Thursday, June 19, 2008

Simple Debian Lockdown (for those of you under NESSUS scrutiny)

There are a million ways to lock down a server. I prefer the non-paranoid method, since none of the data I work with is valuable enough to warrant all the extra setup for paranoia mode.

I recommend the following three very simple tasks to lock down your Linux server (specifically Debian Etch).

  1. Prevent root logins from SSH

  2. Turn off ident

  3. Disable RPC (only do this if you do not use NFS)

Preventing root logins via SSH is a good idea for two reasons.

  • It lets you accurately log who is accessing your system; root can be somewhat anonymous if several people know the password.

  • If someone who does know the root password becomes a threat, you simply have to restrict their username from being granted access (and physical security, of course). This is a lot better than having to change the root password in a pinch (I like not having to update documentation every time someone leaves my company).

Removing ident is merely to make NESSUS complain less. It's not really needed, so let's shut it off.

  • Open /etc/inetd.conf in Vi/Emacs/whatever

  • Comment out the line that begins with ident (just add a # at the beginning of the line)

  • Save the file and restart inetd:  /etc/init.d/inetd restart

Finally, another thing to make NESSUS happy is to disable RPC if you aren't using it (NFS shares, mainly). Simply remove the package portmap from your system. On Debian: apt-get remove portmap
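As an added example that is not part of the original post, here is a small POSIX sh script that checks and applies the three steps above. It assumes the sshd directive is PermitRootLogin in /etc/ssh/sshd_config and the inetd file is /etc/inetd.conf (neither path is named in the post), and it takes config paths as arguments so you can try it on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post): audit and apply the three steps above.
# Config paths are parameters, defaulting to the assumed Etch paths, so you can try it on copies.

# Step 1 check: sshd uses the FIRST uncommented PermitRootLogin it reads, so
# only that one counts; returns 0 only when it is explicitly "no". A missing
# directive counts as NOT disabled (Etch's sshd defaulted to "yes").
ssh_root_login_disabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg" 2>/dev/null)
    [ "$val" = "no" ]
}

# Step 1 fix: set every uncommented PermitRootLogin to "no" (so no earlier "yes" wins)
# or append one. Then /etc/init.d/ssh restart and confirm a non-root login still works.
disable_ssh_root_login() {
    cfg="${1:-/etc/ssh/sshd_config}"
    if grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        awk 'tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; next } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'PermitRootLogin no\n' >> "$cfg"
    fi
}

# Step 2 check: a service line starts with its name in column 1, so the post's leading
# "#" is what disables it; a missing inetd.conf (no inetd at all) also counts as disabled.
ident_disabled() {
    cfg="${1:-/etc/inetd.conf}"
    ! grep -qE '^ident[[:space:]]' "$cfg" 2>/dev/null
}

# Step 2 fix: comment the ident line out, then /etc/init.d/inetd restart.
disable_ident() {
    cfg="${1:-/etc/inetd.conf}"
    sed 's/^\(ident[[:space:]]\)/#\1/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Step 3 check: dpkg reports "install ok installed" while portmap is present.
portmap_removed() {
    ! dpkg-query -W -f='${Status}' portmap 2>/dev/null | grep -q 'install ok installed'
}
# Report all three against the live system: sh lockdown.sh audit
audit() {
    ssh_root_login_disabled && echo "ssh: root login disabled" || echo "ssh: ROOT LOGIN ALLOWED"
    ident_disabled && echo "ident: off" || echo "ident: still enabled in inetd.conf"
    portmap_removed && echo "rpc: portmap not installed" || echo "rpc: portmap installed"
}
case "${1:-}" in audit) audit ;; esac
```

The fix functions rewrite the file in place, so run them as root on the real paths only after the audit on a copy shows what they would change.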