# penetration testing, security audit - principles, attitude

## ddaas

I would like to start a discussion on penetration testing, security audit and hardening of a Linux server: principles, attitude, steps to follow, etc.

What do you think? Let's suppose the server runs in an enterprise environment.

Here are my first thoughts:

0. Info about the environment (`ps -ef`, `crontab -l`, `uname -a`, `netstat -tupan` etc., check the logs, check if there is a firewall etc.)

1. Nmap TCP and UDP port scan

2. Nessus - write down the discovered vulnerabilities and different reported problems.

3. Take every service (ssh, httpd, mysqld, bind etc.) and harden it. Find out if the latest stable version is installed, google for vulnerabilities in the installed version, take specific actions for every service (e.g. mod_security for Apache)

4. Install, configure and send daily reports per email: chkrootkit (rkhunter), AIDE (tripwire)

5. After patching the applications, run a vulnerability scanner (Nessus) one more time and observe the differences from step 2

6. Other basic things (set up a firewall (iptables), close unneeded services, secure /tmp, audit the passwords (John the Ripper) etc).

7. Document everything

I am waiting for your tips.
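Step 5 of the list above is easiest to act on when the two scans are compared mechanically rather than by eye. The script below is an added example, not part of the original post: it takes nmap's greppable output (`-oG`) from the baseline scan of step 1 and from the re-scan after hardening, extracts the ports whose state is exactly `open`, and prints what was closed and, just as important for a pentester, what was newly exposed. Both scan texts are constructed sample data for a fictional host (192.0.2.10); nmap itself is not run. In practice you would feed it `baseline.gnmap` and `rescan.gnmap` written by `nmap -oG`.

```shell
#!/bin/sh
# Added example for the audit procedure above (not from the original post).
# Compares the open ports found by the baseline scan (steps 1/2) with those
# found by the post-hardening re-scan (step 5) using nmap's greppable output
# format (-oG). All scan text below is constructed sample data for a fictional
# host; nmap itself is not invoked.

# Constructed baseline, as "nmap -sS -sU -oG baseline.gnmap 192.0.2.10" might write it.
BASELINE_GNMAP=$(printf '# Nmap scan initiated (constructed sample)\nHost: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 53/open/udp//domain///\tIgnored State: closed (997)\n# Nmap done\n')

# Constructed re-scan after hardening: mysqld bound to localhost, http replaced by https.
RESCAN_GNMAP=$(printf '# Nmap scan initiated (constructed sample)\nHost: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 53/open/udp//domain///\tIgnored State: closed (998)\n# Nmap done\n')

# extract_open_ports: read greppable nmap output on stdin and print "port/proto"
# for every entry whose state is exactly "open" (UDP "open|filtered" guesses are
# left out), one per line, sorted in the C locale so the two lists compare cleanly.
extract_open_ports() {
    awk '/^Host:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\/open\//) {   # e.g. 22/open/tcp//ssh///,
                    split($i, f, "/")          # f[1]=port f[2]=state f[3]=proto
                    print f[1] "/" f[3]
                }
         }' | LC_ALL=C sort
}

# scan_diff BASELINE_TEXT RESCAN_TEXT: print "+port/proto" for ports that are
# open now but were not in the baseline (new exposure, worth a second look) and
# "-port/proto" for ports that the hardening work closed.
scan_diff() {
    {
        printf '%s\n' "$1" | extract_open_ports | sed 's/^/B /'
        printf '%s\n' "$2" | extract_open_ports | sed 's/^/R /'
    } | awk '$1 == "B" { base[$2] = 1 }
             $1 == "R" { rescan[$2] = 1 }
             END {
                 for (p in rescan) if (!(p in base))   print "+" p
                 for (p in base)   if (!(p in rescan)) print "-" p
             }' | LC_ALL=C sort
}

# Stand-alone run: show what changed between the two constructed scans.
echo "Baseline open ports:"
printf '%s\n' "$BASELINE_GNMAP" | extract_open_ports
echo "Changes after hardening (+ newly open, - closed):"
scan_diff "$BASELINE_GNMAP" "$RESCAN_GNMAP"
```

The same diff run against a scan taken a month later doubles as a cheap change detector: any `+` line is either a documented change or a finding for the report of step 7.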

----------

## juhah

I'd recommend that you study different security guides, like http://www.gentoo.org/doc/en/security/index.xml and http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/.

It is also very important to audit the security policy. Without it, or if the policy is outdated/incomplete, the hardening operation can nullify itself pretty fast (e.g. ssh accounts are given to whoever asks for one, no password/user account expiration dates, etc.).

Otherwise your list seems to be a good start.

----------

## PaveQ

I think this should be sticky. Great tips ;)

----------

## ddaas

Here is my security checklist. I tried to make it as complete as possible.

Anyway, I would like this discussion to be more on security audit and penetration testing from the point of view of the security specialist who performs this for other businesses (I mean not how to secure Linux in general).

*Quote:*

> Security Checklist
> 
> 1. Do not assume anything 
> 
> 2. Trust no-one, nothing 
> ...

 

----------

## think4urs11

*ddaas wrote:*

> 1. Do not assume anything 
> 
> 2. Trust no-one, nothing 
> 
> 3. Nothing is secure 
> ...

 

I know I've read those somewhere before ... ahh, yes, my signature *g*

*ddaas wrote:*

> 1. Use strong passwords (min. 7 chars, no dictionary words)

 

+ use digits and special characters, (non) capitalization

*ddaas wrote:*

> 19. Allow SSH access only from a pool of IPs, and from a group of users. Do not allow root login.

 

+ use public key authentication wherever possible, do *not* allow password authentication
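Items 19 and the reply above together describe four things an auditor can check in `sshd_config` directly: root login off, password authentication off, public keys on, and logins limited to a group. The script below is an added example, not code from either poster: it reads an `sshd_config` on stdin and prints one finding per item that the global section does not enforce. Both configuration texts are constructed samples. The "pool of IPs" part of item 19 is usually enforced in the firewall (step 6 of the first post) or in a `Match Address` block, so it is deliberately not checked here.

```shell
#!/bin/sh
# Added example for the SSH items above (not from the original posts): a small
# audit of the global section of an sshd_config against the thread's advice
# (no root login, no password authentication, public keys on, access limited
# to a group). Both config texts are constructed samples.

# Constructed config typical of an untouched install: everything still permitted.
WEAK_SSHD_CONFIG='Port 22
#PubkeyAuthentication yes
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed config following the thread's advice. Match blocks apply only
# when their condition holds, so the audit stops at the first one and judges
# the global section alone (here the block just limits one group to SFTP).
HARDENED_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
Match Group sftponly
    ForceCommand internal-sftp'

# audit_sshd_config: read an sshd_config on stdin, print one finding per line
# for each hardening item the global section does not enforce, nothing when
# all pass. Keywords are case-insensitive and, as in sshd itself, the first
# occurrence of a keyword wins; comments and blank lines are ignored.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        tolower($1) == "match"                { inmatch = 1 }
        inmatch                               { next }      # stop at first Match block
        !(tolower($1) in v)                   { v[tolower($1)] = tolower($2) }
        END {
            if (v["permitrootlogin"] != "no")
                print "PermitRootLogin is not \"no\": direct root login possible"
            if (v["passwordauthentication"] != "no")
                print "PasswordAuthentication is not \"no\": password logins possible"
            if (v["pubkeyauthentication"] == "no")
                print "PubkeyAuthentication is disabled"
            if (!("allowgroups" in v) && !("allowusers" in v))
                print "No AllowGroups/AllowUsers: every local account may log in"
        }'
}

# Stand-alone run: findings for the weak config, none for the hardened one.
echo "Untouched config:"
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config
echo "Hardened config:"
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in and is the better input than the file itself, since an unset `PermitRootLogin` means whatever the installed OpenSSH version defaults to.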

----------

