Basic security procedures
Latest revision as of 00:00, 23 July 2006
Note: harden-servers will conflict with most (maybe all) FTP servers.
1. Install the Debian security packages. Use the command:
apt-get install logcheck syslog-summary harden harden-clients harden-environment harden-servers checksecurity libsafe harden-tools
2. This will automatically configure some basic security settings, remove any unsafe packages, and prohibit any unsafe packages from being installed. This is not by any means comprehensive and you should not consider your system unbreakable. However, it is a good starting point and automatically deals with some of the more obvious security holes.
3. Check for basic system vulnerabilities. Use the command:
4. Turn shadow passwords on. Shadowing your passwd file causes the password encryption strings to be stored in a special, separate password file which has limited read access.
5. If you wish to use Snort IDS (highly recommended), use the command:
apt-get install harden-nids snort snort-rules-default
6. If you are running MySQL you should install the distribution of Snort with MySQL support instead of the vanilla package:
apt-get install snort-mysql
7. You will be prompted to configure a user account and database for Snort-MySQL to use. The user account and database can be created through the Webmin MySQL interface (see Articles/DebianWebmin). Once you have created the appropriate user account and database, run the following command to enter Snort's table data:
cd /usr/share/doc/snort-mysql; zcat create_mysql.gz | mysql -u username -h hostname -p databasename
8. Snort is also easily configured through the Webmin interface (see Articles/DebianWebmin). Another recommendation is to install the chkrootkit package. This package will check for most known "root kits" that may have been surreptitiously installed. Once again, this is not a definitive test but only part of a well-secured system. Use the command:
apt-get install chkrootkit
9. You will be presented with some basic configuration options. I recommend running a daily cron job in quiet mode (-q). This will run chkrootkit in the background and email the system administrator if any potential problems are found.
10. Another good security tool is the Nessus security auditor. It consists of a daemon and client which interact to scan your system for known vulnerabilities. Nessus is great for alerting you to potential security holes which may otherwise have slipped by undetected. Use the command:
apt-get install nessusd nessus nessus-plugins
11. Follow the installation prompts for creating a server certificate. Once you have done this and are back at the prompt go ahead and add a nessus user with the command:
12. Enter a username, select PASS, and enter a password. Then start the nessus daemon by using the command:
13. Now make sure you aren't logged in as the root user. This is critical! Start a remote desktop for whatever user you are logged in with (not root).
14. Log into the remote desktop. Click the start menu, programs, apps, system, then select Nessus. You may have to run update-menus from the command prompt first if Nessus doesn't appear on the start menu.
15. Enter the Nessus username and password you created and click log in. Accept the security certificate.
16. You may wish to modify some settings or scans, such as entering your SMB information. Click start scan and wait for the results.
17. Read through the report very carefully. Nessus will probably find many things, some minor and some severe. Correct the security vulnerabilities and scan your system again. Repeat this procedure until you are happy with the level of security (hopefully no vulnerabilities).
18. I also recommend using the Bastille security auditor. It will check for potential security vulnerabilities and offer to correct them. Use the command:
apt-get install bastille InteractiveBastille
19. Follow through the prompts to audit your system's security. However, read each suggestion very carefully. Bastille may offer changes which prevent some software from operating correctly. For example, Bastille offered to limit Apache access to localhost on my system. Obviously if you wanted to run a public web server you would not want to enable this suggestion.
20. Finally I recommend installing a file integrity program. Use integrit for this:
apt-get install integrit
21. Preferably this should be done with a fresh install so you can be assured all critical files haven't been tampered with. Check /etc/integrit/integrit.debian.conf to verify the configuration options.
22. Then open /etc/integrit/integrit.conf and change the following:
uncomment: root=/
uncomment: known=/var/lib/integrit/known.cdb
uncomment: current=/var/lib/integrit/current.cdb
23. Also uncomment the appropriate lines to prevent checking commonly changed, unmounted, etc. files/directories. Usually this includes /cdrom, /proc, /var, and so on.
24. Lastly set the appropriate checks. I recommend:
checksum: s
permissions: p
number of links: l
uid: u
gid: g
access time: a
modification time: m
25. Now create the initial databases:
integrit -u -C /etc/integrit/integrit.conf; cp /var/lib/integrit/current.cdb /var/lib/integrit/known.cdb
26. I recommend setting a crontab job which will automatically verify the integrity of critical files and mail root upon any failure:
crontab -e
0 1 * * 0 integrit -C /etc/integrit/integrit.conf -c | mail root
27. This runs integrit every Sunday at 1 AM; adjust it according to your needs.
28. You may check file integrity at anytime using the command:
integrit -C /etc/integrit/integrit.conf -c > /somedirectory/changes.txt
29. This performs an immediate check and outputs the results to a file.
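Added here as an example (not from the original page) of how the cron job in step 26 can mail root only when integrit actually finds something, rather than on every run: a POSIX sh wrapper around the same integrit command. It assumes integrit prints one line per finding prefixed `changed: `, `new: ` or `missing: `, and the install path /usr/local/sbin/integrit-check.sh is a hypothetical one.

```shell
#!/bin/sh
# Added example (not from the original page): a wrapper for the weekly cron job
# in step 26 that mails root only when integrit actually reports something.
# Assumption: each integrit finding is one line prefixed "changed: ", "new: " or
# "missing: "; banner and summary lines carry other prefixes.

INTEGRIT_CONF=/etc/integrit/integrit.conf   # path used on the page
MAIL_TO=root

# Count finding lines in a report read from stdin. grep -c exits 1 on zero
# matches but still prints 0, so force a zero exit status.
count_findings() {
    grep -c -E '^(changed|new|missing): ' || true
}

# Print a one-line tally by finding type for a report read from stdin.
summarize_findings() {
    awk '/^(changed|new|missing): / { t = $1; sub(/:$/, "", t); c[t]++ }
         END { printf "changed=%d new=%d missing=%d\n",
                      c["changed"] + 0, c["new"] + 0, c["missing"] + 0 }'
}

# Run the check (same command as the page's cron line) and mail only on findings.
check_and_mail() {
    report=$(integrit -C "$INTEGRIT_CONF" -c 2>&1)
    n=$(printf '%s\n' "$report" | count_findings)
    if [ "$n" -gt 0 ]; then
        summary=$(printf '%s\n' "$report" | summarize_findings)
        printf '%s\n' "$report" | mail -s "integrit on $(hostname): $summary" "$MAIL_TO"
    fi
    return 0
}

# Constructed sample report (not real integrit output) used to exercise the helpers.
SAMPLE_REPORT='integrit: ---- integrit, version (placeholder) ----
integrit: conf file : /etc/integrit/integrit.conf
changed: /etc/passwd   s(...) m(...)
new: /usr/local/bin/unexpected
changed: /bin/login   s(...)
missing: /etc/hosts.allow
integrit: done'

# Hypothetical install: 0 1 * * 0 /usr/local/sbin/integrit-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_and_mail
fi
```

Without `--run` the script only defines the helpers, so it can be sourced and checked against the constructed sample before being put in the crontab.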