[svlug] new svlug system

[Alvin Oga]

hi ya "lord"

i never did figure out if that'a screen name or not

i'm guess its not short for lourdess

> > ///////////////////////////////////////////////////////////////
> > - would anybody out in svlug world care that we take it
> >   down for an hr or two to rebuild a new distro onto a new disk
> > ///////////////////////////////////////////////////////////////
 
reminder :-)
but at this rate, its probably gonna be say midnight-ish

the new pres/vp can fix it up again later to their wishes later ...

the new disk is for backups ... just in case ..

> loan to SVLUG for a week or so 

machines is not a problem here

> Much of what's a fries does work, it's just their bargain bins that you=20
> have to be extra careful of.

that's where you find the good deals on disk drives
	250GB for $60 is extremely hard to beat ..

> > 	it's woody ..
> 
> Wow.  That's old.

that's still a new baby compared to other pc's i have running

> Educate me!  I know it makes it more secure, but I don't know the "how"=20
> part.

how to harden is a whole nother ball game

ask 10 people how to harden a server and you'd probably get 10 distinct
answers but some should overlap

for me .. hardending implies: ( in simple terms )

	- you have a complete backup of the "user data" you're baby-sitting
	( aka the problem i have right now with svlug.org )

		- i'd have at least 2 or 3 live copies and 1 offline copy
		where its ip# can be changed to become live in a minute

		- given a blank new brand new disk, how long to recover
		from backups ..  and how to verify it 

			# rsync --test /new-disk /mnt/old-system

			you better know what it's different

	- i assume that the machine has been cracked by a malicous 
	cracker ...  now protect your data before they "rm -rf /"

		- aka .. no machine trust other machines
		- no unknown machines connects from outside the lan/firewall

		and obviously, if you did things right, you don't really
		care about random disk crashes either ...
	
	- i'd blindly apply all distro patches at the time of the system install
	whether you do this hourly or daily, weekly or monthly depends
	on what the machine is doing .. production vs internal vs all 100
	employee's get to go home or 24hr ecomm that generates $1M/hr in sales

		- aka .. you need to test on an identical system, test  ALL patches
		before deploying onto the other machine that affects others

		- hourly/daily/weekly apt-get update/ugrade can be a pita, but
		that's your choice and how you do it and yet work and sleep
		and still know you're relatively safe

	- if there's only one other thing to do for hardening, 
	i would use the latest kernel 2.6 or 2.4 ..whatever it used before 


	---- rest techy hardening below is gravy and less important ---

	- if i'm allowed to change things and make lifer miserable for some,
	i'd change the following files:

	    vi /etc/hosts.deny
		all: all

	    vi /etc/hosts.allow
		sshd: w.x.y.z  a.b.c.d

		i'd clean up hosts, hosts.conf, resolv.conf, named.conf, apache.conf

	- apply kernel patches ( gr-sec, mac, .. )

	- save your /lib's and /bin's to cdrom and be able to do a 5-10 second compare
	in case of a breakin

	- remove /etc/inetd.conf or equivalent  or zero it out

	- install missing empty files like ~/.forward, ~/.profile, ~/.finger, ...

	- shitload of other stuff that can take days to do from manual typing

	- sometimes, i do chmod 750 /sbin  /usr/sbin ; chown root.root /sbin /usr/sbin

	- check all the "setuid" binaries .. do you need it ..

	- [re]move stuff like make/gcc/gzip/tar/su/sudo/wget/lynx/mozilla/chattr etc .. 
	( all the apps used by the script kiddies after they got into your system )

	- lots of ohter stuff

c ya
alvin