RE: [fw-wiz] Custom Unix server installations -- to harden extensively ?
From: Keith A. Glass (salgak_at_speakeasy.net)
Date: 05/14/03
- Previous message: John Adams: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- In reply to: Julian Gomez: "[fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Next in thread: Ben Nagy: "RE: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Reply: Ben Nagy: "RE: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <kluivert@tm.net.my>, <firewall-wizards@honor.icsalabs.com> Date: Tue, 13 May 2003 22:01:14 -0400
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Julian
Gomez
Sent: Tuesday, May 13, 2003 10:21 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Custom Unix server installations -- to harden
extensively ?
>Hi,
>What is the relative opinion of hardening general purpose Unix servers
>(general == mail, web, db hosts). Obviously, wherever possible, I'd like to
>get most of the unwanted packages stripped and removed; but very frequently
>-- this is extremely time consuming and is alot of documentation work
>(which btw, no one ever bothers to read).
>Alas, this usually conflicts in the future when there is a need for
>additional software to be implemented, the whole compiling + installation
>steps, but the relevant packages have been removed as per the hardening
>work done in the above paragraph.
>So, what do most of you all do :
> a) Leave the possibly-relevant future packages, intact on the
> system, and just perform permission tweaks ?
Actually (in Solaris), I comment out most of /etc/inet.d, and disable
most rc2 and rc3 scripts. . .
> b) Remove the packages, and when the need arises, reinstall the
> packages -- I have to note here that alot of cross-dependencies
> make this hell. At least on RH, if there is opinion on different
> distributions which make this somewhat painless, closest thing
> which might be relevant, I think is FBSD's ports system (though
> I haven't used it myself) ?
We're starting to talk about playing with saferm
http://www.cert.org/security-improvement/implementations/i027.02.html#saferm
> c) Leave the server, its screwed anyway because local users have
> access :-)
Well, not the FIREWALLS. . .
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: John Adams: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- In reply to: Julian Gomez: "[fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Next in thread: Ben Nagy: "RE: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Reply: Ben Nagy: "RE: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
