Quote:
Originally posted by skoalman
Yea disable every service known and pray that your kernel is secure and your router and firewall are updated. I've gotten around many "secure" servers because they didn't keep their routers and firewalls updated.

Enable PaX with memory page segmentation and randomization, role-based access control and some strong ACL system (kernel and fs based), and then watch how funny it is when someone becomes root on the server and then can do nothing.

And don't forget to compile all your distro by hand and strip all the binaries.
Also, if you want more security, put all the services in chroot (best option is one service per server)... and don't just copy all the system into the chroot, only the needed libraries... apache does not need a bash shell in order to run in its sandbox.
Of course, this will do nothing if you open every possible service around and set your root password to something easy to guess. So configure your firewall properly, blocking all inbound SYN packets except for the ports where you will offer some service and all outbound packets (any traffic) except for the ports your services will use. You will get some headaches configuring FTP services using these firewall rules... but it's not a very big problem.
This concept has been tested for over 5 years with IronBox Linux on an open-for-hacking shell access server (they were able to start a shell session on the box) and no one has been able to escalate privileges.
It's not only the firewall, it's the entire system. Usually firewalls are the most useless part of security because they could always be bypassed using one method or another. It's not easy and takes some time to bypass a firewall, but it's still possible and not difficult enough to stop a not very novice hacker.
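
The firewall policy described in the post above (drop by default, accept inbound SYN only on served ports, let out only traffic from those ports), sketched as an added example that is not part of the original post. The function name `gen_rules` and the sample ports 22, 80 and 443 are assumptions made for illustration; the output is in `iptables-restore` format.

```shell
#!/bin/sh
# Added example: emit a default-deny iptables-restore ruleset for a list of
# served TCP ports. gen_rules and the sample ports below are hypothetical.

# gen_rules PORT... : print the filter table, or fail without output on a bad port.
gen_rules() {
    for p in "$@"; do
        case "$p" in
            # Reject empty, non-numeric, leading-zero and over-long values.
            ''|*[!0-9]*|0*|??????*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done

    echo '*filter'
    # Default policy: drop everything not explicitly allowed, both directions.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback stays open so local services can talk to each other.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    for p in "$@"; do
        # Inbound: a new connection (SYN) is accepted only on a served port.
        echo "-A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
        # Inbound: later packets must belong to an already tracked connection.
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate ESTABLISHED -j ACCEPT"
        # Outbound: only replies leaving from the served port. The box cannot
        # open connections of its own, which is why FTP data channels on
        # other ports do not fit these rules without extra work.
        echo "-A OUTPUT -p tcp --sport $p -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample: SSH, HTTP and HTTPS. Prints the ruleset only.
gen_rules 22 80 443
```

The script only prints rules; checking the output with `iptables-restore --test` before loading it avoids locking yourself out of a remote box.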