[CentOS] Recommendations for securing a webserver

Sat Feb 4 03:11:48 UTC 2006
Benjamin Smith <lists at benjamindsmith.com>


We're migrating a webserver from RedHat 7.x to CentOS 4.2. In the process, 
we'd like to improve security. 

We're currently planning on making sure SELinux is enabled, mounting the /tmp 
partition noexec, and running PHP in safe mode, hide_errors on, 
register_globals off by default. 

vsftpd is set to chroot logins. 

I've seen Apache run inside a chroot jail, but that was always very 
hassle-prone, and ironically, when security updates came out, they weren't 
applied within the chroot jail, (eg, installed via yum) making it more likely 
to get compromised! Is there an easier/better way to do this? Can you 
mix/match chroot'ed websites with those that aren't, without running a wholy 
separate webserver daemon? 

What other actions would the knowledgeable crowd here suggest? 

"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978