Re: Securing a public/open linux shell server

["Lisciotti, Kevin" <klisciotti () UMASSP EDU>]

Thanks to those who have already responded with their ideas, good things
to look into implementing.

Will, to answer your question I'm certified on RHEL and most comfortable
in that environment. I have used Debian/Ubuntu in the past but just can't
get used to the Debian way of doing things :) As for a BSD, never used
them and not familiar with the OS.

Anyway, you can do a pretty minimal install with RHEL nowadays so that's
not really an issue. I'm just looking for real world experience in
securing an open linux shell server. There's plenty of them on the
Internet (linux, and 'BSD based), so people obviously make this work :)

Thanks,


:: Kevin Lisciotti, Senior Systems Specialist, RHCE, RHCSA
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office
:: 774-455-7761 Office
:: 774-455-7733 Fax
:: klisciotti () umassp edu

University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/>






On 7/8/13 3:05 PM, "Will Froning" <will.froning () gmail com> wrote:

> Not trying to start a war, but does it HAVE to be a linux box? OpenBSD
> comes very hardened out of the box. Or if you really want it to be linux,
> debian is the best of the bunch for that kind of thing.
>
> The other reason I'm kinda voting for debian/OpenBSD is the default
> install is very minimal. This immediately limits the amount of things you
> have to worry about hardening. Then you selectively choose which programs
> the students need. It's MUCH easier going from a very basic OS up to
> something usable versus going from everything installed down to something
> hardened.
>
> Also install OSSEC and puppet/chef/salt/ansible to watch and fix when
> things go wrong.
>
> As for not installing compilers, I don't really see that as useful. It
> will limit you more than the users. If they want to abuse your system,
> they will just copy over a compiler or a prebuilt binary.
>
> HTH,
> Will
> On July 8, 2013 at 10:50:36 PM, Harry Hoffman (hhoffman () ip-solutions net)
> wrote:
>
> Hi Kevin,  
>
> Depending upon what your goal is you may want to enable selinux. To go a
> step further you may want to switch from a targeted policy to mls.
>
> If you're not familiar with the different policies this will give you a
> overview:  
>
> https://fedoraproject.org/wiki/SELinux/Policies
>
> Cheers,  
> Harry  
>
>
> On 07/08/2013 01:43 PM, Lisciotti, Kevin wrote:
> > Does anyone have experience in setting up and securing a public/open
> > linux shell server? This would be like the free shell servers you see
> > listed on the Internet, such as arbornet.org or cyberspace.org. It could
> > also be shell servers that you have at your institution used by
> > students, faculty, vendors etc.
> >  
> > What I'm looking for is a checklist or how-to specifically geared
> > towards a Red Hat / CentOS based linux system. I know a lot of the
> > standard OS security stuff, but would like more advanced information
> > from someone who may have done something like this. Also, could you
> > elaborate on issues you may have run into, and how you remediated them
> > if possible?  
> >  
> > At the moment, I don't have any specific services in mind that would be
> > offered from the shell. I know it would be helpful to know what services
> > would be offered, but I'm looking more for baseline security steps that
> > I can take in securing the server.
> >  
> > Some ideas of things I'm looking forŠ
> >  
> > * Implementing disk quotas
> > * Limiting number of user processes
> > * Limiting suid binaries
> > * Installing minimum number of packages
> > * Limiting/blocking outbound connectivity
> > * Network isolation
> > * Chroot users to home directory
> > * Restricting access to binaries
> > * Updating the system as often as possible
> > * Don't install compilers or development tools
> >  
> > I know I'm asking for a lot, but hopefully this gives you some ideas as
> > to what I'm looking to achieve.
> >  
> > Thanks,  
> >  
> > [cid:11485124-2204-4E24-B37B-86ED3EB288EC]
> >  
> > :: Kevin Lisciotti, Senior Systems Specialist, RHCE, RHCSA
> > :: University Information Technology Services (UITS)
> > :: University of Massachusetts President's Office
> >  
> > :: 774-455-7761 Office
> > :: 774-455-7733 Fax
> > :: klisciotti () umassp edu<mailto:klisciotti () umassp edu>
> >  
> > University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury,
> > MA 01545 : www.massachusetts.edu<http://www.massachusetts.edu/>
> >  
> >  
> >  
> -- 
> Will Froning
> Unix SysAdmin
> Will.Froning () GMail com
> MSN: wfroning () angui sh
> YIM: will_froning
> AIM: willfroning