SlideShare une entreprise Scribd logo

Server hardening

Télécharger en tant que PPTX, PDF
Teja Babu
Teja Babu

server hardening

Technologie
1  sur  31
Linux Hardening
Roadmap Securing from physical access. Securing from remote access Power of open-source ???????????????
Top Vulnerabilities  Default installations of operating system and applications  Accounts with no password or weak password  Non-existent or incomplete backup  A large number of open ports  Not filtering packets for correct incoming and outgoing addresses  Non-existent or incomplete logging  Vulnerable CGI programs
Security as a Policy It is important to point out that you cannot implement security if you have not decided what needs to be protected, and from whom.  How do you classify confidential or sensitive information? Does the system contain confidential or sensitive information?  Exactly whom do you want to guard against? Do remote users really need access to your system? Do passwords or encryption provide enough protection?  Do you need access to the Internet? How much access do you want to allow to your system from the Internet?  What action will you take if you discover a breach in your security?
BIOS  It is recommended that you set a Boot password to disallow booting from disk drives , mass storages and set passwords on BIOS features.  This will block undesired people from trying to boot your Linux system with a special boot disk and will protect you from people trying to change BIOS feature like allowing boot from usb drive or booting the server without prompt password.
Password Protecting GRUB  To do this, first choose a strong password, open a shell, log in as root, and then type the following command: /sbin/grub-md5-crypt After the password is generated copy the text and add it to following file. /boot/grub/grub.conf Add an entry in the file “password --md5 <password-hash>”
Choose a right Password  Also, a password checking mechanism should be present to reject a weak password when first choosing a password or changing an old one  Edit the login.defs file vi /etc/login.defs and change the line that read: ” PASS_MIN_LEN 5 >>>>> PASS_MIN_LEN 8”  The login.defs is the configuration file for the login program. You should review or make changes to this file for your particular system. This is where you set other security policy settings like password expiration defaults or minimum acceptable password length.
The root account  The root account is the most privileged account on a Unix system  For security reasons, never log in on your server as root unless it is absolutely an instance that necessitates root access “TMOUT=7200” The value we enter for the variable TMOUT= is in second and represent 2 hours (60 * 60 = 3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your /etc/profile file, then the automatic logout after two hours of inactivity will apply for all users on the system  Edit the file : “/etc/profile”
Disable console program access “/etc/security/console.apps”
TCP_WRAPPERS  By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing your servers against outside intrusion is a lot simpler and painless then you would expect  TCP_WRAPPERS is controlled from two files and the search stops at the first match. “/etc/hosts.allow” “/etc/hosts.deny”
SYN denial of service attacks  SYN cookie is a technique used to resist SYN flood attacks and we call it as SynAttackProtect.  In order to initiate a TCP connection, the client sends a TCP SYN packet to the server. In response, the server sends a TCP SYN+ACK packet back to the client “echo 1 > /proc/sys/net/ipv4/tcp_syncookie” /etc/rc.d/rc.local – not have to type it again the next time you reboot your system. Add /etc/sysctl.conf # Enable TCP SYN Cookie Protection
SYN flood attack
SSH
Default Config Files and SSH Port /etc/ssh/sshd_config - OpenSSH server configuration file. /etc/ssh/ssh_config - OpenSSH client configuration file. ~/.ssh/ - Users ssh configuration directory. ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account /etc/nologin - If this file exists, sshd refuses to let anyone except root log in. /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
Only Use SSH Protocol 2 SSH protocol version 1 (SSH-1) has man-in-the- middle attacks problems and security vulnerabilities. Limit Users' SSH Access  Only allow <user1> and <user2> user to use the system via SSH, add the following to sshd_config: “PermitRootLogin no ” ” AllowUsers <user1>”  Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line: “DenyUsers <user2>”
Change SSH Port and Limit IP Binding  By default SSH listen to all available interfaces and IP address on the system. Limit ssh port binding and change ssh port (by default brute forcing scripts only try to connects to port # 22). To bind to 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following line: Port 300 ListenAddress 192.168.1.5 ListenAddress 202.54.1.5  Disable Empty Passwords  You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line: “PermitEmptyPasswords no”
