[NTLUG:Discuss] RE: Securing your Box; NTLUG'er's experience.

Steve Egbert egbert at efficient.com
Wed Jan 3 15:02:08 CST 2001


I haven't had any problems since I performed the following steps:

1.  Bastillized the damn thing (I use this mostly for:
      a) file permission settings
      b) attempted/successful connections
      c) trimming off unneeded daemons)

2.  Knock off more daemons that you don't need in /etc/inetd.conf

3.  Replace FTP and Telnet with OpenSSH and/or Telnet-SRP.
    Telnet-SRP is easy to set up without the key management and
    yet has 128 to 384 bits of crypto.

4.  Rebuild the following daemons with the TCPWrapper compile option:
      sendmail (modify conf.c/checkcompat() to screen out junk/spam)
                compile additionally with Real-time Black Hole list
      imap4d
      httpd
      Don't run pop3 unless it has authentication support (hard and rare in Linux)
    Test it with tcpdmatch and then test it from outside.

5.  Customized ident (if you use IRC inside the masquerade)

6.  Test sendmail for relay capability.  An NTLUG officer
    just handily poked holes in my mail server at my request.
    He managed to use my own mail server to send mail to
    myself (that is the only known extent of the damage one
    can do).  Back to tweaking sendmail's conf.c/checkcompat().
    My sendmail.mc is:
    http://www.egbert.net/ntlug/security/mail/egbert.net.mc
    Obfuscation is the key here.

7a. chroot BIND (named)
7b. Dual-chroot BIND if you're running name server for your home network

8.  Use tripwire religiously.  Keep the data file zipped and stored outside of
    the host.

9.  Various syslog monitors are out there.  I still haven't
    found the best yet, so I rolled my own which dials up
    a pager and sends a cryptic message.

10.  If you're a mini or private ISP (PPP server), use caller-id
     with mgetty+fax+voice! I can't stress this enough
     (had a bad experience here).

11.  Burn your entire filesystem onto CDROM.  If it is bigger than
     640M, then you're not using /usr/local religiously (like I am).

12.  Make liberal use of /etc/hosts.allow and /etc/hosts.deny.
     For most users, hosts.deny should have the last line as:
        ALL : ALL
     For @Home users, hosts.deny should contain:
        ftpd :  .tci.net, .tci.com, .home.net, .att.net
        httpd : .tci.net, .tci.com, .home.net, .att.net
        ALL : ALL
     Then you open it up to what you think you need.
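As an added example (not from Steve's post), a small Python evaluator for the hosts.deny rules above that follows the tcpd order of evaluation: the first match in hosts.allow grants, the first match in hosts.deny refuses, and a client matching neither file is let in. It handles only a subset of the hosts_access(5) patterns (ALL, ".domain" suffixes, "net." prefixes, exact names), and the hosts.allow contents are an assumption; tcpdmatch against the real files remains the authoritative check.

```python
"""Tiny evaluator for tcp_wrappers-style hosts.allow / hosts.deny rules."""
from __future__ import annotations

# Constructed rule sets: deny mirrors the @Home example; allow is an assumption.
HOSTS_ALLOW = """
sshd : 192.168.1.
"""
HOSTS_DENY = """
ftpd :  .tci.net, .tci.com, .home.net, .att.net
httpd : .tci.net, .tci.com, .home.net, .att.net
ALL : ALL
"""

def _split(field: str) -> list[str]:
    """Split a comma- or space-separated daemon/client list."""
    return [tok for tok in field.replace(",", " ").split() if tok]

def parse_rules(text: str) -> list[tuple[list[str], list[str]]]:
    """Return (daemons, clients) pairs; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((_split(daemons), _split(clients)))
    return rules

def token_matches(pattern: str, value: str) -> bool:
    """Subset of hosts_access(5) wildcards: ALL, '.domain' suffix, 'net.' prefix."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return value.endswith(pattern)
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def access_allowed(daemon: str, client: str,
                   allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matching neither file is let in."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if (any(token_matches(d, daemon) for d in daemons)
                    and any(token_matches(c, client) for c in clients)):
                return verdict
    return True
```

Dropping the trailing `ALL : ALL` line from the deny rules shows why the post insists on it: any daemon not named explicitly becomes reachable from everywhere.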

13.  Most importantly, FIREWALL.  This nasty beast is the
     hardest to tailor.  My firewall script is available on
     http://www.egbert.net/ntlug/security/firewall/rc.net.masquerade 
     for your enjoyment.  Am I crazy? Yes, I'm strong enough 
     to show this to the public.

14.  Not for the faint of heart, you may want to tweak the Linux
     kernel's TCP network stack so that a random number is
     given for the TCP window initial size and some TCP bits
     needlessly set during certain legs of the TCP protocol.
     I do this to throw off the QUESO operating system identification
     tool.

Enjoy!

Steve


