Differences between revisions 1 and 2
Revision 1 as of 2004-01-11 21:34:14
Size: 1965
Editor: anonymous
Comment:
Revision 2 as of 2009-03-16 03:31:36
Size: 1996
Editor: anonymous
Comment: converted to 1.6 markup

SecurityChecklist

Installing new packages

How do you check that the signatures on the packages you install are based on keys from the debian-keyring package?

General

These are some basic points, but be sure to read the HOWTO.

Networking

  • Check '/etc/inetd.conf' to ensure you haven't left any open ports/services you didn't mean to.
  • Use a firewall if you have services you want available locally or to a restricted set of IPs but not to everyone:
    'ipchains' (potato), 'iptables' (woody)

  • 'lsof -Pan -i tcp -i udp | less' (as root). This shows all network connections.

  • 'netstat -vae --inet | grep LISTEN | less' (as root). This lists open ports.

  • Ensure you know exactly what service has which port open and verify that any odd ports that are open are from daemons you mean to be running. Close any ports that you do not need open or any services that you do not want accessible to the outside world.

    Ask yourself if you really *need* that daemon to have an open port and, if not, disable it (perhaps it has switches to do so, or a config option that disables networking, as mysql does for instance).

  • Use encrypted protocols so that passwords don't go over the network as clear text, where anyone listening in can read them. For services that have no encrypted alternative, wrap them in SSL; stunnel can do this for POP or IMAP daemons, for instance.
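The inetd check above is easy to do by eye on a short file but easy to get wrong on a long one. The following POSIX shell snippet is an added example (not part of the original checklist) that lists the services still enabled in an inetd.conf-style file and flags any that are not on an allowlist of daemons you intend to run. The sample inetd.conf content and the allowlist are constructed here for demonstration; point it at a real file by passing its path instead.

```sh
#!/bin/sh
# Added example: which services does inetd actually have enabled?
# inetd.conf format: service socktype proto flags user server [args...]
# Disabled entries are commented out, so stripping '#...' leaves only live lines.

# Print the service name (first field) of every active, non-comment line in $1.
inetd_enabled_services() {
    # $1: path to an inetd.conf-style file
    sed -e 's/#.*$//' "$1" | awk 'NF >= 6 { print $1 }'
}

# Print the enabled services in $1 that are not in the space-separated
# allowlist $2, i.e. the ones you should explain or disable.
inetd_unexpected_services() {
    # $1: config path, $2: space-separated list of services you mean to run
    for svc in $(inetd_enabled_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;          # expected, nothing to report
            *) echo "$svc" ;;
        esac
    done
}

# Write a constructed sample inetd.conf (not taken from any real system) to $1.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# /etc/inetd.conf: constructed sample for the checklist example
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd   /usr/sbin/in.telnetd
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd   /usr/sbin/in.ftpd
ident    stream  tcp  nowait  nobody  /usr/sbin/identd identd -i
#pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd   /usr/sbin/in.pop3d
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd   /usr/sbin/in.fingerd
EOF
}

# Demonstration on the constructed sample: ftp and ident are intended,
# so finger is reported as the one to look into.
sample=$(mktemp)
write_sample_inetd_conf "$sample"
echo "Enabled services:"
inetd_enabled_services "$sample"
echo "Enabled but not on the allowlist:"
inetd_unexpected_services "$sample" "ftp ident"
rm -f "$sample"
```

Run it as root against '/etc/inetd.conf' with your own allowlist; anything it reports should either be added to the list deliberately or commented out and inetd restarted. It only covers inetd-managed services, so still confirm the result against the 'netstat' and 'lsof' listings above for daemons that open ports on their own.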

Kernel Hardening