sysctl.conf
sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:  Limit network-transmitted configuration for IPv4  Limit network-transmitted configuration for IPv6  Turn on execshield protection  Prevent against the common 'syn flood attack‘  Turn on source IP address verification  Prevents a cracker from using a spoofing attack against the IP address of the server.  Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.
 # Avoid a smurf attack net.ipv4.icmp_echo_ignore_broadcasts = 1  # Turn on protection for bad icmp error messages net.ipv4.icmp_ignore_bogus_error_responses = 1  # Turn on syncookies for SYN flood attack protection net.ipv4.tcp_syncookies = 1  # Turn on and log spoofed, source routed, and redirect packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1  # No source routed packets here net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0
 # Turn on execshild kernel.exec-shield = 1 kernel.randomize_va_space = 1  # Tune IPv6 net.ipv6.conf.default.router_solicitations = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.default.dad_transmits = 0 net.ipv6.conf.default.max_addresses = 1
Power of Open source Mod_Dosevasive in Apache Fail2ban Shorewall  Observium
Mod_Dosevasive in Apache  Mod_Dosevasive is an evasive maneuvers module for Apache whose purpose is to react to HTTP DoS and/or Brute Force attacks.  An additional capability of the module is that it is also able to execute system commands when DoS attacks are identified. This provides an interface to send attacking IP addresses to other security applications such as local host-based firewalls to block the offending IP address.  Mod_Dosevasive performs well in both single-server attacks, as well as distributed attacks; however, as with any DoS attack, the real concern is network bandwidth and processor/ RAM usage.
The IP address of the client is checked in the temporary blacklist of the hash table. If the IP address is listed, then the client is denied access with a 403 Forbidden. LoadModule dosevasive20_module modules/mod_dosevasive20.so ------------------------------------------------------- | IfModule mod_dosevasive20.c | | DOSHashTableSize 3097 | | DOSPageCount 2 | | DOSSiteCount 50 | | DOSPageInterval 1 | | DOSSiteInterval 1 | | DOSBlockingPeriod 10 | | -/IfModule | ------------------------------------------------------------------------
fail2ban  Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.  Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).  Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents.
bantime = 3600 ignoreip = 127.0.0.1/8 maxretry = 3 # A host is banned if it has generated "maxretry" during the last "findtime" findtime = 600 # seconds [ssh-iptables] enabled = true Filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5
Shorewall  Shorewall (more appropriately the Shoreline Firewall) is an open source firewall tool for Linux that builds upon the Netfilter(iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.stromwall
Shorewall uses the concept of zones. You need to define the network using a set of zones as follows for the two network-interface configuration #NAME DESCRIPTION fw The firewall itself wan The Internet lan Your Local Network
 routefilter - Turn on kernel route filtering for this interface i.e. turn on anti-spoofing measurements.  blacklist - Check packets arriving on this interface against the /etc/shorewall/blacklist file. The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application.  tcpflags - Packets arriving on this interface are checked for certain illegal combinations of TCP flags such as x mas or null or invalid packets. Packets found to have such a combination of flags are dropped (see the settings of TCP_FLAGS_DISPOSITION option in shorewall.conf) after having been logged in /var/log/messages file (see the setting ofTCP_FLAGS_LOG_LEVEL in shorewall.conf).  logmartians - Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set routefilter on an interface that you also set logmartians.  nosmurfs - Filter packets for smurfs (packets with a broadcast address as the source) i.e. turn on anti-smurf protection.
“etc/shorewall/policy”  You express your default policy for connections from one zone to another zone in the/etc/shorewall/policy. file. The basic choices for policy are: ACCEPT - Accept the connection. DROP - Ignore the connection request. REJECT - Return an appropriate error to the connection request.  Connection request logging may be specified as part of a policy and it is conventional (and highly recommended) to log DROP and REJECT policies.
Thank You A secure Linux server depends on how the administrator configures it to be.

