Linux Server Build Checklist: Difference between revisions

Latest revision as of 20:25, 9 January 2019

The purpose of the server is clear
- Who will use the server / via what ports? What services?
- What software will be installed
interface configuration is correct
routing table is correct
minimal software stack is installed. unneeded stuff removed ( bluetooth, gnome )
Time services ( Ntp | PTP )
Logging services - kern.* /var/log/kernel.log + logrotate
ssh updated, and locked down ( no remore root, no version 1 protocol , keys only )
open ssl updated
kernel updated
Password policy updated.
update system working: yum , checking in , registered.
users defined and locked down.
service list defined and locked down.
selinux setup as needed
iptables / firewall.

Basic default allow + logging iptables:

/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT # example 
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80,443:3000 -j ACCEPT # example
/sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "

also see some common things you should block: http://newartisans.com/2007/09/neat-tricks-with-iptables/

server is monitored properly.
timestamp in bash history: "export HISTTIMEFORMAT='%F %T '"
Hardened ( http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf )
check list: ( http://security.utexas.edu/admin/redhat-linux.html )

Also See

XXX Linux Build Process 0.9 - removed

@@ Line 1: / Line 1: @@
-* THe purpose of the ser ver is clear
+* The purpose of the server is clear
-* Who will use the server / via what ports? What services?
+** Who will use the server / via what ports? What services?
-* What software will be installed
+** What software will be installed
+* interface configuration is correct
+* routing table is correct
 * minimal software stack is installed. unneeded stuff removed ( bluetooth, gnome )
 * Time services ( [[Ntp]] | [[PTP]] )
-* Logging services
+* Logging services - kern.* /var/log/kernel.log + logrotate
 * ssh updated, and locked down ( no remore root, no version 1 protocol , keys only )
 * open ssl updated
 * kernel updated
 * Password policy updated.
-* update system working
+* update system working: yum , checking in , registered.
 * users defined and locked down.
-* service list defined and locked done
+* service list defined and locked down.
 * selinux setup as needed
 * iptables / firewall.
-* server is monitored properly
+Basic default allow + logging iptables:
+<pre>
+/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT # example
+/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80,443:3000 -j ACCEPT # example
+/sbin/iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
+/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "
+</pre>
+also see some common things you should block: http://newartisans.com/2007/09/neat-tricks-with-iptables/
+* server is monitored properly.
 * timestamp in bash history: "export HISTTIMEFORMAT='%F %T '"
 * Hardened ( http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf )
 * check list: ( http://security.utexas.edu/admin/redhat-linux.html )
+== Also See ==
+XXX Linux Build Process 0.9 - removed
 [[Category:Checklist]]

Linux Server Build Checklist: Difference between revisions

Latest revision as of 20:25, 9 January 2019

Also See

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools