[GTALUG] Linux hardening question
Christopher Browne
cbbrowne at gmail.com
Wed Jun 28 11:34:27 EDT 2017
On 27 June 2017 at 19:53, Kevin Cozens via talk <talk at gtalug.org> wrote:
> On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
>>
>> I am starting to go down the road to harden a Linux server, I am using
>> the Ubuntu server image as my starting point.
>
> [snip]
>>
>> Q: What service should I consider disabling from starting automatically.
>
>
> Disable any service you won't need for what you are going to be doing with
> the machine. :)

Better still, uninstall...

The OpenBSD philosophy is that they set up virtually all services as
deactivated by default; you are expected to configure and activate anything
that you need.

That's philosophically pretty appropriate.

Unfortunately, some services may induce others that you weren't expecting.

At any rate, reviewing /etc/init.d, /lib/systemd/system, and such is a wise
idea.

> You may also want to "chmod 711 /etc", FWIW.

That means that non-root-space applications will have no access to their
configuration in /etc, thereby breaking services.

Notable ones I notice there include:
- Oops, your shell can't get at defaults under /etc
- Postgres default configuration on my Debian system
- MySQL default configuration

It also breaks users' DNS resolution, normally controlled
by /etc/resolv.conf

/etc/passwd is probably needful too...

I wouldn't be too quick to chmod /etc ...

--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
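
The review of /etc/init.d and /lib/systemd/system suggested in the message above, as an added example that is not part of the original post. It assumes the Debian/Ubuntu layout (enabled units as symlinks under /etc/systemd/system/*.wants, SysV start links under /etc/rcN.d); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the Debian/Ubuntu layout;
# function names are hypothetical. ROOT defaults to /, or pass a mounted image.

# "systemd <target> <unit>" for each unit enabled through a *.wants/ symlink.
list_enabled_units() {
    root="${1:-/}"
    for dir in "$root"/etc/systemd/system/*.wants; do
        [ -d "$dir" ] || continue
        target=$(basename "$dir" .wants)
        for link in "$dir"/*; do
            [ -L "$link" ] || continue
            printf 'systemd %s %s\n' "$target" "$(basename "$link")"
        done
    done
}

# "sysv <rcN.d> <script>" for each S?? start link in runlevels 2-5.
list_sysv_starts() {
    root="${1:-/}"
    for link in "$root"/etc/rc[2-5].d/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        level=$(basename "$(dirname "$link")")
        name=$(basename "$link" | sed 's/^S[0-9][0-9]//')
        printf 'sysv %s %s\n' "$level" "$name"
    done
}

# Packaged .service units with no .wants link: installed but not enabled.
# They can still be pulled in by another unit, so they are uninstall candidates.
list_installed_not_enabled() {
    root="${1:-/}"
    enabled=$(list_enabled_units "$root" | awk '{print $3}' | sort -u)
    for unit in "$root"/lib/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        printf '%s\n' "$enabled" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Run all three against the live system: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    list_enabled_units /
    list_sysv_starts /
    list_installed_not_enabled /
fi
```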