On Sat, Jul 01, 2017 at 02:54:51PM -0400, Kevin Cozens via talk wrote:
> It works out well. I've been doing it for years. It seems some people
> somehow misread or misunderstood the chmod. I meant "chmod" and definitely
> not "chmod -R" as I think some people chose to interpret it.
>
> It will inc
On 2017-06-28 10:05 AM, Lennart Sorensen wrote:
On Tue, Jun 27, 2017 at 07:53:02PM -0400, Kevin Cozens via talk wrote:
You may also want to "chmod 711 /etc", FWIW.
How well does that work out? So regular users (and services not running
as root) can't resolve dns anymore (can't read nsswitch.c
UFW, fail2ban, and Ansible have all been mentioned, which gives me an
opportunity to mention a Hugh-like "war story" related to hardening.
It appears that Debian 9 (aka "stretch," which is now "stable")
included a stupid-ass version of fail2ban. Our cloud machines have
always included a kitchen-s
Mr. Mohammed,
Thanks for sharing your thoughts.
At no time did you ever state that you refused to use IPv6. You
actually stated that you do, in fact, use IPv6. Neither did you ever
state that IPv4 is "good enough."
Aside from IPv4 vs IPv6, do you
On 06/30/2017 10:53 AM, Lennart Sorensen wrote:
> On Fri, Jun 30, 2017 at 09:34:06AM -0400, James Knott via talk wrote:
>> According to Vint Cerf, IPv4 was never intended to be released as a
>> public system. It was intended to demonstrate the concepts, and the
>> "official" version would have a m
On Fri, Jun 30, 2017 at 09:34:06AM -0400, James Knott via talk wrote:
> According to Vint Cerf, IPv4 was never intended to be released as a
> public system. It was intended to demonstrate the concepts, and the
> "official" version would have a much larger address space.
That's what happens when y
On 06/30/2017 08:45 AM, Russell wrote:
> "If you fail to plan, you are planning to fail!"
>
> This is the sort of reasoning which provided for IPV6's creation in the first
> place. The internet is running out of address space. Any networked system,
> currently hardened or otherwise, has to take t
On June 29, 2017 7:37:54 PM EDT, James Knott via talk wrote:
>On 06/29/2017 06:46 PM, Ansar Mohammed wrote:
>> Actually James, incompetence would be opening up a high security
>> system to additional attack vectors without a good business or
>> technical reason (which you really haven't provided).
On 06/29/2017 06:46 PM, Ansar Mohammed wrote:
> Actually James, incompetence would be opening up a high security
> system to additional attack vectors without a good business or
> technical reason (which you really haven't provided).
>
>
The business reason is the world is moving to IPv6. Failing
Actually James, incompetence would be opening up a high security system to
additional attack vectors without a good business or technical reason
(which you really haven't provided).
On Thu, Jun 29, 2017 at 6:33 PM James Knott via talk
wrote:
> I have worked with telecommunications and networks
On 06/29/2017 06:18 PM, Ansar Mohammed wrote:
> Oh, and that growing portion of the internet that's IPv6 only is
> primarily China.
>
Actually, Belgium is in the lead, at around 35%. However, in many parts
of the world including, but not limited to, China, IPv6 is the only thing
available, becaus
I have worked with telecommunications and networks for many years (I
first worked on a computer network in 1978, before there was such a
thing as Ethernet or IPv4) and often see IPv6 in my work. I cannot say
I'm not going to work with it or the customer shouldn't use it. I have
to be prepared to
Again, please follow the thread, this is not about competency or capability
on IPv6.
This is a simple question on hardening a Linux system. My entire network
runs IPv6 also. But my home systems do not need to be hardened.
There have been many IPv6-only bugs and exploits including last year's IPv6
On 06/29/2017 05:14 PM, Ansar Mohammed wrote:
> It's not a matter of being afraid of anything. Security 101 tells you
> to reduce your attack surface area.
> I would not increase my attack surface area just for the sake of being
> an early adopter of IPv6.
>
> To be clear the conversation is about
It's not a matter of being afraid of anything. Security 101 tells you to
reduce your attack surface area.
I would not increase my attack surface area just for the sake of being an
early adopter of IPv6.
To be clear the conversation is about hardening. This is the right thing to
do.
On Thu, Jun 2
On Thu, Jun 29, 2017 at 07:31:10PM +, Ansar Mohammed wrote:
> IMHO if you are looking for a hardened system you should not start with
> Ubuntu.
