[svlug] Server Hardening

Alvin Oga alvin at mail.Linux-Consulting.com
Wed Sep 20 19:49:48 PDT 2006


hi ya 

- all of the following is opinion only and not for "you're wrong, i'm right"

> Lord Sauron wrote:
> 
> I'm totally new to hardening a server.  I'm a desktop person, so I know
> a lot about that, but on the other side of the net I'm a total newbie.

there should be no differences in hardening of servers vs hardening of desktops

> So, educate me please!

that can take years .. for anybody ..

>  I do want ten different answers, since they all will have something to add.

yes .. everybody will have something to add

the simple ( semi-undisputable ) answer is:

	- do what the boss says .. even if they're wrong but let them know
	  politely and why and in writing to cover your butt from being fired
	( boss == your managers, their managers, the one cutting the checks, etc )

	- make sure you have backups of everything important
	( what is important is what the bosses say and have budgeted for )

	- how you do it will be what makes everybody different and
	some ways work and some other ways fail for various reasons

	- if you know why one is better than another and why it might fail,
	then you can make the informed choice and do what the boss wants

to see that all that stuff is working and is secure ..

	you might want to get some vulnerability testing
	and pen-testing by competent and licensed security droids

	always get "security help" from outside  :-) 

some links to go play with and argue with amongst your left and right hands

	http://www.dshield.org/

	http://www.sans.org/resources/errors.php

	http://www.sans.org/top20/2000/

	http://www.sans.org/top20/
	
	http://www.sans.org/reading_room/

	http://www.Linux-Sec.net 


> Also, I just wanted to ask what the SELinux policies do for me.  I've
> read some about them, and I know that it's possible to install the
> SELinux policies under Gentoo.  Are they real, or are they something to
> be avoided?  I'd like to know, and to hear it from some of the people
> (like you) who are out in the real world hosting servers that are
> successful and secure without going totally nuts and totally overboard
> like some other (FREAKS!) I happen to know.

selinux is good and bad ..depending on your paranoia level and skill set

other kernel hardening:

	http://linux-sec.net/Kernel/

	- selinux, gr-sec, lids, stackshield, etc

	- for 2.4 kernels.. openwall is a 1 minute hardening problem
	so there is no excuse not to do it

c ya
alvin



