[CentOS] Security checklist for new Centos server?
Stephen John Smoogen
smooge at gmail.com
Fri Jul 20 21:12:34 UTC 2007
On 7/20/07, M. Fioretti <mfioretti at mclink.it> wrote:
> Greetings, everybody
>
> I've browsed around a bit, but there seems to be no single practical
> list of this kind.
>
My first point is going over the long list
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out
what meets the local environment.
> What would you do to make a new Centos server which must run apache,
> IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains
> as secure from attacks as possible, using only standard RPM packages
> as much as possible?
>
> (Please note that choice of other IMAP and SMTP servers is not
> possible in my case, for a lot of reasons really not pertinent on the
> list, so let's not go there, please)
>
> Here's a first absolutely incomplete draft off the top of my head:
>
> - remove as many unnecessary packages as possible (best way to find
> them?)
>
> - install dovecot (not included in centos, IIRC) and other extra
> packages you do need
>
> - run yum update
>
> - enable long passwords
>
> - set up only ssh2 on a non standard port
>
Depending on the environment, I have found that this is not a useful
tool. The problems I have encountered are that it just turns off some
of the attacks. But if the target is considered worthwhile it does
nothing, as a slow nmap will point out that SSH is running on another
port.
The problems I have with security through obscurity are that too many
people rely on it too much. [Oh, I will put ssh on the telnet port as
no one would explain that.. and that way I can use a 5 letter
password.]
Other issues are that it can flag other security tools that might be
used in an environment looking for non-standard traffic.
> - set up Single Packet Authorization?
>
I do not know enough about this to answer, but its name does not imbue
trust in me :). [E.G. I would believe more in a 3-5 packet approach.
Query, ReverseQuery, Answer-To-RQuery, Authorization]
> - set up iptables (what would be the safest iptables script to do all and
> only the services listed above?)
>
I think that if security is essential, then one should know iptables
first.. then use a script. Not knowing iptables and relying on a
script usually ends up with lots of email to some firewall list about
why I can't talk to my remote server anymore.
> - what else?
>
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.
>
> TIA,
> Marco
> --
> The Family Guide to Digital Freedom: http://digifreedom.net
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
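A worked example, added here and not part of the thread: a POSIX shell script that generates an iptables-restore ruleset opening only the services Marco listed (SSH, Postfix SMTP, Apache HTTP/HTTPS, Dovecot IMAP/IMAPS) on top of a default DROP policy, so the rules can be read and checked before they are loaded, in the spirit of "know iptables first, then use a script". The port numbers, the ICMP rule and the LOG/limit settings are assumptions to adjust for the local environment.

```shell
#!/bin/sh
# Constructed example (not from the thread): emit an iptables-restore
# ruleset that allows only the listed services and drops everything else.
# Review the output first, then load it with: gen_ruleset | iptables-restore

# Assumed service ports; SSH_PORT can be overridden from the environment.
SSH_PORT="${SSH_PORT:-22}"
TCP_SERVICES="$SSH_PORT 25 80 143 443 993"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and traffic belonging to already-established connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop packets that are not valid connection starts
-A INPUT -m state --state INVALID -j DROP
# allow ICMP echo so basic reachability checks keep working (assumption)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # one explicit accept per listed TCP service, new connections only
    for port in $TCP_SERVICES; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# log a rate-limited sample of what is dropped, then fall through to DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check: count the NEW-connection accept rules, which must match
# the number of services intended to be reachable from outside.
count_open_ports() {
    gen_ruleset | grep -c -- '--state NEW -j ACCEPT'
}
```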