts
    46
    Accesability is an inportant face of the tecnology but a risky one too... so you have to be shure
    about who is gona access to youre server because i don't think is good idea to let anyone to access it. So if the number of members is rasonable, you could spread any free ssh client so you can give accesability and security to both you and youre costumers.

    xDrack.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    If you have windows users, just get the PuTTY client for Windows. It works very well for SSH sessions. Also, if you use Bastille to lockdown your box, be SURE that you have a regular user account setup on the box so that you don't lock yourself out by accident. Many first time users of Bastille find themselves outta luck when they overlock the box.

    A quick and dirty way to shut down services on RH is to type 'setup' at the command line and then go into SYSTEM SERVICES and then turn off anything that you dont need. This takes seconds and of you hit F1, you get a detailed description of the services on the list so as not to disable something you may need.

    -TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    If you want to access a SSH server w/o third party software, check out AppGate Mind Term which will run on any java enabled machine. I've found it quite useful for when I'm at college and cant get access to any kind of SSH clients ( and the school definately wont let me install any ) and i need to check my server or do some remote work.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  9. #9
    Member
    Join Date
    Feb 2003
    Posts
    41
    Telnet is evil like without SSH or something secure like if you enter a password to server an attacker can capture your seq and ack number reset your connection using arp poisoning and enter his/her evil commands as you BTW please if you use SSH make darn sure it's configured properly disable remote root login etc make sure it's the latest version with security fixes if SSH is not configured properly your opening a door and trouble



    Doc

  10. #10
    Senior Member
    Join Date
    May 2003
    Posts
    115
    go check out cisecurity.org or nsa they have a template to shutdown and harden your system.

    w0rm3y

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •