Help & Suggestions Please! (Security, Servers)

[macawgumbo]

I am building a Gentoo Web/File/Mail Server on my AMD K6-2 500MHZ computer with 128MB SDRAM. Basically, I need suggestions about what USE Flags to use as I am not going to be using any kind of X graphics, audio, local printing (to a networked windows box maybe).

Here's a listing of what it will eventually do:

External Roles:
1. Web Server - Apache (secured by SSL)
2. Mail Server - POP3 (vpopmail), Qmail, Webmail (horde / IMP)
3. FTP Server - vsftp
4. SSH - OpenSSH

Internal:
1. Samba - Windows backups
2. NFS - Linux backups and sharing

Firewall and VirusScan are musts.



I have read a little about using hardened-dev-sources and grsecurity. Can anyone give an opinion one way or the other if the hassle is worth it or not.

Server Specs:
AMD K6-2 500MHz
128MB SDRAM (may be upgrading to 256MB+)
60GB 7200RPM 8MB HD
10/100 NIC (3COM 3c595)
Radeon 7500 PCI Graphics Card

Current Partitioning Scheme (make suggestions please):
Filesystem Size Used Avail Use% Mounted on FS
/dev/hda3 14G 1.8G 12G 14% / Ext3
/dev/hda5 4.6G 173M 4.2G 4% /var Ext3
/dev/hda7 33G 33M 32G 1% /data Ext3
none 61M 0 61M 0% /dev/shm
/dev/hda6 4.7G 33M 4.7G 1% /webdata Resierfs
swap 768M



I have a current setup, but I am redoing it correctly (most likely without hardened-dev-sources as kernel)
---------------------------
Here's my emerge info:
--
System uname: 2.6.7-hardened-r15 i586 AMD-K6(tm) 3D processor
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers: sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=k6-2 -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=k6-2 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow apache2 apm avi bitmap-fonts crypt cups dedicated encode f77 foomaticdb fortran ftp gdbm gif gpm gtk2 hardened hardenedphp imlib impa ipv6 java jpeg libg++ libwww mad maildir mikmod mmx mod_php motif mpeg mysql mysqli ncurses nls oggvorbis pam pdflib perl php pic pie png python quicktime readline samba sasl sdl slp spell spl ssl svga tcpd tiff truetype usb x86 xml2 zlib"
--

[jkt]

Hey, just play with it. Your initial flags should be "-X -kde -gnome -gtk -qt", then use `emerge -pv`, it'll show you the use flags, look at their description with `equery uses name-of-package` (`emerge gentoolkit` before) and use your common sense to decide which of them are needed and which are not.