lenkki n00b
Joined: 03 Mar 2004 Posts: 55
Posted: Mon Dec 19, 2005 9:56 pm Post subject: Securing a server, suggestions ? |
Hi, I'm deploying a personal server and, as practice, I want to secure it as tightly as any "real-life-mission-critical-server" out there.
I have two machines, my own PC and the server machine; both have fixed IPs.
And I'm not posting this from either of them.
Services provided shall be:
www
smtp
imap
ssh
www - Shall be provided by Apache, using MySQL and PHP. Which versions of Apache and PHP is still unclear (1.x/2.x? 4.x/5.x?).
smtp - Postfix, only allowing relay from trusted IPs, preferably with authentication if possible.
imap - Courier Imapd, using SSL not supplying non-ssl service.
ssh - OpenSSH sshd
I'm also going to deploy the box using the hardened profile and hardened toolchain and using PAX and GRSEC.
Local security has been taken care of.
Securing of services:
What I've done this far
SSH:
- Is not using PAM
- Disallows plaintext logins; the user must authenticate through pubkey
- Only 1 trusted IP is allowed to log in
- Only 1 user is allowed to log in
- Still on default port
Apache
I'm not really sure how to secure Apache; ultimately I'd like to have it running in a chroot as on OpenBSD, but I dunno how to manage this in Gentoo.
Courier Imapd
Has never caused me any problems and I feel that the default settings are fine. Use of the not-so-common SSL port makes me feel a bit safer too.
PostFix
I'm clueless here. I've set the relay options to only allow relay from my trusted IP. I wonder if there is anything more I can do.
General system setup
Code: /etc/security/access.conf:
# Block all local logins except root and myusername
-:ALL EXCEPT root myusername:LOCAL
# Block all non-local logins except for myusername
-:ALL EXCEPT myusername:ALL EXCEPT LOCAL
Don't know how useful this is, but it might catch something:
Code: /etc/security/limits.conf:
@users hard core 100000
@users soft nproc 20
@users hard nproc 35
@users - maxlogins 10

/etc/limits:
* U32
Code: /etc/hosts.allow
sshd:192.168.0.2

/etc/hosts.deny
ALL:PARANOID
I'm still in the process of getting to the GRSEC configuration, but PAX is up and running and apparently working too.
I've removed the SUID bit from most binaries I've found; just a handful are left, like su and login etc.
MySQL is running with skip-networking
Code:
USE="-X no-suexec hardened userlocales apache2 php mysql imap utf8 gd hardenedphp png jpeg pam_chroot chroot"
Code: /etc/fstab:
/dev/hda1 /boot ext2 noauto,noatime 1 2
/dev/md0 none swap sw 0 0
/dev/md1 / reiserfs noatime 0 1
/dev/md2 /home reiserfs noatime,noexec,nodev,nosuid 0 0
/dev/md3 /usr reiserfs noatime,ro,nodev 0 0
/dev/md4 /tmp reiserfs noatime,noexec,nodev,nosuid 0 0
/dev/md5 /var reiserfs noatime,noexec,nodev 0 0
My question is: where could I improve security? Any suggestions?
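As an added example (not from lenkki or anyone in this thread), here is a small POSIX sh audit of the fstab posted above that reports which mounts lack the nodev/nosuid/noexec options already applied to /home and /tmp. The expected option set per mount point is my assumption (/ and /boot are left alone, /usr must stay executable), and the fstab text is constructed from the post.

```shell
#!/bin/sh
# Added example: audit an fstab for hardening mount options.
# Policy (an assumption, not from the thread): every mount other than
# / and /boot should carry nodev and nosuid; noexec is expected
# everywhere except /usr, which must remain executable.

# Sample fstab, constructed from the one in the post above.
SAMPLE_FSTAB='/dev/hda1 /boot ext2 noauto,noatime 1 2
/dev/md0 none swap sw 0 0
/dev/md1 / reiserfs noatime 0 1
/dev/md2 /home reiserfs noatime,noexec,nodev,nosuid 0 0
/dev/md3 /usr reiserfs noatime,ro,nodev 0 0
/dev/md4 /tmp reiserfs noatime,noexec,nodev,nosuid 0 0
/dev/md5 /var reiserfs noatime,noexec,nodev 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# wanted_opts MOUNTPOINT: print the options expected for that mount.
wanted_opts() {
    case "$1" in
        /|/boot) ;;                        # left alone
        /usr) echo "nodev nosuid" ;;       # needs to stay executable
        *) echo "nodev nosuid noexec" ;;
    esac
}

# audit_fstab: read fstab text on stdin and print one line per mount
# that lacks an expected option, as "<mountpoint> missing <opt>".
# Comment lines and swap entries are skipped.
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$fstype" = swap ] && continue
        for want in $(wanted_opts "$mnt"); do
            has_opt "$opts" "$want" || echo "$mnt missing $want"
        done
    done
}

# Run against the sample; on a live box use: audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

On Gentoo, noexec on /var also covers the default PORTAGE_TMPDIR (/var/tmp), so package builds need PORTAGE_TMPDIR pointed at a filesystem mounted without noexec.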
slam_head Guru
Joined: 06 Jan 2003 Posts: 449 Location: New York City
Posted: Mon Dec 19, 2005 10:28 pm Post subject: |
The Bastille scripts are always a good idea. You could also do some vulnerability testing with tools such as nmap and Nessus.
VStrider Apprentice
Joined: 27 Jun 2005 Posts: 244 Location: 1 to Rule All way, Moria Gate, Middle Earth, SAU 70N
Posted: Mon Dec 19, 2005 11:40 pm Post subject: Re: Securing a server, suggestions ? |
lenkki wrote:
> Apache
> I'm not really sure how to secure Apache; ultimately I'd like to have it running in a chroot as on OpenBSD, but I dunno how to manage this in Gentoo.

Code: emerge app-misc/jail

jail is a very handy tool that will create a chrooted env and copy all the necessary files for a given daemon. It'll basically do all the work for you. Unfortunately it doesn't come with man pages. But this might be helpful.
Valhlalla Apprentice
Joined: 22 Sep 2003 Posts: 161 Location: Sydney, Australia.
Posted: Tue Dec 20, 2005 12:42 am Post subject: |
I guess a custom ipchains script is always good.
[edit] God, brain, get into the new millennium. I mean iptables.
Pork Chop Sandwiches, Oh Sh*t!