On 07/14/2009 07:49 PM, Scott Morris wrote:
> --------------------------
> When you have been hacked:
> --------------------------
>
I agree with what has been said elsewhere. Look at what happened and reinstall.

> ----------
> HOSTS.DENY
> ----------
>
I'm not such a big fan of this. There may be others who think this is still the way to go, but I use iptables for all my filtering needs. From what I understand it's up to the service to look at the hosts.deny, and not all services use it. iptables is run by the kernel, so it is handled before it even gets to the service. So I consider iptables more secure, and convenient. You may get double security by going this route, but I don't consider it to be worth it.

> ------------------------------------------------------
> DROP ALL PACKETS FROM HOST RANGE - FIREWALL - IPTABLES
> ------------------------------------------------------
>
An important security principle I'll talk about more later is KISS. I use a firewall script to block everything I'm not using. I like shorewall. I find it simple and easy to use, but I don't just block IPs that are known to be problems. I block all ports that the world doesn't need access to. Also, iptables allows you to limit the number of connection attempts per minute. This is really useful in discouraging automated brute force attacks. If you don't use this, hackers could be testing your authentication methods hundreds of times per second (remember imaps and pop3s in this).

> ------------------------
> ADD ADDITIONAL ROOT USER
> ------------------------
>
I don't think there is any good reason to do this. It now gives people two root accounts to try and guess the password for, thus weakening your security.

> Then, create public/private keys for your root user and your sysrt user
> And this sounds like a REALLY bad idea.
>
The main reason you create public/private keys is so you can ssh into the account as that user without a password. You don't want people to be able to directly connect to your machine as root. You should not be connecting directly to your machine as root. You should disable root login in the sshd_config.

> --------------------------
> CREATE PUBLIC/PRIVATE KEYS
> --------------------------
>
> Useful in that it makes it faster, but only makes it more secure if you disable password authentication through ssh and you set a passphrase on the ssh key; otherwise you have made yourself less secure.
>
> ----------------------------------
> RESET MYSQL ROOT PASSWORD IN LINUX
> ----------------------------------
>
> Good plan.
>
> ---------------
> ALLOW_URL_FOPEN
> ---------------
> probably good
>
> ----------
> FTP SERVER
> ----------
>
> Never ever use an FTP server.
>
> If you do, make sure it is the only thing running on that box. Make sure that it does not have access to any other machine in your network (i.e., that it is outside your network). Make sure it is jailed. Make sure it is in India.
>
I agree with this.

> Anyone have some sources that I could consult that give some generally good ideas of security measures, and then how to clean up once you've been pwnd? Or comments on the above suggestions?
>
Anyways. One of the most important security principles is: KISS. Keep it simple, stupid. Don't install anything you don't need. My servers don't even have X installed. So make sure you don't install anything you don't need, especially servers. If you do need it, make sure only the people that need that service can access it (limit by IP, etc). Moving some service to a different port can help reduce random attacks but often isn't worth the inconvenience. Make it so root cannot log in remotely. You may even want to disable direct root login locally (a la Ubuntu). Don't use root unless you have to. Don't use your servers as clients. Set up your backups to run as a cron job. Frequently check your security. Run nmap and nessus. I'm sure I'll think of some more later.

Kyle

ps I forgot I had all this: http://unum5.org/presentations/ I should update all of that into something coherent.
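Two of the measures recommended above in working form, as an added example that is not part of the thread or of Kyle's scripts: the iptables rate limit on new SSH connections (here via the `recent` match) and a check that an sshd_config forbids remote root login and password authentication. The port, the five-per-minute threshold, the `SSH` list name and the sample sshd_config contents are constructed assumptions; the rules are printed rather than applied so the script runs without root.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread. Demonstrates two defender-side
# measures from Kyle's reply: capping new SSH connection attempts per minute with
# iptables, and auditing sshd_config for PermitRootLogin / PasswordAuthentication.
# Port, threshold, the "SSH" recent-list name and the sample configs are constructed.

# Print iptables rules that drop a source IP's new connections to port $1
# (default 22) once it has made $2 (default 5) attempts within 60 seconds.
# Printed, not applied: pipe the output into sh as root to install them.
ssh_ratelimit_rules() {
    port="${1:-22}"
    hits="${2:-5}"
    # Rule 1: if this source already has $hits entries in the last 60s, drop.
    # --update also refreshes the timestamp, so a host that keeps hammering
    # stays blocked until it goes quiet for a minute.
    # Rule 2: otherwise record the attempt and accept it.
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount ${hits} --name SSH -j DROP" \
      "iptables -A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -m recent --set --name SSH -j ACCEPT"
}

# Audit the sshd_config at path $1. sshd honours the first occurrence of a
# keyword, so only the first uncommented value is taken; a commented-out line
# ("#PasswordAuthentication no") counts as unset. Prints "ok" when both
# settings are "no", otherwise one line per finding. Always exits 0.
audit_sshd_config() {
    cfg="$1"
    root_login=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$cfg")
    pass_auth=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$cfg")
    status=ok
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '${root_login:-unset}', should be 'no'"
        status=fail
    fi
    if [ "$pass_auth" != "no" ]; then
        echo "PasswordAuthentication is '${pass_auth:-unset}', should be 'no' (use keys with a passphrase)"
        status=fail
    fi
    if [ "$status" = ok ]; then
        echo ok
    fi
}

# Write a constructed sample sshd_config ("weak" or "hardened") to a temp file
# and print its path. The weak one has root login on and password auth only
# commented out, which is the mistake the audit must catch.
sample_config() {
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PasswordAuthentication no' > "$f"
    else
        printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$f"
    fi
    echo "$f"
}

# Demo: show the rules, then audit both sample configs.
ssh_ratelimit_rules 22 5
for kind in weak hardened; do
    f=$(sample_config "$kind")
    echo "== $kind sshd_config =="
    audit_sshd_config "$f"
    rm -f "$f"
done
```

The `recent` match only slows guessing; it does not replace turning password authentication off, which is the point made under CREATE PUBLIC/PRIVATE KEYS above. Run the audit against `/etc/sshd_config` or `/etc/ssh/sshd_config` on the server (path depends on the distribution) before and after editing it.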
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
