Thursday, 16 February 2012

Improving ClearOS Server Security


Some suggestions from Tim Burgess for improving the security of your ClearOS Server:

 

1) Create an administration user account so that you rarely use 'root'. Assign it associated permissions for that level

2) Create a strong password policy, expiry time, minimum length

3) Only open incoming ports for the absolute minimum of services, if you want to refine it further only open a port for traffic originating from a single source IP or subnet using the advanced firewall

4) Disable SMTP authentication if you're running a mail server to prevent brute force attacks, ensure that your trusted network ranges are only those on your network

5) Consider adding the Emerging threat rules for virus, trojan, dshield and bot net rules to Snort

6) Ensure all externally exposed web sites / CMS / forum systems are up to date - they are your weakest line of defence

7) Ensure that all folder permissions are correctly locked down on external facing services such as FTP / Web

8) Don't keep mission critical data on your server.

9) A good reliable backup (offsite) that has been tested I consider to be part of your security, so that you can be restored in the event of a hacking attempt.

10) Don't use typical user names such as 'admin', 'test', 'user', 'testuser', 'info'. Your system is only as strong as the weakest password on these types of account. You will limit your exposure to brute force attacks. If you need an email address say info@domain.com then setup an alias instead.

11) Monitor your prevention list from time to time, and make sure you understand the difference between a false positive, and be able to lookup an SID alert at snort.org

12) Enable automatic update, or remember to run 'yum clean all && yum upgrade' periodically to ensure your system is up to date.

13) Don't give your users shell logins unless you have to, restrict your user permissions to the services they only need, such as Proxy / Mail

14) Change SSH to another port by editing /etc/ssh/sshd_config, add another line 'Port 1234' and restart the service 'service sshd restart'.

15) Use encrypted SSH or VPN tunnels to access services behind your ClearOS box - using non standard ports of course

16) Write some custom snort rules to stop people messing with your server! For example, one that blocks people who try and authenticate with restricted usernames on my anonymous FTP server...

17) For mail, enable the AntiMalware policy to quarantine spam above score of 6, so that back scatter spam is limited, and your users' inbox is less full. Spam with a score between 5-6 will go to your user

18) For the paranoid, consider changing the outgoing firewall policy to block, then allow specific destination ports.

19) Only enable security rules on the Intrusion Detection page for services you actually run to improve performance

20) If you're worried about people bypassing your proxy, then disable transparent mode, enable user authentication and use the WPAD automatic configuration to configure clients on your network.

21) Pay for the ClearSDN remote security audit subscription! not to mention the intrusion protection and antimalware updates

 

Quoted from here: http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,25/func,view/id,24301/#24481
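
A check for tip 14, as an added example that is not part of the quoted post: if sshd_config already has an uncommented 'Port 22' line, adding 'Port 1234' makes sshd listen on both ports, so the old port stays exposed. The function names `ssh_ports` and `set_ssh_port` are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the quoted post). Operates on whatever file path it
# is given; run it on a copy first. Function names are hypothetical.

# ssh_ports FILE: print the ports sshd would listen on according to FILE.
# Commented-out lines are ignored; with no Port line sshd defaults to 22.
ssh_ports() {
    awk 'tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# set_ssh_port FILE PORT: make PORT the only listening port in FILE.
set_ssh_port() {
    ssp_cfg=$1 ssp_port=$2
    case $ssp_port in
        ''|*[!0-9]*) echo "invalid port: $ssp_port" >&2; return 1 ;;
    esac
    if [ "$ssp_port" -lt 1 ] || [ "$ssp_port" -gt 65535 ]; then
        echo "port out of range: $ssp_port" >&2; return 1
    fi
    [ -f "$ssp_cfg" ] || { echo "no such file: $ssp_cfg" >&2; return 1; }
    cp -p "$ssp_cfg" "$ssp_cfg.bak" || return 1      # keep a rollback copy
    ssp_tmp=$(mktemp) || return 1
    # Drop existing Port lines; put the new one before the first Match block,
    # because Port is a global keyword and is not allowed inside Match.
    awk -v port="$ssp_port" '
        tolower($1) == "port" { next }
        tolower($1) == "match" && !done { print "Port " port; done = 1 }
        { print }
        END { if (!done) print "Port " port }
    ' "$ssp_cfg" > "$ssp_tmp" && cat "$ssp_tmp" > "$ssp_cfg"
    ssp_rc=$?
    rm -f "$ssp_tmp"
    return $ssp_rc
}

# Demo on a constructed config file (sample content, not a real server's).
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' 'Port 22' 'PermitRootLogin no' \
    'Match User backup' '    X11Forwarding no' > "$demo_cfg"
echo "before: $(ssh_ports "$demo_cfg" | tr '\n' ' ')"
set_ssh_port "$demo_cfg" 1234
echo "after:  $(ssh_ports "$demo_cfg" | tr '\n' ' ')"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

Before running 'service sshd restart', validate the edited file with `sshd -t` and allow the new port in the incoming firewall, keeping the current session open until a new login on the new port succeeds.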
