[sclug] Securing a server
Tom Chance
tom at acrewoods.net
Mon Sep 5 18:07:10 UTC 2005
Ahoy,
Thanks for all those tips, I'm reading about & considering them now. It's nice
to be able to simply deny connections from a spammer who's been pissing us
off for the past couple of weeks :D
Regards,
Tom
On Monday 05 Sep 2005 13:34, Alex Butcher wrote:
> On Mon, 5 Sep 2005, Tom Chance wrote:
> > I've got a VM and I'm looking into further securing it at the moment.
> > I've got the basics - only necessary services running, no root ssh login,
> > permissions on files as tight as possible, basic configurations in
> > servers to block typical attacks, require encrypted connections, etc.
> >
> > I've started by looking at mod_security and mod_dosevasive for Apache
> > after the server got hit with 60,000 requests in four days by a spammer.
> > I've also idly browsed some pages about clever firewall scripts and
> > Intrusion Detection Systems.
> >
> > What would people's recommendations be? Where to start in proactively
> > tightening security?
>
> - Configure TCP_WRAPPERS (i.e. hosts.deny/hosts.allow) and/or iptables
> (preferably the latter) to only permit SSH from known-safe IP addresses and
> ranges.
>
> - Be careful about what server-side code you run (e.g. do some research on
> the security track record of any pre-written PHP packages you plan to
> install - some are truly awful). If the code is not for general
> consumption, use .htaccess to block access from the rest of the Internet.
>
> - Disable all superfluous network services (r-services, CUPS, portmap, NFS,
> samba) and restrict access to the minimum set of source addresses for those
> that are necessary (restating of rule 1 above)
>
> - Consider configuring SELinux in enforcing mode. Fedora and CentOS/RHEL
> include SELinux and a pretty good base configuration, these days.
>
> Beyond those basics:-
>
> - Consider using various unofficial kernel patches (e.g. grsecurity) to
> further harden the OS.
>
> - Checksum each file before putting into production and keep the checksums
> offline. In the event of suspected compromise, compare checksums.
>
> - Consider using netfilter/iptables and the setgid bit to restrict the type
> of connections that binaries can make and accept (e.g. browsers should
> never accept incoming FTP connections -
> <http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=browno
>rifice>).
>
> > Regards,
> > Tom
>
> HTH,
> Alex.
--
I'm aware that e-mails to me may be blocked by my host
because they are mistaken as spam. If this happens,
please e-mail me at: telex4 at yahoo.com
More information about the Sclug
mailing list