Linux Server Build Checklist: Difference between revisions
From Federal Burro of Information
Latest revision as of 20:25, 9 January 2019
- The purpose of the server is clear
  - Who will use the server, via what ports, and for which services?
  - What software will be installed?
- Interface configuration is correct
- Routing table is correct
- Minimal software stack installed; unneeded packages removed (e.g. bluetooth, gnome)
- Time services configured (NTP or PTP)
- Logging services configured: kern.* to /var/log/kernel.log, rotated by logrotate
- SSH updated and locked down (no remote root login, no protocol version 1, key-based authentication only)
- OpenSSL updated
- Kernel updated
- Password policy updated
- Update system working: yum runs, the host checks in and is registered
- Users defined and locked down
- Service list defined and locked down
- SELinux set up as needed
- iptables / firewall configured
Basic default-allow iptables rule set with logging. Nothing below drops: traffic that matches no ACCEPT rule is logged (rate-limited to 6/min) and then falls through to the chain policy, which these rules leave at its ACCEPT default:

    /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT # example
    /sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80,443:3000 -j ACCEPT # example
    /sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
    /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "

See also some common things you should block: http://newartisans.com/2007/09/neat-tricks-with-iptables/
- Server is monitored properly
- Timestamps in bash history: export HISTTIMEFORMAT='%F %T '
- Hardened per the NSA RHEL 5 hardening pamphlet ( http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf )
- Checklist reference: http://security.utexas.edu/admin/redhat-linux.html
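One way to verify the "ssh locked down" item above before signing the checklist off, as an added example that is not part of the wiki page: a POSIX sh audit of an sshd_config for no remote root, no protocol 1 and key-only logins. The temp-file paths and the two sample configs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an sshd_config against the
# checklist item "ssh locked down (no remote root, no protocol 1, keys only)".
# The temp-file paths and the two sample configs below are constructed.
# Effective global value of a keyword: first match wins (as sshd does), case-
# insensitive, comments skipped; stops at the first Match block, whose settings
# are conditional and not audited here. Prints nothing when the keyword is unset.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$1"
}
# Exit 0 when every check passes, 1 otherwise, printing one FAIL line each.
audit_sshd_config() {  # $1 = config file
    rc=0
    # Explicit "no" required: the compiled-in default was "yes" on old releases
    # and is "prohibit-password" on current ones, neither of which is "no".
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin='${v:-unset}' (want no)"; rc=1; }
    # Unset is fine (modern sshd only speaks 2); "1" or "2,1" is a finding.
    v=$(sshd_effective "$1" Protocol)
    case "$v" in *1*) echo "FAIL Protocol='$v' (SSH-1 enabled)"; rc=1 ;; esac
    # Keys only: passwords explicitly off (default is yes), pubkey not disabled.
    v=$(sshd_effective "$1" PasswordAuthentication)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication='${v:-unset}' (want no)"; rc=1; }
    v=$(sshd_effective "$1" PubkeyAuthentication)
    [ "$v" != no ] || { echo "FAIL PubkeyAuthentication=no (keys would not work)"; rc=1; }
    return $rc
}
# Constructed sample: a distro-default style config; note the commented-out
# PasswordAuthentication and the Match block, which must not count as global.
make_weak_config() {
    f=$(mktemp) && printf '%s\n' 'Protocol 2,1' 'PermitRootLogin yes' \
        '#PasswordAuthentication no' 'Match User backup' \
        '    PasswordAuthentication no' >"$f" && echo "$f"
}
# Constructed sample: the same host after the checklist has been applied.
make_hard_config() {
    f=$(mktemp) && printf '%s\n' 'Protocol 2' 'permitrootlogin no' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' >"$f" && echo "$f"
}
for mk in make_weak_config make_hard_config; do      # stand-alone demo
    cfg=$($mk)
    if audit_sshd_config "$cfg"; then echo "$mk: PASS"; else echo "$mk: FAIL"; fi
    rm -f "$cfg"
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; a Match block that re-enables passwords for some users is not caught, so review those separately.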
Also See
XXX Linux Build Process 0.9 - removed