[GTALUG] Linux hardening question

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Wed Jun 28 10:05:16 EDT 2017


On Tue, Jun 27, 2017 at 07:53:02PM -0400, Kevin Cozens via talk wrote:
> On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
> >I am starting to go down the road to harden a Linux server, I am using
> >the Ubuntu server image as my starting point.
> [snip]
> >Q: What service should I consider disabling from starting automatically.
> 
> Disable any service you won't need for what you are going to be doing with
> the machine. :)
> 
> >I am reading up on iptables and also know about ufw, but not sure how
> >to set up a good firewall, like what to block and not.
> 
> It depends on the extent to which you want to harden the machine. One way to
> set up a firewall is deny everything by default then open the holes for the
> services you need. firewalld is also a firewall related package I've been
> running across lately.
> 
> Install logwatch and have it send the logs to you on a daily basis.
> Use fail2ban to automatically firewall any machine who fails too many times
> to login via SSH.
> 
> You may also want to "chmod 711 /etc", FWIW.

How well does that work out?  So regular users (and services not running
as root) can't resolve dns anymore (can't read nsswitch.conf or
resolv.conf).  That sounds inconvenient.

> If you are really serious about hardening a machine read up on SELinux.

-- 
Len Sorensen
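
An added example, not part of the original thread: a small model of the POSIX permission check, showing what a non-root user can list and open under /etc when the directory is mode 755, 711 or 700. The file modes, uid/gid values and helper names are constructed for illustration; ACLs, capabilities and LSMs such as SELinux are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Node:
    mode: int  # permission bits, e.g. 0o711
    uid: int   # owning user
    gid: int   # owning group

def allowed(node, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits.
    `want` is a mask of 4 (read), 2 (write), 1 (execute/search)."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return ((bits & 7) & want) == want

def ancestors(path):
    """'/etc/resolv.conf' -> ['/', '/etc']"""
    out = ["/"]
    for part in path.strip("/").split("/")[:-1]:
        out.append(out[-1].rstrip("/") + "/" + part)
    return out

def can_read(tree, path, uid, gids):
    """Reading a file's contents, or listing a directory's names, needs
    search (x) on every directory above it and read (r) on the object itself."""
    return (all(allowed(tree[d], uid, gids, 1) for d in ancestors(path))
            and allowed(tree[path], uid, gids, 4))

def report(etc_mode, uid=1000, gids=(1000,)):
    # Constructed sample tree: typical owners and modes, /etc set to etc_mode.
    tree = {
        "/": Node(0o755, 0, 0),
        "/etc": Node(etc_mode, 0, 0),
        "/etc/resolv.conf": Node(0o644, 0, 0),
        "/etc/shadow": Node(0o640, 0, 42),  # gid 42 stands in for a shadow group
    }
    return {"list /etc": can_read(tree, "/etc", uid, gids),
            "read resolv.conf": can_read(tree, "/etc/resolv.conf", uid, gids),
            "read shadow": can_read(tree, "/etc/shadow", uid, gids)}

if __name__ == "__main__":
    for mode in (0o755, 0o711, 0o700):
        print(oct(mode), report(mode))
```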

