[CentOS] new CentOS 5 as DNS server

pctech at mybellybutton.com pctech at mybellybutton.com
Thu Aug 2 15:07:24 UTC 2007 

Hi folks,

As a breather from the
"thread-now-wider-than-my-headers-window-in-thunderbird" conversation
re: mixing repos, I have a question regarding a machine I'm about to put
online. :)

I run a web hosting company and my secondary (primary to the world) DNS
box died from a massive rootkit/hack last night.  It was running an old
Slackware 9.1 installation and I will be completely cleaning those
drives sector-by-sector.  After which I'll be installing CentOS 5 on
that hardware.

As it will be a production server and this is my first foray into
CentOS/SELinux in a production environment I was hoping to get a
recommended list of what to include and, more specifically, what *not*
to include from the distro CDs

I will be doing a text based install, hoping to avoid the installation
of X.  Other than BIND and vsftpd, I don't think I need much.  This
machine will be pulling zone files from my primary web server and
storing some archive files and backups for me.

I'm dilligently R`ingTFMs, and will continue to.... I'd sure be
appreciative of any jumpstart help and/or any pitfalls of which to be
cognizant.

-----------------------------------------------------------------

Sorry for my broken ass webmail, but I don't have access to a real mail client at the moment.


Personally I would recommend against installing any service that isn't absolutely necessary.  Such as FTP.  On a DNS server, if that's all it is going to be, there is no need for FTP services.  If you need to upload things to the server, use scp, which is a part of SSH.  The install is going to add alot of services that you probably won't need on the server, such as sendmail.  Shut down any service that you don't need.  The fewer services running the fewer attack vectors.  You will never get it "hack proof".  What you will get is something that "script kiddies" may not bother with in favor of easier targets.  Like the old saying goes, "You don't have to run faster than the cheetah.  You just have to run faster than the man running next to you."

I would also, if possible, disallow root logins to the server via SSH.  Configure it so that you have to log in as a normal restricted user and then su to root.

------------------------------------------------------------------

TIA,
~Ray
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

More information about the CentOS mailing list