Re: Securing a public/open linux shell server

[Will Froning <will.froning () GMAIL COM>]

Not trying to start a war, but does it HAVE to be a linux box? OpenBSD comes very hardened out of the box. Or if you 
really want it to be linux, debian is the best of the bunch for that kind of thing.

The other reason I'm kinda voting for debian/OpenBSD is the default install is very minimal. This immediately limits 
the amount of things you have to worry about hardening. Then you selectively choose which programs the students need. 
It's MUCH easier going from a very basic OS up to something usable versus going from everything installed down to 
something hardened.

Also install OSSEC and puppet/chef/salt/ansible to watch and fix when things go wrong.

As for not installing compilers, I don't really see that as useful. It will limit you more than the users. If they want 
to abuse your system, they will just copy over a compiler or a prebuilt binary. 

HTH,
Will
On July 8, 2013 at 10:50:36 PM, Harry Hoffman (hhoffman () ip-solutions net) wrote:

Hi Kevin,  

Depending upon what your goal is you may want to enable selinux. To go a  
step further you may want to switch from a targeted policy to mls.  

If you're not familiar with the different policies this will give you a  
overview:  

https://fedoraproject.org/wiki/SELinux/Policies  

Cheers,  
Harry  


On 07/08/2013 01:43 PM, Lisciotti, Kevin wrote:  
> Does anyone have experience in setting up and securing a public/open linux shell server? This would be like the free 
> shell servers you see listed on the Internet, such as arbornet.org or cyberspace.org. It could also be shell servers 
> that you have at your institution used by students, faculty, vendors etc.  
>  
> What I'm looking for is a checklist or how-to specifically geared towards a Red Hat / CentOS based linux system. I 
> know a lot of the standard OS security stuff, but would like more advanced information from someone who may have done 
> something like this. Also, could you elaborate on issues you may have run into, and how you remediated them if 
> possible?  
>  
> At the moment, I don't have any specific services in mind that would be offered from the shell. I know it would be 
> helpful to know what services would be offered, but I'm looking more for baseline security steps that I can take in 
> securing the server.  
>  
> Some ideas of things I'm looking for…  
>  
> * Implementing disk quotas  
> * Limiting number of user processes  
> * Limiting suid binaries  
> * Installing minimum number of packages  
> * Limiting/blocking outbound connectivity  
> * Network isolation  
> * Chroot users to home directory  
> * Restricting access to binaries  
> * Updating the system as often as possible  
> * Don't install compilers or development tools  
>  
> I know I'm asking for a lot, but hopefully this gives you some ideas as to what I'm looking to achieve.  
>  
> Thanks,  
>  
> [cid:11485124-2204-4E24-B37B-86ED3EB288EC]  
>  
> :: Kevin Lisciotti, Senior Systems Specialist, RHCE, RHCSA  
> :: University Information Technology Services (UITS)  
> :: University of Massachusetts President's Office  
>  
> :: 774-455-7761 Office  
> :: 774-455-7733 Fax  
> :: klisciotti () umassp edu<mailto:klisciotti () umassp edu>  
>  
> University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA 01545 : 
> www.massachusetts.edu<http://www.massachusetts.edu/>  
>  
>  
>  
-- 
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning