Educause Security Discussion mailing list archives
Re: Securing a public/open linux shell server
From: Will Froning <will.froning () GMAIL COM>
Date: Mon, 8 Jul 2013 23:05:53 +0400
Not trying to start a war, but does it HAVE to be a linux box? OpenBSD comes very hardened out of the box. Or if you really want it to be linux, debian is the best of the bunch for that kind of thing.

The other reason I'm kinda voting for debian/OpenBSD is the default install is very minimal. This immediately limits the amount of things you have to worry about hardening. Then you selectively choose which programs the students need. It's MUCH easier going from a very basic OS up to something usable versus going from everything installed down to something hardened.

Also install OSSEC and puppet/chef/salt/ansible to watch and fix when things go wrong.

As for not installing compilers, I don't really see that as useful. It will limit you more than the users. If they want to abuse your system, they will just copy over a compiler or a prebuilt binary.

HTH,
Will

On July 8, 2013 at 10:50:36 PM, Harry Hoffman (hhoffman () ip-solutions net) wrote:

Hi Kevin,

Depending upon what your goal is you may want to enable selinux. To go a step further you may want to switch from a targeted policy to mls.

If you're not familiar with the different policies this will give you an overview: https://fedoraproject.org/wiki/SELinux/Policies

Cheers,
Harry

On 07/08/2013 01:43 PM, Lisciotti, Kevin wrote:

Does anyone have experience in setting up and securing a public/open linux shell server? This would be like the free shell servers you see listed on the Internet, such as arbornet.org or cyberspace.org. It could also be shell servers that you have at your institution used by students, faculty, vendors etc.

What I'm looking for is a checklist or how-to specifically geared towards a Red Hat / CentOS based linux system. I know a lot of the standard OS security stuff, but would like more advanced information from someone who may have done something like this. Also, could you elaborate on issues you may have run into, and how you remediated them if possible?

At the moment, I don't have any specific services in mind that would be offered from the shell. I know it would be helpful to know what services would be offered, but I'm looking more for baseline security steps that I can take in securing the server.

Some ideas of things I'm looking for…

* Implementing disk quotas
* Limiting number of user processes
* Limiting suid binaries
* Installing minimum number of packages
* Limiting/blocking outbound connectivity
* Network isolation
* Chroot users to home directory
* Restricting access to binaries
* Updating the system as often as possible
* Don't install compilers or development tools

I know I'm asking for a lot, but hopefully this gives you some ideas as to what I'm looking to achieve.

Thanks,

:: Kevin Lisciotti, Senior Systems Specialist, RHCE, RHCSA
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office
:: 774-455-7761 Office
:: 774-455-7733 Fax
:: klisciotti () umassp edu

University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA 01545 : www.massachusetts.edu
--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
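
Two items from the checklist quoted in this message (limiting suid binaries, limiting the number of user processes) can be checked mechanically on a shell host. The script below is an added example, not code from any poster in the thread; the fixture tree, the `@students` group and the allowlist entry are constructed, and it assumes process limits are set in a pam_limits `limits.conf`-style file.

```shell
#!/bin/sh
# Added example (not from the thread). Fixture paths, the "@students" group and
# the allowlist entry are constructed for illustration.

# Print setuid/setgid regular files under $1 that are not in allowlist file $2.
unexpected_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sort | grep -vxF -f "$2" || true
}

# Print the hard nproc limit a limits.conf-style file $1 sets for domain $2.
# A type of "-" sets both soft and hard; prints nothing if no rule matches.
nproc_hard_limit() {
    awk -v dom="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == dom && ($2 == "hard" || $2 == "-") && $3 == "nproc" { val = $4 }
        END { if (val != "") print val }' "$1"
}

# Build a throwaway tree standing in for a real host; echo its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/home/alice"
    : > "$d/usr/bin/passwd";  chmod 4755 "$d/usr/bin/passwd"   # expected setuid
    : > "$d/home/alice/sh";   chmod 4755 "$d/home/alice/sh"    # unexpected setuid
    : > "$d/usr/bin/ls";      chmod 0755 "$d/usr/bin/ls"
    printf '%s\n' "$d/usr/bin/passwd" > "$d/suid.allow"
    printf '%s\n' '# constructed limits.conf' '*  soft  nproc  200' \
        '@students  hard  nproc  100' > "$d/limits.conf"
    echo "$d"
}

fx=$(make_fixture)
echo "Unexpected setuid/setgid files:"; unexpected_suid "$fx" "$fx/suid.allow"
echo "nproc hard limit for @students: $(nproc_hard_limit "$fx/limits.conf" @students)"
rm -rf "$fx"
```

On a real host the first argument to `unexpected_suid` would be `/` and the allowlist would be generated once from a freshly installed system, so anything a user drops into a home directory later shows up as a difference.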