LinuxQuestions.org


pembo13 06-29-2004 07:50 AM

Security advice for a web server please
 
Hello,

I am going to run the following services on a server connected to the internet semi-permanently

- http/php server
- ftp server
- mail server
- firewall
- router (to internal lan)
- smb server (for internal lan)
- ssh terminal (for remote login)

I would like to know what security tools are must-haves for this setup, along with pre-emptive measures. Links specifically on this topic would also be appreciated.

Suggestion for an ftp daemon would also be appreciated.

If it helps, I intend to use an external USB drive to aid backup, not sure exactly how yet.

Thank you

SciYro 06-29-2004 11:05 AM

iptables

grsecurity wouldn't hurt either

and pay careful attention to the permissions

cyph3r7 06-29-2004 03:15 PM

tripwire would be nice also....

As for FTP, try VSFTP...very nice and fairly secure....

ppuru 06-29-2004 10:36 PM

Here is a great article on the SecurityFocus site.

http://www.securityfocus.com/infocus/1694
http://www.securityfocus.com/infocus/1786

unSpawn 07-01-2004 03:19 PM

I am going to run the following services on a server connected to the internet semi-permanently
- firewall
- router (to internal lan)
Don't run all services on one box. At least have a separate firewall(/router). Harden the box before installing services. For more please check out the LQ FAQ: Security references, especially the hardening part. Make sure you disable all services' "fancy" features until you know you really need them. Use access controls. Running services from Xinetd gets you some, plus connection limiting and such. Services like OpenSSH have their own access controls utilising TCP wrappers. If services are for LAN use, make sure account and host access rules match. If it's a server don't install (or remove after compiling) development packages, graphical environment, most distro helper apps. Don't trust (LAN) users. Don't use system auth (/etc/passwd,groups) for service accounts. Most services can use external databases. If they're PAM-ified it's easy to set up. If you're using encrypted passwords/hashes, don't use weak variations (like LANMAN hashes for Samba).


- http/php server
Make sure you need to serve public stuff. Don't allow people to upload and execute arbitrary (parsed) executables. If you can get away with running PHP in safe mode, do so.


- ftp server
I run either Muddleftpd (slightly modified in the logging department and it won't run SITE commands) or Vsftpd. Both can use external means of authentication. Don't use your system auth files for users who need FTP-only access. Better yet, ditch FTP and use OpenSSH to SCP/SFTP.


- mail server
If for public use choose a daemon whose name doesn't begin with "Send" and ends with "mail". Disable relaying. Make sure to disable querying for addresses (VRFY and such).


- smb server (for internal lan)
See top.


- ssh terminal (for remote login)
SSH is OK provided you ditch root logins, use key auth, use compression by default and don't get your remote keys compromised (strokes logged).
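
The SSH advice in the reply above (no root logins, key auth) can be checked against a server's sshd_config. The script below is an added example, not part of the thread; mapping that advice to the OpenSSH directives PermitRootLogin, PasswordAuthentication and PubkeyAuthentication is this example's assumption, and the sample config is constructed.

```python
import re

# Assumed mapping of the advice to sshd_config directives (lowercased)
# and the values this audit accepts for each.
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# A keyword, then whitespace or a single '=', then the value.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")


def audit(text):
    """Return a sorted list of findings; an empty list means compliant.

    sshd keywords are case-insensitive and the FIRST value seen for a
    keyword wins, so a later "corrected" line has no effect. Settings
    inside a Match block override the global ones for matching
    connections, so weak values there are reported as well.
    Include directives are not followed.
    """
    seen, findings, match = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # comments and blank lines do not match
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().strip('"').lower()
        if key == "match":
            match = value
        elif match is None:
            seen.setdefault(key, value)  # first occurrence wins
        elif key in REQUIRED and value not in REQUIRED[key]:
            findings.append(f"{key}: '{value}' inside 'Match {match}'")
    for key, ok in REQUIRED.items():
        if key not in seen:
            findings.append(f"{key}: not set explicitly, depends on sshd default")
        elif seen[key] not in ok:
            findings.append(f"{key}: '{seen[key]}' (want {'/'.join(sorted(ok))})")
    return sorted(findings)


# Constructed sample: the second PermitRootLogin line is ignored by sshd.
SAMPLE = """\
# constructed example config
PermitRootLogin yes
passwordauthentication=no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An unset directive is reported rather than assumed safe, because the compiled-in defaults differ between OpenSSH versions and distributions.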

