Fresh linux install security

[NeuTron]

Asside from the SUID and GUID files, is there anything else that I should modify on a linux server that will be exposed to the public? I will be running telnet, ftp and apache on SuSE 8.1. Thanks a lot.

[whitedragon]

i'll say that you should disable all the services that you ain't gonna use in your box

[Syini666]

Erm, I'd really advise against running telnet at all, because it sends everything unencrypted over the internet, meaning its very vulnerable to someone sniffing the traffic. If you want to allow access for users simliar to telnet, try SSH, but make sure you have a current version of the server, as some of the older ones have vulnerabilites. You might also want to chroot your ftp users to a certain directory to keep them from exploring other parts of your server. It might also be a good idea to look into an IDS like Snort or something along the lines of Bastille to help secure the box.

[TheFiend]

SuSe Linux has Kssh and so on. Im With Syini on this one, use that instead of telnet, and make sure no one can remote log in as root also. also, make sure you have the SuSe firewall2 running

SuSe is a beautiful distro. Im glad you chose it. Also, SuSe has a "harden SuSe" file log in as root and run that, if for some reason you dont liek it theres a go back script that will undo what you did with it.

[NeuTron]

You guys are probably right about using ssh instead. I just liked the idea of telnet because anyone can log in from any OS without a 3rd party utility. I'll probably just use ssh though.

[XDrack]

Accesability is an inportant face of the tecnology but a risky one too... so you have to be shure
about who is gona access to youre server because i don't think is good idea to let anyone to access it. So if the number of members is rasonable, you could spread any free ssh client so you can give accesability and security to both you and youre costumers.

xDrack.

[thehorse13]

If you have windows users, just get the PuTTY client for Windows. It works very well for SSH sessions. Also, if you use Bastille to lockdown your box, be SURE that you have a regular user account setup on the box so that you don't lock yourself out by accident. Many first time users of Bastille find themselves outta luck when they overlock the box.

A quick and dirty way to shut down services on RH is to type 'setup' at the command line and then go into SYSTEM SERVICES and then turn off anything that you dont need. This takes seconds and of you hit F1, you get a detailed description of the services on the list so as not to disable something you may need.

-TH13

[Syini666]

If you want to access a SSH server w/o third party software, check out AppGate Mind Term which will run on any java enabled machine. I've found it quite useful for when I'm at college and cant get access to any kind of SSH clients ( and the school definately wont let me install any ) and i need to check my server or do some remote work.

[doc crontab]

Telnet is evil like without SSH or something secure like if you enter a password to server an attacker can capture your seq and ack number reset your connection using arp poisoning and enter his/her evil commands as you BTW please if you use SSH make darn sure it's configured properly disable remote root login etc make sure it's the latest version with security fixes if SSH is not configured properly your opening a door and trouble



Doc

[w0rm3y]

go check out cisecurity.org or nsa they have a template to shutdown and harden your system.

w0rm3y