<snipping everything>

Okay, here's my personal take on the matter, for the $0.000002 that it's worth.

For production machines, sometimes control panels are required for the job. I'll preach against them, but that doesn't do much. If you install something like Cpanel to a system, you're adding a level of complexity. You're stepping over what's provided in the base, and adding to it. This means you need to not only know the base inside and out, but you need to know Cpanel inside and out as well.

So, let's go through the admin checklist:

1. Minimal packageset. Go through the rpms installed on your system and clean out ones that you don't need or don't use. Window managers, compilers, etc. have no business on a production box. If you need a compiler to install/update cpanel, you might want to look at the possibility of removing them after the install/update. If they stay on the system, you're only giving the attacker something else to use that he doesn't have to provide himself.

2. Regular updates and backups. Duh, but it still needs to be said. Too many people don't do this.

3. Config changes. Many default application settings are wide open. Make sure that you lock down or disable what you don't need. For example, in php things like allow_url_fopen, globals, etc. should be off. Safe Mode should be on if you can manage it within your application.

4. Permissions: Unix permissions by default are DAC style, where the user has the power to change permissions. Make sure that you stay on top of this and keep permissions in places like your webroot to the minimum needed to do the job. If you can, enable SELinux, which is MAC style permission, which enforces restrictions no matter what the user does.

5. Data input checking: SQL injections and other such annoyances can be avoided with proper input checking. Utilities like mod_security for apache are a must in my book. If you're able, go through the code for whichever app you're using and see if they're checking input properly.
Invest some time in mod_security and learning the rulesets. It's archaic, but the defaults are good, and they stay updated. If you're using a common app (phpbb or some such) you shouldn't have to tweak much to enjoy the protection of mod_security. (It's at centos.karan.org all packaged up for you. Thank karanbir for it.)

6. Log checking. Use logwatch or other such utilities and keep up on your logs. If someone's been poking at your site for a few days, and they've gone from getting loads of 40(3,4)'s to 302s or 200's.. you'll want to know about it.

Yes, this is tailored mostly to web services. There are loads of other things to do.. but these are the basics, and most people who get bitten aren't staying on top of them.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
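One way to script the check described in item 6 of the post above, as an added example that is not part of the original message and not logwatch's own logic: it parses Apache combined-format access_log lines (the sample lines, client addresses and paths below are constructed, not real traffic) and flags any client that piled up 403/404 responses and then started receiving 200/302.

```python
import re
from collections import defaultdict

# Constructed sample access_log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2007:13:55:36 -0700] "GET /admin.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2007:13:55:37 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2007:13:55:38 -0700] "GET /.htpasswd HTTP/1.1" 403 214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2007:13:55:39 -0700] "GET /cgi-bin/ HTTP/1.1" 403 214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2007:13:55:40 -0700] "GET /backup.tar.gz HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2007:13:56:02 -0700] "GET /uploads/new.php HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2007:13:57:01 -0700] "GET /index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2007:13:57:05 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2007:13:57:09 -0700] "GET /viewtopic.php?t=3 HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_lines(text):
    """Yield (ip, status, request) for every line that matches the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("status")), m.group("req")


def find_probe_then_success(text, min_errors=3):
    """Return {ip: (error_count, first_success_request)} for clients that
    accumulated at least min_errors 403/404 responses and afterwards received
    a 200 or 302, i.e. the "loads of 40x, then a 200" pattern worth reviewing."""
    errors = defaultdict(int)   # running 403/404 count per client
    flagged = {}
    for ip, status, req in parse_lines(text):
        if status in (403, 404):
            errors[ip] += 1
        elif status in (200, 302) and errors[ip] >= min_errors and ip not in flagged:
            flagged[ip] = (errors[ip], req)
    return flagged


if __name__ == "__main__":
    for ip, (count, req) in find_probe_then_success(SAMPLE_LOG).items():
        print(f"{ip}: {count} x 403/404, then success on {req!r}")
```

On a real box, feed it the contents of /var/log/httpd/access_log and tune min_errors to the level of normal 404 noise (missing favicons, broken links) your site generates.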