There are numerous Linux distributions. Below are a few items to review and implement when deploying a Linux system on the UT network. Some examples reference configurations for a specific Linux distribution (e.g. RHEL/CentOS), but should translate to other distributions with slight modifications. For distribution-specific questions, please email help@ece.utexas.edu.


Anti-Virus Considerations

 

Applying Security Updates

...

   #added for DDoS prevention - don't allow any machine, except those w/o flags
   restrict default notrust nomodify noquery   
   restrict 127.0.0.1
   restrict 146.6.177.21
   restrict 128.83.185.40
   restrict 128.83.185.41  

Implement Deny Hosts

Limit SSH Access to Campus Network

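Example iptables configuration that only allows UT campus networks to access a system remotely via SSH. The networks listed below include various wired, wireless, and VPN networks. As written, the rules accept all inbound traffic from these networks, not only SSH, and drop everything else that is not part of an established connection.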

Note: To access these systems from off-campus, users will need to utilize the UT VPN client available at https://vpn.utexas.edu

 

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 128.62.0.0/16 -j ACCEPT
-A INPUT -s 128.83.0.0/16 -j ACCEPT
-A INPUT -s 129.114.0.0/16 -j ACCEPT
-A INPUT -s 129.116.0.0/16 -j ACCEPT
-A INPUT -s 146.6.0.0/16 -j ACCEPT
-A INPUT -s 172.29.0.0/16 -j ACCEPT
-A INPUT -s 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT
-A INPUT -s 10.144.0.0/12 -j ACCEPT
-A INPUT -s 146.6.248.0/21 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT

Password Complexity

 

System Accounts

Files/Directory Permissions/Access

  • Enable system accounting (install package sysstat).
  • Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
    • Check in /etc/sudoers to see who has sudo rights
    • Check in /etc/group to see what groups your users belong to
    • Check in /etc/passwd and/or /etc/shadow for blank passwords
  • All administrator or root access must be logged.
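
The account checks listed above can be scripted. The following is an added example, not part of the original page: the function names (blank_passwords, groups_of, sudo_grants) are illustrative, the sudoers check is a simplified filter that does not expand aliases, and the sample accounts are constructed.

```sh
#!/bin/sh
# Added example: file-based versions of the account checks listed above.
# Paths are arguments so the functions run on live files or review copies.

# Accounts with an empty password field. Field 2 is the password in both
# /etc/passwd and /etc/shadow; "x", "*" and "!" are not blank.
blank_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Groups a user belongs to: primary group (GID from passwd) plus any group
# listing the user as a member. Usage: groups_of USER PASSWD_FILE GROUP_FILE
groups_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3"
}

# Lines in a sudoers file that grant rights: skips blanks, comments,
# Defaults and alias definitions. Include directives are kept so the
# files they pull in get reviewed too.
sudo_grants() {
    awk '
        /^[ \t]*$/ { next }
        /^[ \t]*#/ && !/^[ \t]*#include/ { next }
        /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
        { print }
    ' "$1"
}

# Constructed sample files for a dry run (not real accounts).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:$6$constructed:19000:0:99999:7:::' \
        'alice::19000:0:99999:7:::' 'bob:!:19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'alice:x:1000:' 'wheel:x:10:root,alice' > "$d/group"
    printf '%s\n' '# constructed sudoers' 'Defaults env_reset' 'root ALL=(ALL) ALL' \
        '%wheel ALL=(ALL) ALL' '#includedir /etc/sudoers.d' > "$d/sudoers"
    echo "blank passwords: $(blank_passwords "$d/shadow" | tr '\n' ' ')"
    echo "alice groups:    $(groups_of alice "$d/passwd" "$d/group" | tr '\n' ' ')"
    echo "sudo grants:"; sudo_grants "$d/sudoers"
    rm -rf "$d"
}
demo
```

Reading /etc/shadow and /etc/sudoers on a live system requires root; any account name printed by blank_passwords can log in without a password and should be locked or given one.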

System Access, Authentication, and Authorization

  • Enable the terminal security file to restrict root logins to the system console only.
  • Do not allow root logins via SSH.
  • Ensure the following are set in /etc/pam.d/other:
     auth      required  pam_deny.so
     auth      required  pam_warn.so
     account   required  pam_deny.so
     account   required  pam_warn.so
     password  required  pam_deny.so
     password  required  pam_warn.so
     session   required  pam_deny.so
     session   required  pam_warn.so
    The pam_warn entries report alerts to syslog.