sean finney on 3 Feb 2005 21:30:04 -0000



Re: [PLUG] Basic Post-Install Config?


hi marc,

On Thu, Feb 03, 2005 at 02:27:57PM -0500, jazzman@exdomain.org wrote:
> Is there any "definitive" set of steps one should ALWAYS follow to tighten 
> up security on a linux box after a fresh install?

there are certainly guidelines and principles you should follow, but
there's no definitive answer just as there's no definitive definition
of what "security" means.

> A friend of mine is running a machine (as am I, actually) that is a linux 
> box that will host mail(smtp and imap), web, and ssh servers. Mysql will 
> also be running for the CMS we use, that really only needs to be 
> accessible from behind the firewall/router. Our comm lines (his is cable, 
> mine is dsl) go right from the modem to a hardware router/firewall which 
> then NATs our servers out to the world with a few ports forwarded (80, 25, 
> 22, and the imap port... 143 i think?). All other ports are dropped at the 
> router.

so, the very first thing you should do is make a list of the services
running on the machine that you want to be able to access.  of these
services, you should list from where and to whom you want to grant
access, and then configure the applications accordingly.  

for example, there's a good chance that you don't need to enable network
access to your mysql server if you're just using a php/mysql app, so
adding the "skip-networking" option to my.cnf would be appropriate.
if you only want to allow local 192.168/16 traffic to your apache
server, you can tell your httpd to only bind to your internal ethernet
interface.  these are just two examples, to give you an idea.

in general, googling on an application by application basis ("securing
php" vs "securing linux") will provide you with some pretty good
results.

you should also consider disabling/removing any unnecessary
software/services.  to help determine what's running that you might
not know about, look into tools such as netstat, lsof, and nmap.

something else to consider is of the stuff you do want to make network
accessible, how it is accessed.  is it password protected?  is the
password encrypted?  for example, consider using ssl-enabled imap or
ssh-tunnelled imap instead of regular imap.

after all of this, write some iptables firewall rules to add an
extra layer of security.  be as restrictive as you feel is appropriate.
for my servers, for example, i block not only incoming traffic
but traffic created by my own machine, with only specifically
listed exceptions in either direction.

also, depending on what distribution you are using, there may be
some helpful tips specific to your flavour of gnu/linux.  for example,
debian provides a "Securing Debian Manual" off of their website[1],
which is a good read.


hth
	sean

[1] http://www.debian.org/doc/user-manuals#securing
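As an added example for the two points above (list what is listening, then check that the non-public services are actually off the network), here is a small shell script that is not part of sean's reply. It parses `ss -Hltn` output (the modern replacement for `netstat -ltn`), flags any socket bound to all interfaces whose port is not one the router is meant to forward, and checks a my.cnf for `skip-networking` in the `[mysqld]` section. The socket listing and the two my.cnf fragments are constructed sample data; the port list 22/25/80/143 comes from the question.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post).
# Inventory of listening TCP sockets: anything bound to the wildcard address
# that is NOT one of the ports the router forwards gets flagged, so a mysqld
# that quietly listens on 0.0.0.0 stands out.
#
# Input is the output of `ss -Hltn` (one socket per line, 4th column is
# Local Address:Port). On the real box:  ss -Hltn | audit_listeners 22 25 80 143
# The lines below are constructed sample data for this example.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:143 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 192.168.1.10:11211 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# audit_listeners PORT... : read ss output on stdin; print one line per
# socket bound to all interfaces whose port is not in the argument list
# (EXPOSED) or bound to a specific non-loopback address (INTERNAL).
# Returns 1 if anything was EXPOSED, 0 otherwise.
audit_listeners() {
    allowed=" $* "
    rc=0
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        addr=${laddr%:*}      # everything before the last colon
        port=${laddr##*:}     # everything after it
        case "$addr" in
            0.0.0.0|'*'|'[::]')
                case "$allowed" in
                    *" $port "*) ;;   # one of the intended public services
                    *) echo "EXPOSED  port $port bound to $addr"; rc=1 ;;
                esac ;;
            127.0.0.1|'[::1]')
                ;;                    # loopback only: not reachable remotely
            *)
                echo "INTERNAL port $port bound to $addr" ;;
        esac
    done
    return $rc
}

# mysql_networking_disabled FILE : true if FILE (a my.cnf) carries
# skip-networking (or skip_networking) inside the [mysqld] section, which is
# the setting that keeps mysqld off the network entirely.
mysql_networking_disabled() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/) }
        in_mysqld && (/^[ \t]*skip[-_]networking$/ || /^[ \t]*skip[-_]networking[ \t=]/) { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Constructed my.cnf fragments: the first is what the post recommends,
# the second still listens on every interface.
MYCNF_OK='[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
skip-networking
'
MYCNF_BAD='[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
'

# Demonstration run on the constructed listing.
printf '%s\n' "$SAMPLE_SS" | audit_listeners 22 25 80 143 \
    || echo "exit status $?: something listens that the router should not reach"
```

On the sample data the script reports port 3306 as EXPOSED (mysqld bound to 0.0.0.0) and port 11211 as INTERNAL (bound only to the LAN address); the loopback-only CUPS socket on 631 is not mentioned. For the apache case in the post, binding to the internal interface is the `Listen` directive, e.g. `Listen 192.168.1.10:80` (the address is an assumption for illustration), after which the same audit shows port 80 as INTERNAL rather than EXPOSED.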

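For the iptables step, here is an added example (again not code from the original post) that builds the kind of ruleset sean describes: default DROP on both INPUT and OUTPUT, with only explicitly listed exceptions in either direction. It prints the ruleset in iptables-restore format rather than applying it; the interface name eth0 and the outbound services (DNS, SMTP delivery, NTP, http/https for package updates) are assumptions for this example, and the inbound ports are the four from the question.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post).
# Emit a default-deny iptables ruleset in iptables-restore format. INPUT and
# OUTPUT are both dropped by default; every permitted flow is listed explicitly.
# Nothing is applied here; load the output as root with
#   sh rules.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4

WAN_IF=eth0     # interface facing the router (assumption for this example)

# make_ruleset PORT... : rules for a host that serves the given TCP ports
# to the world (the ports the router forwards) and nothing else.
make_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is unrestricted; daemons bound to 127.0.0.1 (e.g. mysqld) need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already accepted in the other direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop packets the connection tracker cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # new inbound connections: only the forwarded service ports
    for p in "$@"; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# rate-limited ping so the box stays diagnosable
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# outbound: only what the host itself needs (assumed set for this example)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# log what the default policy is about to drop, rate-limited, so mistakes show up
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# Usage: the four ports the router forwards in the question.
make_ruleset 22 25 80 143
```

Because OUTPUT is dropped by default, anything the machine itself initiates and that is not listed (a cron job fetching over ftp, a compromised CGI script phoning home) shows up as an OUT-DROP log line instead of silently working. When loading rules like these over ssh, keep a second session open and start something like `sleep 120 && iptables -P INPUT ACCEPT && iptables -F` in the background first, then kill it once you have confirmed you can still log in.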

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug