I.T. Security and Linux Administration

Jan 31 2013   3:40PM GMT

How Have Security Practices Changed (2009-now)? Part 3

Eric Hansen

Continuations are fun! Part 2 is here: https://itknowledgeexchange.techtarget.com/security-admin/how-have-security-practices-changed-2009-now-part-2/

Then: #11: Configure Iptables and TCPWrappers

Now: Same

Having a firewall properly configured will help both the network and the server be secure. You can perform better load balancing on the server as well as make sure requests going to/from the server are what it expects. However, this should be done once the server is set up properly, as it can cause major headaches if not.

Then: #12: Linux Kernel /etc/sysctl.conf Hardening

Now: Unsure

I’m not an RPM-system person; I prefer deb and I use Arch Linux at times. But I know that on my installs /etc/sysctl.conf never exists.

Then: #13: Separate Disk Partitions

Now: Same

Unless there’s some dire reason not to, this is always a good idea. Being lazy isn’t dire, by the way.

This helps in a few ways. One, it makes backing up information easier (instead of backing up folders on the same partition, you can just back up the entire partition). If you want to set up RAID for /home and /var but not /tmp, this is about the only way I know of to do it safely.

It also makes disk management easier. Need to resize /home without worrying about corrupting data on the / partition? This will let you do it!

Then: #14: Turn Off IPv6

Now: Same

As much as I hate it, and as much as I enjoy using it, IPv6 has no benefits.

There have been reports that disabling IPv6 improves network performance due to lowering the overhead on the networking drivers, but I'm not sure if that’s true now. Whenever I did it, I noticed very little difference anyway.

IPv6 is really like 64-bit processors…unless you have a hardware requirement for it, it’s not going to benefit you any.

The transition to IPv6 is taking forever and, it is safe to say, is almost nullified. There’s nothing natively supporting it that would make it beneficial, and tools like ping6 are there for testing purposes more than “this is why you should have IPv6!”

Then: #15: Disable Unwanted SUID and SGID Binaries

Now: Unsure

I’m not knowledgeable enough about the sticky bits to make a judgement. However, I rarely seem to find an exploit that utilizes these.
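For item #15, one way to find out which set-ID binaries a system actually has before deciding what is unwanted (an added example, not code from the original post): list files with the SUID or SGID bit set and report those missing from an approved baseline. The function name `audit_suid_sgid` and the one-path-per-line baseline format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report SUID/SGID regular files that are not in an approved baseline.
# Baseline format (assumed here): one absolute path per line; blank lines and
# lines starting with '#' are ignored.

audit_suid_sgid() {
    root=$1        # directory tree to scan, e.g. /usr
    baseline=$2    # file listing the set-ID binaries you have reviewed and accepted

    found=$(mktemp) || return 2
    approved=$(mktemp) || { rm -f "$found"; return 2; }

    # -xdev keeps the scan on one filesystem (skips /proc, network mounts, ...).
    # -perm -4000 matches the SUID bit, -perm -2000 matches the SGID bit.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort > "$found"

    # Strip comments and blank lines from the baseline. A missing or empty
    # baseline leaves the approved set empty, so every set-ID file is reported.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$baseline" 2>/dev/null |
        LC_ALL=C sort -u > "$approved"

    # comm -23 prints lines that appear only in the first input:
    # set-ID files present on disk but not approved.
    LC_ALL=C comm -23 "$found" "$approved"

    rm -f "$found" "$approved"
}

# Run directly as: sh audit.sh /usr /etc/suid-baseline.txt  (paths are placeholders)
if [ "$#" -eq 2 ]; then
    audit_suid_sgid "$1" "$2"
fi
```

Anything the audit prints can be reviewed and then either added to the baseline or have its bit cleared with `chmod u-s` or `chmod g-s`.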
