[CentOS] Hardening

Sat May 2 16:34:18 UTC 2009
Lucian@lastdot.org <lucian at lastdot.org>

On Sat, May 2, 2009 at 11:28 AM, Michael A. Peters <mpeters at mac.com> wrote:
> Jim Perrin wrote:
>> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen <smooge at gmail.com> wrote:
>>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>>> <mailinglists at mailnewsrss.com> wrote:
>>>> Hi All,
>>>>
>>>> What tips does everyone have on hardening a CentOS Server that is
>>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>>> processing payments from www?
>>> NSA hardening guidelines would be a good start. The CIS hardening
>>> guidelines would be also good. After that you want to look at specific
>>> hardening guidelines for apache
>>
>> The NSA guide is a very good start, and
>> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
>> it rather well.
>> You might also want to have a look at the DoD STIG guidelines, though
>> reading them will make your eyes bleed.
>>
>
> For php, you really want to run php built with the suhosin patch and run
> the suhosin module as well.
>
> I'm not sure, but I seem to recall there being a suhosin patched php
> either in testing or centos plus.
>
> Assuming you run php.
>
> I can't really comment on the others.
>
> One of the nice things about suhosin is it does transparent encryption
> of cookies / sessions (you can tweak it) making things like session
> theft a lot more difficult.
>
> I believe suhosin patch/module is standard in bsd ports, I'm not sure
> why it isn't standard in RHEL (maybe because it can cause issues with
> some php accelerators ??)

I think there are issues with suhosin vs. Zend Optimizer (other
encoders/loaders/decoders may have issues as well). I tested PHP with
suhosin enabled plus the APC accelerator and haven't had a problem;
eAccelerator will probably work just fine with it as well.
There's an RPM for suhosin compatible with the PHP version in RHEL5/CentOS5 at:
http://repo.redhat-club.org/redhat/5/i386/

> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
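As an added illustration, not part of the thread above and not configuration shipped by the Suhosin project or the RPM linked: a php.ini / suhosin.ini fragment that turns on the transparent session and cookie encryption Michael mentions. The directive names are Suhosin's own; the two key strings, the syslog class value and the ColdFusion cookie names exempted from encryption are assumptions chosen for this example and should be checked against the installed version's documentation.

```ini
; Added example (not from the thread): Suhosin extension settings for the
; CentOS 5 / PHP 5.1 stack discussed above. The suhosin *patch* is compiled
; into php itself and needs no ini lines; these apply to the extension.
extension = suhosin.so

; Session encryption is on by default in Suhosin; it is stated explicitly
; here so the key is set rather than left at the build default.
; Assumption: replace the key with a long random string generated on the host.
suhosin.session.encrypt      = On
suhosin.session.cryptkey     = "CHANGE-ME-long-random-session-key"
; Bind the session to the User-Agent and the document root, but not to the
; client address: users behind load-balanced or rotating proxies change IP
; mid-session and would be logged out by a non-zero cryptraddr.
suhosin.session.cryptua      = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr   = 0

; Cookie encryption is off by default and must be enabled deliberately.
suhosin.cookie.encrypt       = On
suhosin.cookie.cryptkey      = "CHANGE-ME-long-random-cookie-key"
suhosin.cookie.cryptua       = On
suhosin.cookie.cryptdocroot  = On
suhosin.cookie.cryptraddr    = 0
; Cookies written by non-PHP code on the same host cannot be decrypted by
; Suhosin, so they must be listed as plaintext or PHP will not see them.
; Assumption: CFID/CFTOKEN are the ColdFusion session cookies in this setup.
suhosin.cookie.plainlist     = "CFID,CFTOKEN"

; Send every Suhosin alert class to syslog so blocked requests reach the
; same log pipeline as the rest of the server (511 = all classes).
suhosin.log.syslog           = 511
```

Two caveats for a payment-processing host: the session and cookie keys must differ between unrelated sites on the same box, and the encryption only makes a stolen session or cookie harder to reuse from a different browser or path; it does not replace marking cookies HttpOnly and Secure or regenerating the session id at login. Before enabling suhosin.cookie.encrypt, confirm with `php -m` that both suhosin and the opcode cache (APC in the poster's test) load without errors, since that is where the accelerator incompatibilities discussed above show up.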