On 7/20/07, M. Fioretti <mfioretti at mclink.it> wrote:
> Greetings, everybody
>
> I've browsed around a bit, but there seems to be no single practical
> list of this kind.

My first point is going over the long list
http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out what
meets the local environment.

> What would you do to make a new CentOS server which must run apache,
> IMAP (Dovecot) and SMTP (Postfix) and nothing else for a few domains
> as secure from attacks as possible, using only standard RPM packages
> as much as possible?
>
> (Please note that choice of other IMAP and SMTP servers is not
> possible in my case, for a lot of reasons really not pertinent on the
> list, so let's not go there, please)
>
> Here's a first absolutely incomplete draft off the top of my head:
>
> - remove as many unnecessary packages as possible (best way to find
> them?)
>
> - install dovecot (not included in CentOS, IIRC) and other extra
> packages you do need
>
> - run yum update
>
> - enable long passwords
>
> - set up only ssh2 on a non standard port

Depending on the environment, I have found that this is not a useful
tool. The problem I have encountered is that it just turns off some of
the attacks. But if the target is considered worthwhile it does nothing,
as a slow nmap will point out that SSH is running on another port. The
problem I have with security through obscurity is that too many people
rely on it too much. [Oh, I will put ssh on the telnet port as no one
would expect that.. and that way I can use a 5 letter password.] Other
issues are that it can flag other security tools that might be used in
an environment looking for non-standard traffic.

> - set up Single Packet Authorization?

I do not know enough about this to answer, but its name does not imbue
trust in me :). [e.g. I would believe more in a 3-5 packet approach:
Query, ReverseQuery, Answer-To-RQuery, Authorization]

> - set up iptables (what would the safest iptables script to do all and
> only the services listed above?)

I think that if security is essential, then one should know iptables
first.. then use a script. Not knowing iptables and relying on a script
usually ends up with lots of email to some firewall list about why I
can't talk to my remote server anymore.

> - what else?
>
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.
>
> TIA,
> Marco
> --
> The Family Guide to Digital Freedom: http://digifreedom.net
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
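Added example, not part of the thread or written by either poster: a small POSIX shell function that emits a default-deny iptables ruleset in iptables-restore format, admitting only the services Marco lists (SSH, HTTP/HTTPS, SMTP, IMAP/IMAPS) and logging everything else before the INPUT policy drops it. The port numbers, the rate limit on logging and the default SSH port of 22 are assumptions; the SSH port is a parameter so a non-standard port can be used without editing the rules. Reading the generated rules before applying them is the point of Stephen's advice to know iptables before trusting a script.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-deny filter table
# for a host that runs only SSH, Apache, Postfix and Dovecot.
#
# Usage as root on a CentOS 5 era box (assumed paths):
#   gen_ruleset 22 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
#
# Everything not explicitly accepted falls through to the INPUT DROP policy.

gen_ruleset() {
    ssh_port="${1:-22}"                      # assumed default; pass another port if SSH was moved
    tcp_ports="$ssh_port 80 443 25 143 993"  # SSH, HTTP, HTTPS, SMTP, IMAP, IMAPS (assumed ports)

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF

    # One ACCEPT per listed service; new connections only, replies are
    # already covered by the ESTABLISHED,RELATED rule above.
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Rate-limited log of whatever was not accepted, then the DROP policy applies.
    cat <<EOF
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check before applying: how many ports does the ruleset open?
count_open_ports() {
    gen_ruleset "$1" | grep -c -- '--dport'
}
```

Review the output of `gen_ruleset` by eye before feeding it to iptables-restore; if the listening SSH port in the output is not the one sshd actually uses, the console is the only way back in.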