Services Hardening |
|
| Login Services |
- ALWAYS require SSH or SSL-enabled logins only
- ALWAYS require users to enter their passwds ( though it's a little inconvenient )
- Have at most one trusted machine that other hosts let in without asking for a user passwd; every other host must prompt
- Eliminate services that carry user login passwds in clear text
- Disallow telnet -- use ssh instead, or telnet-ssl
- Disallow ftp for users -- use scp and/or sftp instead
- Disallow plain pop3 from netscape/IE -- use secure pop3/imap ( SSL ) instead
- Keep insecure servers/services SEPARATE from your local LAN
- Keep insecure servers BEHIND your firewall, reachable only through an ssh-secured gateway, if they must access your local LAN
- Keep insecure servers OUTSIDE your firewall if you don't trust them and just allow them to talk to/from the internet
- PPP dialup server -- typically keeps its passwds in a text file; keep that file readable by root only
- PPTP servers are typically behind your firewall
- Samba servers are typically behind your firewall
- Configure samba for encrypted passwds instead of (insecure) cleartext passwds
- kerberos servers are typically behind your firewall
|
| NIS/YP Services |
- Auburn.edu
Securing NIS
- have at least 2 secondary NIS servers for each local LAN segment
|
| TCP_Wrappers |
- SSLwrap
- Use TCPWrappers for desired services
- Selectively enable tcp_wrapped services to local servers/users
- Uncomment telnet to enable (insecure) telnet connections only from the IP addresses listed in /etc/hosts.allow
- Uncomment ftp to enable (insecure) ftp connections only from the IP addresses listed in /etc/hosts.allow
- Cr.yp.to TCPServer ( ucspi-tcp ): cr.yp.to/ucspi-tcp/tcpserver.html
Porcupine.org TCP wrappers
- Sans.org
TCPWrappers
ECST.CSUChico.edu
Cert.org tcpwrappers, hosts.allow, hosts.deny
Stanford.edu TCP_wrappers + kerberos
|
|
#
# Start hosts.allow file -- it is READ before hosts.deny, and the first
# matching rule wins ( format: daemon_list : client_list )
#
# Allow telnet connections ONLY from 192.168.1.1
in.telnetd: 192.168.1.1
#
# allow all local IE/Netscape clients to get email from this POP3 server
# ( a trailing dot means "every host in 192.168.1.x"; a bare 192.168.1.0
#   matches only the single address 192.168.1.0, so nobody would get in )
in.pop3d: 192.168.1.
#
# end of file
|
|
|
#
# Start hosts.deny file
#
# By default Deny all Services to everybody
#
ALL:ALL
#
# end of file
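The two files above are easy to get subtly wrong ( the 192.168.1.0 vs 192.168.1. mistake, or forgetting that hosts.allow is consulted first ), so here is an added example, not from the original page or the tcp_wrappers package, that emulates the tcp_wrappers decision for a daemon/client pair against rule files you point it at. It handles the patterns used on this page ( ALL, exact address, trailing-dot prefix, net/mask ); host names, EXCEPT lists and shell_command options are assumed out of scope. The sample rule files it writes are constructed for the demonstration. On a real box the tcp_wrappers package ships tcpdmatch for the same purpose.

```sh
#!/bin/sh
# Added example: emulate the tcp_wrappers access decision.
# Order: hosts.allow -> hosts.deny -> implicit allow (no rule matched).

# ip2int DOTTED_QUAD -> prints the address as an integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_match PATTERN CLIENT_IP -> exit 0 if PATTERN covers CLIENT_IP
client_match() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}          # net/mask form
             [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) \
               -eq $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;   # 192.168.1.
        *)   [ "$pat" = "$ip" ] ;;                     # exact address only
    esac
}

# rule_file_matches FILE DAEMON CLIENT -> exit 0 if any rule in FILE matches.
# Rule syntax: daemon_list : client_list [ : option ]; '#' starts a comment.
rule_file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")
    while IFS=: read -r dlist clist _opt; do
        for d in $(echo "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(echo "$clist" | tr ',' ' '); do
                client_match "$c" "$client" && return 0
            done
        done
    done <<EOF
$rules
EOF
    return 1
}

# wrap_decision DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow or deny
wrap_decision() {
    if rule_file_matches "$3" "$1" "$2"; then echo allow
    elif rule_file_matches "$4" "$1" "$2"; then echo deny
    else echo allow          # no rule matched: tcp_wrappers lets it through
    fi
}

# write_sample_rules DIR -> constructed copies of the files above, plus a
# hosts.allow.bare that uses the pitfall pattern 192.168.1.0 for pop3
write_sample_rules() {
    mkdir -p "$1"
    printf '%s\n' 'in.telnetd: 192.168.1.1' 'in.pop3d: 192.168.1.' > "$1/hosts.allow"
    printf '%s\n' 'in.telnetd: 192.168.1.1' 'in.pop3d: 192.168.1.0' > "$1/hosts.allow.bare"
    printf '%s\n' '# deny everything not explicitly allowed' 'ALL: ALL' > "$1/hosts.deny"
}

# demo: the questions a sysadmin should ask before trusting these files
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_sample_rules "$d"
    for q in "in.telnetd 192.168.1.1" "in.telnetd 192.168.1.2" \
             "in.pop3d 192.168.1.37" "in.pop3d 10.0.0.5" "in.ftpd 192.168.1.1"; do
        set -- $q
        echo "$1 from $2: $(wrap_decision "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
    done
    echo "in.pop3d from 192.168.1.37 with bare 192.168.1.0 rule: $(wrap_decision in.pop3d 192.168.1.37 "$d/hosts.allow.bare" "$d/hosts.deny")"
    rm -rf "$d"
fi
```

Run it as "sh wrap_check.sh demo": telnet is allowed only from 192.168.1.1, pop3 from the whole 192.168.1.x network, everything else ( including ftp from the allowed telnet host ) falls through to ALL: ALL in hosts.deny. The last line shows the pitfall: with the bare 192.168.1.0 rule the pop3 client 192.168.1.37 is denied.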
|
|
- /etc/hosts.equiv
- Don't trust any other machine
- mv /etc/hosts.equiv /etc/hosts.orig.equiv
|
- /etc/hosts.lpd
- Lists which machines are allowed to print to the printer connected to this (print) server
- Don't allow any client to print unless you need it
- mv /etc/hosts.lpd /etc/hosts.orig.lpd
|
|
| Turn Off inetd |
|
- Selectively enable pop3 to certain hosts running netscape/IE
|
#
# Uncomment a line to enable that service
#
#
# Selectively turn on the (insecure) pop3 -- it must be enabled in /etc/hosts.allow too
#
# pop3 stream tcp nowait root /usr/sbin/tcpd in.pop3d
#
# Run Secure SSL-wrapped POP3 instead
# -----------------------------------
# sslwrap terminates SSL on the pop3s port ( 995 ) and connects to the
# cleartext pop3 daemon on port 110, so something must still listen on
# 127.0.0.1:110 -- bind it to loopback or firewall port 110 from outside,
# otherwise re-enabling pop3 exposes cleartext logins again.
# Since sslwrap is started thru tcpd, the name tcpd looks up in
# /etc/hosts.allow and /etc/hosts.deny is "sslwrap", not "pop3s".
#
pop3s stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem -port 110
#
# end of inetd.conf
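Editing inetd.conf by hand is how telnet gets commented out while ftp or rsh quietly stays on. This added example ( not from the original page, written for this checklist and for the Login Services list above ) audits an inetd.conf for the cleartext login services that list says to disable, and prints the daemon names tcpd will look up in hosts.allow/hosts.deny. It assumes the classic seven-field inetd.conf layout and uses only sed and awk; the sample inetd.conf is constructed here, not taken from any system.

```sh
#!/bin/sh
# Added example: audit inetd.conf for cleartext login services and list the
# names tcpd uses for access control.

# Services whose login passwds cross the wire in the clear.
CLEARTEXT_LOGIN_SERVICES="telnet ftp pop3 pop-3 imap imap2 shell login exec"

# active_lines FILE -> inetd.conf lines with comments and blank lines removed
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# cleartext_findings FILE -> the enabled services that are in the list above,
# one per line, in file order
cleartext_findings() {
    for svc in $(active_lines "$1" | awk '{ print $1 }'); do
        for bad in $CLEARTEXT_LOGIN_SERVICES; do
            [ "$svc" = "$bad" ] && echo "$svc"
        done
    done
    return 0
}

# wrapped_daemon_names FILE -> for each enabled line whose server is tcpd,
# the name tcpd matches against hosts.allow/hosts.deny: the last path
# component of the first argument ( an sslwrap line is looked up as
# "sslwrap", not as "pop3s" )
wrapped_daemon_names() {
    active_lines "$1" | awk '$6 ~ /\/tcpd$/ { n = split($7, p, "/"); print p[n] }'
}

# audit_inetd FILE -> exit 1 with a report if any cleartext login service is on
audit_inetd() {
    findings=$(cleartext_findings "$1")
    if [ -n "$findings" ]; then
        echo "cleartext login services still enabled in $1:"
        echo "$findings" | sed 's/^/  /'
        return 1
    fi
    echo "no cleartext login services enabled in $1"
}

# write_sample_inetd DIR -> constructed inetd.conf: telnet and pop3 are
# commented out, but ftp and shell (rsh) were forgotten
write_sample_inetd() {
    mkdir -p "$1"
    cat > "$1/inetd.conf" <<'EOF'
# <service> <type> <proto> <wait> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#pop3   stream  tcp  nowait  root    /usr/sbin/tcpd  in.pop3d
pop3s   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/local/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem -port 110
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_sample_inetd "$d"
    audit_inetd "$d/inetd.conf" || true
    echo "daemon names to use in hosts.allow:"
    wrapped_daemon_names "$d/inetd.conf" | sed 's/^/  /'
    rm -rf "$d"
fi
```

Run "sh inetd_audit.sh demo" to see it on the sample; point audit_inetd at /etc/inetd.conf for the real thing. The findings come out as ftp and shell; the daemon-name list is what has to appear on the left of the colon in hosts.allow for tcpd to match anything.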
|
|
| X11 Services |
X.org
X11.org
XFree86.org
XFree86.org Security
rootshell.com X11 Security
LLNL.gov Securing X Windows
MIT.edu Tunneling X11 data through the secure link
OneEyedCrow.net Securing X11
- Make sure X11Forwarding is set to yes in /etc/ssh/sshd_config ( sshd uses the first uncommented value it finds )
- ssh -l username -v -C -X remotehostname
- root should NEVER login into X11
- login as a user and run startx/xinit, then su to root
- remove all occurrences of "xhost +" ( it opens the display to every host )
- use "xhost +hostname" to admit one host and "xhost -hostname" when done ( xhost takes a host name, not a display name like server:0.0 )
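Two of the items above are easy to check mechanically, and this added example ( not from the original page or from any X11/OpenSSH project ) does both: it reads sshd_config the way sshd does, where the FIRST uncommented X11Forwarding line wins ( so a "yes" appended below an earlier "no" changes nothing ), and it finds a bare "xhost +" in startup files while leaving the targeted "xhost +somehost" form alone. The sample sshd_config fragments and .xinitrc are constructed here, not taken from any system.

```sh
#!/bin/sh
# Added example: X11Forwarding check with sshd's first-match rule, and a
# finder for display-wide "xhost +" in startup files.

# x11_forwarding_enabled SSHD_CONFIG -> exit 0 if the effective value is yes.
# Keywords are case-insensitive; the first uncommented occurrence wins.
x11_forwarding_enabled() {
    val=$(sed 's/#.*//' "$1" |
          awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }')
    [ "$val" = yes ]
}

# open_xhost_lines FILE... -> grep -n output for every bare "xhost +":
# the plus is followed only by whitespace or a comment up to end of line.
# "xhost +buildhost" is not flagged.
open_xhost_lines() {
    grep -nE '(^|[;&|[:space:]])xhost[[:space:]]+\+[[:space:]]*(#.*)?$' "$@"
}

# write_x11_samples DIR -> constructed sshd_config.good, sshd_config.bad, xinitrc
write_x11_samples() {
    mkdir -p "$1"
    printf '%s\n' 'Port 22' '#X11Forwarding no' 'X11Forwarding yes' \
        'X11DisplayOffset 10' > "$1/sshd_config.good"
    # a "yes" added at the bottom of a file that already says "no" does nothing
    printf '%s\n' 'X11Forwarding no' 'X11Forwarding yes' > "$1/sshd_config.bad"
    printf '%s\n' '# constructed ~/.xinitrc' \
        'xhost +                  # wide open: remove' \
        'xhost +buildhost         # targeted: acceptable while needed' \
        'xhost -buildhost' \
        'xterm & xhost +' > "$1/xinitrc"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_x11_samples "$d"
    for f in "$d/sshd_config.good" "$d/sshd_config.bad"; do
        if x11_forwarding_enabled "$f"; then echo "$f: X11 forwarding on"
        else echo "$f: X11 forwarding OFF (check the first X11Forwarding line)"; fi
    done
    echo "display-wide xhost + lines:"; open_xhost_lines "$d/xinitrc" || echo "  none"
    rm -rf "$d"
fi
```

For a real check run x11_forwarding_enabled against /etc/ssh/sshd_config and open_xhost_lines against /etc/X11/xinit/xinitrc, each user's .xinitrc/.xsession and anything else run at X startup; only the two wide-open lines in the sample are reported, the targeted +buildhost line is not.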
|