I recommend the following three very simple tasks to lock down a Linux server (specifically Debian Etch):
- Prevent root logins over SSH
- Turn off ident
- Disable RPC (only do this if you do not use NFS)
Preventing root logins over SSH (set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd) is a good idea for two reasons. Both assume that each administrator has a personal account and escalates with su or sudo once logged in.
- It lets you accurately log who is accessing your system. Root is effectively anonymous if several people know the password: the log shows only "root", not which person used it.
- If someone who knows the root password becomes a threat, you simply revoke access for their username (and handle physical security, of course). This is a lot better than having to change the root password in a pinch, and it means the documentation does not have to be updated every time someone leaves the company.
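As an added example (not part of the original post), here is a small shell script that reports the effective PermitRootLogin setting of an sshd_config and rewrites it to no. The directive name and the /etc/ssh/sshd_config path are OpenSSH's real ones; the sample config it operates on is constructed for the demo, and the script assumes the plain "keyword value" form with no Match blocks (Etch's OpenSSH 4.3 has none) and OpenSSH's compiled-in default of yes when the directive is absent.

```shell
#!/bin/sh
# Added example, not from the original post: inspect and fix the
# PermitRootLogin directive in an sshd_config-style file.

# Print the effective PermitRootLogin value. sshd honours the first
# uncommented occurrence of a keyword; when it is absent, the compiled-in
# default applies (assumed "yes", which is what OpenSSH shipped before 7.0).
effective_permit_root_login() {
    awk '
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Replace every active PermitRootLogin line with "PermitRootLogin no", or
# append one if the directive is missing. Commented-out copies are left alone.
# Run against /etc/ssh/sshd_config as root, then: /etc/init.d/ssh restart
disable_root_login() {
    cfg="$1"
    tmp="$cfg.tmp"
    awk '
        tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; done = 1; next }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a constructed sample config (not a real server's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config for the demo
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
echo "before: PermitRootLogin $(effective_permit_root_login "$demo_cfg")"
disable_root_login "$demo_cfg"
echo "after:  PermitRootLogin $(effective_permit_root_login "$demo_cfg")"
rm -f "$demo_cfg"
```

Note that the commented-out `#PermitRootLogin no` line in the sample does nothing; only the active `PermitRootLogin yes` counts, which is exactly the kind of line a quick visual check tends to miss. After editing the real file, restart sshd and confirm from a second session that `ssh root@host` is refused before closing the one you are logged in on.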
Removing ident is merely to make Nessus complain less. It is not really needed, so let's shut it off.
- Open /etc/inetd.conf in vi/Emacs/whatever
- Comment out the line that begins with ident (just add a # at the beginning of the line)
- Save the file and restart inetd: /etc/init.d/inetd restart
Finally, another thing that makes Nessus happy is disabling RPC if you are not using it (NFS shares mainly, but also NIS or any other ONC RPC service, since they all depend on the portmapper). Simply remove the portmap package from your system. On Debian: apt-get remove portmap
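As an added example covering the ident procedure above (not part of the original post), this script comments out the ident entry in an inetd.conf the same way the manual steps do, and then lists the services inetd will still start so you can see what is left before restarting it. The file layout (service name in the first column, # for comments) is the real inetd.conf format; the sample file and the hypothetical helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: disable a service in an
# inetd.conf by commenting out its entry, then show what remains active.

# Print the service names inetd would still start from the given file,
# skipping blank lines and comment lines (including Debian's "#:GROUP:" markers).
active_inetd_services() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Comment out every active entry whose service name is $2 (e.g. "ident").
# Entries that are already commented out are left untouched.
# Run against /etc/inetd.conf as root, then: /etc/init.d/inetd restart
disable_inetd_service() {
    cfg="$1"
    svc="$2"
    tmp="$cfg.tmp"
    awk -v svc="$svc" '
        $0 !~ /^[ \t]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a constructed sample inetd.conf (not a real server's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample /etc/inetd.conf for the demo
#:INTERNAL: Internal services
#discard stream tcp nowait root internal
daytime stream tcp nowait root internal
#:OTHER: Other services
ident stream tcp wait identd /usr/sbin/identd identd
EOF
echo "active before:"
active_inetd_services "$demo_cfg"
disable_inetd_service "$demo_cfg" ident
echo "active after:"
active_inetd_services "$demo_cfg"
rm -f "$demo_cfg"
```

After the real edit and the inetd restart, confirm nothing is listening on the ident port with `netstat -ltn | grep ':113 '` (no output is what you want). For the RPC step, `dpkg -l portmap` should report the package as not installed and `netstat -ltn | grep ':111 '` should likewise return nothing once the portmapper is gone.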
I need to update more.