[CentOS] Security checklist for new Centos server?

Fri Jul 20 21:12:34 UTC 2007
Stephen John Smoogen <smooge at gmail.com>

On 7/20/07, M. Fioretti <mfioretti at mclink.it> wrote:
> Greetings, everybody
>
> I've browsed around a bit, but there seems to be no single practical
> list of this kind.
>

My first point is going over the long list
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out
what meets the local environment.

> What would you do to make a new Centos server which must run apache,
> IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains
> as secure from attacks as possible, using only standard RPM packages
> as much as possible?
>
> (Please note that choice of other IMAP and SMTP servers is not
> possible in my case, for a lot of reasons really not pertinent on the
> list, so let's not go there, please)
>
> Here's a first absolutely incomplete draft off the top of my head:
>
> - remove as many unnecessary packages as possible (best way to find
>   them?)
>
> - install dovecot (not included in centos, IIRC) and other extra
>   packages you do need
>
> - run yum update
>
> - enable long passwords
>
> - set up only ssh2 on a non standard port
>

Depending on the environment, I have found that this is not a useful
tool. The problem I have encountered is that it just turns off some
of the attacks. But if the target is considered worthwhile it does
nothing, as a slow nmap will point out that SSH is running on another
port.

The problem I have with security through obscurity is that too many
people rely on it too much. [Oh I will put ssh on the telnet port as
no one would explain that.. and that way I can use a 5 letter
password.]

Other issues are that it can flag other security tools that might be
used in an environment looking for non-standard traffic.

> - set up Single Packet Authorization?
>

I do not know enough about this to answer, but its name does not imbue
trust in me :). [E.G. I would believe more in a 3-5 packet approach.
Query, ReverseQuery, Answer-To-RQuery, Authorization]

> - set up iptables (what would the safest iptables script be to do all and
>   only the services listed above?)
>

I think that if security is essential, then one should know iptables
first.. then use a script. Not knowing iptables and relying on a
script usually ends up with lots of email to some firewall list about
why I can't talk to my remote server anymore.


> - what else?
>
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.
>
> TIA,
>         Marco
> --
> The Family Guide to Digital Freedom:           http://digifreedom.net
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"