[CentOS] General questions about security

Alain Spineux aspineux at gmail.com
Fri Feb 1 13:06:06 UTC 2008


On Feb 1, 2008 9:14 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,
>
> I admit I never gave security that much thought, that is, except the
> most basic security rules like choosing good passwords, or reasonable
> file and directory permissions. But now I have to change that, since
> I'll soon have to setup a dedicated production server for our public
> libraries.

Usually a default Linux setup already has good security rules enabled.
The problems will come from you: what you will change, how you will
reduce the security!

>
> I wonder where to begin. I would say first thing is get a series of
> "auditing" tools such as, for example, the port scanner nmap, to test
> the firewall on the server. Any other ideas for that?

nmap is the first step, nessus is overkill if you have to learn it to
only protect one server.

>
> The firewall: CentOS includes a default firewall, where ports can be
> chosen using a simple graphical (or ncurses) tool. Is that solid enough
> for a web server? Or do you recommend diving into the innards of
> iptables? Or maybe, other solution, can you recommend some good
> "reasonable" set of rules for a web server, for example?

You will certainly have dynamic content, use PHP, ...
You must first worry about the security of your web application!
Use the good settings in your php.ini, be careful about checking
the validity of your user input ...

>
> Last but not least: SELinux. For the moment I don't use it. I read the
> chapter on SELinux in "Red Hat Enterprise Linux 5 Unleashed" by Tammy
> Fox, and I simply wonder if it's worth the pain. I'm curious about your
> opinions about this subject.

You have 3 modes for SELinux: disabled, permissive, enforcing.
Set it to permissive, and then try to solve the few errors.
When your server is stable (no more changes) and you have no new errors,
switch to enforcing.

>
> Maybe some good reads on security? That is, articles that don't require
> you to be a doctor in computer science to get a grasp of the subject?
> And also documentation that doesn't require me to have a life expectance
> of 500+ years
> :oD
>
> Any suggestions?
>
> Niki
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
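As an added illustration of the permissive-then-enforcing approach in the reply above (an example script, not from the thread or from CentOS): it counts and summarizes AVC denials in an audit log, here a constructed sample rather than a real /var/log/audit/audit.log, and reports whether the box is ready for enforcing.

```bash
#!/bin/bash
# Constructed sample of audit.log lines (not captured from a real host).
# In permissive mode every denial is logged but not blocked, so these are
# the "few errors" to resolve before switching to enforcing.
SAMPLE_AUDIT_LOG=$(mktemp)
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1201871166.123:45): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.php" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1201871166.123:45): arch=40000003 syscall=5 success=yes exit=3
type=AVC msg=audit(1201871170.456:46): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=USER_LOGIN msg=audit(1201871180.000:47): user pid=2400 uid=0 auid=500 msg='acct="niki": exe="/usr/sbin/sshd" res=success'
EOF

# Number of AVC denial records in the given audit log (0 when none).
count_avc_denials() {
    grep -c 'type=AVC .*avc: *denied' "$1" || true
}

# One line per distinct (program, permission, object class) with its count,
# most frequent first: the list of things to fix before enforcing.
summarize_avc_denials() {
    grep 'type=AVC .*avc: *denied' "$1" \
      | sed -n 's/.*denied  *{ \([^} ]*\) } .*comm="\([^"]*\)".*tclass=\([a-z_]*\).*/\2 \1 \3/p' \
      | sort | uniq -c | sort -rn
}

# Recommended mode: stay permissive while denials remain, otherwise enforcing.
# Switching for real means `setenforce 1` plus SELINUX=enforcing in
# /etc/selinux/config; this script only reports, it changes nothing.
selinux_next_step() {
    local n
    n=$(count_avc_denials "$1")
    if [ "$n" -eq 0 ]; then
        echo "enforcing"
    else
        echo "permissive"
    fi
}

summarize_avc_denials "$SAMPLE_AUDIT_LOG"
echo "recommended mode: $(selinux_next_step "$SAMPLE_AUDIT_LOG")"
```

Point the functions at /var/log/audit/audit.log on the server to run the same check against real denials.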
