Hi,
I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to set up a dedicated production server for our public libraries.
I wonder where to begin. I would say first thing is get a series of "auditing" tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that?
The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, other solution, can you recommend some good "reasonable" set of rules for a web server, for example?
Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in "Red Hat Enterprise Linux 5 Unleashed" by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions about this subject.
Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectancy of 500+ years :oD
Any suggestions?
Niki
On Feb 1, 2008 9:14 AM, Niki Kovacs <contact@kikinovak.net> wrote:
> Hi,
> I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to set up a dedicated production server for our public libraries.
Usually the default Linux setup already has good security rules enabled. The problems will come from you: what you will change, how you will reduce the security!
> I wonder where to begin. I would say first thing is get a series of "auditing" tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that?
nmap is the first step; Nessus is overkill if you have to learn it only to protect one server.
> The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, other solution, can you recommend some good "reasonable" set of rules for a web server, for example?
You will certainly have dynamic content, use PHP, ... You must first worry about the security of your web application! Use good settings in your php.ini, be careful about checking the validity of your user input ...
> Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in "Red Hat Enterprise Linux 5 Unleashed" by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions about this subject.
You have 3 modes for SELinux: disabled, permissive, enforcing. Set it to permissive, and then try to solve the few errors. When your server is stable (no more changes) and you have no new errors, switch to enforcing.
> Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectancy of 500+ years :oD
> Any suggestions?
> Niki
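The permissive-then-enforcing procedure suggested in the reply above, as an added example that is not part of either poster's message: while SELinux is permissive, summarise the AVC denials in the audit log, fix them, and switch to enforcing only once nothing new has been logged since the last fix. The function names and the sample log lines are constructed for illustration; the line layout assumed is that of `/var/log/audit/audit.log`.

```shell
#!/bin/sh
# Constructed sample lines in /var/log/audit/audit.log layout (not from a real host).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1201857240.101:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.php" dev=sda1 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1201857240.101:45): arch=40000003 syscall=5 success=yes exit=3 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1201857300.220:51): avc:  denied  { read } for  pid=2346 comm="httpd" name="lib.php" dev=sda1 ino=1202 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201943700.007:88): avc:  denied  { name_connect } for  pid=2400 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Group AVC denials on stdin by command, source type, target type, class and permission.
# Output: "<count> <comm> <source_type> <target_type> <class> <perms>", most frequent first.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        comm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        perms = $0; sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms); gsub(/ /, ",", perms)
        n[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Keep only AVC denials logged after epoch second $1 (for example, the time of your last fix).
avc_since() {
    awk -v since="$1" '
    /^type=AVC / && / denied / {
        ts = $0; sub(/^.*audit[(]/, "", ts); sub(/[.:].*$/, "", ts)
        if (ts + 0 > since + 0) print
    }'
}

# Exit status 0 when stdin holds no denial newer than $1: the "no new errors" condition.
no_new_denials() {
    [ -z "$(avc_since "$1")" ]
}

# On a real host, feed /var/log/audit/audit.log instead of the constructed sample.
sample_log | avc_summary
```

On the server itself, `getenforce` shows the current mode; once `no_new_denials` succeeds over a period of normal use, `setenforce 1` switches the running system to enforcing and `SELINUX=enforcing` in `/etc/selinux/config` makes it persistent.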