What can be done with limited time to secure Unix systems?

The following is a list of suggested things to do, ordered by their time costs and benefit. To best use this list, you should:

| Task | Initial Expense | Ongoing Expense | Payoff | Benefit |
|---|---|---|---|---|
| Only use SSH for remote administration of Unix systems | Low | Low | High | Best way to prevent direct attack on remote root sessions. (See benefits of: Install SSH...) |
| "TCP wrapper" everything (see also: Run "swatch"...) | Low - Medium | Low | High | You limit access and get logging to alert you to attempts |
| Regularly read CERT, CIAC, and other advisories (netsys/lanadmin) | Low | Medium | High | You know what to expect from attackers & learn about patches from vendors |
| Regularly check/apply security patches to all systems (for Red Hat Linux, automate with autorpm) | Low | Medium | High | You minimize your exposure to exploits |
| Install SSH & its PC/Mac clients | Medium | Low | High | Minimizes exposure of passwords in "clear text" form to sniffers and prevents session hijacking, DNS/IP spoofing, etc. (e.g., "hunt") |
| Run "swatch" or "logwatch" to monitor log files automatically and report via email | Medium | Low | High | Early warning of attacks; preserved evidence in case logs are cleaned out |
| Prioritize the services you provide and eliminate all unnecessary services/accounts (e.g., do you really need to get mail on workstations, or have the "test1" account lying around from 1996?) | Medium | Low | High | You minimize potential points of intrusion and leaked information |
| Do backups (i.e., be prepared to get full image snapshots of any system) | Medium | Medium | High | You are able to recover faster and assist investigation/prosecution |
| Learn how to use trinux | High | Low | High | Easy-to-use network monitoring / audit / penetration testing toolkit; very handy for investigating incidents and gathering evidence |
| Run "tripwire" or other file system integrity checkers (on Red Hat Linux use rpm -Vp against original packages, not the local RPM database) | High | Low | High | Gives you a "heads up" when root is compromised |
| Run scripts to check for IRC bots, "+" in .rhosts, etc. | Medium | Low | Medium | Gives you a "heads up" when accounts are compromised |
| Audit your network (e.g., with "nmap") to see what new systems/services show up | Medium | Medium | Medium | Better knowledge of potential threats from neighbors |
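As an added example (not from the original page), here is a small POSIX shell script implementing the "+ in .rhosts" check from the table: it walks a home-directory tree, flags any .rhosts file whose host or user field is the wildcard "+", and reports it. The home directories and their .rhosts contents are constructed sample data built in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: an audit in the spirit of
# "run scripts to check for '+' in .rhosts". A '+' in the host or user
# field of ~/.rhosts lets any host (or any user) log in via rsh/rlogin
# without a password, so such entries deserve an immediate look.

# check_rhosts <homes_root>
# Prints a WARNING line per .rhosts file containing a wildcard field.
# Returns 0 if none were found, 1 otherwise.
check_rhosts() {
    homes="$1"
    bad=0
    for f in "$homes"/*/.rhosts; do
        [ -f "$f" ] || continue
        # Drop comments, then flag any line whose host or user field is exactly "+".
        if sed 's/#.*//' "$f" | awk '$1 == "+" || $2 == "+" { hit = 1 } END { exit hit ? 0 : 1 }'; then
            echo "WARNING: wildcard trust in $f"
            bad=1
        fi
    done
    return $bad
}

# make_sample_homes
# Builds a constructed home-directory tree (sample data, not real accounts)
# in a temporary directory and prints its path.
make_sample_homes() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob" "$d/carol"
    printf 'trusted.example.com alice\n' > "$d/alice/.rhosts"            # explicit host and user: acceptable
    printf '+ +\n' > "$d/bob/.rhosts"                                     # any host, any user: dangerous
    printf '# legacy entry\nhost.example.com +\n' > "$d/carol/.rhosts"    # any user from one host: dangerous
    echo "$d"
}

# Demonstration run against the constructed tree.
sample=$(make_sample_homes)
if check_rhosts "$sample"; then
    echo "no wildcard .rhosts entries found under $sample"
else
    echo "remove the '+' entries in the files listed above"
fi
rm -rf "$sample"
```

Point check_rhosts at the real home directory root (e.g., /home) and run it from cron to get the same "heads up" for live accounts.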

Many of these tasks and tools are covered in:

Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Thu Apr 8 11:50:05 1999