Simple Debian Lockdown (for those of you under Nessus scrutiny)
by ZZTopping on Jun.19, 2008, under Linux
There are a million ways to lock down a server. I prefer the non-paranoid method, since none of the data I work with is valuable enough to warrant the extra setup that paranoia mode requires.
I recommend the following three very simple tasks to lock down your Linux server (specifically Debian Etch).
- Prevent root logins from SSH
- Turn off ident
- Disable RPC (only do this if you do not use NFS)
Preventing root logins via SSH is a good idea for two reasons.
- It lets you accurately log who is accessing your system. root is somewhat anonymous once several people know the password.
- If someone who knows the root password becomes a threat, you simply have to stop their own username from being granted access (and handle physical security, of course). This is a lot better than having to change the root password in a pinch (I like not having to update documentation every time someone leaves my company).
Before you turn this on, make sure every admin has an ordinary account that can su or sudo to root, and keep your current SSH session open while you reload sshd so that a typo in the config does not lock you out.
Removing ident is merely to make Nessus complain less. It's not really needed, so let's shut it off.
- Open /etc/inetd.conf in vi/Emacs/whatever.
- Comment out the line that begins with ident (just add a # at the beginning of the line).
- Save the file and restart inetd: /etc/init.d/inetd restart (on Etch's default openbsd-inetd package the init script is /etc/init.d/openbsd-inetd instead). Afterwards confirm that nothing is listening on TCP port 113 any more; the open port is what the scanner actually sees.
Finally, another thing to make Nessus happy is to disable RPC if you aren't using it (NFS shares mainly). Simply remove the portmap package from your system. On Debian: apt-get remove portmap. Before you do, run rpcinfo -p to see what is still registered with the portmapper, and read the list of dependent packages apt-get offers to remove along with it; NIS clients and anything else built on RPC will go too.
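The three tasks above as one script, added here as an example and not code from the original post. It wraps each task in a function with a matching check so you can see what the next scan will still flag, and it assumes a ROOT variable (introduced here, not part of Etch) that points the file edits at a scratch copy of /etc for rehearsal; leave ROOT empty on the real box. It also assumes Etch's default openbsd-inetd init script.

```shell
#!/bin/sh
# Added example, not the original post's code: the three Etch lockdown tasks as
# idempotent functions with matching checks, so you can see what the next
# Nessus scan will still complain about before it runs.
#
# ROOT is an assumption introduced here for rehearsal: set it to a scratch copy
# of a filesystem (ROOT=/tmp/fakeroot) and the file edits land there instead of
# in the live /etc. Leave it empty on the real box.
ROOT="${ROOT:-}"

# --- Task 1: no root logins over SSH -----------------------------------------
# OpenSSH takes the first PermitRootLogin directive it sees and defaults to
# "yes" when none is present, so only an active (uncommented) "no" passes.
check_root_ssh() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { exit (v == "no" ? 0 : 1) }' "$ROOT/etc/ssh/sshd_config"
}

# Rewrite every active PermitRootLogin line to "no"; append one if the file
# never set it. Commented-out defaults are left alone. Running this twice
# yields the same file.
disable_root_ssh() {
    cfg="$ROOT/etc/ssh/sshd_config"
    tmp="$cfg.tmp.$$"
    awk 'tolower($0) ~ /^[ \t]*permitrootlogin([ \t]|$)/ { print "PermitRootLogin no"; seen = 1; next }
         { print }
         END { if (!seen) print "PermitRootLogin no" }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# --- Task 2: ident out of inetd.conf -----------------------------------------
# Passes when no uncommented line has "ident" as its service field.
check_ident_off() {
    awk '$1 == "ident" { on = 1 } END { exit (on ? 1 : 0) }' "$ROOT/etc/inetd.conf"
}

# Comment out active ident lines, exactly like the post's manual edit.
# (update-inetd --disable ident does the same on a real Debian box.)
disable_ident() {
    conf="$ROOT/etc/inetd.conf"
    tmp="$conf.tmp.$$"
    awk '$1 == "ident" { print "#" $0; next } { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# --- Task 3: RPC ---------------------------------------------------------------
# Passes when the portmap package is not installed. dpkg-query reports
# "deinstall ok config-files" for a removed package, hence the exact match.
check_rpc_off() {
    ! dpkg-query -W -f='${Status}' portmap 2>/dev/null | grep -q '^install ok installed$'
}

# Not wired into apply_all: only run it when nothing needs the portmapper.
# rpcinfo -p shows what is currently registered, and apt-get lists every
# package (NFS, NIS, ...) it would remove along with portmap before asking.
remove_portmap() {
    rpcinfo -p 2>/dev/null || echo "nothing registered with portmap (or it is not running)"
    apt-get remove portmap
}

check_all() {
    status=0
    check_root_ssh  && echo "ok    PermitRootLogin no"      || { echo "TODO  root can still log in over SSH"; status=1; }
    check_ident_off && echo "ok    ident disabled in inetd" || { echo "TODO  ident still active in inetd.conf"; status=1; }
    check_rpc_off   && echo "ok    portmap not installed"   || { echo "TODO  portmap installed (fine if you need NFS)"; status=1; }
    return $status
}

apply_all() {
    disable_root_ssh
    disable_ident
    if [ -z "$ROOT" ]; then
        # Keep your current session open: sshd -t rejects a broken config before
        # the reload, but a non-root account that can su/sudo must already exist.
        sshd -t && /etc/init.d/ssh reload
        # Etch's default inetd; use /etc/init.d/inetd restart for netkit-inetd.
        /etc/init.d/openbsd-inetd restart
    fi
}

case "${1:-}" in
    check) check_all ;;
    apply) apply_all ;;
esac
```

Run it as sh lockdown.sh check before and after the scan; apply performs the two file edits and the service reloads, while portmap removal is deliberately left to remove_portmap so the NFS decision stays a conscious one. The checks look only at the config files and package state, so after apply it is still worth confirming from another host that port 113 is closed and that ssh root@box is refused.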
July 30th, 2008 on 8:03 pm
I need to update more.
September 19th, 2008 on 5:12 am
Hi, I found your blog on this new directory of WordPress blogs at blackhatbootcamp.com/listofwordpressblogs. I don't know how your blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.