Jim Perrin wrote:
On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen smooge@gmail.com wrote:
On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
Hi All,
What tips does everyone have on hardening a CentOS Server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
NSA hardening guidelines would be a good start. The CIS hardening guidelines would be also good. After that you want to look at specific hardening guidelines for apache.
The NSA guide is a very good start, and http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements it rather well. You might also want to have a look at the DoD STIG guidelines, though reading them will make your eyes bleed.
For php, you really want to run php built with the suhosin patch and run the suhosin module as well.
I'm not sure, but I seem to recall there being a suhosin-patched php either in testing or CentOS Plus.
Assuming you run php.
I can't really comment on the others.
One of the nice things about suhosin is it does transparent encryption of cookies / sessions (you can tweak it) making things like session theft a lot more difficult.
I believe the suhosin patch/module is standard in BSD ports; I'm not sure why it isn't standard in RHEL (maybe because it can cause issues with some php accelerators??).