[CentOS] Another Fedora decision

Tue Feb 3 01:58:54 UTC 2015
Always Learning <centos at u64.u22.net>

On Tue, 2015-02-03 at 11:57 +1100, Kahlil Hodgson wrote:

> One important group is new
> users with limited experience and knowledge about security.  This is
> an important group to protect.

> It is important for all of us to encourage (and discuss)
> good security practices, as well as discourage (and refute) poor
> practices. Ultimately, this make our community a safer place.

Perhaps a topic for the Centos Wiki entitled Basic Security on Your New
Machine ?

> The root password is close to, if not actually, our last line of
> defense (SELinux helps us here by the way).

Surely the whole idea is to prevent nasty things getting in. 

Disable FTP.  Change SSH ports.  Restrict access to sensitive parts from
known IPs.  Run Logwatch or similar (and amend the reports
using /etc/logwatch ...).  Read the logs.  Allocate file and directory
permissions to users lacking any log-on ability.

There is a lot that can be done. 

>  Using a one character
> password is problematic if you are connected to the internet, for
> example, if you are _testing_ the OS and want to run updates after the
> install.

But if one is doing things on a isolated machine unconnected to anything
why the password aggro ?  Best never to speculate when attempting to
justify a hash and arrogant policy of DO WHAT RHEL DEMANDS.  I prefer a
clear warning and then let the user make an informed choice. After their
first hacking they will not make a similar mistake again.

>  This is problematic since, by default, new installs typically
> allows SSH access and root logins over SSH.

Then block it as part of the installation process and let the user open
what they think they need.  Not use if you are correct about SSH. Root
usually (if I remember correctly) needs to be permitted.

>  Yes, firewalls help, but
> they need to be configured correctly, and there are subtle tricks that
> sophisticated attackers can exploit to subvert poorly configured
> firewalls.

Again another opportunity for a good Centos Wiki article. A basic
firewall setup. Then a series of examples: to achieve this, do that.
Obviously good and clear explanations are needed to enable impeccable
understanding of the firewall logic.

Yes help the new users. Perhaps even a Centos NewUsers list devoid of
all the more technical things. It could cater for single machine users.

>  If you really want to do this, I'd suggest running your
> test system in some kind of DMZ to prevent any exploit cascading into
> the rest of your network.

Not really sure what a (USA military) DMZ looks like.  Security has
always been my highest priority. "When in doubt, lock 'em out" is my
motto. 

>   It may just be easier to pick a "good" but
> easy to type root password that you use for all your test machines.
> Also, its a good idea to make sure you always turn off your test
> machines when not in use, and to disable them once you are finished
> testing (so they can't be accidentally turned on in the future).

Unnecessary in my working environment. I write and test virtually even
day, 7 days a week. No machine, test or production, has unrestricted
access to/from the Internet. Unused ports are blocked. Unused
applications are removed or disabled. SSH is allowed from only 3 IPs.
Instant IP blocking for suspicious activity has been a basic component
for the last 3 or 4 years, or longer. It was the first security
enhancement I programmed.

To save electricity equipment is turned-off when not in use. 

-- 
Regards,

Paul.
England, EU.      Je suis Charlie.