[PLUG] [off topic security]

Ronald Chmara ron at Opus1.COM
Tue Oct 23 04:47:46 UTC 2007


On Oct 21, 2007, at 2:02 PM, drew wymore wrote:
> I was following the recent security thread and it got me wondering. What do other pluggers do to secure their systems? Is just upgrading packages as they come out enough for you? Do you have crazy IPTables rules, maybe snort, Bastille or Tripwire?
>
> So Pluggers, what do you do?

Aw, geez... it really depends on the box, but, well, here are some of the requirements for the *really* secure (and yet publicly networked) boxen I've worked on in the last few years.

Disable un-needed services.
Delete un-needed accounts and access (uh, "root"? logging in? from *anywhere* but console? hell no.).
Custom written IPtables, of course (Bastille? no thanks.)
All inbound and outbound traffic monitored on a switch's mirror port, by additional dedicated, no-public-access, policy monitoring boxen (think snort, if it was paranoid on meth...)
Write *all* disk changes locally, and to a remote (encrypted tunnels are good!) write-only logging device.
Audit *all* new code changes at the source level, as pre-built binaries are not to be trusted. (Yes, this means source code auditing of every fricking package, every upgrade, yay.)
Web-cam at console, writing to a remote (encrypted tunnels are good!) write-only device.
SELinux tuned to the gills, of course.
Oh, and drives are encrypted (again, of course).
At least two biometric measures (retina, hand) to get to console.
At least one physical measure (think rotating keys) to log in as root.
...and a few shelves worth of binders on policy, procedure, etc., with dedicated staffers monitoring every logged action on the box.

For machines that *aren't* quite that delicate (pretty much "most every machine on this planet that has hard drives worth less than a million dollars each"), I dial it down a notch. ;)
Minimize installed binaries, accounts and services.
Keep binaries up to date.
Custom iptables + SELinux.
No ssh root access, apf/bfd instead.
Nagios for service monitoring.
Perimeter/VPN firewall boxen as needed.

-Bop
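A way to check two of the items in that second list ("no ssh root access" and "minimize accounts") on a box, as an added example that is not from the post: it reads sshd_config the way sshd does (first value of a keyword wins, anything under a Match line is conditional) and lists the accounts that still have an interactive shell for review. The sample config and passwd lines are constructed for the example.

```python
"""Audit sshd_config for root login and passwd(5) for accounts with a login shell."""
import re

# Shells that refuse interactive login; any other shell counts as a login account.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def effective_sshd_settings(config_text):
    """Return {keyword_lower: value} for the global part of an sshd_config.
    sshd keeps the *first* occurrence of a keyword, and settings after a
    'Match' line only apply conditionally, so parsing stops there."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings and len(parts) == 2:
            settings[key] = parts[1].strip()
    return settings

def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means root login over ssh is off."""
    s = effective_sshd_settings(config_text)
    root = s.get("permitrootlogin")
    if root is None:
        return ["PermitRootLogin not set explicitly; the compiled-in default applies"]
    if root.lower() != "no":
        return [f"PermitRootLogin is '{root}'; should be 'no'"]
    return []

def interactive_accounts(passwd_text):
    """Return usernames from passwd(5) text whose shell allows interactive login."""
    fields = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in fields if len(f) == 7 and f[6] not in NOLOGIN_SHELLS]

# Constructed sample input (not from the post).
WEAK_SSHD = "Port 22\nPermitRootLogin yes\n# PermitRootLogin no\n"
HARDENED_SSHD = "Port 22\nPermitRootLogin no\nMatch User backup\n    PermitRootLogin yes\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 "ftp:x:14:50:FTP User:/var/ftp:/bin/bash\n"
                 "ron:x:1000:1000::/home/ron:/bin/bash\n")

if __name__ == "__main__":
    print(audit_sshd_config(WEAK_SSHD))       # flags PermitRootLogin yes
    print(audit_sshd_config(HARDENED_SSHD))   # []
    print(interactive_accounts(SAMPLE_PASSWD))  # ['root', 'ftp', 'ron']
```

On a live box, feed it the contents of /etc/ssh/sshd_config and /etc/passwd; every name it lists is one to justify or lock down.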