[CentOS-docs] Wiki Edits: HowTos/OS_Protection

Fri Aug 21 20:41:29 UTC 2009
Voyek, William <wvoyek at edmc.edu>

Jim,

Under Pam modifications:

auth        required      pam_tally2.so onerr=fail unlock_time=60 no_magic_root

account     required      pam_tally2.so deny=3  no_magic_root per_user

deny=3 should be in auth. It's not allowed in account.
no_magic_root is not a valid option for pam_tally2, only for pam_tally. The default behavior for pam_tally2 is no_magic_root. You need to supply the magic_root flag to enable the magic_root behavior.

Under Sysctl Security:

The "net.ipv4.icmp_ignore_bogus_error_messages = 1" doesn't appear to be valid, but it's included in the NSA guide, as well as other reputable sources. It's probably best to not include this

While this is technically correct, there is no net.ipv4.icmp_ignore_bogus_error_messages. However, there is net.ipv4.icmp_ignore_bogus_error_responses. That should be the entry in /etc/sysctl.conf.


Thanks,

William

-----Original Message-----
From: centos-docs-bounces at centos.org [mailto:centos-docs-bounces at centos.org] On Behalf Of Jim Perrin
Sent: Friday, August 21, 2009 1:21 PM
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Wiki Edits: HowTos/OS_Protection

On Fri, Aug 21, 2009 at 12:57 PM, Voyek, William<wvoyek at edmc.edu> wrote:
> Hello,
>
>
>
> There are some errors on the HowTos/OS_Protection page on the CentOS wiki. I
> would like to correct the errors.

Sure. What are you seeing as errors though?

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
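
The two corrections in the message above, as an added example that is not part of the original thread or the CentOS wiki: a Python check that flags the pam_tally2 options the message calls out and reports sysctl.conf keys with no matching entry under /proc/sys. Function names and sample text are constructed for illustration, and only the two PAM rules stated in the message are encoded.

```python
import os
import re

# Only the two rules stated in the message above; not a full pam_tally2 option table.
PAM_TALLY_ONLY = {"no_magic_root"}   # accepted by pam_tally, not by pam_tally2
AUTH_ONLY = {"deny"}                 # belongs on the auth line, not account
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: the two lines quoted in the message.
SAMPLE_PAM = """\
auth        required      pam_tally2.so onerr=fail unlock_time=60 no_magic_root
account     required      pam_tally2.so deny=3  no_magic_root per_user
"""

def lint_pam(text):
    """Return (line_no, option, reason) for each flagged pam_tally2.so option."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if not m or os.path.basename(m.group(3)) != "pam_tally2.so":
            continue
        mtype = m.group(1)
        for opt in m.group(4).split():
            name = opt.split("=", 1)[0]
            if name in PAM_TALLY_ONLY:
                findings.append((no, name, "pam_tally option, not valid for pam_tally2"))
            elif name in AUTH_ONLY and mtype != "auth":
                findings.append((no, name, f"only valid on auth, found on {mtype}"))
    return findings

def missing_sysctl_keys(conf_text, proc_sys="/proc/sys"):
    """Return keys from sysctl.conf text that have no file under proc_sys."""
    missing = []
    for raw in conf_text.splitlines():
        line = raw.strip().lstrip("-")
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        # Dotted key maps to a path: net.ipv4.x -> <proc_sys>/net/ipv4/x
        if not os.path.exists(os.path.join(proc_sys, *key.split("."))):
            missing.append(key)
    return missing

if __name__ == "__main__":
    for finding in lint_pam(SAMPLE_PAM):
        print("pam:", finding)
    conf = "net.ipv4.icmp_ignore_bogus_error_messages = 1\n"
    print("sysctl keys not present:", missing_sysctl_keys(conf))
```

The sysctl check only tests for the key's presence on the running kernel, so run it on the same release the configuration targets.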