Recommandé

CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhydn|u - The Open Security Community
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction Mohamed Gad
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service AttacksHansa Nidushan
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 

Recommandé

CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhydn|u - The Open Security Community
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction Mohamed Gad
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service AttacksHansa Nidushan
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Suricata
SuricataSuricata
Suricatatex_morgan
 
Idps
IdpsIdps
IdpsGNANARAJA R
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyAlexandre Augusto Giron
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1Frank Avila Zapata
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic toolsCAS
 
Security monitoring and auditing
Security monitoring and auditingSecurity monitoring and auditing
Security monitoring and auditingbalamurugan.k Kalibalamurugan
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniquesIGZ Software house
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacksprimeteacher32
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
role of students in developing Nation
role of students in developing Nation role of students in developing Nation
role of students in developing Nation Teja Babu
 

Contenu connexe

Tendances

Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyAlexandre Augusto Giron
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic toolsCAS
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 

Tendances (20)

Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
Suricata
SuricataSuricata
Suricata
 
Idps
IdpsIdps
Idps
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based Cryptography
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic tools
 
Security monitoring and auditing
Security monitoring and auditingSecurity monitoring and auditing
Security monitoring and auditing
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
S/MIME
S/MIMES/MIME
S/MIME
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 

En vedette

Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
role of students in developing Nation
role of students in developing Nation role of students in developing Nation
role of students in developing Nation Teja Babu
 
Rights, Duties, and Responsibilities of the Youth
Rights, Duties, and Responsibilities of the YouthRights, Duties, and Responsibilities of the Youth
Rights, Duties, and Responsibilities of the Youthsameng
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlJames Morris
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server SecurityResellerClub
 
Essay: Role of Youth in Nation building and progress.
Essay: Role of Youth in Nation building and progress.Essay: Role of Youth in Nation building and progress.
Essay: Role of Youth in Nation building and progress.Samia Khan
 
Youth as the driver of change
Youth as the driver of changeYouth as the driver of change
Youth as the driver of changeZahid Anjum
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
The Youth of Today
The Youth of TodayThe Youth of Today
The Youth of TodayZoe Lorenz
 
Today’s youth tomorrow’s future
Today’s youth tomorrow’s futureToday’s youth tomorrow’s future
Today’s youth tomorrow’s futureanithagrahalakshmi
 

En vedette (14)

Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by Steps
 
role of students in developing Nation
role of students in developing Nation role of students in developing Nation
role of students in developing Nation
 
Rights, Duties, and Responsibilities of the Youth
Rights, Duties, and Responsibilities of the YouthRights, Duties, and Responsibilities of the Youth
Rights, Duties, and Responsibilities of the Youth
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
When ACLs Attack
When ACLs AttackWhen ACLs Attack
When ACLs Attack
 
Fail2 ban
Fail2 banFail2 ban
Fail2 ban
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server Security
 
Essay: Role of Youth in Nation building and progress.
Essay: Role of Youth in Nation building and progress.Essay: Role of Youth in Nation building and progress.
Essay: Role of Youth in Nation building and progress.
 
Youth as the driver of change
Youth as the driver of changeYouth as the driver of change
Youth as the driver of change
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
Power of youth
Power of youthPower of youth
Power of youth
 
The Youth of Today
The Youth of TodayThe Youth of Today
The Youth of Today
 
Today’s youth tomorrow’s future
Today’s youth tomorrow’s futureToday’s youth tomorrow’s future
Today’s youth tomorrow’s future
 

Similaire à Server hardening

Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxMartin Holovský
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0maaz khan
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
EMSC1515104 Shehansuhail
EMSC1515104 ShehansuhailEMSC1515104 Shehansuhail
EMSC1515104 ShehansuhailMohomed Shehan
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxcarliotwaycave
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco routerIT Tech
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guideMDEMARCOCCIE
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsManuel Vega
 
Nat mikrotik
Nat mikrotikNat mikrotik
Nat mikrotiklouisraj
 

Similaire à Server hardening (20)

Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Download It
Download ItDownload It
Download It
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
EMSC1515104 Shehansuhail
EMSC1515104 ShehansuhailEMSC1515104 Shehansuhail
EMSC1515104 Shehansuhail
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
Fail2ban
Fail2banFail2ban
Fail2ban
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guide
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bits
 
Squid server
Squid serverSquid server
Squid server
 
Securing Asterisk: A practical approach
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approach
 
Nat mikrotik
Nat mikrotikNat mikrotik
Nat mikrotik
 

Plus de Teja Babu

Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explainedTeja Babu
 
introduction to computer
introduction to computerintroduction to computer
introduction to computerTeja Babu
 
french wines
french wines french wines
french wines Teja Babu
 
Cloud computing security
Cloud computing security Cloud computing security
Cloud computing security Teja Babu
 

