Jim Perrin wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen <smooge at gmail.com> wrote:
>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>> <mailinglists at mailnewsrss.com> wrote:
>>> Hi All,
>>>
>>> What tips does everyone have on hardening a CentOS Server that is
>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>> processing payments from www?
>> NSA hardening guidelines would be a good start. The CIS hardening
>> guidelines would be also good. After that you want to look at specific
>> hardening guidelines for apache
>
> The NSA guide is a very good start, and
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
> it rather well.
> You might also want to have a look at the DoD STIG guidelines, though
> reading them will make your eyes bleed.
>

For php, you really want to run php built with the suhosin patch and run the suhosin module as well. I'm not sure, but I seem to recall there being a suhosin-patched php either in testing or centos plus. Assuming you run php. I can't really comment on the others.

One of the nice things about suhosin is it does transparent encryption of cookies / sessions (you can tweak it), making things like session theft a lot more difficult. I believe the suhosin patch/module is standard in bsd ports, I'm not sure why it isn't standard in RHEL (maybe because it can cause issues with some php accelerators ??)
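The "tweaking" the reply mentions is done through suhosin's php.ini directives. The fragment below is an added example, not something posted in the thread; it shows the transparent session/cookie encryption settings with a weak default (cookie encryption off, empty key) corrected. The file path and the key strings are assumptions; the directive names are suhosin's own.

```ini
; Added example (not from the thread): suhosin.ini fragment for
; transparent session and cookie encryption.
; Assumed location: /etc/php.d/suhosin.ini

; --- Session data ---------------------------------------------------
; Session encryption is On by default in suhosin; keep it that way.
suhosin.session.encrypt = On
; Assumed placeholder: replace with a long random secret kept out of
; version control. With an empty key the derived key depends only on
; the request-bound values below.
suhosin.session.cryptkey = "CHANGE-ME-long-random-secret"
; Mix the User-Agent and document root into the key, so a session id
; copied to a different browser or vhost no longer decrypts.
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
; Number of leading octets of the client address bound into the key.
; 0 = off. Raising it breaks users behind rotating proxies; test first.
suhosin.session.cryptraddr = 0

; --- Cookies ---------------------------------------------------------
; Weak default: suhosin ships with cookie encryption Off.
; suhosin.cookie.encrypt = Off
; Corrected: encrypt cookies with the same client binding as sessions.
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "CHANGE-ME-another-random-secret"
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
suhosin.cookie.cryptraddr = 0
```

After changing these, restart httpd and confirm with `php -i | grep suhosin` that the values took effect; a cookie written by a php build that lacks the module (or uses a different key) will not be readable by this one, which is the behaviour that makes a stolen cookie or session id much less useful.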