April 24th, 2005, 03:34 AM
8 to-dos to tighten a host's security on a network
If you're on a LAN (broadband connections, like RoadRunner, are typically LANish) - if one host on the LAN is compromised the rest are all vulnerable. It has been said many times and I thoroughly agree - that it is easier to completely tighten a system and loosen up what is needed than it is to keep it open and secure what is not needed.
So with that said here are a few things that should be dealt with:
1) Turn off ALL services that are not being used - netstat, telnet, FTP, tftp, POP3 services etc etc.
2) Completely remove all the "r" services (some are virtually obsolete now - but how am I to know what kind of box and specs you have) - rdist, rlogin, rsh, rcp, rexecd, rexd etc etc., including all .rhosts. Though they make things convenient for you, they also make them convenient for an intruder.
3) Completely remove all unused software on your machine - if the host is used as a file server, if it is a print server or if it is a workstation remove sendmail.
4) Use TCP/IP "wrappers" to enable full logging on all services that are in use. If the version of TCP/IP wrappers you are using allows for access control through subnet descriptions, use it. Don't just exclude some machines - exclude everything and then add what you need (remember what I said up top?)
5) Use TCP/IP logging to keep track of half-open connections and ICMP messages. Use something like SYNLOG to keep track of unclosed SYN connections, and ICMPwatch to keep up with ICMP messages.
6) If you use NFS, only export the directories that are needed, even if it means making many entries in the /etc/exports file.
7) If you are using an HTTP server, pay special attention to the CGI scripts that you are running.
Remove the sample and/or generic scripts that come with your distribution. Use NCSA or other security guidelines when writing CGIs.
8) Use xauth and xhost security structures to secure all X-windows clients; this will prevent (or at least help prevent) keystroke capture programs from remote machines.
Should this have been put into a Tuts forum? Sorry if that is the common consensus - my misjudgement wasn't intentional and I'm sure a mod or admin will move it if it is deemed appropriate.
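An added example, not part of the original post: a small audit of items 1, 2 and 4 that reports which of the listed services are still enabled in an inetd.conf-style file and checks that hosts.deny excludes everything by default. It assumes the classic inetd.conf and TCP wrappers file layouts and the usual /etc/services names; the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit inetd.conf and hosts.deny against items 1, 2 and 4.
# Assumption: the names below are the usual /etc/services names for the
# daemons the post lists (shell = rsh, login = rlogin, exec = rexecd).
RISKY="netstat telnet ftp tftp pop3 shell login exec rexd"

# Print each service from $RISKY that is still enabled (uncommented) in the
# inetd.conf-style file $1, one name per line, in file order.
enabled_risky_services() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }        # disabled or blank line
        { name = $1; sub(/\/.*/, "", name)    # RPC entry "rexd/1" -> "rexd"
          if (name in bad) print name }
    ' "$1"
}

# Succeed only if the hosts.deny-style file $1 has an active "ALL: ALL" rule
# with no EXCEPT clause: exclude everything, then add what you need in
# hosts.allow.
is_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*(:.*)?$' "$1"
}

# Constructed sample files (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
tftp    dgram  udp wait   root /usr/sbin/tcpd in.tftpd
rexd/1  stream rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
ssh     stream tcp nowait root /usr/sbin/tcpd sshd -i
EOF
printf '# deny everything by default\nALL: ALL\n' > "$SAMPLE_DIR/hosts.deny"
printf 'ALL: ALL EXCEPT 10.0.0.5\n' > "$SAMPLE_DIR/hosts.deny.weak"

echo "Still enabled:"; enabled_risky_services "$SAMPLE_DIR/inetd.conf"
is_default_deny "$SAMPLE_DIR/hosts.deny" && echo "hosts.deny: default deny"
is_default_deny "$SAMPLE_DIR/hosts.deny.weak" || echo "hosts.deny.weak: NOT default deny"
```

On a real host, point the two functions at /etc/inetd.conf and /etc/hosts.deny; systems that use xinetd or systemd socket units need a different check.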