Re: securing server

2008-05-12 Thread Rich Healey
P PRABHU wrote: > HI > > Steps : > > 1 ) Don't run Xwindows and better install MINIMAL/SERVER edition of OS > 2 ) Remove all unwanted packages. U can very well reduce the number of > packages to 300max > 3 ) Remove all unwanted user/group accounts >

Re: securing server

2008-05-12 Thread Rich Healey
Oliver Antwerpen wrote: > > Steve wrote: >> On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath >> ([EMAIL PROTECTED]) wrote: >> >> >>>just my two pence. >>> >> >> and my two centimes. >> >> >>>* Change the ports of most p

Re: securing server

2008-05-09 Thread Simon Brandmair
On Thu, 08 May 2008 08:40:12 +0200 Bjørn Mork wrote: > martin f krafft <[EMAIL PROTECTED]> writes: >> thus spoke Simon Brandmair <[EMAIL PROTECTED]> [2008.05.07.2020 +0100]: >>> > no security benefit >>> >>> Just wondering: Why not? >> >> http://www.bpfh.net/simes/computing/chroot-break.html >

Re: securing server

2008-05-09 Thread Johannes Graumann
The database should be on read-only media - I assume that was meant ... try samhain in combination with gnupg for a remedy ... Joh On Friday 09 May 2008 14:54:40 phobot wrote: > On May 7, 1:10 pm, martin f krafft <[EMAIL PROTECTED]> wrote: > > > use integrit/aide/tripwire > > > > only useful wit

Re: securing server

2008-05-09 Thread weakish
On Fri, 2008-05-09 at 09:24 -0400, Noah Meyerhans wrote: > > At least tripwire has the ability to encrypt its database, which helps > to mitigate this problem. The claim that tripwire is only useful with > read-only media is too strong; it can be quite useful without it. > And you can sign yo

Re: securing server

2008-05-09 Thread Noah Meyerhans
On Fri, May 09, 2008 at 05:54:40AM -0700, phobot wrote: > On May 7, 1:10 pm, martin f krafft <[EMAIL PROTECTED]> wrote: > > > use integrit/aide/tripwire > > > > only useful with read-only media > > OK, I don't get it if the media is read-only none can alter it so you > don't really need tripwire.

Re: securing server

2008-05-09 Thread phobot
On May 7, 1:10 pm, martin f krafft <[EMAIL PROTECTED]> wrote: > > use integrit/aide/tripwire > > only useful with read-only media OK, I don't get it if the media is read-only none can alter it so you don't really need tripwire. But if the media is writable so changes can be made you need to run tr

Re: securing server

2008-05-08 Thread Maik Holtkamp
Hi, Jean-Paul Lacquement wrote @ 07.05.2008 13:03: |> Besides that, what applications you plan to run? | | This server will only run proftpd, ssh, apache, nagios(via http), samba and cups *Oh*. IMHO you should consider whom you will serve,

Re: securing server

2008-05-07 Thread Bjørn Mork
martin f krafft <[EMAIL PROTECTED]> writes: > thus spoke Simon Brandmair <[EMAIL PROTECTED]> [2008.05.07.2020 +0100]: >> > no security benefit >> >> Just wondering: Why not? > > http://www.bpfh.net/simes/computing/chroot-break.html You still need to be root before breaking the jail, and one of

Re: securing server

2008-05-07 Thread P PRABHU
HI Steps : 1 ) Don't run Xwindows and better install MINIMAL/SERVER edition of OS 2 ) Remove all unwanted packages. U can very well reduce the number of packages to 300max 3 ) Remove all unwanted user/group accounts 4 ) Update the packages 5 ) Do security tunings in Sysctl.conf 6 ) Do security tu

Re: securing server

2008-05-07 Thread Onno Gabriel
Hey guys, nice that you take care so much for server safety. But is this list not about "debian-security"? So, about security issues related to debian packages? There are hundreds of websites and forums about how to administrate and secure a webserver. Why do it here in this email list? Thanks

