Educause Security Discussion mailing list archives

Re: Securing a public/open linux shell server


From: Jason Gates <jasongates () SOUTHERN EDU>
Date: Mon, 8 Jul 2013 18:19:40 +0000

Some ideas off the top of my head:
restricting tcp port forwarding in ssh (AllowTCPForwarding No)
restricting sftp? (bringing in their own binaries)
restricting daemons? (processes in bg)
information disclosures via cmds (last, w, etc)
restrict "write" cmd (spam messages from other users)
mount /tmp with noexec, nosuid etc.




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lisciotti, Kevin
Sent: Monday, July 08, 2013 1:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Securing a public/open linux shell server

Does anyone have experience in setting up and securing a public/open linux
shell server? This would be like the free shell servers you see listed on
the Internet, such as arbornet.org or cyberspace.org. It could also be shell
servers that you have at your institution used by students, faculty, vendors
etc.

What I'm looking for is a checklist or how-to specifically geared towards a
Red Hat / CentOS based linux system. I know a lot of the standard OS
security stuff, but would like more advanced information from someone who
may have done something like this. Also, could you elaborate on issues you
may have run into, and how you remediated them if possible?

At the moment, I don't have any specific services in mind that would be
offered from the shell. I know it would be helpful to know what services
would be offered, but I'm looking more for baseline security steps that I
can take in securing the server.

Some ideas of things I'm looking for.

*       Implementing disk quotas
*       Limiting number of user processes
*       Limiting suid binaries
*       Installing minimum number of packages
*       Limiting/blocking outbound connectivity
*       Network isolation
*       Chroot users to home directory
*       Restricting access to binaries
*       Updating the system as often as possible
*       Don't install compilers or development tools

I know I'm asking for a lot, but hopefully this gives you some ideas as to
what I'm looking to achieve.

Thanks,



:: Kevin Lisciotti, Senior Systems Specialist, RHCE, RHCSA
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office

:: 774-455-7761 Office
:: 774-455-7733 Fax
:: klisciotti () umassp edu

University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 
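
A check for two of the items suggested in the reply above (AllowTCPForwarding and the /tmp mount options), as an added example that is not part of the original thread. The function names `sshd_tcp_forwarding` and `tmp_missing_opts` and both sample inputs are constructed for illustration; the sshd check reads only the global section of the configuration, before the first Match block.

```shell
#!/bin/sh
# Added example: audit helpers for a shared shell host. Both read stdin.

# Print the effective global AllowTcpForwarding value.
# sshd keywords are case-insensitive, the first occurrence wins, and the
# default is "yes" when the keyword is absent.
# Assumption: Match blocks are not evaluated, only the global section.
sshd_tcp_forwarding() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# Print which of noexec/nosuid are missing on the mount point given as $1
# (default /tmp), from /proc/mounts-format input. Prints "not-a-mount" when
# the path has no entry of its own and so inherits the parent's options.
tmp_missing_opts() {
    awk -v mp="${1:-/tmp}" -v want="noexec nosuid" '
        $2 == mp { opts = "," $4 ","; seen = 1 }  # last entry is the visible one
        END {
            if (!seen) { print "not-a-mount"; exit }
            n = split(want, w, " "); out = ""
            for (i = 1; i <= n; i++)
                if (index(opts, "," w[i] ",") == 0) out = out (out ? " " : "") w[i]
            print out
        }
    '
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD='# constructed sshd_config fragment
Port 22
allowtcpforwarding no
AllowTcpForwarding yes
Match Group staff
    AllowTcpForwarding yes'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

echo "AllowTcpForwarding (global): $(printf '%s\n' "$SAMPLE_SSHD" | sshd_tcp_forwarding)"
echo "/tmp missing options: $(printf '%s\n' "$SAMPLE_MOUNTS" | tmp_missing_opts /tmp)"
```

On a live host the same functions can be fed real data, for example `sshd -T | sshd_tcp_forwarding` (as root) and `tmp_missing_opts /tmp < /proc/mounts`.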

