Posted by Tom Forsmo on March 17, 2008, 12:15 pm
Hi
I am setting up a small private server which will run services like
smtp, imap, webserver, news and webmail on Debian. I have been reading,
among other things, the Gentoo hardening documentation and it explains
different hardening techniques, such as PaX, GrSecurity and hardened
toolchain and sources. I am a little bit confused now and am looking
for some help to clarify some questions I have.
My main question is, what of all that is relevant for me to do to harden
my server? Since my server is only going to run a few security minded
services, my thinking is that a lot of what the Gentoo hardening
documentation describes does not apply as much to my scenario.
- As I see it, MAC is mostly of interest if users have login access to
the server.
- hardened toolchains and sources (i.e. use of ASLR and SSP) are mostly
of interest to servers/programs which do not care that much about
security, i.e. they have lots of buffer overrun problems
On the contrary, Bastille is important, and so probably are parts of GrSecurity.
The way I see it is that if I run a server, the most important things I
have to focus on are:
- only use servers that are designed for security, such as dovecot,
postfix, apache2, ssh, openvpn
- configure them properly and securely, including applying chroot and
only accepting ssl connections with certificates.
- only start the services I actually use
- set up a proper firewall
- perform environment security setup, including things such as
  - using bastille,
  - basic Linux security setup, such as hosts.deny etc
  - read-only partitions
  - tripwire
  - secure system logs
- regularly perform security maintenance and updates.
Is this enough to fend off 99% of the security issues, or am I entirely
mistaken? My aim here is to keep away even the seasoned hackers, but
probably not the best of them. DDOS is not an issue yet, it's more about
making sure things stored on the server are kept private.
regards
tom