Re: [linux-security] Checking remote servers
- From: bryan redhat com (Bryan C. Andregg)
- To: linux-security redhat com
- Subject: Re: [linux-security] Checking remote servers
- Date: Wed, 13 May 1998 16:36:42 +0000 (GMT)
On Tue, 12 May 1998 16:54:32 -0400 (EDT), <akuchlin cnri reston va us> wrote:
> I'd like to hear some suggestions about securely administering a
> system remotely. Here's the application: a project is going to
> scatter some server machines around the US. The server machines will
> be running Linux, with the only network servers being a custom
> application.
So you start with a machine that has only the basic installed users:
[ from /etc/passwd on a shadow system ]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/ftp:
nobody:x:99:99:Nobody:/:
This machine should only be running the following applications:
init
update
crond
kerneld
kflushd
kswapd
syslogd
klogd
CUSTOM APPLICATION
At this point (forgetting about physical access) you have to assume that your
custom application is secure.
So how do you access the machine? Your choices include ssh, Kerberos, OTP.
Installing one of these methods and logging in as root should be secure.
Adding users to this machine that are not you brings to light an entirely new
discussion and you'll need to weigh what programs they need to run, how much
privilege they need, etc.
[mod: I'd cut down on the "default users" even more if I'd go this
route. (check if you need "nobody". If not, just leave "root"!). I'd
add one account for the system administrator. Scan for setuid programs
on the system. Most of them aren't needed. Remove the setuid bit. --REW]
--
Bryan C. Andregg * <bandregg redhat com> * Red Hat Software
"Hey, wait a minute, you clowns are on dope!"
-- Owen Cheese in 'Shakes the Clown'
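The checks the post and the moderator's note describe (a passwd file with nothing beyond the accounts you chose, a known set of running processes, and a sweep for setuid programs) as an added audit script. This is not code from the mail or from Red Hat; the allow-lists, sample passwd lines, sample process listing and the temporary directory tree it builds are constructed for illustration and would be replaced by the real machine's files.

```shell
#!/bin/sh
# Audit helpers for the minimal server described in the post (example code,
# not part of the original mail). Allow-lists below are assumptions: edit them
# to match the accounts and daemons the box is actually meant to have.

ALLOWED_ACCOUNTS="root nobody"
ALLOWED_PROCS="init update crond kerneld kflushd kswapd syslogd klogd"

# Print account names in a passwd-format file ($1) that are not in ALLOWED_ACCOUNTS.
extra_accounts() {
    awk -F: -v allow="$ALLOWED_ACCOUNTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 7 && !($1 in ok) { print $1 }' "$1"
}

# Print accounts in a passwd-format file ($1) whose shell field still allows a
# login. An empty seventh field means the default shell, so it counts too.
login_capable_accounts() {
    awk -F: 'NF >= 7 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# Print setuid and setgid regular files under directory $1 (POSIX find syntax).
# Review each one; clearing the bit is "chmod u-s,g-s <file>".
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print process names from a listing ($1, one command name per line, as
# "ps -eo comm --no-headers" produces) that are not in ALLOWED_PROCS.
unexpected_procs() {
    awk -v allow="$ALLOWED_PROCS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF > 0 && !($1 in ok) { print $1 }' "$1"
}

# ---- Constructed sample data so the script runs offline ----
SAMPLE_DIR=$(mktemp -d)

# Constructed passwd: the pared-down list plus one stray account (ftp).
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
ftp:x:14:50:FTP User:/ftp:
EOF

# Constructed process listing with one daemon that should not be there.
cat > "$SAMPLE_DIR/procs" <<'EOF'
init
crond
syslogd
klogd
httpd
EOF

# Constructed directory tree with one setuid file among plain ones.
mkdir -p "$SAMPLE_DIR/tree/bin"
: > "$SAMPLE_DIR/tree/bin/plain"
: > "$SAMPLE_DIR/tree/bin/su"
chmod 4755 "$SAMPLE_DIR/tree/bin/su"

# Run the audit against the sample data; on a real host point the functions
# at /etc/passwd, the output of ps, and / respectively.
echo "accounts outside the allow-list:"; extra_accounts "$SAMPLE_DIR/passwd"
echo "accounts that can still log in:"; login_capable_accounts "$SAMPLE_DIR/passwd"
echo "setuid/setgid files:";            setuid_files "$SAMPLE_DIR/tree"
echo "processes outside the allow-list:"; unexpected_procs "$SAMPLE_DIR/procs"
```

Each function takes its input as a file argument, so the same checks can be run from cron against the live system and diffed against a saved baseline; anything new in the output is what the moderator's note says to question.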