Re: [GTALUG] Linux hardening question

2017-06-29 Thread James Knott via talk
On 06/29/2017 06:46 PM, Ansar Mohammed wrote: > Actually James, incompetence would be opening up a high security > system to additional attack vectors without a good business or > technical reason (which you really haven't provided). > > The business reason is the world is moving to IPv6.

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Ansar Mohammed via talk
Actually James, incompetence would be opening up a high security system to additional attack vectors without a good business or technical reason (which you really haven't provided). On Thu, Jun 29, 2017 at 6:33 PM James Knott via talk wrote: > I have worked with

Re: [GTALUG] Linux hardening question

2017-06-29 Thread James Knott via talk
On 06/29/2017 06:18 PM, Ansar Mohammed wrote: > Oh, and that growing portion of the internet that's IPv6 only is > primarily China. > Actually, Belgium is in the lead, at around 35%. However, in many parts of the world including, but not limited to, China IPv6 is the only thing available,

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Ansar Mohammed via talk
It's not a matter of being afraid of anything. Security 101 tells you to reduce your attack surface area. I would not increase my attack surface area just for the sake of being an early adopter of IPv6. To be clear the conversation is about hardening. This is the right thing to do. On Thu, Jun

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Thu, Jun 29, 2017 at 07:31:10PM +, Ansar Mohammed wrote: > IMHO if you are looking for a hardened system you should not start with > Ubuntu. > Ubuntu is what I like to call 'kitchen sink Linux' Yeah I wouldn't start with that either. > Start with a minimal Debian install, then add the

Re: [GTALUG] Linux hardening question

2017-06-29 Thread James Knott via talk
On 06/29/2017 03:31 PM, Ansar Mohammed via talk wrote: > Disable IPv6. Why? That's the way the Internet is moving. Perhaps something like this would be useful: https://www.suse.com/documentation/sles11/book_hardening/data/book_hardening.html

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Ansar Mohammed via talk
IMHO if you are looking for a hardened system you should not start with Ubuntu. Ubuntu is what I like to call 'kitchen sink Linux' Start with a minimal Debian install, then add the packages you need incrementally. Package removal is never an exact rollback of package installation. Then add your

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Thu, Jun 29, 2017 at 10:18:26AM -0400, Anthony de Boer via talk wrote: > Lennart Sorensen wrote: > > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on > > > many key files, the upshot of

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Anthony de Boer via talk
Lennart Sorensen wrote: > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on > > many key files, the upshot of which was that everything on the "secured" > > firewall had to run as root and it

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Mauro Souza via talk
I think OP will be the only user on the server, so chmod /etc is not that important. If someone exploits any service and gets a shell on the box, chmod will not help too much. Jailing the accessible servers on a container, or an old school chroot would be nice. On Jun 29, 2017 10:24, "Lennart

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Blaise Alleyne via talk
On 27/06/17 07:37 PM, Truth Hacker via talk wrote: > Hi All, > > I am starting to go down the road to harden a Linux server, I am using > the Ubuntu server image as my starting point. > > I searched a few articles and compiled a list of things to do, so far > the stuff is a bit dated. So I was

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Thu, Jun 29, 2017 at 09:24:09AM -0400, Lennart Sorensen via talk wrote: > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > > Christopher Browne via talk wrote: > > > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote: > > > > You may also want to

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > Christopher Browne via talk wrote: > > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote: > > > You may also want to "chmod 711 /etc", FWIW. > > > > That means that non-root-space applications will