Hi All,
What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
-Jason
On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> Hi All,
> What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen smooge@gmail.com wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > Hi All,
> > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
The NSA guide is a very good start, and http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements it rather well. You might also want to have a look at the DoD STIG guidelines, though reading them will make your eyes bleed.
On Fri, May 1, 2009 at 11:14 AM, Jim Perrin jperrin@gmail.com wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen smooge@gmail.com wrote:
> > On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > > Hi All,
> > > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> > NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
> The NSA guide is a very good start, and http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements it rather well. You might also want to have a look at the DoD STIG guidelines, though reading them will make your eyes bleed.
Bah, the STIGs are wonderful things... they make my heart sing.
Jim Perrin wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen smooge@gmail.com wrote:
> > On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > > Hi All,
> > > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> > NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
> The NSA guide is a very good start, and http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements it rather well. You might also want to have a look at the DoD STIG guidelines, though reading them will make your eyes bleed.
For PHP, you really want to run PHP built with the Suhosin patch and run the Suhosin module as well.
I'm not sure, but I seem to recall there being a Suhosin-patched PHP either in testing or CentOS Plus.
Assuming you run PHP.
I can't really comment on the others.
One of the nice things about Suhosin is that it does transparent encryption of cookies/sessions (you can tweak it), making things like session theft a lot more difficult.
I believe the Suhosin patch/module is standard in BSD ports; I'm not sure why it isn't standard in RHEL (maybe because it can cause issues with some PHP accelerators?).
On Sat, May 2, 2009 at 11:28 AM, Michael A. Peters mpeters@mac.com wrote:
> Jim Perrin wrote:
> > On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen smooge@gmail.com wrote:
> > > On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > > > Hi All,
> > > > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> > > NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
> > The NSA guide is a very good start, and http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements it rather well. You might also want to have a look at the DoD STIG guidelines, though reading them will make your eyes bleed.
> For PHP, you really want to run PHP built with the Suhosin patch and run the Suhosin module as well.
> I'm not sure, but I seem to recall there being a Suhosin-patched PHP either in testing or CentOS Plus.
> Assuming you run PHP.
> I can't really comment on the others.
> One of the nice things about Suhosin is that it does transparent encryption of cookies/sessions (you can tweak it), making things like session theft a lot more difficult.
> I believe the Suhosin patch/module is standard in BSD ports; I'm not sure why it isn't standard in RHEL (maybe because it can cause issues with some PHP accelerators?).
I think there are issues with Suhosin vs. Zend Optimizer (other encoders/loaders/decoders may have issues as well). I tested PHP with Suhosin enabled plus the APC accelerator and haven't had a problem; eAccelerator will probably work just fine with it too. There's an RPM for Suhosin compatible with the PHP version in RHEL5/CentOS 5 at: http://repo.redhat-club.org/redhat/5/i386/
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Stephen John Smoogen wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > Hi All,
> > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
And we have our very own wiki guide for hardening SSH:
http://wiki.centos.org/HowTos/Network/SecuringSSH
As for ftp - disable it, IMHO :)
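The SecuringSSH wiki page above boils down to a handful of sshd_config directives: protocol 2 only, no root login, key-based rather than password logins, and an explicit list of who may connect. As an added example (my own, not code from the thread or the wiki), here is a small POSIX sh audit that reads a config file the way sshd does (first active occurrence of a directive wins, comments ignored) and reports each setting that is weaker than that advice. The function names, the choice of directives, and the two sample config files it constructs are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the CentOS wiki: audit an
# sshd_config against the settings the SecuringSSH page is about. The
# function names and the two sample configs below are constructed here.

# Print the value of the first active (uncommented) occurrence of a directive.
# sshd honours the first occurrence, so later duplicates are ignored. Reads the
# config from stdin and prints nothing if the directive is not set at all.
sshd_directive() {
    awk -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    '
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# One "WEAK:" line per setting that leaves sshd more exposed than the wiki
# recommends. Unset directives are judged by sshd's compiled-in defaults.
# Always returns 0 so the output can be counted under set -e.
audit_sshd_config() {
    cfg="$1"

    proto=$(sshd_directive Protocol < "$cfg")
    [ "$proto" = "2" ] || \
        echo "WEAK: Protocol is '${proto:-unset}'; set it to exactly 2 so SSH-1 is never offered"

    root=$(sshd_directive PermitRootLogin < "$cfg")
    [ "$(lower "${root:-yes}")" = "no" ] || \
        echo "WEAK: PermitRootLogin is '${root:-unset, defaults to yes}'; set it to no and use sudo"

    pw=$(sshd_directive PasswordAuthentication < "$cfg")
    [ "$(lower "${pw:-yes}")" = "no" ] || \
        echo "WEAK: PasswordAuthentication is '${pw:-unset, defaults to yes}'; switch to key-based logins"

    if [ -z "$(sshd_directive AllowUsers < "$cfg")" ] && \
       [ -z "$(sshd_directive AllowGroups < "$cfg")" ]; then
        echo "WEAK: no AllowUsers/AllowGroups; every local account may attempt a login"
    fi
    return 0
}

# Number of WEAK findings for a config file (0 means nothing was flagged).
count_weak_sshd_settings() {
    audit_sshd_config "$1" | grep -c '^WEAK:' || true
}

# Constructed sample: everything commented out, i.e. compiled-in defaults.
write_default_sample() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
EOF
    echo "$f"
}

# Constructed sample: the same file after following the wiki's advice.
write_hardened_sample() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers jason admin
UsePAM yes
EOF
    echo "$f"
}

# Stand-alone demo: audit both constructed samples and clean up.
for f in "$(write_default_sample)" "$(write_hardened_sample)"; do
    echo "== $f"
    audit_sshd_config "$f"
    echo "weak settings: $(count_weak_sshd_settings "$f")"
    rm -f "$f"
done
```

To audit a live box, call `audit_sshd_config /etc/ssh/sshd_config` as root. The parser deliberately mirrors sshd's first-match rule, so a hardened line added below a default one is reported as ineffective; it does not understand `Match` blocks, and a non-default `Port` only moves scanners along rather than keeping them out, which is why the audit does not treat it as a hardening measure.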
Stephen John Smoogen wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > Hi All,
> > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> NSA hardening guidelines would be a good start.
Extremely good start; there are two useful documents here specific to RHEL5:
here -> http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_syste...
On May 1, 2009, at 12:22 PM, Stephen John Smoogen smooge@gmail.com wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > Hi All,
> > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> NSA hardening guidelines would be a good start. The CIS hardening guidelines would also be good. After that you want to look at specific hardening guidelines for Apache.
Also, using Xen to build out a CentOS PV guest for each of the separate functions, while hardening the main dom0 host to the teeth, would allow you to zone the risks between the virtual hosts.
-Ross
Jason Todd Slack-Moehrle wrote:
> Hi All,
> What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> -Jason
Linux Server Security is one I'm reading through right now. Covers most of the bases.
http://www.amazon.com/Linux-Server-Security-Michael-Bauer/dp/0596006705
-- Ryan Duff
web: http://www.ryanduff.net
aim: ryancduff
twitter: ryancduff
On Fri, May 1, 2009 at 11:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
I was out of town and I just read your post. I would strongly suggest that you download the free manual about hardening RHEL 5, in .pdf form, from nsa.gov. As I recall, they do *NOT* recommend running more than one service on a server, if possible, among many other recommendations. Search for "Guide to the Secure Configuration of Red Hat Enterprise Linux 5", Revision 2, December 20, 2007. HTH
It also depends on which service you are running on the server. It depends on what you are running.... etc....
On Fri, May 8, 2009 at 4:59 PM, Lanny Marcus lmmailinglists@gmail.com wrote:
> On Fri, May 1, 2009 at 11:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> > What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
> I was out of town and I just read your post. I would strongly suggest that you download the free manual about hardening RHEL 5, in .pdf form, from nsa.gov. As I recall, they do *NOT* recommend running more than one service on a server, if possible, among many other recommendations. Search for "Guide to the Secure Configuration of Red Hat Enterprise Linux 5", Revision 2, December 20, 2007. HTH
On Fri, May 1, 2009 at 11:19 AM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
> What tips does everyone have on hardening a CentOS server that is running web, e-mail, ssh, ftp, mysql, coldfusion and will be processing payments from www?
Jason: In addition to the other recommendations in this thread, IMHO, you should contemplate offloading the credit card processing to a company that has the expertise and network required to try to protect that data. Lanny