
Re: hardening checkpoints



kevin bailey wrote:
> hi,
> 
> was recently rootkitted on a debian machine because i'd left an obscure
> service running.

which one?

> 2. firewall
> no, i'm not sure about the need for a firewall - i may need to access the
> server over ssh from anywhere.  also, to run FTP doesn't the server need to
> be able to open up a varying number of ports?

hmm. you could look into port knocking for your ssh problem.
ftp server can be configured to use only 21/tcp and 20/tcp (ftp, ftp-data)
(requires configuring clients for active/passive mode)

> BTW - FTP *has* to be available - many of the users only know how to use
> FTP.

hmm, a wide range of clients on all systems is beginning to implement scp/sftp, it's worth *forcing* on users, in some scenarios it's not as
scary as it might seem.

> currently - i see no compelling need to set up a firewall - especially since
> if i get it wrong i could lose access to the machine.

not the right attitude.
your compelling need is established by:
1. you just got rootkitted via a port which could've been closed.
2. you're going to be hooked up to the internet.

> so, use something like nmap to test for open ports on a remote machine. make sure only required services are running.

absolutely. with and without the firewall running, scan everything.

> run snort to check for attacks.

this can get really annoying (= not useful), especially when you decide
snort should also send you alerts via email or sms.
i would suggest you leave this to the very last.
and if you do set it up, make sure to check out the 'acid' interface..

hth,
t.
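A small check for the "scan everything, with and without the firewall" step above, added here as an example and not part of the thread or either poster's setup. It reads one line of nmap's grepable output (`nmap -oG -`) and reports any tcp port that is open but not on the list of services the box is meant to offer (ssh, ftp, ftp-data, per the thread). The scan line is constructed sample data; the host 192.0.2.10 and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): compare an nmap -oG scan of a host with
# the ports you intend to expose and flag anything else that is listening.
# Run the same check before and after loading the firewall rules.

# Services the server is meant to offer: ftp-data, ftp, ssh (per the thread).
ALLOWED_PORTS="20 21 22"

# Constructed nmap grepable-output line. A real one comes from:
#   nmap -oG - 192.0.2.10 | grep 'Ports:'
SAMPLE_SCAN='Host: 192.0.2.10 () Ports: 20/open/tcp//ftp-data///, 21/open/tcp//ftp///, 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 513/filtered/tcp//login///'

# unexpected_open_ports <scan-line>
# Prints, one per line, every tcp port reported "open" that is not allowed.
unexpected_open_ports() {
    printf '%s\n' "$1" |
    # keep only the "Ports:" field and split its comma-separated entries
    sed -n 's/.*Ports: //p' | tr ',' '\n' |
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            gsub(/^[ \t]+/, "")        # strip the space after each comma
            split($0, f, "/")          # entry format: port/state/proto/...
            if (f[2] == "open" && f[3] == "tcp" && !(f[1] in ok)) print f[1]
        }'
}

# check_exposure <scan-line>
# Returns 0 when only the allowed ports are open, 1 otherwise, so it can be
# used as a post-change check or from cron.
check_exposure() {
    extra=$(unexpected_open_ports "$1")
    if [ -n "$extra" ]; then
        echo "unexpected open tcp ports: $(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    echo "only expected ports open"
    return 0
}

check_exposure "$SAMPLE_SCAN" || echo "close or firewall the extra services before exposing the box"
```

Filtered ports (513 in the sample) are deliberately ignored, since a filtered state means the firewall is already doing its job; only genuinely open, unlisted services are reported. Running the script on the real scan output before and after the rules are loaded shows exactly what the firewall changed, which is the point of the "with and without" comparison.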