Plus de Teja Babu (8)

Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explained
 
Linux
Linux Linux
Linux
 
introduction to computer
introduction to computerintroduction to computer
introduction to computer
 
french wines
french wines french wines
french wines
 
Cloud computing security
Cloud computing security Cloud computing security
Cloud computing security
 
Cisco ios
Cisco iosCisco ios
Cisco ios
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
MANET
MANETMANET
MANET
 

Dernier

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

Server hardening

  • 2. Roadmap Securing from physical access. Securing from remote access Power of open-source ???????????????
  • 3. Top Vulnerabilities  Default installations of operating system and applications  Accounts with no password or weak password  Non-existent or incomplete backup  A large number of open ports  Not filtering packets for correct incoming and outgoing addresses  Non-existent or incomplete logging  Vulnerable CGI programs
  • 4. Security as a Policy It is important to point out that you cannot implement security if you have not decided what needs to be protected, and from whom.  How do you classify confidential or sensitive information? Does the system contain confidential or sensitive information?  Exactly whom do you want to guard against? Do remote users really need access to your system? Do passwords or encryption provide enough protection?  Do you need access to the Internet? How much access do you want to allow to your system from the Internet?  What action will you take if you discover a breach in your security?
  • 5. BIOS  It is recommended that you set a Boot password to disallow booting from disk drives , mass storages and set passwords on BIOS features.  This will block undesired people from trying to boot your Linux system with a special boot disk and will protect you from people trying to change BIOS feature like allowing boot from usb drive or booting the server without prompt password.
  • 6. Password Protecting GRUB  To do this, first choose a strong password, open a shell, log in as root, and then type the following command: /sbin/grub-md5-crypt After the password is generated copy the text and add it to following file. /boot/grub/grub.conf Add an entry in the file “password --md5 <password-hash>”
  • 7. Choose a right Password  Also, a password checking mechanism should be present to reject a weak password when first choosing a password or changing an old one  Edit the login.defs file vi /etc/login.defs and change the line that read: ” PASS_MIN_LEN 5 >>>>> PASS_MIN_LEN 8”  The login.defs is the configuration file for the login program. You should review or make changes to this file for your particular system. This is where you set other security policy settings like password expiration defaults or minimum acceptable password length.
  • 8. The root account  The root account is the most privileged account on a Unix system  For security reasons, never log in on your server as root unless it is absolutely an instance that necessitates root access “TMOUT=7200” The value we enter for the variable TMOUT= is in second and represent 2 hours (60 * 60 = 3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your /etc/profile file, then the automatic logout after two hours of inactivity will apply for all users on the system  Edit the file : “/etc/profile”
  • 9. Disable console program access “/etc/security/console.apps”
  • 10. TCP_WRAPPERS  By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing your servers against outside intrusion is a lot simpler and painless then you would expect  TCP_WRAPPERS is controlled from two files and the search stops at the first match. “/etc/hosts.allow” “/etc/hosts.deny”
  • 11. SYN denial of service attacks  SYN cookie is a technique used to resist SYN flood attacks and we call it as SynAttackProtect.  In order to initiate a TCP connection, the client sends a TCP SYN packet to the server. In response, the server sends a TCP SYN+ACK packet back to the client “echo 1 > /proc/sys/net/ipv4/tcp_syncookie” /etc/rc.d/rc.local – not have to type it again the next time you reboot your system. Add /etc/sysctl.conf # Enable TCP SYN Cookie Protection
  • 13. SSH
  • 14. Default Config Files and SSH Port /etc/ssh/sshd_config - OpenSSH server configuration file. /etc/ssh/ssh_config - OpenSSH client configuration file. ~/.ssh/ - Users ssh configuration directory. ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account /etc/nologin - If this file exists, sshd refuses to let anyone except root log in. /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
  • 15. Only Use SSH Protocol 2 SSH protocol version 1 (SSH-1) has man-in-the- middle attacks problems and security vulnerabilities. Limit Users' SSH Access  Only allow <user1> and <user2> user to use the system via SSH, add the following to sshd_config: “PermitRootLogin no ” ” AllowUsers <user1>”  Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line: “DenyUsers <user2>”
