What can be done with limited time to secure Unix systems?

The following is a list of suggested things to do, ordered by their time costs and benefit. To best use this list, you should:

Prepare now for how you will deal with security incidents - See Incident response cycle in a nutshell (from another talk)
Take time each week/month to do one "High" or "Medium" initial expense item that results in a "High" payoff
Dedicate some time to regularly do the "Low" ongoing expense items
If you find you don't have enough time, ask for more resources

Task
Initial Expense
Ongoing Expense
Payoff
Benefit

Only use SSH for remote administration of Unix systems Low Low High Best way to prevent direct attack on remote root sessions. (See benefits of: Install SSH... )

"TCP wrapper" everything (see also: Run "swatch" ...) Low - Medium Low High You limit access and get logging to alert you to attempts

Regularly read CERT, CIAC, and other advisories (netsys/lanadmin) Low Medium High You know what to expect from attackers & learn about patches from vendors

Regularly check/apply security patches to all systems.
(For Red Hat Linux, automate with autorpm) Low Medium High You minimize your exposure to exploits

Install SSH & its PC/Mac clients Medium Low High Minimizes exposure of passwords in "clear text" form to sniffers and prevents session hijacking, DNS/IP spoofing, etc. (e.g., "hunt")

Run "swatch" or "logwatch" to monitor log files automatically and report via email Medium Low High Early warning of attacks, preseved evidence in case logs are cleaned out

Prioritize the services you provide and eliminate all unnecessary services/accounts (e.g., do you really need to get mail on workstations, or have the "test1" account lying around from 1996?) Medium Low High You minimize potential points of intrusion and leaked information

Do backups (i.e., be prepared to get full image snapshots of any system) Medium Medium High You are able to recover faster and assist investigation/prosecution

Learn how to use trinux High Low High Easy to use network monitoring / audit / penetration testing toolkit - very handy for investigating incidents and gathering evidence

Run "tripwire", or other file system integrity checkers
(Red Hat Linux use rpm -Vp against original packages, not local RPM database) High Low High Gives you "heads up" when root is compromised

Runs scripts to check for IRC bots, "+" in .rhosts, etc. Medium Low Medium Gives you "heads up" when accounts are compromised

Audit your network (e.g., with "nmap") to see what new systems/services show up Medium Medium Medium Better knowledge of potential threats from neighbors

Task	Initial Expense	Ongoing Expense	Payoff	Benefit
Only use SSH for remote administration of Unix systems	Low	Low	High	Best way to prevent direct attack on remote root sessions. (See benefits of: Install SSH... )
"TCP wrapper" everything (see also: Run "swatch" ...)	Low - Medium	Low	High	You limit access and get logging to alert you to attempts
Regularly read CERT, CIAC, and other advisories (netsys/lanadmin)	Low	Medium	High	You know what to expect from attackers & learn about patches from vendors
Regularly check/apply security patches to all systems. (For Red Hat Linux, automate with autorpm)	Low	Medium	High	You minimize your exposure to exploits
Install SSH & its PC/Mac clients	Medium	Low	High	Minimizes exposure of passwords in "clear text" form to sniffers and prevents session hijacking, DNS/IP spoofing, etc. (e.g., "hunt")
Run "swatch" or "logwatch" to monitor log files automatically and report via email	Medium	Low	High	Early warning of attacks, preseved evidence in case logs are cleaned out
Prioritize the services you provide and eliminate all unnecessary services/accounts (e.g., do you really need to get mail on workstations, or have the "test1" account lying around from 1996?)	Medium	Low	High	You minimize potential points of intrusion and leaked information
Do backups (i.e., be prepared to get full image snapshots of any system)	Medium	Medium	High	You are able to recover faster and assist investigation/prosecution
Learn how to use trinux	High	Low	High	Easy to use network monitoring / audit / penetration testing toolkit - very handy for investigating incidents and gathering evidence
Run "tripwire", or other file system integrity checkers (Red Hat Linux use `rpm -Vp` against original packages, not local RPM database)	High	Low	High	Gives you "heads up" when root is compromised
Runs scripts to check for IRC bots, "+" in `.rhosts`, etc.	Medium	Low	Medium	Gives you "heads up" when accounts are compromised
Audit your network (e.g., with "nmap") to see what new systems/services show up	Medium	Medium	Medium	Better knowledge of potential threats from neighbors

Many of these tasks and tools are covered in:

Steps to take to improve your network's security (from another talk)
Unix System Security Checklist
CERT's UNIX Configuration Guidelines
RFC 2196 - Site Security Handbook

[Next] | [Prev] | [Top]

Dave Dittrich <dittrich@cac.washington.edu>

Last modified: Thu Apr 8 11:50:05 1999