LinuxQuestions.org - Hardening dedicated server

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Hardening dedicated server (https://www.linuxquestions.org/questions/linux-security-4/hardening-dedicated-server-519989/)

MrXX	01-16-2007 08:26 PM

Hardening dedicated server

If you have a debian linux web/mail dedicated server (like apache, postfix and so on) already configured, what other else would you do to secure more your machine? For example cron scripts to check file dir permissions, some IDS/IPS to detect strange behaviours, some scripts that can send email if something strange (like intrusion or server down) is happening, some rootkit scanners....what would you do to secure your server?

Can you hint me some trick?

Thanks :)

unSpawn

01-16-2007 08:49 PM

Hello and welcome to LQ, hope you like it here.

already configured, what else
The way you put your question it looks like you have already done some things to secure your server. Or was it handed over that way to you? If you did things yourself it would be good to list what you did so we don't duplicate or post unnecessary things. Then there's doing research. Debian has a rather good security manual. If you didn't read it you should. For more maybe check out the LQ FAQ: Security references. Then I'd use a checklist and use a scanner like Tiger to determine the general status of the server. Results vs checklist should show you where to start.

MrXX	01-17-2007 06:06 AM

Hi,

first of all many thanks for you reply :) really kind :)

Well, I set up apache2 following this guide http://www.securityfocus.com/infocus/1786

but without chroot. I think that if apache already run as a limited user (www-data) then it's not so harmful. At least an attacker has to escalate to root. But if he can escalate to root, even with chroot then it's not so secure, he can mount device and then escape from chroot.

I've even php4 (safe mode) and mysql. For postfix I followed this guide: http://www.onlamp.com/pub/a/bsd/2003/08/21/postfix.html

This is what I've done until now

many thanks in advance :)

unSpawn

01-17-2007 07:53 AM

OK. With all due respect but you reacted to half my post and left this out:

Quote:

Then there's doing research. Debian has a rather good security manual. If you didn't read it you should. For more maybe check out the LQ FAQ: Security references. Then I'd use a checklist and use a scanner like Tiger to determine the general status of the server. Results vs checklist should show you where to start.

Any remarks on (acting on) that?

MrXX	01-17-2007 08:29 AM

sorry :) I was only replying to your first question :)

No, I've still to read links you gave me :) Thanks :)

unSpawn

01-17-2007 08:41 AM

Ah, OK. BTW, don't try and grok the whole Security references part in one go or you'll go mad as a hatter, chunk it, take your time and ask questions as you progress.

MrXX	01-18-2007 09:21 AM

Question:

if I install apache2, php, mysql with apt-get and then chroot all these packages, then if there's a apt-get upgrade how can I updates these softwares inside chroot? Makejail?

Thanks :)

unSpawn

01-18-2007 08:40 PM

If "Makejail" contains functionality to copy the updated libs and binaries from the "host" system to the chroot, yes, why not?

All times are GMT -5. The time now is 06:02 PM.