The short answer is check out the LQ FAQ: Security references
, read, then return to ask specific questions.
IMHO there is no long answer, at least not at this point. Sure anybody could post some measures assortis
right away and w/o thinking, but I'd rather assess the situation first and *then* come up with coherent advice.
We should look at all aspects of the machines involved, including purpose, network segmentation, maintenance and incident history, measures implemented, etc, etc to come up with say list of priorities. From that you can pinpoint things that need to be fixed urgently and make a top ten list of things that are necessary to reach overall "base level" security. After that you implement the rest of the measures to improve security further.
ca. 20 servers all running suse 8.2 - 10.2, that have global IP addresses, and are not behind a firewall. This servers run apache, mysql, pop, smtp, etc.
- are all the machines located in one place?
- what is the purpose of these servers? (ISP, business, other)
- what is the relationship between servers? That is, do some or all provide services *together* (think Apache + MySQL + Squid = application)? Are there some that provide services to one, two or more separate domains (LAN nets, Internet)? Are there some that provide multiple services that really should be separated? (say MTA vs LAN firewall/router)?
- is there a specific reason all have public IP addresses?
- is there a reason why the distribution release version differs and includes stale release versions?
- what is the integrity state of the machines? (Known problems, past intrusions etc)
- if there is any "evidence" of past hardening, auditing and maintenance, do you have access to relevant admin logs?
- you posted some measures taken. Can you point which ones have been done on all machines and what was used? (Just name the tool: sshd, tcp_wrappers, Xinetd, iptables),
- is there a todo list with security-related tasks that need taking care off urgently?
- are you in any way constrained wrt effort, time and money (who isn't)?
* Please take your time answering/asking. There are no "wrong" or "right" answers. In this case "more *is* more", so the more information the better it will be. If there is anything security-related you would like to mention (past incidents, unrelated events, suspicions, etc) please do also.
** If you're OTOH not interested in this approach but would rather like to get a set of generic security-related measures just say so. In that case you can skip back to the short answer.