
good linux security guide?

Red Squirrel

No Lifer
Can anyone recommend a good security guide on securing a Linux server where users have ssh access? For example, how to stop that bug where people can just su as root with no password. Things of that nature, and also protecting from outside threats.

I know the basics, and I've recently been messing with iptables to be able to do basic IP/port blocks, but I want to go further.
 
I donno. There is a nice book called "Hardening Linux" that you can usually find in bigger bookstores.

Otherwise there are websites all over the place. Linuxsecurity.com is probably a handy place to start.

Here are some things that I know:

a) Simple is better. Complexity is the enemy of security.
b) Reduce the amount of services you use to a bare minimum to reduce attack footprint. The only thing I have running on my systems most of the time is SSH (it can file transfer, remote gui, remote file systems, etc).
c) Encryption is easy, but unless used correctly is worse than useless.
d) Use long and irritating passwords that are unique. They also need to be changed periodically.
e) Periodically check your system to make sure that you're not running anything unexpected. Keep your system up to date.

That's about it. That's about 95% of the battle and probably covers most of the important stuff going.
 
Yeah I also have iptables to block EVERYTHING then I just unblock what I need. And by everything, even ICMP, gone. I opened up the IPs to the data center's monitoring, and that's it.

And yeah I try to stay away from complex setups unless I really understand them.

Like I have a semi-complex setup with the way my VMs are secured behind the virtual NAT, with the actual service on another bridged NIC, but I fully understand the setup and have it documented.

Things like SSH public key, I decided against due to the complexity of it. I'll want to play around with it and research it before I consider implementing it as a booboo could end up enabling no password access, or something, if I do something wrong.
 
If your box allows port 22 connections from the internet I'd highly recommend disabling root SSH access and installing denyhosts.

At my last job, the geniuses at the company that bought ours decided it would be easier to simply open our internal network to the whole world than deal with a VPN so they could remotely access our systems.
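The "disable root SSH access" advice above, and the earlier worry that a small mistake could quietly leave things open, both come down to what sshd actually reads from sshd_config. As an added example (not code from anyone in this thread), here is a small POSIX sh audit that reports the effective PermitRootLogin, PermitEmptyPasswords and PasswordAuthentication values the way sshd resolves them: first occurrence wins, and anything after a Match line is conditional. The sample config, the file names and the defaults it assumes (OpenSSH 7.0+) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# root-login and password settings the thread recommends.
# sshd keeps the FIRST value it reads for a keyword and ignores later repeats,
# so a distro default "PermitRootLogin yes" near the top silently wins over a
# "PermitRootLogin no" appended at the bottom. The reader below mirrors that.
# Assumes "Keyword value" syntax; anything after a "Match" line is conditional
# and is deliberately left out of the global result.

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use globally.
effective_value() {
    val=$(awk -v k="$2" '
        /^[ \t]*#/                { next }           # comment lines
        NF == 0                   { next }           # blank lines
        tolower($1) == "match"    { exit }           # first Match block ends global scope
        tolower($1) == tolower(k) { print $2; exit } # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd FILE: print findings; return 0 only when every check passes.
# Defaults assumed are OpenSSH 7.0+ (PermitRootLogin prohibit-password).
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    empty=$(effective_value "$1" PermitEmptyPasswords no)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    [ "$root" = "no" ]  || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$empty" = "no" ] || { echo "FAIL PermitEmptyPasswords=$empty (want no)"; rc=1; }
    echo "INFO PasswordAuthentication=$pw"
    return $rc
}

# Constructed sample: the "fix" appended at the end lands inside the Match
# block, so root login over SSH is still permitted globally.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# distro defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
printf 'PermitRootLogin no\n' >> "$SAMPLE_CONF"   # appended later by an admin

audit_sshd "$SAMPLE_CONF" || echo "sshd_config has hardening gaps"
```

Running it against the live file (`audit_sshd /etc/ssh/sshd_config`) is the quick check to do before and after any edit; `sshd -T` prints the daemon's own resolved view and is the authoritative comparison.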
 