Re: securing server

2008-05-07 Thread Simon Valiquette
Jean-Paul Lacquement once wrote: Hi, I plan to secure my Debian stable (or testing if you say it's better) server. The following daemons are installed : - proftpd - apache2 - ssh If you need to offer a public ftp access, and that you don't need all the features of proftpd, I would su

Re: securing server

2008-05-07 Thread martin f krafft
thus spoke Simon Brandmair <[EMAIL PROTECTED]> [2008.05.07.2020 +0100]: > > no security benefit > > Just wondering: Why not? http://www.bpfh.net/simes/computing/chroot-break.html -- .''`. martin f. krafft <[EMAIL PROTECTED]> : :' : proud Debian developer, author, administrator, and user

Re: securing server

2008-05-07 Thread Simon Brandmair
On Wed, 07 May 2008 12:10:08 +0200 martin f krafft wrote: > thus spoke weakish <[EMAIL PROTECTED]> [2008.05.07.1028 +0100]: > >> You may consider chroot. > > no security benefit Just wondering: Why not? Cheers, Simon -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscr

Re: securing server

2008-05-07 Thread Ticlea Petru Alexandru
Jean-Paul Lacquement <[EMAIL PROTECTED]> wrote: Hi, I plan to secure my Debian stable (or testing if you say it's better) server. I already did the following: - installed chkrootkit - installed fail2ban (for ssh and proftpd) - allow only one user (not root) via /etc/ssh/sshd_config, only ssh

Re: securing server

2008-05-07 Thread Daniel Leidert
On Wednesday, 07.05.2008, at 19:39 +0800, Abdul Bijur Vallarkodath wrote: > haha. not really! if u have really managed an online server u'd have > seen tons of attacks and login attempts on your default ports by bots > looking around for weaker systems. But what you suggest doesn't increase th

Re: securing server

2008-05-07 Thread Alex Mestiashvili
Alex Mestiashvili wrote: Jean-Paul Lacquement wrote: Hi, I plan to secure my Debian stable (or testing if you say it's better) server. I already did the following: - installed chkrootkit - installed fail2ban (for ssh and proftpd) - allow only one user (not root) via /etc/ssh/sshd_config, o

Re: securing server

2008-05-07 Thread Alex Mestiashvili
Jean-Paul Lacquement wrote: Hi, I plan to secure my Debian stable (or testing if you say it's better) server. I already did the following: - installed chkrootkit - installed fail2ban (for ssh and proftpd) - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2 The following

Re: securing server

2008-05-07 Thread Harry Jackson
Just install xinetd and use the "only_from" option. H On Wed, 2008-05-07 at 19:39 +0800, Abdul Bijur Vallarkodath wrote: > haha. not really! if u have really managed an online server u'd have > seen tons of attacks and login attempts on your default ports by bots > looking around for weaker sys

Re: securing server

2008-05-07 Thread Oliver Antwerpen
Steve wrote: On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED]) wrote: just my two pence. and my two centimes. * Change the ports of most ports like ssh, ftp, smtp, imap etc. from the default ones to some other ones. From my poo

Re: securing server

2008-05-07 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: >>* Change the ports of most ports like ssh, ftp, smtp, imap etc. from the >>default ones to some other ones. > > From my poor understanding of security related issues, I guess this is > totally useless since any (good) port scanner will defeat th

Re: securing server

2008-05-07 Thread Steve
On 07-05-2008, at 19:39:57 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED]) wrote: >haha. not really! if u have really managed an online server u'd have >seen tons of attacks and login attempts on your default ports by bots >looking around for weaker systems. Yes I have also s

Re: securing server

2008-05-07 Thread Stephen Vaughan
If you're running apache I'd suggest installing modsecurity. As for the other services, disable password authentication on ssh (start using ssh keypairs), force ssh2 proftpd has a couple of tweaks, remove the banner, implement connection limits inetd is always worth shutting down unless you really

