[CentOS] Unknown rootkit causes compromised servers

Tue Jan 29 03:36:03 UTC 2008
Jim Perrin <jperrin at gmail.com>

Along the lines of staying safe, now is probably a good time to check
your password policies.

1. Don't allow root access to ssh. (modify /etc/ssh/sshd_config)
2. Restrict root logins to only the local machine. (modify /etc/securetty)
3. Limit users with access to 'su' to the wheel group. (use visudo and also modify /etc/pam.d/su)
4. Make sure root is the only one with a uid of 0. ( awk -F: '($3 == "0") {print}' /etc/passwd )
5. Use pam to require strong passwords. (install/use pam_passwdqc, which is part of the base distro; modify /etc/pam.d/system-auth )
6. Use denyhosts or pam_tally2 to restrict login attempts.
7. Use ssh keys.

And above all, because I know many admins slack on this, and I'm
guilty of it as well if it's not forced... ROTATE your passwords
periodically.

The recommended password requirements for root: at least 10 characters
with a mix of upper/lower case, special characters, and numbers.

Discussion, and alternate suggestions welcome.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
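Added example, not part of the original post: a small POSIX sh audit that turns steps 1, 4 and 7 of the list above into repeatable checks. It runs against constructed sample copies of /etc/passwd and sshd_config written to a temp directory (so it works offline); point it at the real files to use it for real. The "yes" default passed for PermitRootLogin is an assumption matching OpenSSH of that era.

```shell
# Added example (not from the original post). Needs only sh, awk, mktemp.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed /etc/passwd sample: "toor" is the kind of extra uid-0
# account that step 4 of the post is meant to catch.
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
jim:x:500:500:Jim:/home/jim:/bin/bash
EOF

# Constructed sshd_config sample: the commented-out "yes" must be ignored.
cat > "$tmp/sshd_config" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

# Step 4: uid-0 accounts other than root (the post's awk plus a name filter).
extra_uid0_accounts() {
    awk -F: '($3 == "0" && $1 != "root") {print $1}' "$1"
}

# Effective value of an sshd_config keyword ($2). sshd honours the first
# uncommented occurrence, so stop at the first match; $3 is the assumed
# compiled-in default used when the keyword is absent from the file.
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Prints one finding per line; an empty output means the checks passed.
audit() {
    passwd="$1"; sshd="$2"
    for u in $(extra_uid0_accounts "$passwd"); do
        echo "FINDING: uid 0 account besides root: $u (step 4)"
    done
    [ "$(sshd_effective "$sshd" PermitRootLogin yes)" = "no" ] ||
        echo "FINDING: PermitRootLogin is not 'no' (step 1)"
    [ "$(sshd_effective "$sshd" PasswordAuthentication yes)" = "no" ] ||
        echo "NOTE: ssh password logins still allowed; step 7 prefers keys"
}

audit "$tmp/passwd" "$tmp/sshd_config"
```

For a live check, run `audit /etc/passwd /etc/ssh/sshd_config` as root; an empty result is the goal.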