In continuing with my series (started here)…
Then: #6: User Accounts and Strong Password Policy
Do I agree? Definitely. However, the concept of “strong password policy” has changed a lot. I’ve touched on it before, but I’ll say it again: I do not believe in “randomized” passwords. You know, the passwords that look like you just mashed a bunch of keys together.
I had a debate with a friend not too long ago on this. Especially with crackers (e.g., hashcat) that brute-force over raw bytes instead of ASCII character sets, even throwing in UTF-8 or other characters outside the 0-127 decimal range still leaves you inside their search space. The easiest answer to this is to enforce the use of spaces, and use phrases.
Brute forcers check against random strings. While phrases are just that, they’re not typically going to have weird characters like @ or $. Dictionary attacks typically assume the passphrase contains only one dictionary word, and even when they don’t, they have to run through the entire dictionary n times, once for each of the n words in the phrase.
Then: #7: Disable root Login
If you’re using root for anything you’re not sysadmining properly. There is a reason sudo was created, which means there’s no reason for you to log in as administrator.
Then: #8: Physical Server Security
Let me explain. Yes, physical server security is extremely important. However, going as far as “all production boxes must be locked in IDCs (Internet Data Center) and all persons must pass some sort of security checks before accessing your server” is a bit of a stretch. Call me silly, but I don’t really know what an IDC is (same as a regular data center?), but having all of your employees go through a security background check prior to working on the server should only be for the extreme cases (e.g., medical record storage).
Then: #9: Disable Unwanted Services
This really seems to be redundant with #2 & #3, but at this stage you shouldn’t have to worry about unwanted services. Especially if you make your own images and/or repos.
Then: #10: Delete X Windows
Even though I have BackTrack running on my home server, there’s really no reason to have Xorg running. Again, this goes more in line with #2/#3/#9, but as I’m addressing each suggestion, I’m making this a point to address.