Tuesday 4 February 2014

UNIX Servers and Secure Access

  1. Nobody has access until explicitly granted.
  2. A UNIX firewall will be in place to limit traffic and to drop a possible mass attack.
  3. A port-monitoring and IP-blocking tool will be installed to act on suspected misuse.
  4. Insecure or plain-text tools are not available for use.
    These include telnet, ftp, rsh and rexec.
  5. The open ports on any server are locked down to a bare minimum.
    22 - ssh for remote access and data transfer
    25 - mail server
    80 - standard web server
    443 - secure web server
    3306 - database access over SSL/SSH
    other ports only on demand.
  6. Security on the open ports.
    3306 - only open to other database and backup servers
    443 - open to the world, but monitored
    80 - open to the world, but monitored
    25 - open only for outgoing mail as standard
        if incoming mail is required (Jira) the port is opened, but monitored
    22 - open for approved staff and configured for certificate only (see below)
    other ports will be added if opened.
  7. Where possible, http will be redirected to https.
  8. A virus filter to protect the Windows users will be in place on servers with mail and upload access.
  9. Servers that require VNC access will expose it on localhost only, reached over an SSH connection (certificate only).
  10. Root login is locked down; administrative work is done via sudo after an SSH connection.
    No user will have access to the root password.
  11. User access is granted via a 2048-bit SSH key.
    No password login is available.
    After 3 failed SSH handshake attempts the account will be locked and the IP blocked by the tool from item 3.
    The public key has to be registered on the server before access is possible.
    The user cannot change the access credential or the protected SSH certificate.
  12. Every server access, successful or failed, will be logged in an audit file.
    Every sudo command is audited.
  13. Every web site access will be logged and presented in a daily report.
  14. Server and data backup will be in place and stored in a secure location.
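Items 10 and 11 translate directly into a handful of sshd_config directives: no root login, public keys only, no password or challenge-response login, and a small cap on authentication attempts. The script below is an added example, not part of the original post or of any tool it mentions; it audits an sshd_config file for those settings and reports anything missing or wrong. The directive names are real OpenSSH keywords; the two sample config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# access rules in items 10 and 11. The directive names are real sshd keywords;
# the sample config files written below are constructed for the demonstration.

# check_sshd_config FILE
# Prints one line per directive that is missing or set wrongly; returns 0 only
# when every directive passes.
check_sshd_config() {
    file="$1"
    status=0
    for pair in \
        PermitRootLogin=no \
        PasswordAuthentication=no \
        PubkeyAuthentication=yes \
        ChallengeResponseAuthentication=no \
        MaxAuthTries=3
    do
        key=${pair%%=*}
        want=${pair#*=}
        # sshd uses the FIRST value it reads for a keyword, so take the first
        # uncommented occurrence. Stop at the first Match block: settings inside
        # it are conditional and have to be reviewed separately.
        got=$(awk -v k="$key" '
            tolower($1) == "match"    { exit }
            tolower($1) == tolower(k) { print tolower($2); exit }
        ' "$file")
        if [ -z "$got" ]; then
            # a missing directive falls back to the sshd default, which for
            # PermitRootLogin and PasswordAuthentication was "yes" at the time
            echo "MISSING $key (want $want)"
            status=1
        elif [ "$key" = "MaxAuthTries" ]; then
            # numeric directive: any value up to the limit is acceptable
            case "$got" in
                *[!0-9]*|'') echo "WRONG   $key=$got (want <= $want)"; status=1 ;;
                *) [ "$got" -le "$want" ] || { echo "WRONG   $key=$got (want <= $want)"; status=1; } ;;
            esac
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key=$got (want $want)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: a near-default config that still permits root and
# password logins (the relevant lines are only commented out).
write_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
EOF
    echo "$f"
}

# Constructed sample: the settings items 10 and 11 call for, followed by a
# Match block that the checker deliberately leaves alone.
write_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
MaxAuthTries 3
Match User backup
    PasswordAuthentication no
EOF
    echo "$f"
}

weak=$(write_weak_config)
hardened=$(write_hardened_config)
echo "== weak config =="
check_sshd_config "$weak" || echo "RESULT: not compliant"
echo "== hardened config =="
check_sshd_config "$hardened" && echo "RESULT: compliant"
rm -f "$weak" "$hardened"
```

On a real server run `check_sshd_config /etc/ssh/sshd_config` and reload sshd only after the report is clean. Note that ChallengeResponseAuthentication is the keyword of the OpenSSH releases current when this post was written; OpenSSH 8.7 and later treat it as an alias for KbdInteractiveAuthentication, so on a modern host add that keyword to the list.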
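Item 3 promises a blocking tool and item 11 sets its trigger at three failed SSH attempts. The script below is an added example, not the original post's tool, showing the detection half of that: it counts failed sshd authentications per source address in an auth.log and lists the addresses that have reached the threshold, then prints (without running) the iptables rule a blocker would add. The log lines are constructed for the demo; "Failed publickey for" and "Invalid user" are real sshd message prefixes.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH authentications
# per source IP in an auth.log and list the addresses at or over the lockout
# threshold from item 11, as the blocking tool from item 3 would. The log
# lines are constructed; the sshd message formats are the real ones.

write_sample_authlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Feb  4 10:01:12 web1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Feb  4 10:02:01 web1 sshd[2110]: Failed publickey for bob from 198.51.100.7 port 40001 ssh2
Feb  4 10:02:03 web1 sshd[2112]: Failed publickey for bob from 198.51.100.7 port 40002 ssh2
Feb  4 10:02:05 web1 sshd[2114]: Failed publickey for root from 198.51.100.7 port 40003 ssh2
Feb  4 10:02:07 web1 sshd[2116]: Invalid user admin from 203.0.113.5
Feb  4 10:02:09 web1 sshd[2118]: Connection closed by 203.0.113.5 [preauth]
Feb  4 10:02:30 web1 sshd[2119]: Invalid user test from 203.0.113.5
Feb  4 10:03:00 web1 sshd[2120]: Failed publickey for alice from 192.0.2.10 port 51240 ssh2
Feb  4 10:03:05 web1 sshd[2121]: Accepted publickey for alice from 192.0.2.10 port 51241 ssh2
EOF
    echo "$f"
}

# ssh_block_candidates LOGFILE THRESHOLD
# Prints "IP count" for every source address with at least THRESHOLD failed
# attempts, highest count first. Accepted logins are ignored, so a legitimate
# user with one mistyped key passphrase is not confused with a brute-forcer.
ssh_block_candidates() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: (Failed publickey for|Invalid user) / {
            # the source address is the word following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# block_rules_dry_run LOGFILE THRESHOLD
# Prints, without executing, the iptables rule a blocking tool would add for
# each candidate. The rules are only displayed here; apply them after review.
block_rules_dry_run() {
    ssh_block_candidates "$1" "$2" | while read -r ip count; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP   # $count failures"
    done
}

log=$(write_sample_authlog)
echo "== addresses at or over the 3-failure limit =="
ssh_block_candidates "$log" 3
echo "== rules the blocking tool would apply (dry run) =="
block_rules_dry_run "$log" 3
rm -f "$log"
```

In the sample only 198.51.100.7 reaches three failures; 203.0.113.5 stops at two and 192.0.2.10 has a single failure followed by a successful login. A production blocker would additionally need a time window and an expiry for the block, neither of which the post specifies.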
