12th May 2008
schrodinger

My suggestions for hardening (that I can remember without documentation):

-Disable root login for sshd (should be done by default)
-Change SSHD port to something different and only allow certain users/groups to login to sshd
-If you can't/don't want to change the listening port then set up something like swatch or denyhosts to block any IP addresses attempting to brute force accounts on your box
-Disable any services you do not need (don't use inetd if you don't need to)
-add -ss to disable syslogd binding to a socket
-use secure permissions on log files (don't allow any user who doesn't need to read log files access to them)
-remove sticky bit on set UID/GID binaries
-only allow authorised users to run cron jobs
-change default encryption for passwords to blowfish
-set up PF to block network access to services that remote hosts don't need access to
-add the following to /etc/rc.conf
-+ icmp_drop_redirect="YES"
-+ icmp_log_redirect="YES"
-+ log_in_vain="YES"
-Bring the ARP cache timeout down to five minutes. Append to /etc/sysctl.conf - 'net.link.ether.inet.max_age=300'
-remove toor account
-nosuid options on /tmp in /etc/fstab
__________________
It was a new day yesterday, but it's an old day now.
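An added example, not part of the original post: a small sh audit that checks a FreeBSD config tree for the file-based items in the checklist above. The function names (has, audit_hardening, make_sample) are hypothetical, the sample files are constructed, and the sshd_config keywords PermitRootLogin and AllowUsers/AllowGroups and the rc.conf variable syslogd_flags are assumed as the usual way to express those items, since the post does not name them.

```shell
#!/bin/sh
# Added example (not from the post): audit a FreeBSD config tree for checklist items.
# Only explicit, uncommented settings count; built-in defaults are not inferred.

# has FILE REGEX: true if an uncommented line of FILE matches REGEX.
has() { [ -f "$1" ] && grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"; }

# audit_hardening ROOT: print ok/FAIL per item, set $fails, return 0 only if clean.
# ROOT is a directory prefix; pass "" to audit the live system.
audit_hardening() {
    root=$1; fails=0; s='[[:space:]]'
    check() {  # check DESCRIPTION FILE REGEX [absent]
        if has "$root$2" "$3"; then r=present; else r=absent; fi
        if [ "$r" = "${4:-present}" ]; then echo "ok    $1"
        else echo "FAIL  $1 ($2)"; fails=$((fails + 1)); fi
    }
    check 'sshd root login disabled' /etc/ssh/sshd_config "^$s*PermitRootLogin$s+no($s|\$)"
    check 'sshd limited to users/groups' /etc/ssh/sshd_config "^$s*Allow(Users|Groups)$s+[^#]"
    check 'syslogd -ss' /etc/rc.conf '^syslogd_flags="[^"]*-ss'
    for v in icmp_drop_redirect icmp_log_redirect log_in_vain; do
        check "$v" /etc/rc.conf "^$v=\"YES\""
    done
    check 'ARP cache timeout 300s' /etc/sysctl.conf "^net\.link\.ether\.inet\.max_age=300$s*\$"
    check '/tmp nosuid' /etc/fstab "^[^[:space:]]+$s+/tmp$s+[^[:space:]]+$s+([^[:space:]]*,)?nosuid(,|$s|\$)"
    check 'toor account removed' /etc/passwd '^toor:' absent
    [ "$fails" -eq 0 ]
}

# make_sample DIR: write a constructed, partly hardened tree (4 items missing).
make_sample() {
    mkdir -p "$1/etc/ssh"
    printf '%s\n' '#PermitRootLogin no' 'Port 2222' 'AllowGroups wheel' > "$1/etc/ssh/sshd_config"
    printf '%s\n' 'syslogd_flags="-ss"' 'icmp_drop_redirect="YES"' 'log_in_vain="YES"' > "$1/etc/rc.conf"
    echo 'net.link.ether.inet.max_age=1200' > "$1/etc/sysctl.conf"
    echo '/dev/ada0p4 /tmp ufs rw,nosuid 2 2' > "$1/etc/fstab"
    echo 'toor:*:0:0:Bourne-again Superuser:/root:' > "$1/etc/passwd"
}

# Demo: "sh audit.sh demo" audits the constructed tree in a temp dir.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_sample "$d"
    audit_hardening "$d" || echo "$fails item(s) missing"
    rm -rf "$d"
fi
```

Items that are not a single config line (log file permissions, cron access, PF rules, unneeded services) are outside what this check covers.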