UFW, fail2ban, and Ansible have all been mentioned, which gives me an
opportunity to mention a Hugh-like "war story" related to hardening.
It appears that Debian 9 (aka "stretch," which is now "stable")
included a stupid-ass version of fail2ban. Our cloud machines have
always included a
Mr. Mohammed,
Thanks for sharing your thoughts.
At no time did you ever state that you refused to use IPv6. You
actually stated that you do, in fact, use IPv6. Neither did you ever
state that IPv4 is "good enough."
Aside from IPv4 vs IPv6, do you
On 06/30/2017 10:53 AM, Lennart Sorensen wrote:
> On Fri, Jun 30, 2017 at 09:34:06AM -0400, James Knott via talk wrote:
>> According to Vint Cerf, IPv4 was never intended to be released as a
>> public system. It was intended to demonstrate the concepts, and the
>> "official" version would have a
On 06/30/2017 08:45 AM, Russell wrote:
> "If you fail to plan, you are planning to fail!"
>
> This is the sort of reasoning which provided for IPV6's creation in the first
> place. The internet is running out of address space. Any networked system,
> currently hardened or otherwise, has to take
On June 29, 2017 7:37:54 PM EDT, James Knott via talk wrote:
>On 06/29/2017 06:46 PM, Ansar Mohammed wrote:
>> Actually James, incompetence would be opening up a high security
>> system to additional attack vectors without a good business or
>> technical reason (which you really
On 06/29/2017 06:46 PM, Ansar Mohammed wrote:
> Actually James, incompetence would be opening up a high security
> system to additional attack vectors without a good business or
> technical reason (which you really haven't provided).
>
>
The business reason is the world is moving to IPv6.
Actually James, incompetence would be opening up a high security system to
additional attack vectors without a good business or technical reason
(which you really haven't provided).
On Thu, Jun 29, 2017 at 6:33 PM James Knott via talk
wrote:
> I have worked with
On 06/29/2017 06:18 PM, Ansar Mohammed wrote:
> Oh, and that growing portion of the internet that's IPv6 only is
> primarily China.
>
Actually, Belgium is in the lead, at around 35%. However, in many parts
of the world including, but not limited to, China, IPv6 is the only thing
available,
It's not a matter of being afraid of anything. Security 101 tells you to
reduce your attack surface area.
I would not increase my attack surface area just for the sake of being an
early adopter of IPv6.
To be clear the conversation is about hardening. This is the right thing to
do.
On Thu, Jun
On Thu, Jun 29, 2017 at 07:31:10PM +, Ansar Mohammed wrote:
> IMHO if you are looking for a hardened system you should not start with
> Ubuntu.
> Ubuntu is what I like to call 'kitchen sink Linux'
Yeah I wouldn't start with that either.
> Start with a minimal Debian install, then add the
On 06/29/2017 03:31 PM, Ansar Mohammed via talk wrote:
> Disable IPv6.
Why? That's the way the Internet is moving.
Perhaps something like this would be useful:
https://www.suse.com/documentation/sles11/book_hardening/data/book_hardening.html
---
Talk Mailing List
talk@gtalug.org
IMHO if you are looking for a hardened system you should not start with
Ubuntu.
Ubuntu is what I like to call 'kitchen sink Linux'
Start with a minimal Debian install, then add the packages you need
incrementally.
Package removal is never an exact rollback of package installation.
Then add your
On Thu, Jun 29, 2017 at 10:18:26AM -0400, Anthony de Boer via talk wrote:
> Lennart Sorensen wrote:
> > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > > many key files, the upshot of
Lennart Sorensen wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > many key files, the upshot of which was that everything on the "secured"
> > firewall had to run as root and it
I think OP will be the only user on the server, so chmod /etc is not that
important. If someone exploits any service and gets a shell on the box,
chmod will not help too much.
Jailing the accessible servers on a container, or an old school chroot would
be nice.
On Jun 29, 2017 10:24, "Lennart
On 27/06/17 07:37 PM, Truth Hacker via talk wrote:
> Hi All,
>
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
>
> I searched a few articles and compiled a list of things to do, so far
> the stuff is a bit dated. So I was
On Thu, Jun 29, 2017 at 09:24:09AM -0400, Lennart Sorensen via talk wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Christopher Browne via talk wrote:
> > > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> > > > You may also want to
On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> Christopher Browne via talk wrote:
> > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> > > You may also want to "chmod 711 /etc", FWIW.
> >
> > That means that non-root-space applications will
On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
>>
>> I am starting to go down the road to harden a Linux server, I am using
>> the Ubuntu server image as my starting point.
>
> [snip]
>>
>> Q: What service should I
On Tue, Jun 27, 2017 at 7:37 PM, Truth Hacker via talk wrote:
> Hi All,
>
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
>
> I searched a few articles and compiled a list of things to do, so far
> the stuff
On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
I am starting to go down the road to harden a Linux server, I am using
the Ubuntu server image as my starting point.
[snip]
Q: What service should I consider disabling from starting automatically.
Disable any service you won't need for
Hi All,
I am starting to go down the road to harden a Linux server, I am using
the Ubuntu server image as my starting point.
I searched a few articles and compiled a list of things to do, so far
the stuff is a bit dated. So I was wondering if anyone has stuff ideas
to help me harden my system
22 matches