Annotated edit history of
AdvancedSecurityNotes version 3, including all changes.
View license author blame.
Rev |
Author |
# |
Line |
1 |
PerryLorier |
1 |
!!!Some advanced security hints |
|
|
2 |
|
|
|
3 |
!!Use tcpwrappers |
|
|
4 |
|
|
|
5 |
Use tcpwrappers to limit exposure of services to the Internet. For instance, set up tcpwrappers to only allow services to be used from a very strict number of places eg: |
|
|
6 |
/etc/hosts.allow |
|
|
7 |
ssh: 192.168.2. |
|
|
8 |
/etc/hosts.deny |
|
|
9 |
ssh: DENY |
|
|
10 |
|
|
|
11 |
Consider where you will be connecting from, for instance within a netblock, within NZ, or not from korea and configure tcpwrappers accordingly. |
|
|
12 |
|
|
|
13 |
!!Change offsets |
|
|
14 |
use |
|
|
15 |
preload -R |
2 |
PerryLorier |
16 |
which randomises offsets of libraries, making more exploits fail. Not a great help, but worth a try, every bit helps. As a nice side effect, dynamic linking time is improved too :) |
1 |
PerryLorier |
17 |
|
|
|
18 |
!!Prevent system accounts using networking in unauthorised ways |
|
|
19 |
use iptables(8) stateful firewalling to disallow incoming connections to ports that aren't explicitly allowed by the administrator, but still allow ftp etc through. Thus exploits which open a rootshell on port 6666 will fail, as incoming connections to port 6666 will be firewalled. |
|
|
20 |
|
|
|
21 |
use iptables(8) uid matching to disallow outgoing connections from system accounts. This prevents exploits from downloading more stuff (such as a local root exploit to get root) and is usually a very good indicator that your box is compromised and can be used to generate automatic notifications. |
|
|
22 |
iptables --insert OUTPUT --jump DROP -m state --state NEW --uid-owner www-data |
|
|
23 |
(note, check the above line, I've not tested it, although I've used the principle before). |
3 |
PerryLorier |
24 |
|
|
|
25 |
Remember to allow system accounts access to things such as SMTP on the local machine, and DNS if they require them. If you're running web mail, you'll also need access from the web server to imap for instance. |