Focus on Linux
Hardening CentOS Jul 03 2008 03:53PM
Florin Iliescu (iliescufm yahoo com) (12 replies)
Re: Hardening CentOS Jul 05 2008 08:46PM
Andraz Sraka (a aufbix org)
RE: Hardening CentOS Jul 04 2008 07:37AM
Nokin Jérôme (jerome nokin trasys be)
Re: Hardening CentOS Jul 03 2008 11:32PM
flying mayo (flyingmayo gmail com) (1 replies)
On Thu, Jul 3, 2008 at 8:53 AM, Florin Iliescu <iliescufm (at) yahoo (dot) com [email concealed]> wrote:
> Helo,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin
>
>
>
>
My personal pre-production check list includes as a default:

1. Don't connect the server to the net until all other steps are done.
2. Apply all vendor supplied patches/updates and devise a plan for
getting new updates in a timely manner.
3. Get yourself connected to a security email alert portal where you
can find out about new vulnerabilities that might affect you. I
suggest bugtraq.
4. Stop/disable all unnecessary services
5. Do some research into SELinux and bastille to see if they can be of
some benefit in your specific situation.
6. Scan your system with a network security tool such as Nessus. If
you're doing this prior to launching into production you'll have the
luxury of safely doing a penetrating test as opposed to a safer
non-penetrating test. I'd suggest you let nessus down your server if
it can. Better to know now than later. If your summary report
doesn't come back all green, make sure you know why.

SSH/SFTP specific:
1. Ensure sshv1 is turned off (protocol 2 in your sshd_config)
2. Ensure that PermitRootLogin is set to 'no' in your sshd_config
3. Ensure that your SSH daemon chroot's (jail/sandbox) incoming
connections. You don't want your users being able to traverse your /
filesystem.
4. If at all possible, run your service on a non-standard port. This
suggestion is inevitably followed by outcry that this is security by
obscurity. To which I would reply that no, this is security though
all and every means possible including, but not limited to, obscurity.
In a nut shell, you can count on your SFTP server being pounded daily
by automated brute force attacks. Moving the service off of port 22
will eliminate 90% of this traffic. Given that these attacks are
largely based on the statistical probability that they will guess a
password on one of your account, side stepping the majority of such
attacks is only going to help you. And then there's the fact that
this will hop the size of your auth logs to a fraction of what they
would otherwise be.
5. Use a restrictive shell for connections.
6. Turn off PubkeyAuthentication
7. Most importantly, manage your user accounts. Don't be afraid to
implement a policy that locks accounts after N days of inactivity.

[ reply ]
Re: Hardening CentOS Jul 04 2008 07:02PM
Seth Mattinen (sethm rollernet us)
Re: Hardening CentOS Jul 03 2008 08:14PM
Mario Spinthiras (mspinthiras gmail com)
Re: Hardening CentOS Jul 03 2008 07:51PM
Chase Simms (Csimm pubpress com)
Re: Hardening CentOS Jul 03 2008 05:41PM
Jure Krasovic (jure krasovic lusp com)
RE: Hardening CentOS Jul 03 2008 05:18PM
Tony UcedaVelez (tonyuv versprite com)
Re: Hardening CentOS Jul 03 2008 05:10PM
Peter Hinse (loco d0pefish de)
Re: Hardening CentOS Jul 03 2008 04:58PM
aurbain (aurbain interactivebrokers com)
Re: Hardening CentOS Jul 03 2008 04:51PM
Jeronimo Zucco (jczucco ucs br)
Re: Hardening CentOS Jul 03 2008 04:20PM
Mohd Irwan Jamaluddin (mij irwan name)
Re: Hardening CentOS Jul 03 2008 04:19PM
David A. Kennel (dkennel lanl gov) (1 replies)
Re: Hardening CentOS Jun 22 2009 04:45PM
Tony Murphy (tmurphy trustedcs com) (1 replies)
Re: Hardening CentOS Nov 24 2009 04:25PM
Tony Murphy (tmurphy trustedcs com)


 

Privacy Statement
Copyright 2010, SecurityFocus