patches?
on 16.06.2006 01:01:54 by Tyler Littlefield
Hey list,
I am working on a secure system.
I have a quick question. What kinds of things besides a firewall, and not
granting ssh to anyone can I do to secure Linux? I am currently using
Debian. Also, I have read about patches. How do I know which ones to
install, and where would I find them?
Thanks,
~~TheCreator~~
website:
http://tysplace.shaned.net
msn:
compgeek134@hotmail.com
aim:
st8amnd2005
skype:
st8amnd127
moo coder/wizard and administrator
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: patches?
on 16.06.2006 22:50:15 by Yuri Csapo
Hi Tyler,
Your questions would be more appropriately answered by a couple of books
than a simple e-mail. However, some things that come to mind:
1. Turn off unused services. Services that aren't enabled can't be
attacked. That greatly simplifies the issues, including patch
management, since it doesn't really matter if a daemon (say, httpd the
web server) becomes vulnerable when you're not running that daemon.
Therefore, if your system is a web server there's little reason to run
anything other than Apache or similar and the minimum set of things for
Unix/Linux to still work.
2. It is never enough to just run a firewall, especially some default
configuration that comes with your distro or something you find on the
web. If you're serious about security you need to learn IPtables,
understand the issues and develop your own rules and policies.
3. You do NOT want to deny ssh to everyone, unless you're certain that
you will never ever need to do remote administration. If that's the
case, don't just deny access - disable sshd altogether. But despite what
you may have heard ssh is still very safe and it beats every other
option for remote admin - as long as you pick good passwords and keep
your system up to date.
4. Use the tcp wrapper.
5. Keep your system up-to-date.
There are lots and lots of other things to think about depending on your
environment. Note that the issues are basically the same no matter the
operating system. Although Windows is intrinsically more vulnerable,
there is still a lot you can and should do to make it more secure and no
matter how secure you've heard Unix/Linux is, if you aren't careful
it's very easy to render it vulnerable. I would recommend you get the
O'Reilly "Essential System Administration" book and start from there.
About Debian patching, the short of it is that it's very easy to know
which patches you need. Get yourself familiarized with tools like apt,
synaptic and aptitude. Also, have a look at www.debian.org/security and
the links you will find there, especially the manual called "Securing
Debian".
Hope this helps!
Yuri
--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
Green Center Rm 249
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu
Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster
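Added example, not part of the original thread and not written by either poster: one way to answer "how do I know which patches to install" with the apt tools mentioned in the reply. It filters the text printed by `apt-get -s dist-upgrade` (simulate only) down to packages offered by the Debian security archive. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# On a live Debian system:  apt-get -s dist-upgrade | security_updates
# (-s only simulates the upgrade; nothing is installed.)

# Constructed sample of simulated apt-get output; packages and versions are made up.
SAMPLE_OUTPUT='Reading package lists...
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst vim [2:8.2.2434-3] (2:8.2.2434-3+deb11u1 Debian:11.6/stable [amd64])
Inst openssh-server [1:8.4p1-5] (1:8.4p1-5+deb11u1 Debian:11.6/stable, Debian-Security:11/stable-security [amd64])
Inst libfoo-data (1.0-2 Debian-Security:11/stable-security [all])
Conf libssl1.1 (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])'

# Print "package installed candidate" for every Inst line whose origin list
# includes Debian-Security. A package pulled in as a new dependency has no
# [installed] field, so "-" is printed in its place.
security_updates() {
    awk '
        $1 == "Inst" && /Debian-Security:/ {
            pkg = $2
            installed = "-"
            if ($3 ~ /^\[.*\]$/) {
                installed = substr($3, 2, length($3) - 2)
            }
            # The candidate version is the first token inside the parentheses.
            rest = $0
            sub(/^[^(]*\(/, "", rest)
            split(rest, parts, " ")
            print pkg, installed, parts[1]
        }'
}

# Print how many security updates are pending (0 means fully patched),
# suitable for a cron job or monitoring check.
count_security_updates() {
    security_updates | awk 'END { print NR }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | security_updates
```

Run `apt-get update` first so the simulation is compared against the current package lists.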