U1.4 How to Protect against These Vulnerabilities
Unnecessary Services
- Scan the server with a port scanner or vulnerability assessment tool to determine what unnecessary services are running on a system. Disable the services that are not required by any necessary applications.
- Install the latest vendor patches regularly to mitigate vulnerabilities in exposed services. Patch management is a critical part of the risk management process.
- Use the Center for Internet Security benchmarks from www.cisecurity.org for your OS and the services you use. Also consider using Bastille from www.bastille-linux.org to harden Linux and HP-UX-based hosts.
- Consider moving services from default ports where possible. Automated scanners tend to only scan default ports.
- Utilize a hardware or software firewall to protect required services.
- Ensure services are protected by vendor-supplied security mechanisms (for example, SELinux or address space randomization).
Brute Force Attacks
- Don't use default passwords on any accounts.
- Enforce a strong password policy. Don't permit weak passwords or passwords based on dictionary words.
- Audit to ensure your password policy is being adhered to.
- Limit the number of failed login attempts to exposed services.
- Limit the accounts that can log in over the network; root should not be one of them.
- Employ firewall rules to limit the source of any remote logins.
- Prohibit shared accounts and don't use generic account names like tester, guest, sysadmin, admin, etc.
- Log failed login attempts. A large number of failed logins to a system may warrant a further check of that system to see whether it has been compromised.
- Consider using certificate based authentication.
- If your UNIX system supports PAM authentication modules, implement PAM modules that check password strength.
- Firewall services that do not require access to the Internet.
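As an added illustration of the logging and lockout advice above (this script is not part of the original document), the following Python counts failed SSH logins per source address and per account from constructed sshd log lines and reports sources exceeding a threshold. The log format follows OpenSSH's "Failed password for ..." message; the threshold value and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of OpenSSH sshd messages (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51822 ssh2
Mar  3 10:01:04 host sshd[2002]: Failed password for invalid user guest from 192.0.2.10 port 51823 ssh2
Mar  3 10:01:05 host sshd[2003]: Failed password for root from 192.0.2.10 port 51824 ssh2
Mar  3 10:01:06 host sshd[2004]: Failed password for root from 192.0.2.10 port 51825 ssh2
Mar  3 10:01:07 host sshd[2005]: Failed password for root from 192.0.2.10 port 51826 ssh2
Mar  3 10:01:09 host sshd[2006]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:11 host sshd[2007]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:02:20 host sshd[2008]: Accepted password for alice from 198.51.100.7 port 40003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (the latter means the account does not exist).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def count_failures(log_text):
    """Return (failures per source IP, failures per account, invalid-user attempts per source)."""
    by_src, by_user, invalid_by_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        by_src[m["src"]] += 1
        by_user[m["user"]] += 1
        if "invalid user" in line:
            invalid_by_src[m["src"]] += 1
    return by_src, by_user, invalid_by_src

def flag_sources(log_text, threshold=5):
    """Sources with at least `threshold` failed logins (the threshold is an assumed value)."""
    by_src, _, _ = count_failures(log_text)
    return sorted(src for src, n in by_src.items() if n >= threshold)

def root_login_attempts(log_text):
    """Failed attempts against root, which the advice above says should not log in remotely."""
    _, by_user, _ = count_failures(log_text)
    return by_user["root"]

if __name__ == "__main__":
    by_src, by_user, invalid = count_failures(SAMPLE_LOG)
    for src in flag_sources(SAMPLE_LOG):
        print(f"{src}: {by_src[src]} failed logins, {invalid[src]} against non-existent accounts")
    print(f"failed root logins: {root_login_attempts(SAMPLE_LOG)}")
```

On a live host the same functions can be fed the contents of the system's authentication log instead of SAMPLE_LOG.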
U1.5 References
SSH Brute Force Attacks and Counter Measures
General UNIX Security Resources