> Ubuntu is what I like to call 'kitchen sink Linux'
Yeah I wouldn't start with that either.
> Start with a minimal Debian install, then add the pack
On 06/29/2017 04:06 PM, Ansar Mohammed wrote:
> Not really. We have a 12% adoption of IPv6 in Canada.
And growing. Rogers started offering IPv6 a bit over a year ago. It's
now available to every cable and cell customer (some cable customers may
need a new modem). Telus has also had it for a wh
Not really. We have a 12% adoption of IPv6 in Canada.
On Thu, Jun 29, 2017 at 3:42 PM James Knott wrote:
> On 06/29/2017 03:31 PM, Ansar Mohammed via talk wrote:
> > Disable IPv6.
> Why? That's the way the Internet is moving.
>
> Perhaps something like this would be useful:
>
> https://www.suse
On 06/29/2017 03:31 PM, Ansar Mohammed via talk wrote:
> Disable IPv6.
Why? That's the way the Internet is moving.
Perhaps something like this would be useful:
https://www.suse.com/documentation/sles11/book_hardening/data/book_hardening.html
---
Talk Mailing List
talk@gtalug.org
https://gtalug.or
On Jun 29, 2017 3:20 PM, Lennart Sorensen via talk
I find accidentally changing permissions on /tmp a much better way to
get people confused and annoyed at you.
LOL! Lennart, once in a while you give us a glimpse of your true sense of humour.
John.
IMHO if you are looking for a hardened system you should not start with
Ubuntu.
Ubuntu is what I like to call 'kitchen sink Linux'
Start with a minimal Debian install, then add the packages you need
incrementally.
Package removal is never an exact rollback of package installation.
Then add your I
On Thu, Jun 29, 2017 at 10:18:26AM -0400, Anthony de Boer via talk wrote:
> Lennart Sorensen wrote:
> > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > > many key files, the upshot of which
Lennart Sorensen wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > many key files, the upshot of which was that everything on the "secured"
> > firewall had to run as root and it ended
I think OP will be the only user on the server, so chmod /etc is not that
important. If someone exploits any service and gets a shell on the box,
chmod will not help too much.
Jailing the accessible servers on a container, or an old school chroot would
be nice.
On Jun 29, 2017 10:24, "Lennart Sore
On 27/06/17 07:37 PM, Truth Hacker via talk wrote:
> Hi All,
>
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
>
> I searched a few articles and compiled a list of things to do, so far
> the stuff is a bit dated. So I was wo
On Thu, Jun 29, 2017 at 09:24:09AM -0400, Lennart Sorensen via talk wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Christopher Browne via talk wrote:
> > > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> > > > You may also want to "chmod 711 /etc",
On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> Christopher Browne via talk wrote:
> > On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> > > You may also want to "chmod 711 /etc", FWIW.
> >
> > That means that non-root-space applications will have no access to t
Christopher Browne via talk wrote:
> On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> > You may also want to "chmod 711 /etc", FWIW.
>
> That means that non-root-space applications will have no access to their
> configuration in /etc, thereby breaking services.
Umm, no. The x-bit is wha
On 27 June 2017 at 19:53, Kevin Cozens via talk wrote:
> On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
>>
>> I am starting to go down the road to harden a Linux server, I am using
>> the Ubuntu server image as my starting point.
>
> [snip]
>>
>> Q: What service should I consider disabling f
On Tue, Jun 27, 2017 at 7:37 PM, Truth Hacker via talk wrote:
> Hi All,
>
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
>
> I searched a few articles and compiled a list of things to do, so far
> the stuff is a bit dated. S
On Tue, Jun 27, 2017 at 07:53:02PM -0400, Kevin Cozens via talk wrote:
> On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
> >I am starting to go down the road to harden a Linux server, I am using
> >the Ubuntu server image as my starting point.
> [snip]
> >Q: What service should I consider disa
On Tue, Jun 27, 2017 at 07:37:29PM -0400, Truth Hacker via talk wrote:
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
>
> I searched a few articles and compiled a list of things to do, so far
> the stuff is a bit dated. So I
On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
I am starting to go down the road to harden a Linux server, I am using
the Ubuntu server image as my starting point.
[snip]
Q: What service should I consider disabling from starting automatically.
Disable any service you won't need for what
Hi All,
I am starting to go down the road to harden a Linux server, I am using
the Ubuntu server image as my starting point.
I searched a few articles and compiled a list of things to do, so far
the stuff is a bit dated. So I was wondering if anyone has stuff ideas
to help me harden my system whi
34 matches