Unix OS hardening notes

Operating system hardening is an essential security strategy positioned between the network and the application. Unix, one of the popular server operating systems, is a multi-user system that can support hundreds of users with different directories and database applications. Unix is less secure than other proprietary operating systems, as its public-domain variants are particularly vulnerable. That is why hardening Unix is becoming an essential part of each organization. HiTRUST provides a UNIX hardening service to minimize servers' exposure to current and future threats on this computer platform by fully configuring the operating system, removing unnecessary applications and applying security-related patches offered by your vendor.

Hardening a Unix server raises the bar on the level of skill and effort needed to break into the system, and so discourages joyride attackers looking for an easy target. HiTRUST also helps to log all network-access hacking attempts against the Unix server, both successful and unsuccessful. By logging suspicious network activity, an organization can stop would-be attackers from breaking into the system; more importantly, the organization can trace (and sometimes identify) successful attackers.

Common hardening tasks aim to protect the system against:

  • Denial-of-service attacks
  • Brute-force attacks
  • Social-engineering attacks
  • Passive attacks
  • Malicious local users
  • Legitimate users' clumsiness
  • Software bugs, etc.

How to make your machine more secure
(And easier to keep up to date on patches because there'll be fewer patches you need to apply)

  1. Most of what we'll be doing involves turning off unneeded services in /etc/inetd.conf.
    • Go ahead and edit /etc/inetd.conf. Lines that start with a "#" are comments. All the lines that aren't commented out are services that are launched by inetd. The odds that any given one of these services will develop a (known) security hole aren't that high, but the odds that at least one of them will are noticeably higher. So we want to turn off all the unneeded ones.
    • Services we recommend always turning off include: echo, daytime, chargen, time.
    • Services we recommend turning off if you can include... everything else. If this isn't a mission-critical machine, we'd actually recommend that you turn off everything, and then add back services you later discover you need. Of course, on a machine that must be available, it's better to turn off only the services you know you won't need.
    • For specifics of how to turn off a service that's launched by inetd, see Turning off an inetd-launched service.
  2. Not all network services on UNIX are launched by inetd. Some run as standalone daemons. Sendmail and Samba are both packages that can either run from inetd or run as standalone daemons.
    • If you don't need to process e-mail on this machine (including local e-mail), we recommend turning off sendmail. See turning off sendmail for specifics.
    • If you don't need to share files or printers from your UNIX machine to machines running Microsoft operating systems, we recommend turning off samba. See turning off samba for specifics.
    • Note that you may have other network services that are not launched by inetd. These are only two of the most common.
    You're done. For now.
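
The inetd.conf review from step 1 can be scripted. The following is an added example, not part of the original notes: the function names are hypothetical, the sample file is constructed, and it assumes the usual inetd.conf layout (service name in field 1, protocol in field 3). It only reads the file and writes a proposed copy to stdout.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file. Nothing is edited in place.

# Services the notes recommend always turning off.
ALWAYS_OFF="echo daytime chargen time"

# Print "service/protocol" for every line inetd would act on
# (blank lines and lines starting with "#" are skipped).
inetd_active() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { print $1 "/" $3 }' "$1"
}

# Print only the active entries that are on the always-off list.
inetd_flagged() {
    awk -v off="$ALWAYS_OFF" '
        BEGIN { n = split(off, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($1 in bad) { print $1 "/" $3 }' "$1"
}

# Write a copy of the file to stdout with always-off entries commented out.
# Existing comments, blank lines and other services pass through unchanged.
inetd_hardened() {
    awk -v off="$ALWAYS_OFF" '
        BEGIN { n = split(off, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        ($1 in bad) { print "#" $0; next }
        { print }' "$1"
}

# Constructed sample input (not taken from a real host).
make_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
echo    stream  tcp nowait  root    internal
echo    dgram   udp wait    root    internal
#daytime stream tcp nowait  root    internal
chargen stream  tcp nowait  root    internal
time    dgram   udp wait    root    internal
ftp     stream  tcp nowait  root    /usr/sbin/in.ftpd    in.ftpd
telnet  stream  tcp nowait  root    /usr/sbin/in.telnetd in.telnetd
EOF
}
```

Everything `inetd_active` still lists after hardening (ftp and telnet in the sample) falls under "turn off if you can" and needs a per-machine decision. inetd re-reads its configuration when sent SIGHUP, so an edited file takes effect only after that signal or a restart.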
