Server Hardening
================

The outline below is for a presentation on server hardening that focuses specifically on the initial configuration. Server hardening is one part of a larger security program. My goal in the presentation is to introduce the concepts involved in server hardening along with some practical tips on how to harden a server. Since hardening is part of a larger security process, I'll allude to other security matters that are not strictly related to server hardening in the course of the presentation. I'll conclude by introducing the idea of file integrity checking and other host-level intrusion detection concepts. This will lead very naturally into Marcin Antkiewicz's presentation on Snort.

I. Security goals during the configuration process
   A. security mindset
      - confidentiality, integrity, availability (CIA)
      - minimum privilege, access and exposure
   B. build a layered security model (firewall, NIDS, HIDS)
   C. think about availability issues
   D. reduce complexity for simplicity

II. What layers should I be hardening?
   A. partitioning (let the warring begin) (consider LVM)
   B. software load and update (OS + apps); minimal install
   C. stop all unnecessary services
   D. network choices, connections and routes
   E. run a local packet filter (egress filter; iptables user match)
   F. start with minimum configuration on running services
      1. Apache config (alternate HTTP servers?)
      2. MySQL config (changing passwords ...)
      3. sshd, non-root only, turn off SSHv1
      4. offer SSL-protected services
   G. run services from a chroot

III. Ongoing security/hardening work
   A. Rootkit checker
   B. Log reading
   C. Version control
   D. Run private DNS cache
   E. File integrity checking (AIDE, Tripwire, yafic)
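As an added example (not part of the presentation outline), the script below audits an sshd_config against item II.F.3: root logins disabled and SSHv1 turned off. It assumes OpenSSH's parsing rules (first uncommented value of a keyword wins, keywords are case-insensitive) and uses constructed sample files rather than a real host's configuration.

```shell
#!/bin/sh
# Added example, not from the presentation: check an sshd_config for the two
# sshd hardening items in the outline (no root logins, SSHv1 off). OpenSSH
# takes the first uncommented value of each keyword and matches keywords
# case-insensitively, so the awk call mirrors that. Match blocks are ignored.

# sshd_value FILE KEYWORD: print the first effective value of KEYWORD (lower-case).
sshd_value() {
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

# check_sshd_config FILE: print one line per finding and return the number
# of findings, so a return of 0 means both checks pass.
check_sshd_config() {
    file="$1"
    findings=0
    root=$(sshd_value "$file" permitrootlogin | tr 'A-Z' 'a-z')
    proto=$(sshd_value "$file" protocol)
    case "$root" in
        no) ;;
        "") echo "$file: PermitRootLogin not set; add 'PermitRootLogin no'"
            findings=$((findings + 1)) ;;
        *)  echo "$file: PermitRootLogin is '$root'; set it to 'no'"
            findings=$((findings + 1)) ;;
    esac
    case "$proto" in
        2) ;;
        "") echo "$file: Protocol not set; add 'Protocol 2' so SSHv1 stays off"
            findings=$((findings + 1)) ;;
        *)  echo "$file: Protocol is '$proto'; SSHv1 enabled, set 'Protocol 2'"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample configs (hypothetical, not from a real server) for a demo.
write_samples() {
    dir=$(mktemp -d)
    printf '# weak\nProtocol 2,1\nPermitRootLogin yes\nPort 22\n' > "$dir/weak.conf"
    printf '# hardened\nProtocol 2\nPermitRootLogin no\nPort 22\n' > "$dir/hardened.conf"
    echo "$dir"
}

# Stand-alone run: weak.conf yields two findings, hardened.conf reports OK.
samples=$(write_samples)
for f in "$samples/weak.conf" "$samples/hardened.conf"; do
    check_sshd_config "$f" && echo "$f: OK"
done
```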