
Re: [LUG] Security considerations on internet facing VPS server


On Tue, 22 Jun 2010, Rob Beard wrote:

>
> One of my concerns though is securing the server as it's got a direct 
> connection to the internet.  I wondered if anyone had any experiences of 
> packages like Rootkit Hunter or Chkrootkit with Portsentry (I've done a quick 
> search online and these came up as options).
>
I can wholeheartedly recommend rkhunter (RKH) :-)

Actually, it seems that RKH tends more to pick up configuration issues
than rootkits. In that respect it does help people harden their systems.
It also picks up these changes (weakening the system) when someone else
has changed the system, something that has happened a few times at work!
Having said that, the guy dealing with the actual rootkit side of RKH
certainly knows his stuff. He used to work on chkrootkit.

As for other things, I would again totally agree with using shared keys
rather than passwords with SSH. Also configure no root access, and only
allow specific accounts access to SSH. Remove (or disable) unneeded
accounts, and services. Set up iptables (or whatever) to only allow
specific IP addresses through. Run nmap locally to see what is present,
and run either nmap or something like the 'Shields Up!' site remotely to
see what ports are open. Ensure you keep the system patched bang up to
date (can usually be done automatically), and run other tools like Aide,
Samhain, Nessus, Tripwire etc.

Personally I use swatch to monitor things like log files dynamically,
and then have it report back to a central monitoring system. All the
checks above from RKH, Aide etc are also reported back on a regular
basis. The idea is to keep an eye on the system, not to just let it run
and hope RKH etc will detect something. As someone already mentioned, by
then it is too late.
John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
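The SSH advice in John's post (keys instead of passwords, no root login, only named accounts allowed) can be turned into a repeatable check of the kind he feeds back to a central monitor. The script below is an added example, not code from the post or from rkhunter; it reads the global section of an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, everything after a Match line is conditional and is skipped) and reports which of those settings are missing or weak. Both config files it audits are constructed inline for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the global settings of an
# sshd_config against the advice in the message above.

# Print the effective value of one directive. Mirrors sshd: first occurrence
# wins, keyword is case-insensitive, comments and blank lines are ignored,
# and parsing stops at the first Match block (conditional settings only).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Compare one directive with its expected value; one PASS/FAIL line on stdout.
check_directive() {
    actual=$(sshd_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS: $2 $actual"
    else
        echo "FAIL: $2 is '${actual:-unset}', expected '$3'"
    fi
}

# Run every check for one config file.
audit_sshd_config() {
    cfg="$1"
    check_directive "$cfg" PermitRootLogin no          # "configure no root access"
    check_directive "$cfg" PasswordAuthentication no   # "shared keys rather than passwords"
    check_directive "$cfg" PubkeyAuthentication yes
    # AllowUsers has no single correct value; any explicit list of accounts passes.
    users=$(sshd_value "$cfg" AllowUsers)
    if [ -n "$users" ]; then
        echo "PASS: AllowUsers $users"
    else
        echo "FAIL: AllowUsers is unset, so every account with a shell may log in"
    fi
}

# Number of FAIL lines for a config (what a central monitor would alert on).
fail_count() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Constructed sample 1: a distro default left as shipped (PermitRootLogin is
# still commented out, passwords allowed, no account restriction).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample, not a real host's config
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF

# Constructed sample 2: hardened as the post recommends. The lower-case keyword
# and the trailing Match block exercise the parser's sshd-like behaviour.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample, not a real host's config
Port 22
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers rob admin
Match User backup
    PasswordAuthentication yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

echo "== as shipped"
audit_sshd_config "$WEAK_CFG"
echo "== hardened"
audit_sshd_config "$HARD_CFG"
```

Point it at /etc/ssh/sshd_config on a real host and pipe the FAIL lines into whatever collects the rkhunter and Aide reports; a non-zero fail_count is the condition to alert on. Settings inside Match blocks are deliberately not evaluated here, so a Match that re-enables passwords for a particular user would need a separate check.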


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html