Re: Linux hardening

From: Daniel Cid (danielcid_at_yahoo.com.br)
Date: 08/22/05

    Date: Mon, 22 Aug 2005 16:49:37 -0300 (ART)
    To: AragonX <aragonx@dcsnow.com>, focus-linux@securityfocus.com
    
    

    Hello,

    You are running too many services in just one box. It
    may lead to problems later. To minimize that, I would
    suggest you chroot apache and run it with a
    specific apache user (like apache or www). A good idea
    would be to install it with the minimum number of
    features possible (look at
    http://www.securityfocus.com/infocus/1694).
    You didn't mention which mail server you are using.
    Run a good one (postfix or qmail). In addition to
    that, no matter the security measures you are using,
    keep your server updated. You could also use some
    host-based IDS or log analysis tool to improve the
    detection capabilities there. I suggest OSSEC HIDS
    (www.ossec.net/hids/), because it does log analysis
    and integrity checking together (in addition to having a
    nice correlation engine and a nice notification tool),
    but I'm suspicious to talk about it :).

    Hope it helps..

    --
    Daniel B. Cid, CISSP
    daniel.cid @ (at) {gmail. com}
    --- AragonX <aragonx@dcsnow.com> wrote:
    > I had an intrusion on one of my servers and am in the process of
    > hardening it (after a reinstall).  I'm using Fedora Core 4.  I've
    > taken all the basic steps (shutting down unused services etc) and
    > have done the following:
    >
    > Installed Smoothwall on a separate box.
    > Installed & configured AIDE, Snort and chkrootkit
    > Ran Bastille
    >
    > I am in the process of configuring LIDS.  I'm using LIDS instead of
    > SELinux because it's easier for me to configure.
    >
    > My next and final step will be to install mod_security.
    >
    > The server performs the following tasks:
    >
    >    Web (Squirrelmail, eGroupWare, myPhpAdmin and others) and email
    >    serving to the internet.
    >    File, print and DHCP serving to my local network.
    >
    > I'm looking for more preventative measures.  It appears that LIDS
    > and mod_security are the only ones in that role now.  Should I jail
    > apache?  Would that give me any benefits over what LIDS provides?
    >
    > Thank you in advance.
    > 
    > 
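As an added example (not part of the original message or of any tool named in it), the sketch below audits an Apache configuration for the three points raised in the reply: a dedicated non-root user, a chroot, and a minimal module set. The sample config and the module allowlist are constructed assumptions; `ChrootDir` is the mod_unixd directive in later Apache releases, so a jail built with an external wrapper will show up here as "not set".

```python
import re

# Constructed sample httpd.conf fragment (not from the original post).
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
# User root
User apache
Group apache
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so
"""

# Assumed site policy: the only modules this server needs.
ALLOWED_MODULES = {"dir_module", "mime_module", "log_config_module"}

# A directive line starts with a word; '#' comments and <Section> tags do not match.
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")

def audit_httpd_conf(text, allowed=ALLOWED_MODULES):
    """Return a sorted list of findings for one config file's text."""
    settings, modules, findings = {}, [], []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # Apache directive names are case-insensitive.
        name, value = m.group(1).lower(), m.group(2).strip('"')
        if name == "loadmodule" and value:
            modules.append(value.split()[0])
        elif name in ("user", "group", "chrootdir"):
            settings[name] = value
    for key in ("user", "group"):
        val = settings.get(key)
        if val is None:
            findings.append(f"{key}: not set")
        elif val in ("root", "0", "#0"):
            findings.append(f"{key}: runs as root")
    if "chrootdir" not in settings:
        findings.append("chrootdir: not set (no built-in chroot)")
    for mod in modules:
        if mod not in allowed:
            findings.append(f"module not in allowlist: {mod}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF):
        print(finding)
```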
    
