[CentOS] Security checklist for new Centos server?
Stephen John Smoogen
smooge at gmail.com
Fri Jul 20 21:12:34 UTC 2007
On 7/20/07, M. Fioretti <mfioretti at mclink.it> wrote:
> Greetings, everybody
> I've browsed around a bit, but there seems to be no single practical
> list of this kind.
My first point is going over the long list
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out
what meets the local environment.
> What would you do to make a new Centos server which must run apache,
> IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains
> as secure from attacks as possible, using only standard RPM packages
> as much as possible?
> (Please note that choice of other IMAP and SMTP servers is not
> possible in my case, for a lot of reasons really not pertinent on the
> list, so let's not go there, please)
> Here's a first absolutely uncomplete draft off the top of my head:
> - remove as many unnecessary packages as possible (best way to find
> - install dovecot (not included in centos, IIRC) and other extra
> packages you do need
> - run yum update
> - enable long passwords
> - set up only ssh2 on a non standard port
Depending on the environment, I have found that this is not a useful
tool. The problems I have encountered is that it just turns off some
of the attacks. But if the target is considered worthwhile it does
nothing as a slow nmap will point out that SSH is running on another
The problems I have with security through obscurity is that too many
people rely on it too much. [Oh I will put ssh on the telnet port as
no one would explain that.. and that way I can use a 5 letter
Other issues are that it can flag other security tools that might be
used in an environment looking for non-standard traffic.
> - set up Single Packet Authorization?
I do not know enough about this to answer, but its name does not imbue
trust in me :). [E.G. I would believe more in a 3-5 packet approach.
Query, ReverseQuery, Answer-To-RQuery, Authorization]
> - set up itables (what would the safest iptables script to do all and
> only the services listed above?
I think that if security is essential, then one should know iptables
first.. then use a script. Not knowing iptables and relying on a
script usually ends up with lots of email to some firewall list about
why I cant talk to my remote server anymore.
> - what else?
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.
> The Family Guide to Digital Freedom: http://digifreedom.net
> CentOS mailing list
> CentOS at centos.org
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the CentOS