[GTALUG] Linux hardening question

Ansar Mohammed ansarm at gmail.com
Thu Jun 29 15:31:10 EDT 2017


IMHO if you are looking for a hardened system you should not start with
Ubuntu.
Ubuntu is what I like to call 'kitchen sink Linux'.

Start with a minimal Debian install, then add the packages you need
incrementally.
Package removal is never an exact rollback of package installation.

Then add your IDS, customize whatever host based firewall.
Disable IPv6.
Disable broadcast icmp.

Etcetera etcetera etcetera ....
On Thu, Jun 29, 2017 at 3:20 PM Lennart Sorensen via talk <talk at gtalug.org>
wrote:

> On Thu, Jun 29, 2017 at 10:18:26AM -0400, Anthony de Boer via talk wrote:
> > Lennart Sorensen wrote:
> > > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk
> wrote:
> > > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod
> 600 on
> > > > many key files, the upshot of which was that everything on the
> "secured"
> > > > firewall had to run as root and it ended up less secure.
> > >
> > > And 711 is no better.  744 might work OK though.
> >
> > You mean "OK" in the "OK if you want to really torque nonroot users
> > off" sense, right?
> >
> > Just for fun, try "chmod 744 /etc" in a root shell, then "ls -la /etc"
> > from a nonroot shell.  Then change it back to 755 and deal with any other
> > users wondering why the machine did a weird there.  (For extra points, do
> > this on a nonshared machine!)
> >
> > Things like ls get really confused if they can see that the files are
> > there but can't even stat them let alone any other access.  Users
> > staring at all that STDERR don't fare much better.
>
> I find accidentally changing permissions on /tmp a much better way to
> get people confused and annoyed at you.
>
> --
> Len Sorensen
> ---
> Talk Mailing List
> talk at gtalug.org
> https://gtalug.org/mailman/listinfo/talk
>
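The 700/711/744/755 comparison for /etc in the quoted thread, as an added example that is not from anyone on the list: a Python probe that takes each mode's "others" bits, applies them to a scratch directory the current user owns, and reports whether that user can list, stat or read an entry. The file name "passwd" and its content are constructed; the probe is meaningless as root, since uid 0 bypasses mode bits.

```python
import os
import tempfile

# Constructed example: emulate what a non-root user experiences under a given
# directory mode by moving that mode's "others" triple onto the owner triple of
# a scratch directory we own, then probing it as ourselves.


def running_as_root():
    """Root bypasses mode bits entirely, so the probe says nothing as uid 0."""
    return os.geteuid() == 0


def what_others_see(dir_mode):
    """Return (can_list, can_stat, can_read) for a non-owner under dir_mode.

    can_list: readdir() works (needs r on the directory).
    can_stat: stat() of a known entry works (needs x, i.e. search, on the directory).
    can_read: open() of a known entry works (needs x on the directory and r on the file).
    """
    others = dir_mode & 0o007          # e.g. 0o744 -> 0o4 (r--)
    emulated = others << 6             # same bits, now in the owner triple
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
        os.chmod(path, 0o644)
        os.chmod(d, emulated)
        try:
            try:
                can_list = "passwd" in os.listdir(d)
            except PermissionError:
                can_list = False
            try:
                os.stat(path)
                can_stat = True
            except PermissionError:
                can_stat = False
            try:
                with open(path) as fh:
                    can_read = fh.read().startswith("root:")
            except PermissionError:
                can_read = False
        finally:
            os.chmod(d, 0o700)         # restore so cleanup can remove the directory
    return (can_list, can_stat, can_read)


def permission_matrix(modes=(0o700, 0o711, 0o744, 0o755)):
    """The thread's candidate modes for /etc, as a non-root user would see them."""
    return {oct(m): what_others_see(m) for m in modes}


if __name__ == "__main__":
    for mode, (lst, st, rd) in permission_matrix().items():
        print(f"{mode}: list={lst} stat={st} read={rd}")
```

Under 744 the names come back from readdir but every stat fails, which is exactly the state that confuses ls; 711 is the mirror image (no listing, but known names resolve).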