Re: Security checklist for new Centos server?




On 7/20/07, M. Fioretti <mfioretti@xxxxxxxxx> wrote:
> Greetings, everybody
>
> I've browsed around a bit, but there seems to be no single practical
> list of this kind.


My first point is going over the long list
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out
what meets the local environment.

> What would you do to make a new Centos server which must run apache,
> IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains
> as secure from attacks as possible, using only standard RPM packages
> as much as possible?
>
> (Please note that choice of other IMAP and SMTP servers is not
> possible in my case, for a lot of reasons really not pertinent on the
> list, so let's not go there, please)
>
> Here's a first absolutely incomplete draft off the top of my head:
>
> - remove as many unnecessary packages as possible (best way to find
>   them?)
>
> - install dovecot (not included in centos, IIRC) and other extra
>   packages you do need
>
> - run yum update
>
> - enable long passwords
>
> - set up only ssh2 on a non standard port


Depending on the environment, I have found that this is not a useful
tool. The problems I have encountered are that it just turns off some
of the attacks. But if the target is considered worthwhile it does
nothing, as a slow nmap will point out that SSH is running on another
port.

The problems I have with security through obscurity is that too many
people rely on it too much. [Oh I will put ssh on the telnet port as
no one would explain that.. and that way I can use a 5 letter
password.]

Other issues are that it can flag other security tools that might be
used in an environment looking for non-standard traffic.

> - set up Single Packet Authorization?


I do not know enough about this to answer, but its name does not imbue
trust in me :). [E.G. I would believe more in a 3-5 packet approach.
Query, ReverseQuery, Answer-To-RQuery, Authorization]

> - set up iptables (what would the safest iptables script be to do all
>   and only the services listed above?)


I think that if security is essential, then one should know iptables
first.. then use a script. Not knowing iptables and relying on a
script usually ends up with lots of email to some firewall list about
why I can't talk to my remote server anymore.


> - what else?
>
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.
>
> TIA,
>         Marco
> --
> The Family Guide to Digital Freedom:           http://digifreedom.net
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos



--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
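Stephen's advice above is to understand iptables before trusting a script. The following is an added example, written for this page and not taken from either message in the thread: a small shell script that generates, rather than applies, an iptables-restore ruleset for exactly the services Marco listed (SSH, Apache, Postfix, Dovecot). It sets a default-deny INPUT policy, accepts established traffic statefully, rate-limits new SSH connections per source, and opens only the web and mail ports. The port numbers, the SSH_ADMIN_NET variable and the SERVICES list are assumptions to adjust for your host; read the generated output before feeding it to iptables-restore.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# host that exposes only SSH, HTTP/HTTPS, SMTP and IMAP. Nothing is applied by
# this script; review the output, then feed it to iptables-restore.

# Assumed settings; adjust for the host.
SSH_PORT="${SSH_PORT:-22}"
SSH_ADMIN_NET="${SSH_ADMIN_NET:-0.0.0.0/0}"   # narrow to your management network if you can

# TCP services the box is allowed to serve, one "name:port" per word
# (Apache 80/443, Postfix 25/587, Dovecot 143/993; assumed for this example).
SERVICES="http:80 https:443 smtp:25 submission:587 imap:143 imaps:993"

# Print the complete ruleset in iptables-restore format to stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (stateful tracking)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# a new TCP connection must start with SYN; anything else is bogus
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# rate-limited ping so the box stays reachable for diagnostics
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# SSH from the admin net only, at most 3 new connections per source per minute
-A INPUT -p tcp -s $SSH_ADMIN_NET --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp -s $SSH_ADMIN_NET --dport $SSH_PORT -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp -s $SSH_ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
    for svc in $SERVICES; do
        name=${svc%%:*}
        port=${svc##*:}
        printf '# %s\n-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$name" "$port"
    done
    cat <<EOF
# log a sample of what is about to be dropped, then drop it
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Number of ACCEPT rules for new connections: a quick sanity check that the
# ruleset opens exactly SSH plus the listed services and nothing more.
count_service_rules() {
    gen_rules | grep -c -- '--state NEW -j ACCEPT'
}

# Usage: sh gen-firewall.sh > rules && less rules && iptables-restore < rules
gen_rules
```

On CentOS the applied ruleset is persisted with `service iptables save`. Note that restricting `SSH_ADMIN_NET` to a management network addresses Stephen's objection in a way a non-standard port cannot: a moved daemon is still found by a scan, while a source filter drops the connection attempt outright.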
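Marco's first bullet asks for the best way to find packages that should not be on the box. One practical starting point is to list what is actually listening and compare it with what the server is supposed to serve; anything else points at a daemon, and via `rpm -qf` at a package, to remove. The script below is an added example for this page, not code from the thread; the ALLOWED_PORTS list and the sample netstat output are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: compare the TCP listeners a box actually
# has with the services it is supposed to run, so leftover daemons show up
# before the package-removal pass. Input is `netstat -tlnp` output on stdin
# (run as root so the program column is populated).

# Ports the box in Marco's description is expected to serve (assumed list):
# sshd, Postfix (25/587), Apache (80/443), Dovecot (143/993)
ALLOWED_PORTS="22 25 587 80 443 143 993"

# Print "port program" for every listening TCP socket whose port is not allowed.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # netstat -tlnp columns: proto recv-q send-q local foreign state pid/program
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # strip the address, keep the port
            prog = $7; sub(/^[0-9]+\//, "", prog)    # strip "pid/", keep the program name
            if (!(port in ok)) print port, prog
        }'
}

# Constructed sample of netstat -tlnp output for a freshly installed box;
# portmap and cupsd are the kind of leftovers the audit is meant to catch.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1300/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/httpd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1500/dovecot
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      900/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1000/cupsd'

# Run the audit over the constructed sample; prints the number of findings.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | grep -c .
}

# Usage on a real host:  netstat -tlnp | unexpected_listeners
# then for each finding: rpm -qf "$(command -v PROGRAM)"  to see which package owns it.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

On the sample this reports `111 portmap` and `631 cupsd`, neither of which a mail-and-web box needs; the same loop run against the real `netstat -tlnp` output, followed by `rpm -qf` on each program, is a repeatable way to build the removal list rather than guessing at package names.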
