On 7/20/07, M. Fioretti mfioretti@mclink.it wrote:
Greetings, everybody
I've browsed around a bit, but there seems to be no single practical list of this kind.
My first point is going over the long list http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out what meets the local environment.
What would you do to make a new Centos server which must run apache, IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains as secure from attacks as possible, using only standard RPM packages as much as possible?
(Please note that choice of other IMAP and SMTP servers is not possible in my case, for a lot of reasons really not pertinent on the list, so let's not go there, please)
Here's a first absolutely uncomplete draft off the top of my head:
remove as many unnecessary packages as possible (best way to find them?)
install dovecot (not included in centos, IIRC) and other extra packages you do need
run yum update
enable long passwords
set up only ssh2 on a non standard port
Depending on the environment, I have found that this is not a useful tool. The problems I have encountered is that it just turns off some of the attacks. But if the target is considered worthwhile it does nothing as a slow nmap will point out that SSH is running on another port.
The problems I have with security through obscurity is that too many people rely on it too much. [Oh I will put ssh on the telnet port as no one would explain that.. and that way I can use a 5 letter password.]
Other issues are that it can flag other security tools that might be used in an environment looking for non-standard traffic.
- set up Single Packet Authorization?
I do not know enough about this to answer, but its name does not imbue trust in me :). [E.G. I would believe more in a 3-5 packet approach. Query, ReverseQuery, Answer-To-RQuery, Authorization]
- set up itables (what would the safest iptables script to do all and only the services listed above?
I think that if security is essential, then one should know iptables first.. then use a script. Not knowing iptables and relying on a script usually ends up with lots of email to some firewall list about why I cant talk to my remote server anymore.
- what else?
Feel free to rearrange, cut, add, give links, whatever: personally, I'm interested in securing the whole box, meaning how to glue things together in the safest possible way, without forgetting anything, while things like how to make Postfix not an open relay, for example, are already covered in detail in the Postfix docs.
TIA, Marco -- The Family Guide to Digital Freedom: http://digifreedom.net _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos