-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 P PRABHU wrote: > HI > > Steps : > > 1 ) Dont run Xwindows and better install MINIMAL/SERVER edition of OS > 2 ) Remove all unwanted packages. U can very well reduce the number of > packages to 300max > 3 ) Remove all unwanted user/group accounts > 4 ) Update the packages > 5 ) Do security tunings in Sysctl.conf > 6 ) Do security tunings in ssh like stop Xforwarding, No Root Login etc > 7 ) Put Warning in MOTD , issue and issue.nt > 8 ) Make sure u need anonymous ftp or not > 9 ) Signature off the Apache > 10 ) Put login alert script in ,bashrc and .bash_logout to mail u if someone > logsin/out > 11 ) Run tripwire daily > 12 ) Keep the machine behind firewall,ids/ips > 13 ) Do security tunings in security.conf > 14 ) Run apache-ssl instaed of apache > 15 ) Run apache etc in chroot > 16 ) Check whether u need Directory listing in Apache if not block it. > 17 ) Run Clamav kind of freeAV for scanning. > 18 ) > To prevent ProFTPd DoS attacks using ../../.., add the following line in > /etc/proftpd.conf: DenyFilter \*.*/ > > Finally > > 1 ) Run free Vulnerability scanners like Retina etc and find any > vulnerability is there in final machine > 2 )take all inventory like packages installed etc and do a weekly check is > there any change in packages. > > Libras > > ----- Original Message ---- > From: Jean-Paul Lacquement <[EMAIL PROTECTED]> > To: [email protected] > Sent: Wednesday, May 7, 2008 2:39:02 PM > Subject: securing server > > Hi, > > I plan to secure my Debian stable (or testing if you say it's better) server. > > > I already did the followings: > - installed chkrootkit > - installed fail2ban (for ssh and proftpd) > - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2 > > > The followings daemon are installed : > - proftpd > - apache2 > - ssh > > Would you please list me which packages to install and which rules to apply ? > > Many thanks, > Jean-Paul > >
Expanding on that, go to town with metasploit, nessus and nmap. See if _YOU_ can get in. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIKRo4LeTfO4yBSAcRAjCGAKDITgERoE9+kJ/lKQ/FF20wzz46qwCdHrMV wZyGTF8TFmC1vZA2/2V4Mgk= =ouEN -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