  • 16. Change SSH Port and Limit IP Binding  By default SSH listen to all available interfaces and IP address on the system. Limit ssh port binding and change ssh port (by default brute forcing scripts only try to connects to port # 22). To bind to 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following line: Port 300 ListenAddress 192.168.1.5 ListenAddress 202.54.1.5  Disable Empty Passwords  You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line: “PermitEmptyPasswords no”
  • 18. sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:  Limit network-transmitted configuration for IPv4  Limit network-transmitted configuration for IPv6  Turn on execshield protection  Prevent against the common 'syn flood attack‘  Turn on source IP address verification  Prevents a cracker from using a spoofing attack against the IP address of the server.  Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.
  • 19.  # Avoid a smurf attack net.ipv4.icmp_echo_ignore_broadcasts = 1  # Turn on protection for bad icmp error messages net.ipv4.icmp_ignore_bogus_error_responses = 1  # Turn on syncookies for SYN flood attack protection net.ipv4.tcp_syncookies = 1  # Turn on and log spoofed, source routed, and redirect packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1  # No source routed packets here net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0
  • 20.  # Turn on execshild kernel.exec-shield = 1 kernel.randomize_va_space = 1  # Tune IPv6 net.ipv6.conf.default.router_solicitations = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.default.dad_transmits = 0 net.ipv6.conf.default.max_addresses = 1
  • 21. Power of Open source Mod_Dosevasive in Apache Fail2ban Shorewall  Observium
  • 22. Mod_Dosevasive in Apache  Mod_Dosevasive is an evasive maneuvers module for Apache whose purpose is to react to HTTP DoS and/or Brute Force attacks.  An additional capability of the module is that it is also able to execute system commands when DoS attacks are identified. This provides an interface to send attacking IP addresses to other security applications such as local host-based firewalls to block the offending IP address.  Mod_Dosevasive performs well in both single-server attacks, as well as distributed attacks; however, as with any DoS attack, the real concern is network bandwidth and processor/ RAM usage.
  • 23. The IP address of the client is checked in the temporary blacklist of the hash table. If the IP address is listed, then the client is denied access with a 403 Forbidden. LoadModule dosevasive20_module modules/mod_dosevasive20.so ------------------------------------------------------- | IfModule mod_dosevasive20.c | | DOSHashTableSize 3097 | | DOSPageCount 2 | | DOSSiteCount 50 | | DOSPageInterval 1 | | DOSSiteInterval 1 | | DOSBlockingPeriod 10 | | -/IfModule | ------------------------------------------------------------------------
  • 24. fail2ban  Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.  Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).  Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents.
  • 25. bantime = 3600 ignoreip = 127.0.0.1/8 maxretry = 3 # A host is banned if it has generated "maxretry" during the last "findtime" findtime = 600 # seconds [ssh-iptables] enabled = true Filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5
  • 26. Shorewall  Shorewall (more appropriately the Shoreline Firewall) is an open source firewall tool for Linux that builds upon the Netfilter(iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.stromwall
  • 27. Shorewall uses the concept of zones. You need to define the network using a set of zones as follows for the two network-interface configuration #NAME DESCRIPTION fw The firewall itself wan The Internet lan Your Local Network
  • 28.  routefilter - Turn on kernel route filtering for this interface i.e. turn on anti-spoofing measurements.  blacklist - Check packets arriving on this interface against the /etc/shorewall/blacklist file. The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application.  tcpflags - Packets arriving on this interface are checked for certain illegal combinations of TCP flags such as x mas or null or invalid packets. Packets found to have such a combination of flags are dropped (see the settings of TCP_FLAGS_DISPOSITION option in shorewall.conf) after having been logged in /var/log/messages file (see the setting ofTCP_FLAGS_LOG_LEVEL in shorewall.conf).  logmartians - Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set routefilter on an interface that you also set logmartians.  nosmurfs - Filter packets for smurfs (packets with a broadcast address as the source) i.e. turn on anti-smurf protection.
  • 29. “etc/shorewall/policy”  You express your default policy for connections from one zone to another zone in the/etc/shorewall/policy. file. The basic choices for policy are: ACCEPT - Accept the connection. DROP - Ignore the connection request. REJECT - Return an appropriate error to the connection request.  Connection request logging may be specified as part of a policy and it is conventional (and highly recommended) to log DROP and REJECT policies.
  • 30.
  • 31. Thank You A secure Linux server depends on how the administrator configures it to be.