Linux Server Build Checklist: Difference between revisions

From Federal Burro of Information
Jump to navigationJump to search
No edit summary
No edit summary
 
(6 intermediate revisions by the same user not shown)
Line 12: Line 12:
* kernel updated
* kernel updated
* Password policy updated.
* Password policy updated.
* update system working.
* update system working: yum , checking in , registered.
* users defined and locked down.
* users defined and locked down.
* service list defined and locked down.
* service list defined and locked down.
* selinux setup as needed
* selinux setup as needed
* iptables / firewall.
* iptables / firewall.
Basic default allow + logging iptables:
<pre>
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT # example
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80,443:3000 -j ACCEPT # example
/sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "
</pre>
also see some common things you should block: http://newartisans.com/2007/09/neat-tricks-with-iptables/
* server is monitored properly.
* server is monitored properly.
* timestamp in bash history: "export HISTTIMEFORMAT='%F %T '"
* timestamp in bash history: "export HISTTIMEFORMAT='%F %T '"
Line 22: Line 35:
* check list: ( http://security.utexas.edu/admin/redhat-linux.html )
* check list: ( http://security.utexas.edu/admin/redhat-linux.html )


== Also See ==
XXX Linux Build Process 0.9 - removed




[[Category:Checklist]]
[[Category:Checklist]]

Latest revision as of 20:25, 9 January 2019

  • The purpose of the server is clear
    • Who will use the server / via what ports? What services?
    • What software will be installed
  • interface configuration is correct
  • routing table is correct
  • minimal software stack is installed. unneeded stuff removed ( bluetooth, gnome )
  • Time services ( Ntp | PTP )
  • Logging services - kern.* /var/log/kernel.log + logrotate
  • ssh updated, and locked down ( no remore root, no version 1 protocol , keys only )
  • open ssl updated
  • kernel updated
  • Password policy updated.
  • update system working: yum , checking in , registered.
  • users defined and locked down.
  • service list defined and locked down.
  • selinux setup as needed
  • iptables / firewall.

Basic default allow + logging iptables: 

/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT # example 
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80,443:3000 -j ACCEPT # example
/sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "

also see some common things you should block: http://newartisans.com/2007/09/neat-tricks-with-iptables/

Also See

XXX Linux Build Process 0.9 - removed

Retrieved from "https://wiki.quadratic.net/index.php?title=Linux_Server_Build_Checklist&oldid=4144"