Dallas/Ft. Worth Unix Users Group

SOHO Protect Strategy

The goal is to develop an Enterprise-like SOHO Protect Strategy that will help all the DFWUUG SOHO's. Enterprise-like means it includes non-*nix platforms, as all of our SOHOs do. The *nix platforms seem to be neglected in the SOHO Protect Strategies found so far. Mac is a *nix platform.

An example is "iptables". What is the basic "iptables" setup for good SOHO protection?

This would involve input from all DFWUUG members with additional input from the Linux SIG, Security SIG and Storage SIG. All help is appreciated.

Table of Contents

How to get Root Rights on Linux

*nix SOHO Protect Strategy

How do we know when the SOHO Protect Strategy is "As Good as it Gets"?

*nix SOHO Protect Strategy01 - A mostly Enterprise Roadmap - not much detail - Some features apply to the SOHO

Should We All Just Use Macs? - OSX is Unix

Enterprise-like SOHO Protect Strategy (includes PC 's or mostly PC based)

Begin Postings

How to get Root rights on Linux ?

LINUX Info diagram (linux.gif) goes here

To protect your Linux,
1. use only Linux
2. use shadow password (Run pwconv as root)
3. setup LILO password
4. keep your Linux up-to-date
5. subscribe to bugtrack mailling liste
6. read the Linux Administrator Security Guide LASG and #Securing-Optimizing-Linux-RH-Edition
7. Remove the services you don't use (don't forget inetd services in /etc/inetd.conf)
8. Replace inetd by xinetd
Convert your old information: itox -t /usr/sbin/ < /etc/inetd.conf > /etc/xinetd.conf
Update your /etc/hosts.allow to reflect service name and not binary name.
1. Your default policy must be deny (ALL:ALL in /etc/hosts.deny)
2. Setup a firewall with a default deny policy NetFilter
3. Use OpenSSH instead of telnet and configure it correctly (no X forwarding in client, limit simultaneous connection for your server)
If you use Winx, you can get PuTTY, free win32 telnet/ssh client
1. Configure your servers to run as non root (Squid,Mysql,Apache,IPLog,Bind,PostFix...)
2. If you run an X server with XDM/KDM/GDM, use the last version of XFree server with Xwrapper and deny XDMCP: XDM, KDM : /etc/X11/xdm/Xaccess
GDM : look for [security] and [xdmcp] in /etc/X11/gdm/gdm.conf
1. Chrooted BIND/DNS servers
2. IPLog: TCP/IP traffic logger
3. Nessus: Remote Security Scanner
Use the option "-a 127.0.0.1" to only listen to loopback interface
1. Use PostFix instead of Sendmail
Important parameters in main.cf are mydestination and relay_domains
1. smtpd_banner = $myhostname ESMTP $mail_name
2. Use ProFTPD instead of `Wu-FTPD
In /etc/proftpd.conf, set
1. SyslogFacility AUTH
2. ExtendedLog /var/log/ftp.log AUTH
3. ServerIdent Off
4. Restrict crontab users with /etc/cron.allow
5. NMAP port scanner
The password cracker John The Ripper is avaible at http://www.openwall.com/john/.
- Introduction to Awk
- The Unix Shell Guide
- HTML Reference

Return to Table of Contents

*nix SOHO Protect Strategy

Firewall - first line of defense
1. Does *nix need a hardware firewall?
  1. Even on dial-up?
2. What's a good "iptables" setup to start with?
  1. For Linux?
  2. For Unix?
  3. Are the Linux and Unix "iptables" the same?
  4. How are they different?
Identity Management
1. LDAP ?
2. NIS/NIS+ ?
3. Other ?
Trusted Network and Hosts
1. DHCP Configuration?
2. DNS Configuration?

Return to Table of Contents

How do we know when the SOHO Protect Strategy is "As Good as it Gets"?

Is my SOHO Protected? or Infected?
How to determine the level of protection?
How to test the protection level after changes to the SOHO?

Return to Table of Contents

*nix SOHO Protect Strategy01 - A mostly Enterprise Roadmap - not much detail - Some features apply to the SOHO

Return to Table of Contents

Should We All Just Use Macs? - OSX is Unix

Return to Table of Contents

Enterprise-like SOHO Protect Strategy

Return to Table of Contents