security_checklists

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



From slashdot comments: 

                        
   by Kiwi (kiwi-nody4la@koala.samiam.org) on Friday June 02, @10:16AM
   PST
   http://linux.samiam.org/linux_links.html
   
   Since we are talking about security here, here are some things Linux
   (and other UNIX) admins should keep in mind to keep their systems
   secure:
     * Use qmail or postfix instead of Sendmail.
     * Make sure you have all security patches for your system installed.
       Redhat users, for example, can find those patches here.
     * Linux users can read Linux weekly news for security updates.
     * Manage your SUIDs. Make sure you keep a close eye on all your
       suids. For example, I use this script to put all my suid in the
       directory /suid/bin:
        #!/bin/sh
        # Collect every setuid/setgid file (-perm /6000 is the current GNU
        # find spelling of the old +6000). /suid/bin is pruned so the script
        # can be re-run without moving files onto themselves.
        mkdir -p /suid/bin
        find / -path /suid/bin -prune -o -type f -perm /6000 -print > /root/suids
        # Read the list line by line; word-splitting `cat` output breaks on
        # paths that contain spaces.
        while IFS= read -r a ; do
          mv "$a" /suid/bin/
          ln -s "/suid/bin/$(basename "$a")" "$a"
        done < /root/suids
     * Obviously, turn off all unneeded network services in
       /etc/inetd.conf and (usually) /etc/rc.d/rc3.d. You can see what
       services are running on your machine with netstat -na.
     * For a UNIX that is free and (hopefully) secure out of the box,
       check out OpenBSD or Trustix.

   The advantage of an open-source solution is that we have greater
   control over our systems, and can better optimize our systems for
   security.
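The post above moves setuid binaries into one directory; the script below is an added example (not the poster's code) that takes the other common approach, keeping a baseline inventory of setuid/setgid files and reporting what appears or disappears. It assumes GNU find (-perm /6000) and the baseline path /root/suid.baseline is only a suggestion.

```shell
# Added example: baseline audit of setuid/setgid files.
suid_inventory() {
    root=${1:-/}
    # -perm /6000: any of the setuid (4000) or setgid (2000) bits set.
    # -xdev stays on one filesystem, so /proc, NFS mounts etc. are skipped.
    # LC_ALL=C gives the byte order that comm expects in suid_diff.
    find "$root" -xdev -type f -perm /6000 2>/dev/null | LC_ALL=C sort
}

# Compare the current inventory with a saved baseline (a file produced by
# "suid_inventory / > /root/suid.baseline" right after installation).
# Prints "+ path" for new privileged files and "- path" for vanished ones.
suid_diff() {
    baseline=$1; root=${2:-/}
    suid_inventory "$root" | LC_ALL=C comm -3 "$baseline" - |
        awk -F'\t' 'NF == 2 { print "+ " $2; next } { print "- " $1 }'
}

# Typical use (assumed paths):
#   suid_inventory / > /root/suid.baseline   # once, on a known-good system
#   suid_diff /root/suid.baseline            # from cron; any output is news
```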


===

Re:How to know if it's too late?
       
   (Score:3, Informative)
   by overshoot on Friday June 02, @01:52PM PST
   Quick & Dirty: run
   rpm -Vf /sbin/*
   (or /usr/sbin or whatever)
   on any rpm-based system. It does a quickie RC5 checksum check on the
   executables (which shouldn't change from installation). Obviously this
   only works for rpm-based systems, but there are a lot of them.
   And, no, this is not a substitute for real tripwire-type watchdog
   security. But don't knock it, either.
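The rpm -V check the post describes prints one terse flag column per changed file; the helper below is an added example (not from the post) that triages that output so only integrity-relevant changes are reported. It assumes rpm's documented column layout (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities; "." means unchanged) and the "c" attribute for config files.

```shell
# Added example: triage "rpm -Va" (or "rpm -Vf /sbin/*") output.
# Each line is: flag column, optional attribute letter (c = config file,
# d = documentation, ...), path. Missing files print as "missing <path>".
rpm_verify_triage() {
    awk '
    {
        flags = $1; path = $NF; attr = (NF == 3) ? $2 : ""
        if (flags == "missing") { print "ALERT missing " path; next }
        r = ""
        # mode or ownership changes matter for every file, config or not
        if (substr(flags, 2, 1) == "M") r = r "mode,"
        if (substr(flags, 6, 1) == "U") r = r "owner,"
        if (substr(flags, 7, 1) == "G") r = r "group,"
        # edited config files (attr "c") are expected to differ in content;
        # a binary that differs in size or digest is not
        if (attr != "c") {
            if (substr(flags, 1, 1) == "S") r = r "size,"
            if (substr(flags, 3, 1) == "5") r = r "digest,"
        }
        if (r != "") print "ALERT " substr(r, 1, length(r) - 1) " " path
    }'
}

# Constructed sample rpm -V output (not real output from any system).
SAMPLE_RPM_V='S.5....T.    /sbin/ifconfig
.M.......  c /etc/hosts
S.5....T.  c /etc/issue
.......T.    /bin/ls
missing     /sbin/fsck'

triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_triage
}

triage_sample
# real use: rpm -Va | rpm_verify_triage
```

Like the post says, this only tells you a packaged file changed; an attacker who also replaced the rpm binary or database defeats it, which is why a separate tripwire-style baseline still matters.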


===


 
And here are the other lists.
   
   (Score:5, Insightful)
   by StenD (stend+slashdot@sten.org) on Friday June 02, @11:49AM PST
   I've been told that they will be on the SANS web site Real Soon Now.
   Mistakes People Make That Lead To Security Breaches
   Technological holes account for a great number of the successful
   break-ins, but people do their share, as well. Here are the SANS
   Institute's lists of silly things people do that enable attackers to
   succeed.
   The Five Worst Security Mistakes End Users Make
   1. Opening unsolicited e-mail attachments without verifying their
   source and checking their content first.
   2. Failing to install security patches - especially for Microsoft
   Office, Microsoft Internet Explorer, and Netscape.
   3. Installing screen savers or games from unknown sources.
   4. Not making and testing backups.
   5. Using a modem while connected through a local area network.
   The Seven Worst Security Mistakes Senior Executives Make
   1. Assigning untrained people to maintain security and providing
   neither the training nor the time to make it possible to learn and do
   the job.
   2. Failing to understand the relationship of information security to
   the business problem - they understand physical security but do not see
   the consequences of poor information security.
   3. Failing to deal with the operational aspects of security: making a
   few fixes and then not allowing the follow through necessary to ensure
   the problems stay fixed
   4. Relying primarily on a firewall.
   5. Failing to realize how much money their information and
   organizational reputations are worth.
   6. Authorizing reactive, short-term fixes so problems re-emerge
   rapidly.
   7. Pretending the problem will go away if they ignore it.
   The Ten Worst Security Mistakes Information Technology People Make
   1. Connecting systems to the Internet before hardening them.
   2. Connecting test systems to the Internet with default
   accounts/passwords
   3. Failing to update systems when security holes are found.
   4. Using telnet and other unencrypted protocols for managing systems,
   routers, firewalls, and PKI.
   5. Giving users passwords over the phone or changing user passwords in
   response to telephone or personal requests when the requester is not
   authenticated.
   6. Failing to maintain and test backups.
   7. Running unnecessary services, especially ftpd, telnetd, finger,
   rpc, mail, rservices
   8. Implementing firewalls with rules that don't stop malicious or
   dangerous traffic - incoming or outgoing.
   9. Failing to implement or update virus detection software
   10. Failing to educate users on what to look for and what to do when
   they see a potential security problem.
   And a bonus, number 11:
   Allowing untrained, uncertified people to take responsibility for
   securing important systems.

===

Subject: Re: Top 5 admin chores
From: "Anthony E. Greene" <agreene@pobox.com>
Date: Tue, 30 May 2000 19:16:01 +0200


At 09:55 2000-05-30 -0700, Spunk S. Spunk III wrote:
>I'm curious as to what some of the more experienced Linux gurus consider to
>be their top 5 favorite or most important duties when setting up a machine.

I'm not a guru, but I generally configure TCP-Wrappers and restrictions on
Sendmail first. Then I add other applications, user accounts, etc.

>They might be tricks or time-savers or security issues or whatever. For
>instance, when setting up a regular user for yourselves, what group and how
>high of a level do you make it? 

I make myself a normal user. I don't grant myself special privileges. It's
so easy to "su -l" that it's hard to justify granting special privileges to
my normal account.

>What do you always turn on/off? Most used
>admin tool? etc...

I turn off anything that's not going to be used. I run ntsysv in runlevels
3 and 5 and turn off anything that's not needed. I edit inetd.conf to
comment out unneeded services. Anything (except SSH) that enables remote
admin is the first to go. Other services are disabled unless specifically
needed for the machine.

My most used admin tools are vi and cron ;-)

===

Subject: Re: Top 5 admin chores
From: Eric Sisler <esisler@westminster.lib.co.us>
Date: Tue, 30 May 2000 11:43:15 -0600


"Spunk S. Spunk III" <spunk@mac.com>

>I'm curious as to what some of the more experienced Linux gurus consider to
>be their top 5 favorite or most important duties when setting up a machine.
>They might be tricks or time-savers or security issues or whatever.

My top 5 most important duties when setting up a new server (in no 
particular order):

1) Disable and/or remove unused packages/services.  They can always be 
re-installed later if the need arises.

2) Apply updates from errata website.  *Keep up* with the errata after the 
server's in place.

3) Configure /etc/inetd.conf, tcp_wrappers & ssh.  Configure & *test* UPS 
monitoring daemon if the server is so equipped.

4) Perform a full backup and have a backup strategy.

5) Compile a custom kernel to remove unnecessary services/modules.  Also 
compile in support for SCSI adapters/devices, if the server is so equipped 
- if only because I frequently forget to run 'mkinitrd' and there's not 
much point in modular SCSI drivers on a server that has an embedded SCSI card.

>  For
>instance, when setting up a regular user for yourselves, what group and how
>high of a level do you make it?

My regular user account is pretty much just a regular user account.  I do 
have access to the login scripts for samba clients, but only to make 
editing them easier.

>  What do you always turn on/off?

Always turn on: ssh/sshd, tcp_wrappers and some type of UPS monitoring 
daemon, if the server is so equipped.

Always turn off: most of the services in /etc/inetd.conf and any other 
services that aren't in use.

>  Most used
>admin tool? etc...

vi, cron & shell scripts (bash & expect)
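Both replies above (and the Slashdot post earlier) turn off services by commenting them out of /etc/inetd.conf. The script below is an added example, not from either poster, that lists which entries are still live so that step can be verified; it assumes the classic inetd.conf layout (service socket proto wait user server [args]) and tags the services the posts single out as unnecessary (ftp, telnet, finger, the r-services) for review.

```shell
# Added example: review live entries in an inetd.conf.
inetd_review() {
    awk '
    BEGIN {
        # services the posts name as candidates for removal (ftpd, telnetd,
        # finger, rservices = shell/login/exec) plus tftp for good measure
        n = split("ftp telnet finger shell login exec tftp", r, " ")
        for (i = 1; i <= n; i++) risky[r[i]] = 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # commented out or blank
    {
        tag = ($1 in risky) ? "REVIEW" : "ENABLED"
        server = (NF >= 7) ? $6 " " $7 : $6        # show the daemon behind tcpd
        print tag, $1, "user=" $5, "server=" server
    }'
}

# Constructed sample inetd.conf (not taken from a real system).
SAMPLE_INETD='#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d'

inetd_review_sample() {
    printf '%s\n' "$SAMPLE_INETD" | inetd_review
}

inetd_review_sample
# real use: inetd_review < /etc/inetd.conf
```

Cross-check the result against netstat -na, as the Slashdot post suggests, since services started from rc scripts rather than inetd will not appear here.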

===





doom@kzsu.stanford.edu