Re: securing server

2008-05-07 Thread Julien Gormotte
On Wed, 7 May 2008 13:03:03 +0200, "Jean-Paul Lacquement" <[EMAIL PROTECTED]> wrote: > > > I already did the following: > > > - installed chkrootkit > > > - installed fail2ban (for ssh and proftpd) > > > > Beware of DOS. > > > > > > > - allow only one user (not root) via /etc/ssh/sshd_con

Re: securing server

2008-05-07 Thread Holger Wesser
Jean-Paul Lacquement wrote: Would you please list me which packages to install and which rules to apply ? The Center of Internet Security has several documents of how to secure different operating systems: http://www.cisecurity.org/ Hope this helps. Regards, Holger

Re: securing server

2008-05-07 Thread Abdul Bijur Vallarkodath
haha. not really! if u have really managed an online server u'd have seen tons of attacks and login attempts on your default ports by bots looking around for weaker systems. This is hence especially helpful, I myself have seen these bot attacks reduce to almost zero once i had changed the port n

Re: securing server

2008-05-07 Thread Brent Clark
Jean-Paul Lacquement wrote: Hi, I plan to secure my Debian stable (or testing if you say it's better) server. I already did the following: - installed chkrootkit - installed fail2ban (for ssh and proftpd) - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2 The following

Re: securing server

2008-05-07 Thread Arture Le Coiffeur
On Wednesday, 2008-05-07 at 12:47:37 +0200, Steve wrote: > On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED]) > wrote: > >just my two pence. > and my two centimes. > >* Change the ports of most ports like ssh, ftp, smtp, imap etc. from the > >default o

Re: securing server

2008-05-07 Thread Jean-Paul Lacquement
> > I already did the following: > > - installed chkrootkit > > - installed fail2ban (for ssh and proftpd) > > Beware of DOS. > > > > - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2 > > If you have multiple administrators, you should not do that. I am the only one. >

Re: securing server

2008-05-07 Thread Steve
On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED]) wrote: >just my two pence. and my two centimes. >* Change the ports of most ports like ssh, ftp, smtp, imap etc. from the >default ones to some other ones. From my poor understanding of security rela

Re: securing server

2008-05-07 Thread martin f krafft
thus spoke weakish <[EMAIL PROTECTED]> [2008.05.07.1028 +0100]: > Use update-rc.d or sysv-rc-conf to disable unwanted daemons disable by making them all K00 links > logcheck hardly a security measure. > use integrit/aide/tripwire only useful with read-only media > You may consider chroot.

Re: securing server

2008-05-07 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > I already did the following: > - installed chkrootkit > - installed fail2ban (for ssh and proftpd) Beware of DOS. > - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2 If you have multiple administrators, you should not do that. >

Re: securing server

2008-05-07 Thread Abdul Bijur Vallarkodath
just my two pence. * Change the ports of most ports like ssh, ftp, smtp, imap etc. from the default ones to some other ones. It would be nice if you could mention what are you trying to shut out and against what are u trying to secure. Thanks, Abdul On 5/7/08, Jean-Paul Lacquement <[EMAIL PROT

Re: securing server

2008-05-07 Thread Jean-Paul Lacquement
Yes, I already had a look at those links. I asked this list because this web page may not cover every threat. Many thanks. Jean-Paul 2008/5/7 Yves-Alexis Perez <[EMAIL PROTECTED]>: > On Wed, May 07, 2008 at 09:09:02AM +, Jean-Paul Lacquement wrote: > > Hi, > > > > I plan to secure my Deb

Re: securing server

2008-05-07 Thread weakish
Just too many things. For example, Use update-rc.d or sysv-rc-conf to disable unwanted daemons Edit /etc/security/limits.conf logcheck use integrit/aide/tripwire configure firewall (via shorewall or iptables directly) etc. You may consider chroot. It's a good idea to read through securin

Re: securing server

2008-05-07 Thread Yves-Alexis Perez
On Wed, May 07, 2008 at 09:09:02AM +, Jean-Paul Lacquement wrote: > Hi, > > I plan to secure my Debian stable (or testing if you say it's better) server. […] > Would you please list me which packages to install and which rules to apply ? http://www.debian.org/doc/manuals/securing-debian-howto