Hi folks,
As a breather from the "thread-now-wider-than-my-headers-window-in-thunderbird" conversation re: mixing repos, I have a question regarding a machine I'm about to put online. :)
I run a web hosting company and my secondary (primary to the world) DNS box died from a massive rootkit/hack last night. It was running an old Slackware 9.1 installation and I will be completely cleaning those drives sector-by-sector. After which I'll be installing CentOS 5 on that hardware.
As it will be a production server and this is my first foray into CentOS/SELinux in a production environment, I was hoping to get a recommended list of what to include and, more specifically, what *not* to include from the distro CDs.
I will be doing a text based install, hoping to avoid the installation of X. Other than BIND and vsftpd, I don't think I need much. This machine will be pulling zone files from my primary web server and storing some archive files and backups for me.
I'm diligently R'ingTFMs, and will continue to... I'd sure be appreciative of any jumpstart help and/or any pitfalls of which to be cognizant.
-----------------------------------------------------------------
Sorry for my broken ass webmail, but I don't have access to a real mail client at the moment.
Personally I would recommend against installing any service that isn't absolutely necessary, such as FTP. On a DNS server, if that's all it is going to be, there is no need for FTP services. If you need to upload things to the server, use scp, which is a part of SSH. The install is going to add a lot of services that you probably won't need on the server, such as sendmail. Shut down any service that you don't need. The fewer services running, the fewer attack vectors. You will never get it "hack proof". What you will get is something that "script kiddies" may not bother with in favor of easier targets. Like the old saying goes, "You don't have to run faster than the cheetah. You just have to run faster than the man running next to you."
I would also, if possible, disallow root logins to the server via SSH. Configure it so that you have to log in as a normal restricted user and then su to root.
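A small audit script for the two points in this reply (fewest services possible, no root logins over SSH), added here as an example and not part of the thread. It runs against constructed sample files standing in for /etc/ssh/sshd_config and the output of `chkconfig --list`; the service allowlist and the user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a CentOS 5 style box against the
# advice above (no root SSH logins, no services beyond an allowlist).
# Inputs are constructed samples; on a real host point the functions at
# /etc/ssh/sshd_config and at the saved output of `chkconfig --list`.
SAMPLE_DIR=$(mktemp -d)

# Constructed sshd_config as the installer leaves it (directive commented out).
cat > "$SAMPLE_DIR/sshd_config.default" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
EOF
# Constructed sshd_config after the recommended change: log in as a user, then su.
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
PermitRootLogin no
EOF
# Constructed `chkconfig --list` output. xinetd entries use another format
# and carry no "3:on" field, so they are ignored here.
cat > "$SAMPLE_DIR/chkconfig.txt" <<'EOF'
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF

# Effective PermitRootLogin: the last uncommented directive wins. With none
# present, OpenSSH of that era defaulted to "yes", so absence reports "yes".
permit_root_login() {
    val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | tail -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then echo "$val"; else echo "yes"; fi
}

# Services enabled in runlevel 3 (multi-user, no X) that are not on the
# allowlist. $1 = file with chkconfig output, $2 = space-separated allowlist.
unexpected_services() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /3:on/ && !($1 in ok) { print $1 }' "$1"
}

# Verdict for one host: 0 when both checks pass, 1 otherwise.
audit_host() {
    status=0
    [ "$(permit_root_login "$1")" = "no" ] || { echo "FAIL: root SSH login permitted"; status=1; }
    extra=$(unexpected_services "$2" "$3")
    [ -z "$extra" ] || { echo "FAIL: unneeded services enabled:" $extra; status=1; }
    return $status
}

audit_host "$SAMPLE_DIR/sshd_config.default" "$SAMPLE_DIR/chkconfig.txt" "sshd named" || echo "host not yet hardened"
```

The sample box fails both checks as installed: root login is still permitted by default and sendmail is on in runlevel 3 even though only sshd and named are wanted.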
------------------------------------------------------------------
TIA, ~Ray
------------------------------------------------------------------
I want to share my DNS experience.
htt-consult.com, labs.htt-consult.com and a couple of test sub-zones are being served from this box.
I installed EVERYTHING that bespoke of BIND, well almost everything. I wanted to make sure I had any file I might need.
[log]# grep bind rpmpkgs
bind-9.3.3-9.0.1.el5.i386.rpm
bind-chroot-9.3.3-9.0.1.el5.i386.rpm
bind-libs-9.3.3-9.0.1.el5.i386.rpm
bind-utils-9.3.3-9.0.1.el5.i386.rpm
system-config-bind-4.0.3-2.el5.centos.noarch.rpm
[log]# grep bind yum.log
Aug 03 18:00:20 Updated: bind-libs.i386 30:9.3.3-9.0.1.el5
Aug 03 18:01:07 Updated: bind.i386 30:9.3.3-9.0.1.el5
Aug 03 18:04:47 Updated: bind-utils.i386 30:9.3.3-9.0.1.el5
Aug 03 18:04:48 Updated: bind-chroot.i386 30:9.3.3-9.0.1.el5
Then I went to work in the following directories:
/var/named/chroot/etc and /var/named/chroot/var/named
I have determined that you can forget about any named.whatever file in /etc/ as the chroot is really what is run.
Here is my /var/named/chroot/etc (I have 2 views, external and internal):
named.rfc1912.zones (to find this and others, remember updatedb and locate are your friends)
named.acl
named.external
named.root <- wget ftp://ftp.rs.internic.net/domain/named.root
named.root.hints
named.caching-nameserver.conf <- not used, but what the heck...
named.internal
named.conf
rndc.key
Here is some of my /var/named/chroot/var/named files:
named.broadcast
named.ip6.local
named.local
named.zero
localdomain.zone
localhost.zone
Plus all of my specific zone and reverse files, both internal and external views.
Once I got this all built, I have had no trouble maintaining this with webmin.
I think this covers everything.
Happy BINDings!