Linux Server Build Checklist: Difference between revisions

From Federal Burro of Information
* The purpose of the server is clear
** Who will use the server / via what ports? What services?
** What software will be installed
* interface configuration is correct
* routing table is correct
* minimal software stack is installed. unneeded packages removed ( bluetooth, gnome )
* Time services ( [[Ntp]] | [[PTP]] )
* Logging services - kern.* /var/log/kernel.log + logrotate
* ssh updated, and locked down ( no remote root, no version 1 protocol, keys only )
* openssl updated
* kernel updated
* Password policy updated.
* update system working: yum, checking in, registered.
* users defined and locked down.
* service list defined and locked down.
* selinux set up as needed
* iptables / firewall.
 
Basic default allow + logging iptables. The chain policies are left at ACCEPT, so these rules only log what the ACCEPT rules did not match; nothing is blocked until the INPUT policy is set to DROP or a final DROP rule is appended. On current kernels "-m state --state" is the older spelling of "-m conntrack --ctstate":
<pre>
# replies to connections this host already has
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT # example
# note: 443:3000 is a port RANGE (443 through 3000), not two ports
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80,443:3000 -j ACCEPT # example
# LOG is non-terminating; rate-limited so a scan cannot fill the log
/sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "
</pre>
 
Also see some common things you should block: http://newartisans.com/2007/09/neat-tricks-with-iptables/
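The same rule set as above, rewritten as default deny in iptables-restore(8) format so it can be reviewed (and diffed against iptables-save output) before it is loaded. This is an added example, not the page's own ruleset: the port lists, the ICMP and loopback rules, and the /etc/sysconfig/iptables path are assumptions standing in for the "# example" ports in the snippet above.

```shell
#!/bin/sh
# Added example (not from the original page): default-deny version of the
# "default allow + logging" snippet, emitted in iptables-restore format.
# TCP_PORTS/UDP_PORTS are assumed values; replace them with the service list
# decided in the "who will use the server / via what ports" step.
TCP_PORTS="22,80,443"   # the page's "443:3000" would be a RANGE 443-3000, avoided here
UDP_PORTS="53"
LOG_RATE="6/min"

# Print a complete *filter table. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the saved file.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (conntrack replaces "-m state")
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot classify (bad flags, late segments)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited echo so the monitoring system can still ping the box
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# the published services, new connections only
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports ${TCP_PORTS} -j ACCEPT
-A INPUT -p udp -m multiport --dports ${UDP_PORTS} -j ACCEPT
# LOG is non-terminating: rate-limit it, then the INPUT policy (DROP) applies
-A INPUT -m limit --limit ${LOG_RATE} -j LOG --log-prefix "INPUT DROP "
COMMIT
EOF
}

# Quick exposure audit: how many rules ACCEPT new inbound TCP connections?
count_tcp_accepts() {
    gen_rules | grep -c -- '-A INPUT -p tcp .* -j ACCEPT'
}

# To load on a RHEL/CentOS style host (path is the distro convention, assumed):
#   gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

Keep an out-of-band console session open the first time this is loaded: with the INPUT policy at DROP, a typo in TCP_PORTS locks out ssh.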
 
* server is monitored properly.
* timestamp in bash history: "export HISTTIMEFORMAT='%F %T '" ( set it system-wide under /etc/profile.d/; a user can still unset it, so it is a review aid, not an audit trail )
* Hardened ( http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf )
* check list: ( http://security.utexas.edu/admin/redhat-linux.html )
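A check for the ssh item on the list ( no remote root, no version 1 protocol, keys only ), added here as an example and not part of the original page. It parses sshd_config directly, using sshd's first-value-wins rule; the constructed weak and hardened configs are sample input for a stand-alone run. On a live host the authoritative source is the effective configuration printed by "sshd -T" (which resolves defaults and Match blocks), so feed that output to the same function.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config against the
# checklist's ssh lockdown items. Run against "sshd -T" output on a real host.

# sshd uses the FIRST value given for a keyword, so print the first match
# (keywords are case-insensitive); print nothing if the keyword is unset.
sshd_value() {   # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 if every checklist setting is hardened, 1 otherwise.
# Each failing item is printed on its own line so the operator knows what to fix.
check_sshd_config() {
    f="$1"; rc=0
    v=$(sshd_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_value "$f" PubkeyAuthentication)
    [ "$v" = "yes" ] || { echo "PubkeyAuthentication is '${v:-unset}', want yes"; rc=1; }
    # Modern OpenSSH removed protocol 1 and ignores "Protocol", so unset is
    # fine; only an explicit "1" or "2,1" is a finding.
    v=$(sshd_value "$f" Protocol)
    case "$v" in ""|2) ;; *) echo "Protocol is '$v', want 2"; rc=1 ;; esac
    return $rc
}

# Constructed sample configs (not taken from any real host).
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# stock-looking config with the three findings the checklist cares about
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF

# Usage on a live host:  sshd -T > /tmp/effective && check_sshd_config /tmp/effective
```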


== Also See ==
XXX Linux Build Process 0.9 - removed




[[Category:Checklist]]

Latest revision as of 20:25, 9 January 2019