[NTLUG:Discuss] If you were using an intrusion detection system...

David Stanaway david at stanaway.net
Mon May 8 10:36:40 CDT 2006


One thing you might like to consider is disabling password
authentication with ssh since there are a number of brute force ssh
worms in the wild. Use key based authentication instead.


Kyle Davenport wrote:
> From: Leroy Tennison
>>  What would you use?
> 
> snort.
> 
> OK, so I would rather stop them before they intrude.  I have perhaps gone
> overboard in applying security to my internet gateway, but I consider it a
> learning opportunity.  Does the gang here see anything I've missed?   I
> know I could have started with a more secure distribution, like Trustix,
> but I'm used to Redhat, so I started with Fedora Core 3.
> 
> 0. Restrict accounts, strengthen id/passwds, test crackers
> 1. configure firestarter firewall, default deny.
> 2. default deny in tcpwrappers
> 3. blockhosts.py (tcpwrappers)
> 4. denyhosts.sf.net (blacklist)
> 5. PeerGuardian (blacklist)
> 6. iptables repeated new connections timeout (/etc/firestarter/user-post)
> 7. tripwire (used AIDE instead)
> 8. rpm -V
> 9. strict sudo
> 10. disable remote root logins
> 11. restrict hosts in ssh
> 12. squidGuard blacklist for squid proxy
> 13. blackholes.mail-abuse.org for sendmail
> 14. make http://localhost/robots.txt a bot-only php script
> 15. snort + snort-mysql + acid + base
> 16. nessus + metasploit + chkrootkit
> 17. grsecurity + PaX (patch kernel!)
> 18. analyse webserver security - verify auth
> 
> I actually haven't been able to do the official grsecurity yet, because
> they are falling way behind kernel releases.
> 
> Kyle
> 
> 
> 
> _______________________________________________
> http://ntlug.pmichaud.com/mailman/listinfo/discuss
> 
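The sshd settings behind David's advice (no password authentication) and items 10 and 11 of Kyle's list, as an added example that is not from the thread: a POSIX shell audit of sshd_config that reports the effective global value of each keyword, since sshd keeps the first occurrence of a keyword and treats everything after a Match block as conditional. The sample config, the function names and the keyword/expected-value list are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH-style sshd_config for the settings discussed
# in the thread. sshd uses the FIRST value it sees for a keyword, and lines
# after a "Match" block only apply to matching users/hosts, so we stop there.

effective_sshd_setting() {   # usage: effective_sshd_setting KEYWORD FILE
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    { sub(/#.*/, ""); gsub(/=/, " ") }        # strip comments, allow Key=value
    NF == 0                { next }
    tolower($1) == "match" { exit }           # rest of file is conditional
    tolower($1) == key     { val = $2; found = 1; exit }   # first one wins
    END { print (found ? val : "unset") }
  ' "$2"
}

# audit_sshd_config FILE: one line per finding, returns 1 if anything is weak
audit_sshd_config() {
  rc=0
  for pair in PasswordAuthentication:no PubkeyAuthentication:yes PermitRootLogin:no; do
    key=${pair%%:*}; want=${pair##*:}
    have=$(effective_sshd_setting "$key" "$1")
    if [ "$have" = "$want" ]; then
      printf 'OK   %s = %s\n' "$key" "$have"
    else
      printf 'WEAK %s = %s (want %s)\n' "$key" "$have" "$want"; rc=1
    fi
  done
  # item 11 of the list: restrict which accounts may log in at all
  if [ "$(effective_sshd_setting AllowUsers "$1")" = unset ]; then
    printf 'WEAK AllowUsers not set (every local account is reachable)\n'; rc=1
  fi
  return $rc
}

# Constructed sample: the later "no" does NOT override the earlier "yes".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# "fixed" below, but sshd keeps the first value it saw:
PasswordAuthentication no
PermitRootLogin=no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$SAMPLE" || echo "sshd_config needs attention"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; a clean result is three OK lines, no WEAK lines and exit status 0.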