Routinely examine your inetd configuration file
and startup files.
If your standard software does not offer this level of control,
consider installing the tcpwrapper program to
better regulate and log access to your servers. Then contact your
vendor and ask when equivalent functionality will be provided as a
standard feature in the vendor's systems.
Disable any unneeded network services.
Disable any services that provide nonessential information to
outsiders that might enable them to gather information about your
systems.
Run a host-based, packet-filtering firewall on every system.
Make sure that your version of the ftpd program
is up-to-date.
If you support anonymous FTP, don't have a copy of
your real /etc/passwd as an
~ftp/etc/passwd.
Make sure that /etc/ftpusers contains at least
the account names root,
uucp, and bin. The file
should also contain the name of any other account that does not
belong to an actual human being.
Frequently scan the files in your ftp account
and determine their usage.
Make sure that all directory permissions and ownership on your
ftp account are set correctly.
If your software allows, configure any
"incoming" directories so that
files dropped off cannot then be downloaded again without operator
intervention. (If your software doesn't allow this,
consider changing to software that does.)
Make sure that your sendmail program will not
deliver mail directly to a file.
Make sure that your sendmail program does not
have a wizard's password set in the configuration
file.
Limit the number of "trusted users"
in your sendmail.cf file.
Make sure that your version of the sendmail
program does not support the debug,
wiz, or kill
commands.
Delete the "decode" alias in your
aliases file. Examine carefully any other alias
that delivers to a program or file.
Make sure that your version of the sendmail
program is up to date, with all published patches in place.
Make sure that the aliases file cannot be
altered by unauthorized individuals.
Consider replacing sendmail with
smap, postfix, or another
more tractable network agent.
Have an alias for every non-user account so that mail to any valid
address is delivered to a person and not to an unmonitored mailbox.
Consider disabling SMTP commands such as VRFY
and EXPN with settings in your
sendmail configuration. Enable authentication
warnings.
Limit DNS zone transfers to authorized servers.
Configure your nameserver to refuse to perform recursive queries for
outsiders.
Make sure that you are running the latest version of the nameserver
software (e.g., bind) with all patches applied.
Make sure that all files used by the nameserver software are properly
protected against tampering, and perhaps against reading by
unauthorized users.
Run the nameserver daemon as a non-root user and
in a chroot jail environment.
Use IP addresses instead of domain names in places where this
practice makes sense.
Make sure that TFTP access, if enabled, is limited to a single
directory containing boot files.
Tell your users about the information that the
finger program makes available on the network.
Make sure that your finger program is more
recent than November 5, 1988.
Disable or replace the finger service with
something that provides less information.
Read a book on web server security.
If you are using POP or IMAP, configure your system to use APOP or
Kerberos for authentication. Provide POP and IMAP over SSL TLS.
Disable the RPC portmapper or restrict access to
it.
Consider running the
authd/identd daemon for all machines
in the local net. Use a version that returns encrypted identifiers.
Configure your NNTP server to restrict who can post articles or
transfer Usenet news. Make sure that you have the most recent version
of the software.
Consider establishing a (secure) NTP connection to keep your clocks
in synch.
Uninstall or disable SNMP. If you must use it, block SNMP connections
from outside your organization.
Disable rexec, rlogin, and
rsh. Use SSH instead.
Routinely scan your system for suspicious
.rhosts files. Make sure that all existing
.rhosts files are set to mode 600.
Consider not allowing users to have .rhosts
files on your system.
If you have a plus sign (+) in your
/etc/hosts.equiv file, remove it.
Do not place usernames in your /etc/hosts.equiv
file.
Restrict access to your printing software via the
/etc/hosts.lpd file.
Make your list of trusted hosts as small as possible.
"None" is an ideal size.
Block incoming RIP packets; use static routes where possible and
practical.
Set up your logindevperm or
fbtab files to restrict permissions on frame
buffers and devices, if this is possible on your system.
If your X11 Server blocks on null connections, get an updated
version.
Enable the best X11 authentication possible in your configuration
(e.g., Kerberos, Secure RPC, "magic
cookies") instead of using
xhost. Alternatively, tunnel X11 connections
through SSH.
Disable the rexd RPC service.
Be very cautious about installing MUDs, IRCs, or other servers.
Scan your network connections regularly with
netstat, lsof,
and nmap.
Scan your network with tools such as Nesuss and ISS to determine if
you have uncorrected vulnerabilities—before an attacker does
the same.
Re-evaluate why you are connected to the network at all, and
disconnect machines that do not really need to be
connected.
