Showing posts with label security. Show all posts

Building a Server from Scratch with FreeBSD (part 1)

| Friday, March 18, 2011

1. Kernel Optimization
After installation, the next thing to attend to is compiling a custom kernel.
Strip out the devices you do not need: unused Ethernet drivers, PCMCIA, and so on.
1. Disable IPv6
2. Disable NFS

Additional options that can be added to the kernel configuration are listed below. Two caveats: IPFIREWALL_DEFAULT_TO_ACCEPT makes ipfw pass any packet that no rule matches, which is convenient while the rule set is being written but should be dropped (restoring the default deny-all final rule) before the machine faces the Internet; and IPFW, IPFilter and PF are three separate packet filters, so build in only the one you will actually use.

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync


2. Setting up SSHD
ee /etc/ssh/sshd_config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
# The commented-out lines below are the compiled-in defaults, kept as a reminder.
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Separate AllowUsers lines are accumulated by sshd; one line is equivalent and easier to read.
AllowUsers user1 user2
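As an added example (not code from the original post), here is a small audit that reads an sshd_config the way sshd(8) does and checks the settings listed above. The point it demonstrates: for single-valued keywords sshd honours the first occurrence and silently ignores later ones, so a hardened `PermitRootLogin no` appended below a forgotten `PermitRootLogin yes` changes nothing. Anything after a `Match` line is conditional and is left out of the global view. The sample config inside the script is constructed, not taken from a real host, and the list of keywords checked is an assumption drawn from the settings above.

```sh
# Added example, not from the original post: resolve the EFFECTIVE value of an
# sshd_config keyword the way sshd(8) does, then audit a config for the
# settings above. sshd semantics assumed here: keywords are case-insensitive,
# comments and blank lines are ignored, for single-valued keywords the FIRST
# occurrence wins (later duplicates are silently ignored), everything after a
# "Match" line is conditional, and AllowUsers entries are accumulated.
# Only the "keyword value" form is parsed.

# Print the effective value of keyword $2 in config $1 (empty if unset, in
# which case sshd applies its compiled-in default).
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blanks
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(key) {            # first match wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")      # strip the keyword itself
            print; exit
        }' "$1"
}

# Print every user named in any AllowUsers line (global section only).
sshd_allowusers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) out = out (out == "" ? "" : " ") $i
        }
        END { print out }' "$1"
}

# Print one FAIL line per weak setting; return 0 only when all checks pass.
sshd_audit() {
    rc=0
    for pair in PermitRootLogin:no Protocol:2 PermitEmptyPasswords:no UseDNS:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '${got:-<unset>}', want '$want'"; rc=1
        fi
    done
    if [ -z "$(sshd_allowusers "$1")" ]; then
        echo "FAIL AllowUsers: not set, every account may log in"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real host's config) written to $1. The stray
# "PermitRootLogin yes" left above the hardened line is the effective one.
sshd_sample_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
Port 1234
Protocol 2
permitrootlogin no
AllowUsers user1
AllowUsers user2
UseDNS no
PermitEmptyPasswords no
EOF
}
```

Run `sshd_audit /etc/ssh/sshd_config` after editing, and `sshd -t` to have sshd itself validate the syntax before you restart it; a typo in sshd_config on a remote box is otherwise the fastest way to lock yourself out.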


3. Setting up the TTYs (/etc/ttys)
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

The notes below are Dru Lavigne's FreeBSD hardening advice, as quoted in this post. First, the questions she suggests asking when trimming the kernel:

• does this system really need IPv6 support?
• do I really want NFS (and its inherent security risks) on an Internet facing server?
• should I be loading filesystems I'll never use? (e.g. DOS, CD9660)
• do I need SCSI drivers on a non-SCSI system?
• do I need hardware RAID drivers if I'm using software RAID?
• do I really need to load dozens of NIC drivers if I always buy the same brand of NIC?
• do I need PCMCIA or wireless support on a non-laptop system?
• will I be using USB or Firewire?

Kernel decisions for this build:

1. Disable IPv6
2. Disable NFS

There are many tools available to create a custom backup solution, ranging from
built-in FreeBSD utilities to third-party software applications available through the
ports collection. In a more complex scenario you may wish to investigate:
• bacula http://www.bacula.org
• rsnapshot http://www.rsnapshot.org
• boxbackup http://www.fluffy.co.uk/boxbackup/


General Hardening Tips

• restricting ssh access using the AllowUsers keyword in /etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that
don't require modifications
• implementing a file integrity checking system such as tripwire
(http://www.tripwire.com), aide (http://www.cs.tut.fi/~rammer/aide.html) or
implementing your own using mtree
• changing /etc/motd, adding an ssh banner, and removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list
(http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http://sysctl.enderunix.org/ provides some
helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan
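The "implementing your own using mtree" item above, as an added example that is not part of Dru Lavigne's notes or of this post. It records a baseline of size, permission bits and SHA-256 for every regular file under a tree and later reports what was modified, added or removed; the permission bits matter because a setuid bit added to an unchanged binary would slip past a hash-only check. It assumes GNU `sha256sum` and `stat -c` (on FreeBSD substitute `sha256 -q` and `stat -f '%p %z'`). Two caveats that also apply to the schg flag in the same list: keep the baseline on read-only media or another host, since an intruder who can replace binaries can replace a baseline stored beside them, and remember that schg only binds root once kern_securelevel is raised to 1 or higher.

```sh
# Added example, not from Dru Lavigne's notes or the original post: a minimal
# mtree-style file integrity check. Assumes GNU coreutils (sha256sum, stat -c).
# The baseline must live somewhere the monitored host cannot rewrite.

# Write "sha256 mode size path" for each regular file under $1, sorted by path.
integrity_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %s' "$f")          # octal mode and size in bytes
        printf '%s %s %s\n' "$sum" "$meta" "$f"
    done
}

# Compare a saved baseline ($1) against the tree it describes ($2).
# Prints CHANGED/ADDED/REMOVED lines; returns 0 only when nothing differs.
integrity_check() {
    cur=$(mktemp) || return 1
    integrity_baseline "$2" > "$cur"
    awk '
        # path = everything after the three leading fields (paths may hold spaces)
        { p = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); m = $1 " " $2 " " $3 }
        FILENAME == ARGV[1] { base[p] = m; next }      # first file is the baseline
        {
            if (!(p in base))      { print "ADDED   " p; bad = 1 }
            else if (base[p] != m) { print "CHANGED " p; bad = 1 }
            seen[p] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad
        }' "$1" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}
```

Typical use is `integrity_baseline /usr/local/etc /boot /usr/sbin > /mnt/ro/baseline` right after the build, then a nightly `integrity_check /mnt/ro/baseline /usr/sbin` whose output goes into root's mail, which ties in with the last item in the list above.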

Disable SELinux

| Monday, May 24, 2010

Here is the way to disable SELinux:

1. Edit /etc/selinux/config and set the SELINUX variable to 'disabled'
2. Use the setenforce command (setenforce 0) to switch it off on the fly

With solution 1, your change is permanent but only takes effect once you reboot the machine.

With solution 2, your change is NOT permanent but takes effect immediately. Note that setenforce 0 only puts SELinux into permissive mode: the policy stays loaded and denials are still logged, just not enforced. Fully disabling it needs solution 1 plus a reboot, and when you later switch back from 'disabled' to a policy, the filesystem must be relabelled (touch /.autorelabel before rebooting).

Hope this clears it up :-).

taken from : http://www.linuxquestions.org
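Solution 1 done safely, as an added example that is not part of the quoted post. The stock /etc/selinux/config documents the permitted values in comment lines that themselves contain the words "enforcing", "permissive" and "disabled", so an unanchored `sed 's/enforcing/disabled/'` mangles the comments; the function below anchors on the `SELINUX=` line at column one, validates the mode first, and rewrites the file in place (via `cat >`) so its inode, ownership and security label survive. The sample config is constructed, modelled on the upstream layout (plain KEY=value, no quoting), which is the only format the function assumes.

```sh
# Added example, not from the original post: set the persistent SELinux mode
# in an /etc/selinux/config-style file without corrupting it.
# Assumes the upstream KEY=value layout with no quoting.

# Usage: selinux_set_mode <config-file> <enforcing|permissive|disabled>
selinux_set_mode() {
    file=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q '^SELINUX=' "$file"; then
        # anchored at column one: the explanatory comments are left untouched
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'SELINUX=%s\n' "$mode" >> "$tmp"     # no active line: append one
    fi
    cat "$tmp" > "$file"      # keep the original inode, owner and label
    rm -f "$tmp"
}

# Print the persistent mode from a config file (empty if none is set).
selinux_get_mode() {
    sed -n 's/^SELINUX=[[:space:]]*//p' "$1" | tail -n 1
}

# Constructed sample modelled on the stock file, written to $1.
selinux_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}
```

`selinux_set_mode /etc/selinux/config disabled` followed by a reboot is solution 1; `getenforce` afterwards should print Disabled. Before disabling SELinux on a server, consider `permissive` instead: it keeps the audit log telling you which rule you would have needed.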

SELinux

| Friday, May 07, 2010

Installing SELinux (Debian-based system)

# apt-get install selinux-basics selinux-policy-default
# reboot
# nano /etc/default/rcS
set FSCKFIX=yes
# nano /etc/cron.daily/mlocate (so that the locate database update does not keep running)
add "exit 0" as the second line

When that is done, type:
# check-selinux-installation
# rm /var/run/motd
# ln -s /etc/motd.baru /etc/motd

Securing Linux

| Thursday, May 06, 2010

1. Stop and remove services that are not needed.
You can install rcconf to manage what starts at boot, and apt-get remove any package you do not need.

2. Review the partitions: mount the partitions where users store data (especially on a web server) with noexec, and ideally nosuid and nodev as well.

3. Raise the file descriptor limit in sysctl.conf (fs.file-max); it must be above 65535.

4. Upgrade to the latest kernel.

5. Make the firewall as tight as possible: allow only the ports that are needed.

6. Control which users may log in.

7. Avoid default ports wherever possible.

8. Disable remote root login.

9. Edit the motd.

10. Experiment with sysctl.conf (beware, at your own risk).

11. Lock down the services and the options of the installed programs, for example: my.cnf, php.ini, httpd.conf, ftp.conf, snmpd.conf, named.conf

12. Install supporting monitoring tools:
- snmpd, ifstat, iptraf, snort, lsof, htop, deborphan, mtr, nikto. Well, why do I forget the other tools at this critical moment..

More will be added when I think of it.

Thanks to cakri and google. You're all the best.
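Item 2 above checked mechanically, as an added example that is not part of the original post: an audit of /etc/fstab that reports, for a given list of data mount points, which of noexec, nosuid and nodev are missing. Options are walked in order because Linux mount(8) treats `user` as implying all three and lets a later `exec`, `suid` or `dev` re-enable one, so a line like `user,exec` still allows execution. The mount points passed on the command line are an assumption to adapt; the sample fstab is constructed, not a real host's.

```sh
# Added example, not from the original post: report data mount points in an
# fstab that are missing noexec, nosuid or nodev. Mount points to check are
# passed as arguments (paths without spaces are assumed).

# Usage: fstab_audit <fstab-file> <mountpoint>...
# Prints "MOUNTPOINT missing=..." or "MOUNTPOINT not in fstab" per problem;
# returns 0 only when every listed mount point carries all three options.
fstab_audit() {
    fstab=$1; shift
    awk -v want="$*" '
        BEGIN { bad = 0; n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blanks
        {
            mp = $2
            if (!(mp in need)) next
            seen[mp] = 1
            # walk the options in order: "user" implies all three restrictions,
            # and a later exec/suid/dev re-enables the matching one (mount(8))
            noexec = 0; nosuid = 0; nodev = 0
            m = split($4, o, ",")
            for (i = 1; i <= m; i++) {
                if (o[i] == "user" || o[i] == "users") { noexec = 1; nosuid = 1; nodev = 1 }
                else if (o[i] == "noexec") noexec = 1
                else if (o[i] == "exec")   noexec = 0
                else if (o[i] == "nosuid") nosuid = 1
                else if (o[i] == "suid")   nosuid = 0
                else if (o[i] == "nodev")  nodev = 1
                else if (o[i] == "dev")    nodev = 0
            }
            miss = ""
            if (!noexec) miss = miss "noexec,"
            if (!nosuid) miss = miss "nosuid,"
            if (!nodev)  miss = miss "nodev,"
            if (miss != "") { sub(/,$/, "", miss); print mp " missing=" miss; bad = 1 }
        }
        END {
            for (mp in need) if (!(mp in seen)) { print mp " not in fstab"; bad = 1 }
            exit bad
        }' "$fstab"
}

# Constructed sample fstab (not a real host) written to $1.
fstab_sample() {
    cat > "$1" <<'EOF'
# constructed sample fstab for the audit above
UUID=0000-1111  /          ext4   defaults                 1 1
/dev/sda2       /var/www   ext4   defaults                 1 2
/dev/sda3       /home      ext4   nodev,nosuid             1 2
/dev/sda4       /tmp       ext4   noexec,nosuid,nodev      1 2
/dev/sdb1       /mnt/data  ext4   user,exec                0 2
tmpfs           /dev/shm   tmpfs  nosuid,nodev             0 0
EOF
}
```

On a live host run `fstab_audit /etc/fstab /var/www /home /tmp /dev/shm` and compare with `mount | grep -E '/var/www|/home|/tmp'`; fstab only says what the next boot will do, so a partition remounted by hand can differ from it. Remember that noexec on a web root does not stop PHP or Perl from running a script the interpreter reads, only direct execution of binaries.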

Disable telnet in inetd

| Thursday, March 25, 2010

Type the following command:

# /usr/sbin/update-inetd --disable telnet

rootkitHunter

| Friday, November 16, 2007

Before installing rkhunter, we need at least one of these downloaders present (rkhunter uses them for --update): wget | curl | elinks | links | lynx | bget | GET

# fetch http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
Verify the download against the checksum the project publishes, then unpack the tarball and, as root, run the installation script:
tar zxf rkhunter-.tar.gz
cd rkhunter
./installer.sh --layout default --install
or
./installer.sh --layout custom /usr/local/ --install

To show where files are installed using the "oldschool" layout run:

./installer.sh --layout oldschool --show
PREFIX: /usr/local
Application: /usr/local/bin
Configuration file: /usr/local/etc
Documents: /usr/local/rkhunter/lib/rkhunter/docs
Man page: /usr/local/rkhunter/lib/man/man8
Scripts: /usr/local/rkhunter/lib/rkhunter/scripts
Databases: /usr/local/rkhunter/lib/rkhunter/db
Temporary files: /usr/local/rkhunter/lib/rkhunter/tmp

./rkhunter --update
./rkhunter -c

Before running RKH you will need to fill the file properties database by
running the following command:

rkhunter --propupd

Do this on a freshly installed, known-clean system, and repeat it after every legitimate package update (otherwise every changed binary is reported as a warning). A baseline taken from an already compromised host simply whitelists the intruder's files.


To run RKH, as root, simply enter the following command:

rkhunter --check


By default, the log file '/var/log/rkhunter.log' will be created. It
will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

rkhunter --help


NOTE: The first run of 'rkhunter' after installation may give some
warning messages. Please see the FAQ file for more details
about this.

Uninstall

tar zxf rkhunter-.tar.gz
cd rkhunter
./installer.sh --layout default --remove

If you chose a different layout, for example '/usr', then run the
installer using:

./installer.sh --layout /usr --remove