Default installation & software upgrades not enough!
Firstly, I'm writing my first tutorial... so I'd love to be DoSssed with suggestions. The article is purely aimed to scare you &push you towards better security practices. The article is aimed for those ppl. who have a fair knowledge about the technology. This article just aims to scratch the surface of everything.............
==============================
Lets start with the obvious... basics:
""""""""
# Obviously, Default Installation doesn't come with a virus/spy ware / Trojan scanner. If your PC isn't a single user OS, there is even a likelihood of mail ware, Trojan, spy wares running with user privileges... or worst a root kit.
<.../>
""""""""
# Regardless of the OS its always better to encrypt your sensitive files and "shear" (not: rm/del) temp files & clean it periodically. Many program create unsecure temp files so its better to create seprate temp folders for every users with file/disk quota limit set to them. You can specify unique temp folder location for every user on '/etc/profile.d' or with "SET" command in windows. Try:
Windows: cipher.exe /?
*NIX: shred –-help
<.../>
---
# Its always better to run system backups periodically of your documents, and important files. Its quick to append new files to your backup in a secure location "via. an secure tunnel"
*nix: use a "cron job" to schedule a periodic backup and "tar" to archive the file. Its always advisable to run schedule tasks at that time when there is least system load.
Windows: ntbackup.exe has it all... you need.
<.../>
""""""""
# Set a Harden firewall rules... Depending on your server/OS. Set strict firewall rules to filter out all unnecessary inbound/outbound traffic. Make sure Port scan, Banner grabbing, OS fingerprinting (counter mearures: http://ippersonality.sourcefor
Moreover, check for easy Connection hijack etc... in your LAN. Detect ARP Spoofing & Man in the middle attack when possible. Set your firewall( iptables) rules to map a ip to its MAC address and set firewall rules based on IP+SYSTEM MAC for local access in your trusted network and discard the rest. This will add an extra level of security. You may even want to disable the whole 'inetnum' of online services like www.netcraft.com
<.../>
""""""""
# There might be SYSTEM services, & software module that you may not be using. ONLY ENABLE THOSE SERVICES WHAT YOU USE. Disabling those will always reduce probability of a successful intrusion.
<.../>
""""""""
Does your WAP/ Bluetooth devices... wireless keyboard/mouse support authentication & encryption. What if a snuffer... running next door! :)
<.../>
""""""""
# Log system events. and don't fear to keep/monitor necessary noise. Its better to mirror "system log" in a remote location. Make sure you monitor and secure LOGS/events generated from softwares & daemons as well... in a clean manner.
*nix: /etc/syslog.conf
/* set the parameters: *.* "Server's_ip" */
Windows: http://ntsyslog.sourceforge.ne
in windows secpol.msc <---to set sec. policy and manage... eventvwr.msc
Make sure your system logs won't be disrupted in DoS and critical system errors... situation or be fussed away or you run out of disk space!
<.../>
""""""""
# Auth. network traffic (SSH tunnel, KEYBROS, one-time passwd etc... ) Remember IP based auth. can always be fooled. Use IDS: (Snort) Use Tripwire like tools. Monitor system file hashes, startup dir/scripts, software & security configuration files & sensative registry keys etc.
Regularly monitor/log system performance & look for any suspicious packets that come & leave your system. Compare the IDS log with both inside & outside your firewall. Monitor your system performance.
perfmon.msc mrtg, snmp, ps -aux etc
http://www.nagios.org. How about using load balancing/clustering as well....
Create a profile of your system/network activity… this will help you spot the unusual.
If you have to test a software, run third-party code etc...... its ALWAYS better, easy & FLEXIBLE to run it in "VIRTUAL MACHINE" (vmware?)
Its better to run only 1 listening service (network service) per computer.... Make sure you have "unique" passwords in every system. Make sure… disruption / compromise in one system won't propagate or affect... rest of the network. DECENTRALIZATION!?
<.../>
""""""""
In the internet jungle I'd say... only "unique systems survives longer" Check if you could be another victim of spam, bandwidth rape, DoS, misuse of your network resources etc... Use search engines, online directories, telephone index etc... & try monitor/check the information that's flowing outside.
Try reducing your probably of being attacked by buffer overflow.
google: stack guard, lib safe, grsecurity.net, se-linux etc…
Make sure you won't be another victim of fork bombs, MEM & I/O exhaust attacks. Use QoS for system bandwidth.
*nix: 'ulimit -a' or use PAM modules.
<.../>
""""""""
Theory of least privilege always helps. You may not wanna run "system services" as root... instead create a seprate jail account each services when possible. Make sure these services don't queue a long list of jobs. You may wany to deny all connection attempts for [x]inetd, and TCP Wrappers services. Check... what, level of system resources/information that local users have access to. For un trusted users its always better to create a jail environment. It isn't stupid change default paths... disable the right to schedule tasks (CRON JOBS) for users... For users you may even wanna disable perl, gcc and many other... system executables that are unnecessary for users. You don't wanna see your machine get 0wn3d by a malicious user compiling a code locally via gcc, do you? Keep track of SUID/SGID programs... Make sure users have write access to only limited directories. Its better to statically compile the modules you need in your kernel and disable the further add of modules "in linux kernel" or via WINDOWS REGISTRY.... Did you ever consider about boot security, encypted file system, bios passwords, and disable autorun on removal medias?
<.../>
""""""""
# Poor file permission may lead to leak of sensitive information. Executables could be overwritten by a malicious one.
Only share what you have to... Even "r" permission to sensitive files could prove harmful. I suggest, at times its even better to change the file permission of all system executables to "r-only" (bye…bye virus… you gotta be little tricky now )
Windows: cacls.EXE *.(executable extension) /T /C /P Everyone:R
In windows make sure, unprivileged users don't have permission to write to system(variables) path. like c:\ %windir% etc...
threat?: if you/program don't provide absolute path to run programs... Internet Explorer by say:, start > run > "C:\Program Files\Internet Explorer\iexplore.exe" instead just try start > run > "~path\iexplore" then first... the system try searching and executing 'program.exe' in c:\ then 'internet.exe' in C:\Program Files and then only execute find and execute "C:\Program Files\Internet Explorer\iexplore.exe" this is a design flaw... in windows and could be misused. Try keeping a executable named “Program.exe
- hUNT3R's blog
- Login or register to post comments
Comments
You may also benefit from jailing your system if you have shell users.
Disable telnet and use only the ssh2 protocol to remotely logon to systems.
Disable direct root login.
Tranfer files via sftp or scp.
Additional Reading: Security Paranoia - restricting ssh access