Re: [cobalt-users] Security issues - how to patch up a RaQ?
- Subject: Re: [cobalt-users] Security issues - how to patch up a RaQ?
- From: "Marc Gear" <marcg@xxxxxxxxxxxxxx>
- Date: Fri Apr 6 19:55:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> I wondered if anyone had compiled a step-by-step guide (for us beginners) to
> help secure a RaQ (I have a RaQ4i myself). About the only one I know of at
> the moment is the need to replace Telnet with a secure shell login.
There are several steps you can take and several people have written guides
on securing a raq.

Here is a short list of what I personally recommend:

Change your root password to something different to the admin password, bear
in mind that if you change the admin password through the GUI it will
change the root password too.

Edit /etc/inetd.conf to remove anything you are not using - I recommend
disabling imap4 this way - although your active monitor will show that it is
not running (which it won't be), your box will be more secure for it - imap
is a reasonably insecure protocol.

Do all, yes all, the updates from the cobalt website. Download all the
packages at once and do it that way - it's much quicker. Start from the
bottom up and do everything.

Make sure root is in /etc/ftpusers.

Install the latest version of OpenSSL and OpenSSH.

Create the wheel group and put admin in it if it isn't in there already -
and any users you want to have special privileges, then chgrp and chgrp
binaries on your system that could be a security risk to have them run by
everyone. (remember the sticky bit on /bin/su though) I recommend at least
/bin/su and /usr/bin/gcc.

Disable telnet access by commenting out the line in inetd.conf.

Make sure all your inetd.conf programs run through TCP wrappers.

Put any hosts you don't want to have access to the machine in /etc/hosts.deny.

Install ipchains and configure a simple set of chains rules that will still
allow you to run your services, but block unsolicited packets at the
kernel level.

If you don't have time to go through your logs yourself then install
something like logcheck from www.psionic.com and configure it to send you
the bits of information you need to an email address.
Set up a cron job to run this every hour or so.

Install tripwire (www.tripwire.org) and chkrootkit (www.chkrootkit.org) and do
a system integrity test. Set a cron job to run these programs and email you
the results every week (at least).

Set up some kind of passive port probe detection (www.snort.org) or run
portsentry with all its active elements turned off (www.psionic.com). Make
sure this logs to somewhere you check your logs.

Configure the raq to use shadowed passwords and MD5 hashes.

Do not offer any kind of anonymous ftp to anyone on your raq, and make sure
that no one has a shell account that just doesn't need it.

Check cobalt's site for any updates again (and do this at least once a week
too); also subscribe to the cobalt-announce and cobalt-security mailing lists and
even if you don't post anything, lurk and read them as this is where you will
learn about raq specific security.

Check for updates on any 3rd party software you have installed regularly
too. If you can afford the mailbox space subscribe to the security mailing
list for these pieces of software too.

There is tons more you can do - but this list is long enough already.
--
/\/\ a R (
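The inetd.conf, TCP wrappers and /etc/ftpusers items from the checklist above, as an added example that is not part of the original post and not a Cobalt tool: a small POSIX shell audit that checks whether telnet and imap are still active in inetd.conf, which active services do not go through tcpd, and whether root is listed in ftpusers, then shows the "comment out the line" step done with sed. It runs against constructed sample files in a temp directory; the sample contents, the file layout and every function name are my own assumptions, and the same functions can be pointed at the real /etc/inetd.conf and /etc/ftpusers.

```shell
#!/bin/sh
# Added example, not code from the post or from Cobalt: audit a few of the
# checklist items (inetd.conf services, TCP wrappers, /etc/ftpusers) against
# constructed sample files so it runs offline. File paths are passed in;
# point them at /etc/inetd.conf and /etc/ftpusers to audit a real box.

# Write constructed sample config files into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample, loosely modelled on a RedHat-era inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd   in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd   in.rshd
imap    stream  tcp     nowait  root    /usr/sbin/imapd  imapd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd   ipop3d
EOF
    printf 'root\nbin\ndaemon\n' > "$dir/ftpusers"
    echo "$dir"
}

# Succeed (exit 0) when no active, i.e. uncommented, line for service $2 exists in $1.
inetd_service_disabled() {
    ! grep -E "^[[:space:]]*$2[[:space:]]" "$1" >/dev/null 2>&1
}

# Print the names of active services whose server program (field 6) is not
# tcpd, i.e. services that bypass TCP wrappers; inetd's built-in services
# ("internal") are skipped.
inetd_unwrapped_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        awk '$6 !~ /(^|\/)tcpd$/ && $6 != "internal" { print $1 }'
}

# Comment out every active line for service $2 in $1, writing the result to $3
# (the post's "comment out the line in inetd.conf" step, done with sed).
inetd_disable_service() {
    sed "s/^\([[:space:]]*$2[[:space:]]\)/#\1/" "$1" > "$3"
}

# Succeed when root is listed in the ftpusers file (ftpd refuses logins for listed users).
root_in_ftpusers() {
    grep -Ex '[[:space:]]*root[[:space:]]*' "$1" >/dev/null 2>&1
}

# Human-readable report for a directory holding inetd.conf and ftpusers.
audit_report() {
    conf="$1/inetd.conf"
    for svc in telnet imap; do
        if inetd_service_disabled "$conf" "$svc"; then
            echo "ok:   $svc is disabled in inetd.conf"
        else
            echo "WARN: $svc is still active in inetd.conf"
        fi
    done
    for svc in $(inetd_unwrapped_services "$conf"); do
        echo "WARN: $svc does not run through tcpd (TCP wrappers)"
    done
    if root_in_ftpusers "$1/ftpusers"; then
        echo "ok:   root is listed in ftpusers"
    else
        echo "WARN: root is missing from ftpusers"
    fi
}

# Stand-alone run: audit the samples, apply the sed fix, audit again.
sample=$(make_samples)
echo "--- before ---"; audit_report "$sample"
inetd_disable_service "$sample/inetd.conf" telnet "$sample/inetd.tmp"
inetd_disable_service "$sample/inetd.tmp" imap "$sample/inetd.conf"
echo "--- after ---";  audit_report "$sample"
rm -rf "$sample"
```

The "before" report flags telnet and imap as active and imap as not wrapped by tcpd; after the two sed passes both are commented out and nothing bypasses TCP wrappers. Note that disabling a service in inetd.conf only takes effect once inetd re-reads the file, and that an entry still running through tcpd is only as restrictive as /etc/hosts.allow and /etc/hosts.deny make it.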