[CentOS] Hardening

Michael A. Peters mpeters at mac.com
Sat May 2 10:28:53 UTC 2009


Jim Perrin wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen <smooge at gmail.com> wrote:
>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>> <mailinglists at mailnewsrss.com> wrote:
>>> Hi All,
>>>
>>> What tips does everyone have on hardening a CentOS Server that is
>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>> processing payments from www?
>> NSA hardening guidelines would be a good start. The CIS hardening
>> guidelines would be also good. After that you want to look at specific
>> hardening guidelines for apache
> 
> The NSA guide is a very good start, and
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
> it rather well.
> You might also want to have a look at the DoD STIG guidelines, though
> reading them will make your eyes bleed.
> 

For php, you really want to run php built with the suhosin patch and run 
the suhosin module as well.

I'm not sure, but I seem to recall there being a suhosin patched php 
either in testing or centos plus.

Assuming you run php.

I can't really comment on the others.

One of the nice things about suhosin is it does transparent encryption 
of cookies/sessions (you can tweak it), making things like session 
theft a lot more difficult.

I believe the suhosin patch/module is standard in BSD ports; I'm not sure 
why it isn't standard in RHEL (maybe because it can cause issues with 
some php accelerators?).
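As an added illustration, not part of the list post above: the transparent session and cookie encryption the author mentions is enabled and "tweaked" through Suhosin's php.ini directives. The directive names below are from the Suhosin documentation as I recall it; the key values are placeholders, and the fragment assumes the Suhosin extension is already loaded.

```ini
; --- Session encryption (server-side session data) ---
; Encrypt serialized session data before it is written to the session store.
suhosin.session.encrypt = On
; Secret used to derive the encryption key; use a long random value
; (placeholder below, generate your own).
suhosin.session.cryptkey = CHANGE_ME_random_session_key
; Mix client properties into the key so a stolen session blob is only
; decryptable for a client that looks the same: browser User-Agent,
; the DocumentRoot that created it, and the client's remote address.
; Set cryptraddr to 0 for clients behind NAT/proxies whose address changes.
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 0

; --- Cookie encryption (values sent to the browser) ---
; Encrypt cookie values so a leaked or tampered cookie is opaque to the
; attacker and rejected if it was not produced by this server.
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = CHANGE_ME_random_cookie_key
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
suhosin.cookie.cryptraddr = 0
; Cookies that must stay readable by other systems (e.g. a third-party
; payment redirect) can be excluded by name; everything else is encrypted.
suhosin.cookie.plainlist = paymentgw_token
```

Because cryptua binds the key to the User-Agent, a browser upgrade invalidates existing sessions; that is the intended trade-off against session theft, so test it on a staging host before enabling it on the payment site.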
