A procedure is always useful, since it lets you see the entire hardening process and helps you make decisions. One possible approach to such a procedure for Debian 2.2 GNU/Linux is shown below. This is a post-installation procedure; for a checklist of measures to be taken, step by step, during configuration, see Configuration checklist, Appendix B. Also, this procedure is (for the moment) oriented more towards the hardening of network services.
dselect and remove unneeded but selected packages before doing [I]nstall. Leave the bare minimum of software on the server.
$ ps -aux
$ netstat -pn -l -A inet
$ /usr/sbin/lsof -i | grep LISTEN

You will need to install lsof-2.2 for the second command to work (run it as root).
#!/bin/sh
# FIXME: this is quick and dirty; replace with a more robust script snippet
# For every command that owns a LISTEN socket, report the package that
# installed it and the init.d script (if any) that starts it.
for i in `sudo lsof -i | grep LISTEN | cut -d " " -f 1 | sort -u`; do
    pack=`dpkg -S "$i" | grep bin | cut -f 1 -d : | uniq`
    echo "Service $i is installed by $pack"
    init=`dpkg -L $pack | grep init.d/`
    if [ ! -z "$init" ]; then
        echo "and is run by $init"
    fi
done
dpkg --purge) or, if useful but should not be enabled on startup, use update-rc.d in order to remove them from the system startup.
$ grep -v "^#" /etc/inetd.conf | sort -u
and disable those not needed by commenting out the line that includes them, removing the package, or using
/usr/sbin/tcpd) check that the /etc/hosts.deny are configured according to your service policy.
$ init 1    # single-user mode (runlevel 1); runlevel 0 would halt the system
(....)
$ init 2    # back to multi-user mode
$ for i in `/usr/sbin/lsof -i | grep LISTEN | cut -d " " -f 1 | sort -u`; do
>     user=`ps -ef | grep "$i" | grep -v grep | cut -f 1 -d " "`
>     echo "Service $i is running as user $user"
> done
and consider changing these services to a given user/group and maybe also
chrooting them for increased security. You can do this by changing the
/etc/init.d scripts which start the service. Most services in Debian are
started with start-stop-daemon, so you can use its --change-uid option and
its --chroot option to set up those services. Chrooting services is beyond
the scope of this document, but a word of warning is necessary: you may need
to copy into the chrooted environment all the files installed by the service
package (list them with dpkg -L) and by the packages it depends on.
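The two lsof loops above (mapping listeners to packages, and checking which user each listener runs as) are fragile because they cut fixed columns and grep for the word LISTEN anywhere on the line. The following script is an added example, not code from the manual: it parses a constructed sample of lsof -i output with awk field tests, so it runs offline, and the package_of helper is a hypothetical addition for use on a live Debian system (it needs dpkg and the listener's binary in $PATH).

```shell
#!/bin/sh
# Added example (not from the manual): parse captured `lsof -i` output and
# report, per listening command, the user it runs as and the port it listens
# on. Uses awk field tests instead of cut/grep, so column widths and the word
# LISTEN appearing elsewhere on a line do not matter.

# Constructed sample of `lsof -i` output (lsof 4.x column layout).
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412  root    3u  IPv4   1234       TCP *:22 (LISTEN)
inetd     380  root    4u  IPv4   1201       TCP *:21 (LISTEN)
inetd     380  root    5u  IPv4   1202       TCP *:23 (LISTEN)
exim      455  mail    5u  IPv4   1301       TCP 127.0.0.1:25 (LISTEN)
portmap   300  daemon  3u  IPv4   1100       UDP *:111
sshd      990  root    4u  IPv4   2001       TCP 192.0.2.10:22->198.51.100.7:4022 (ESTABLISHED)'

# listeners LSOF_OUTPUT: print "command user port" for every LISTEN socket,
# one line per distinct triple, sorted.
listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "(LISTEN)" {
            n = split($(NF - 1), addr, ":")   # "*:22", "[::]:22", "127.0.0.1:25"
            print $1, $3, addr[n]
        }' | sort -u
}

# root_listeners LSOF_OUTPUT: commands listening as root, i.e. the candidates
# for running under a dedicated user (start-stop-daemon) or in a chroot.
root_listeners() {
    listeners "$1" | awk '$2 == "root" { print $1 }' | sort -u
}

# package_of COMMAND: on a live Debian system, the package owning the binary
# (hypothetical helper; needs dpkg and the command in $PATH, run as root).
package_of() {
    path=$(command -v "$1") || return 1
    dpkg -S "$path" 2>/dev/null | cut -d: -f1 | sort -u
}

# Offline demonstration on the constructed sample; on a real system replace
# "$SAMPLE_LSOF" with "$(/usr/sbin/lsof -i)".
listeners "$SAMPLE_LSOF"
root_listeners "$SAMPLE_LSOF" | while read -r cmd; do
    echo "$cmd listens as root (package: $(package_of "$cmd" || echo unknown))"
done
```

Every command that listeners reports as root is a candidate for the user/group change or chroot described above; inetd shows up once per wrapped port, so the same daemon may need to be checked only once.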
nessus) in order to determine vulnerabilities in the system (misconfigurations, old services or unneeded services).
For the truly paranoid, consider also the following:
FIXME: this procedure considers service hardening but not system hardening at the user level; include information regarding checking user permissions, setuid files and freezing changes in the system using the ext2 filesystem.