LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 06-29-2004, 07:50 AM   #1
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Rep: Reputation: 30
Question Security advice for a web server please


Hello,

I am going to run the following services on a server connected to the internet semi-permanently

- http/php server
- ftp server
- mail server
- firewall
- router (to internal lan)
- smb server (for internal lan)
- ssh terminal (for remote login)

I would like to know what security tools are must have's for this setup, along with pre-emtive measures. Links specifically on this topic owuld also be appreciated.

Suggestion for an ftp daemon would also be appreciated.

If it helps, I intend to use an external USB drive to aid backup, not sure exactly how yet.

Thank you
 
Old 06-29-2004, 11:05 AM   #2
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
iptables

grsecurity wouldn't hurt either

and pay careful attention to the permissions
 
Old 06-29-2004, 03:15 PM   #3
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
tripwire would be nice also....

As for FTP, try VSFTP...very nice and fairly secure....
 
Old 06-29-2004, 10:36 PM   #4
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
here is a great article on the securityfocus site.

http://www.securityfocus.com/infocus/1694
http://www.securityfocus.com/infocus/1786
 
Old 07-01-2004, 03:19 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,521
Blog Entries: 51

Rep: Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600Reputation: 2600
I am going to run the following services on a server connected to the internet semi-permanently
- firewall
- router (to internal lan)
Don't run all services on one box. At least have a separate firewall(/router). Harden the box before installing services. For more please check out the LQ FAQ: Security references, especially the hardening part. Make sure you disable all services "fancy" features until you know you really need them. Use access controls. Running services from Xinetd get's you some, plus connection limiting and such. Services like OpenSSH have their own access controls utilising TCP wrappers. If services are for LAN use, make sure account and host access rules match. If it's a server don't install (or remove after compiling) development packages, graphical environment, most distro helper apps. Don't trust (LAN) users. Don't use system auth (/etc/passwd,groups) for service accounts. Most services can use external databases. If they're PAM-ified it's easy to set up. If you're using encrypted passwords/hashes, don't use weak variations (like LANMAN hashes for Samba).


- http/php server
Make sure you need to serve public stuff. Don't allow people to upload and execute arbitrary (parsed) executables. If you can get away with running PHP in safe mode, do so.


- ftp server
I run either Muddleftpd (slightly modified in the logging department and it won't run SITE commands) or Vsftpd. Both can use external means of authentication. Don't use your system auth files for users who need FTP-only access. Better yet, ditch FTP and use OpenSSH to SCP/SFTP.


- mail server
If for public use choose a daemon whose name doesnt being with "Send" and ends with "mail". Disable relaying. Make sure to disable querying for addresses (VRFY and such).


- smb server (for internal lan)
See top.


- ssh terminal (for remote login)
SSH is OK provided you ditch root logins, use key auth, use compression by default and don't get your remote keys compromised (strokes logged).

Last edited by unSpawn; 07-01-2004 at 03:41 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Streaming Web Server advice needed Tectron1 Linux - Software 1 06-15-2005 11:51 AM
seeking advice on running a web server hirman Linux - Newbie 4 11-25-2004 09:29 AM
Noob security advice Fiend Linux - Security 3 08-28-2004 08:46 PM
Mandrake 10: Issues with "higher" security setting and web server maverick106 Mandriva 6 04-26-2004 10:39 AM
Linux Newbie seeking advice on proper security for 7.3 web server... marvc Linux - Security 3 03-24-2003 02:42 PM


All times are GMT -5. The time now is 07:57 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration