Differences between revisions 5 and 6
Revision 5 as of 2011-04-26 20:37:48
Size: 2094
Editor: skizzhg
Comment:
Revision 6 as of 2013-02-22 00:38:45
Size: 2101
Editor: ?EliFlanagan
Comment: Bad link
Deletions are marked like this. Additions are marked like this.
Line 34: Line 34:
 * See http://www.linux-sec.net/Kernel/  * See --(http://www.linux-sec.net/Kernel/ )--

Translation(s): English - Italiano

SecurityChecklist

Installing new packages

How do you check the signatures on packages you install are based on the keys from the debian-keyring package?

General

These are some basic points but be sure to read the HOWTO.

Networking

  • Check '/etc/inetd.conf' to ensure you haven't left any open ports/services you didn't mean to.
  • Use a firewall if you have services you want available locally or to a restricted set of IPs but not to everyone - 'ipchains' (potato), 'iptables' (woody)
  • 'lsof -Pan -i tcp -i udp ||less' (as root) This shows all network connections

  • 'netstat -le --inet||less' (as root) This lists open ports

  • Ensure you know exactly what service has which port open and verify that any odd ports that are open are from daemons you mean to be running. Close any ports that you do not need open or any services that you do not want accessible to the outside world.

    Ask yourself if you really * need ** that daemon to have an open port and if not then disable it (perhaps it has switches to do so or a config option that would disable networking (like mysql for instance))

  • Use encrypted protocols so that passwords don't go over the network as clear text leaving them vulnerable to anyone who may be listening in. You can avoid this by wrapping services which have no encrypted alternative in SSL for instance. You might look at stunnel to do this for instance for POP or IMAP daemons.

Kernel Hardening