Harden a Linux Machine
harden-your-boxen.txt
Scrappy Notes for Newbs trying to Harden a Linux Machine
- (this is a work in progress)
Tell MySQL server not to listen for outside connections if you are only using it for the localhost. Add the following parameter to the /etc/mysql/my.cnf file under [mysqld]
skip-networking
If you are not using the machine as a pop mail server, disable the pop3 xinetd service
vi /etc/xinetd.d/ipop3
Disable portmapper
/etc/rc.d/rc3.d
If you are running Samba tell it not to listen on the public interface. Under the [Global] section of /etc/samba/smb.conf add:
interfaces = ethX
Where X is the interface of your internal NIC.
If LDAP is running and you are not using directory services then disable it
S61ldap
Check your box to see what all ports are listening (check it from another machine by scanning it with nmap)
nmap -v -sS -p0- 10.10.0.1
You might have to specify the port range depending on your version.
nmap -v -sS -p 1-65535 10.10.0.1
The -p is for 'prots' and 0- means starting at zero scan all 65536
If you are using mod_php with Apache, you should disable php register_globals which was enabled by default on many version of PHP.
vi php.ini register_globals = Off