RE: Securing Fedora Core 4
From: Charles Heselton (charles.heselton_at_gmail.com)
To: "'AragonX'" <firstname.lastname@example.org>, <email@example.com>
Date: Thu, 22 Sep 2005 21:35:44 -0700
> -----Original Message-----
> From: AragonX [mailto:firstname.lastname@example.org]
> Sent: Wednesday, September 21, 2005 6:29 AM
> To: email@example.com
> Subject: Securing Fedora Core 4
> I am trying to develop a method to secure my servers. I'll list the
> steps I am going to take. Can you please review and make any additional
> suggestions? Thank you.
> Install & configure Tripwire
> Install & configure Snort http://www.snort.org/
> Install & configure Bastille http://www.bastille-linux.org/
> Install & configure LIDS http://www.lids.org/
> Install & configure modsecurity http://www.modsecurity.org/
> Install & configure chkrootkit http://www.chkrootkit.org/
> install dansguardian http://www.dansguardian.org
> install squid http://www.squid-cache.org/
> Install & configure DCC http://www.dcc-servers.net
> Install & configure Pyzor http://pyzor.sourceforge.net
> Install & configure Razor http://razor.sourceforge.net
> install & configure Clamav http://www.clamav.net
> Install & configure MailScanner
> Install & configure Ntop http://www.ntop.org/
> Install & configure Spamassassin http://spamassassin.apache.org/
> install root access email command
> create a separate /tmp partition and mount noexec, nosuid
> Configure Apache
> configure for php safe mode
> configure /internal web directory w/ access from private network only
> configure /external web directory w/ password authentication
> Configure SSH
> respond on alternate port
> only allow me to logon
> Configure Firewall:
> only allow access to ssh from my domains
Looks pretty good. I'm not totally familiar with all of the
tools/products you listed there, but it seems like you have some
redundancies, which could cause configuration and management
That being said, I would change the order around a bit, but that's
probably as much personal taste as anything. YMMV. I would suggest
something like the following:
1. Disable all of your unnecessary services ((x)inetd, telnet, ftpd,
2. SSH should already be installed (you said FC4, right?); configure
it with your public keys/trusted hosts, whatever you like.
3. Set up tcp_wrappers. (This is redundant of the firewall, but is
nice to have, and easy to configure/maintain.)
4. Set up your firewall. I like firestarter (should come with FC4).
Other people like shorewall. Ultimately, it's the same outcome.
5. Install/configure Bastille (this sort of overlaps some things,
but can also affect installation of others, so it might be a good
idea to do it early). SELinux might be better here, but I think
SELinux depends on some of the kernel hooks and such. The two have
really meshed over time, and I haven't followed it that closely.
6. Install/configure (I/c) chkrootkit.
7. If you have another mail host for external mail (administrative
messages and such), configure sendmail to only send mail internally
(local system). You can configure SpamAssassin if you want, but
unless you're actually transferring bulk mail, you don't really need
it, nor the other 3 spam filters you listed.
8. Configure Apache and modsecurity.
9. Now configure tripwire (or aide).
It's tough to try to generalize this into a concise format. If you
have a large enough environment to warrant specific purpose hosts,
you should do that. It will allow you to be much more specific about
your security measures, and will provide much less headache in
regards to management.
- Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
In memoriam: http://www.militarycity.com/valor/1029976.html
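Added example, not part of either message in the thread: a small audit script for two items on the list above, the separate /tmp mounted noexec,nosuid and the sshd restrictions (alternate port, only named users, no root login). It reads the configuration files the way a post-install check would; the sample fstab and sshd_config contents and the username are constructed here, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit the /tmp mount options and the
# sshd restrictions by reading the config files. Paths are parameters so the
# checks run here against constructed samples; on a host you would pass
# /etc/fstab and /etc/ssh/sshd_config.

# Returns 0 when /tmp is its own mount carrying both noexec and nosuid.
tmp_mount_hardened() {
    awk '$1 !~ /^#/ && $2 == "/tmp" {
            found = 1
            n = split($4, opt, ",")          # field 4: mount options
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noexec") e = 1
                if (opt[i] == "nosuid") s = 1
            }
        }
        END { exit (found && e && s) ? 0 : 1 }' "$1"
}

# Returns 0 when sshd listens off port 22, names allowed users, and refuses
# direct root login. Commented-out lines ("#Port 22") do not count.
sshd_hardened() {
    awk 'tolower($1) == "port"            { port = $2 }
         tolower($1) == "allowusers"      { users = NF - 1 }
         tolower($1) == "permitrootlogin" { root = tolower($2) }
         END { exit (port != "" && port != 22 && users > 0 && root == "no") ? 0 : 1 }' "$1"
}

# Constructed samples: a default install ("weak") and the same host after the
# /tmp and SSH steps from the list ("hard"). The username is made up.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf '%s\n' 'LABEL=/    /    ext3 defaults 1 1' \
              'LABEL=/tmp /tmp ext3 defaults 1 2' > "$WORK/fstab.weak"
printf '%s\n' 'LABEL=/    /    ext3 defaults               1 1' \
              'LABEL=/tmp /tmp ext3 defaults,noexec,nosuid 1 2' > "$WORK/fstab.hard"
printf '%s\n' '#Port 22' 'PermitRootLogin yes' > "$WORK/sshd.weak"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'AllowUsers aragonx' > "$WORK/sshd.hard"

for v in weak hard; do
    if tmp_mount_hardened "$WORK/fstab.$v"; then echo "fstab.$v: /tmp noexec,nosuid OK"
    else echo "fstab.$v: /tmp is not mounted noexec,nosuid"; fi
    if sshd_hardened "$WORK/sshd.$v"; then echo "sshd.$v:  port/AllowUsers/PermitRootLogin OK"
    else echo "sshd.$v:  default port, root login permitted, or no AllowUsers"; fi
done
```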