Re: Hardening




Jim Perrin wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>> <mailinglists@xxxxxxxxxxxxxxx> wrote:
>>> Hi All,
>>>
>>> What tips does everyone have on hardening a CentOS Server that is
>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>> processing payments from www?
>> NSA hardening guidelines would be a good start. The CIS hardening
>> guidelines would be also good. After that you want to look at specific
>> hardening guidelines for apache
> 
> The NSA guide is a very good start, and
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
> it rather well.
> You might also want to have a look at the DoD STIG guidelines, though
> reading them will make your eyes bleed.
> 

For php, you really want to run php built with the suhosin patch and run 
the suhosin module as well.

I'm not sure, but I seem to recall there being a suhosin patched php 
either in testing or centos plus.

Assuming you run php.

I can't really comment on the others.

One of the nice things about suhosin is it does transparent encryption 
of cookies / sessions (you can tweak it) making things like session 
theft a lot more difficult.

I believe the suhosin patch/module is standard in BSD ports; I'm not sure 
why it isn't standard in RHEL (maybe because it can cause issues with 
some php accelerators?)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
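As an added illustration that is not part of the thread: a php.ini / suhosin.ini fragment turning on the transparent session and cookie encryption mentioned above. The directive names are taken from suhosin's own documentation as I recall it (an assumption, not something stated in the post); the key values are placeholders.

```ini
; Added example, not from the thread: suhosin transparent session and
; cookie encryption. Directive names follow suhosin's documentation as
; recalled here (assumption); key values are placeholders to replace.

[suhosin]
; Encrypt session data before it reaches the session store, so a copied
; session file or a leaked store entry does not expose plaintext data.
suhosin.session.encrypt = On
; Secret mixed into the session encryption key; use a long random value.
suhosin.session.cryptkey = REPLACE_WITH_LONG_RANDOM_SECRET
; Also bind the key to the client's User-Agent and the document root,
; so a stolen session blob cannot be replayed from a different client.
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On

; Cookie encryption is off by default; turning it on stops the browser
; (and anything that steals the cookie) from reading cookie contents.
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = REPLACE_WITH_DIFFERENT_RANDOM_SECRET
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
; Cookies that other software (e.g. a non-PHP component) must read in
; the clear are listed here; placeholder name shown.
suhosin.cookie.plainlist = EXAMPLE_LEGACY_COOKIE
```

Restart httpd after editing and confirm the active values with `php -i | grep suhosin`; cookie encryption will break any non-PHP code that expects to read those cookies unless they are on the plain list.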
