Re: [GTALUG] Linux hardening question

2017-06-30 Thread Giles Orr via talk
UFW, fail2ban, and Ansible have all been mentioned, which gives me an opportunity to mention a Hugh-like "war story" related to hardening. It appears that Debian 9 (aka "stretch," which is now "stable") included a stupid-ass version of fail2ban. Our cloud machines have always included a

Re: [GTALUG] Linux hardening question

2017-06-30 Thread Daniel Villarreal via talk
Mr. Mohammed, Thanks for sharing your thoughts. At no time did you ever state that you refused to use IPv6. You actually stated that you do, in fact, use IPv6. Neither did you ever state that IPv4 is "good enough." Aside from IPv4 vs IPv6, do you

Re: [GTALUG] Linux hardening question

2017-06-30 Thread James Knott via talk
On 06/30/2017 10:53 AM, Lennart Sorensen wrote: > On Fri, Jun 30, 2017 at 09:34:06AM -0400, James Knott via talk wrote: >> According to Vint Cerf, IPv4 was never intended to be released as a >> public system. It was intended to demonstrate the concepts, and the >> "official" version would have a

Re: [GTALUG] Linux hardening question

2017-06-30 Thread James Knott via talk
On 06/30/2017 08:45 AM, Russell wrote: > "If you fail to plan, you are planning to fail!" > > This is the sort of reasoning which provided for IPV6's creation in the first > place. The internet is running out of address space. Any networked system, > currently hardened or otherwise, has to take

Re: [GTALUG] Linux hardening question

2017-06-30 Thread Russell via talk
On June 29, 2017 7:37:54 PM EDT, James Knott via talk wrote: >On 06/29/2017 06:46 PM, Ansar Mohammed wrote: >> Actually James, incompetence would be opening up a high security >> system to additional attack vectors without a good business or >> technical reason (which you really

Re: [GTALUG] Linux hardening question

2017-06-29 Thread James Knott via talk
On 06/29/2017 06:46 PM, Ansar Mohammed wrote: > Actually James, incompetence would be opening up a high security > system to additional attack vectors without a good business or > technical reason (which you really haven't provided). > > The business reason is the world is moving to IPv6.

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Ansar Mohammed via talk
Actually James, incompetence would be opening up a high security system to additional attack vectors without a good business or technical reason (which you really haven't provided). On Thu, Jun 29, 2017 at 6:33 PM James Knott via talk wrote: > I have worked with

Re: [GTALUG] Linux hardening question

2017-06-29 Thread James Knott via talk
On 06/29/2017 06:18 PM, Ansar Mohammed wrote: > Oh, and that growing portion of the internet that's IPv6 only is > primarily China. > Actually, Belgium is in the lead, at around 35%. However, in many parts of the world including, but not limited to, China IPv6 is the only thing available,

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Ansar Mohammed via talk
It's not a matter of being afraid of anything. Security 101 tells you to reduce your attack surface area. I would not increase my attack surface area just for the sake of being an early adopter of IPv6. To be clear the conversation is about hardening. This is the right thing to do. On Thu, Jun

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Thu, Jun 29, 2017 at 07:31:10PM +, Ansar Mohammed wrote: > IMHO if you are looking for a hardened system you should not start with > Ubuntu. > Ubuntu is what I like to call 'kitchen sink Linux' Yeah I wouldn't start with that either. > Start with a minimal Debian install, then add the

Re: [GTALUG] Linux hardening question

2017-06-29 Thread James Knott via talk
On 06/29/2017 03:31 PM, Ansar Mohammed via talk wrote: > Disable IPv6. Why? That's the way the Internet is moving. Perhaps something like this would be useful: https://www.suse.com/documentation/sles11/book_hardening/data/book_hardening.html

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Ansar Mohammed via talk
IMHO if you are looking for a hardened system you should not start with Ubuntu. Ubuntu is what I like to call 'kitchen sink Linux' Start with a minimal Debian install, then add the packages you need incrementally. Package removal is never an exact rollback of package installation. Then add your

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Thu, Jun 29, 2017 at 10:18:26AM -0400, Anthony de Boer via talk wrote: > Lennart Sorensen wrote: > > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on > > > many key files, the upshot of

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Anthony de Boer via talk
Lennart Sorensen wrote: > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on > > many key files, the upshot of which was that everything on the "secured" > > firewall had to run as root and it

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Mauro Souza via talk
I think OP will be the only user on the server, so chmod /etc is not that important. If someone exploits any service and gets a shell on the box, chmod will not help too much. Jailing the accessible servers on a container, or an old school chroot would be nice. On Jun 29, 2017 10:24, "Lennart

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Blaise Alleyne via talk
On 27/06/17 07:37 PM, Truth Hacker via talk wrote: > Hi All, > > I am starting to go down the road to harden a Linux server, I am using > the Ubuntu server image as my starting point. > > I searched a few articles and compiled a list of things to do, so far > the stuff is a bit dated. So I was

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Thu, Jun 29, 2017 at 09:24:09AM -0400, Lennart Sorensen via talk wrote: > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > > Christopher Browne via talk wrote: > > > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote: > > > > You may also want to

Re: [GTALUG] Linux hardening question

2017-06-29 Thread Lennart Sorensen via talk
On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote: > Christopher Browne via talk wrote: > > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote: > > > You may also want to "chmod 711 /etc", FWIW. > > > > That means that non-root-space applications will

Re: [GTALUG] Linux hardening question

2017-06-28 Thread Christopher Browne via talk
On 27 June 2017 at 19:53, Kevin Cozens via talk wrote: > On 2017-06-27 07:37 PM, Truth Hacker via talk wrote: >> >> I am starting to go down the road to harden a Linux server, I am using >> the Ubuntu server image as my starting point. > > [snip] >> >> Q: What service should I

Re: [GTALUG] Linux hardening question

2017-06-28 Thread Myles Braithwaite via talk
On Tue, Jun 27, 2017 at 7:37 PM, Truth Hacker via talk wrote: > Hi All, > > I am starting to go down the road to harden a Linux server, I am using > the Ubuntu server image as my starting point. > > I searched a few articles and compiled a list of things to do, so far > the stuff

Re: [GTALUG] Linux hardening question

2017-06-27 Thread Kevin Cozens via talk
On 2017-06-27 07:37 PM, Truth Hacker via talk wrote: I am starting to go down the road to harden a Linux server, I am using the Ubuntu server image as my starting point. [snip] Q: What service should I consider disabling from starting automatically. Disable any service you won't need for

[GTALUG] Linux hardening question

2017-06-27 Thread Truth Hacker via talk
Hi All, I am starting to go down the road to harden a Linux server, I am using the Ubuntu server image as my starting point. I searched a few articles and compiled a list of things to do, so far the stuff is a bit dated. So I was wondering if anyone has stuff ideas to help me harden my system