[CentOS] Security checklist for new Centos server?

M. Fioretti mfioretti at mclink.it
Fri Jul 20 20:33:18 UTC 2007

Greetings, everybody

I've browsed around a bit, but there seems to be no single practical
list of this kind.

What would you do to make a new Centos server which must run apache,
IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains
as secure from attacks as possible, using only standard RPM packages
as much as possible?

(Please note that choice of other IMAP and SMTP servers is not
possible in my case, for a lot of reasons really not pertinent on the
list, so let's not go there, please)

Here's a first absolutely uncomplete draft off the top of my head:

- remove as many unnecessary packages as possible (best way to find

- install dovecot (not included in centos, IIRC) and other extra
  packages you do need

- run yum update

- enable long passwords

- set up only ssh2 on a non standard port

- set up Single Packet Authorization?

- set up itables (what would the safest iptables script to do all and
  only the services listed above?

- what else?

Feel free to rearrange, cut, add, give links, whatever: personally,
I'm interested in securing the whole box, meaning how to glue things
together in the safest possible way, without forgetting anything,
while things like how to make Postfix not an open relay, for example,
are already covered in detail in the Postfix docs.

The Family Guide to Digital Freedom:           http://digifreedom.net

More information about the CentOS mailing list