Linux notes
A page of notes and links to information about Linux systems
1. General information
Which Linux flavour/version? See this page: http://linuxmafia.com/faq/Admin/release-files.html
2. Security checklist for new systems
This checklist has served me well enough to date, but I invite further suggestions -- GrahamKlyne.
See also: http://www.ontonet.org/moin/LinuxSecurityNotes.
2.1. General
- Secure root password selected
- Shadow passwords enabled (on debian: shadowconfig on)
- Firewall activated, with incoming access for required services only
  - Check running services (on RedHat: chkconfig --list)
  - No unsecured Telnet or FTP access
- Security updates automatically checked and applied
- All accounts with non-trivial passwords (how to check?)
  - Restrict remote access to selected accounts (use AllowGroups in sshd_config)
  - Install SshBlack: see InstallingSshblack
- [[[TODO: Disable login to root account]]]
- [[[TODO: Enable SELinux controls for external services]]]
2.2. Apache httpd
- httpd installed to run using a non-root account (apache)
- CGI processes run in separate non-apache accounts (via suexec)
- /var/www/html/... files ownership apache:apache.
2.3. Restricting SSH access
Add the following directive to /etc/ssh/sshd_config:
AllowGroups remote
Create a new group called remote, if it doesn't already exist:
groupadd -r remote
The -r flag here is optional, and creates a "system" group (gid less than 1024).
Edit the file /etc/group, locate the entry for group remote, and add the accounts for which remote access is to be permitted as members; e.g.
remote:x:555:tom,dick,harry,bioimage
Check that file /etc/group is writeable only by the root user; e.g.
# ls -al /etc/group
-rw-r--r-- 1 root root 779 Jan 4 10:48 /etc/group
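An added example, not part of the original notes: a shell check of the procedure above that reports which accounts an AllowGroups line actually admits, including accounts whose primary group is the named group (sshd matches those too, although they do not appear in the /etc/group member list), and verifies that the group file is writable only by its owner. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes whitespace-separated
# "AllowGroups name ..." lines with literal names; Match/Include are ignored.

# Print each group named on an AllowGroups line (the keyword is case-insensitive).
allowed_groups() {  # $1 = sshd_config path
    awk 'tolower($1) == "allowgroups" {
        for (i = 2; i <= NF && $i !~ /^#/; i++) print $i }' "$1"
}

# Print the accounts that belong to group $3: the member list in the group
# file plus any account whose primary GID in the passwd file is that group.
group_accounts() {  # $1 = group file, $2 = passwd file, $3 = group name
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$1")
    [ -n "$gid" ] || return 1          # group is not defined at all
    {
        awk -F: -v g="$3" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# Succeed only if file $1 is owned by UID $2 and has no group/other write bit.
only_owner_writable() {  # $1 = file, $2 = expected owner UID (0 for root)
    ls -ldn "$1" 2>/dev/null | awk -v uid="$2" '
        { ok = ($3 == uid && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }
        END { exit !ok }'
}

# Constructed sample files (not real system data) so the example runs offline.
demo=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'Port 22' 'AllowGroups remote' > "$demo/sshd_config"
printf '%s\n' 'root:x:0:' 'remote:x:555:tom,dick,harry,bioimage' > "$demo/group"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'tom:x:1000:1000::/home/tom:/bin/sh' \
    'backup:x:1001:555::/home/backup:/bin/sh' > "$demo/passwd"
chmod 644 "$demo/group"

for g in $(allowed_groups "$demo/sshd_config"); do
    printf 'AllowGroups %s admits: ' "$g"
    group_accounts "$demo/group" "$demo/passwd" "$g" | tr '\n' ' '; echo
done
only_owner_writable "$demo/group" "$(id -u)" && echo "group file: owner-only write"
```

On a real system, pass /etc/ssh/sshd_config, /etc/group, /etc/passwd and UID 0 in place of the sample paths.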
3. References
(TBD)
-- GrahamKlyne 2006-09-20 21:42:45

