Linux Firewall - Where do I start?
 

Hi,

I've just got a new root server from One & One, but by default it's just a nice clean install of Redhat 7.2. It comes with Ensim Appliance software, but doesn't have a firewall so all ports are open. This is going to be used as a production server running an online shopping site so security is one of my priorities when setting it up. Has anyone any good tips on the quickest, easiest, and most secure way(s) to lock down my new server?

Thanks,

Steve.

Yeah, don't run it as a firewall itself. If it is to be a server setup to deliver content then it needs to be in it's own DMZ. What you should do is scour the rc.*'s and disable any and all services you do not need. Then patch any services you do need to the latest levels. Meaning apache, mysql, etc.

Next put that puppy between two firewalls or in a segment off you current firewall. Segment it off your regular LAN.

See http://www.pittech.com/dmz.htm for a lil tidbit I wrote about DMZs

oh, two other things I would do before placing the server live is install bastille and tripwire.

Sounds great - I'd love to do that much, only we're very limited:
Please see http://www.oneandone.co.uk (We have Root Server II).

We need to move from the shared server that we have at the moment, onto the root server as soon as possible, but obviously not if it's going to be in any way insecure... :(

Ah I see now, it is a colocation kinda deal. Sorta your rented server but at their Network Center. Ummm my first thoughts would be to turn off any unused services....sendmail....telnet...etc. That should be a given. And get them to patch the server. Run NMap or Nessus against the box for known vulnerabilities. Document them and ask the hosting provider to patch.

Second they should have a firewall between the net and the server if not you could get screwed especially if you are maintaining billing or payment data in a database on that server.

Call or email them to find out what they can do for you.

Cheers, cyph3r7 - I should have been a little clearer in my original post!

I'll get onto them right away...

:)

Steve.

be careful when updating ! some updates might broke your Ensim Appliance ....

Don't know about them patching the server. Their root servers are totally hands off from their point of view, you have complete control of the server, they have none.

cyph3r7 the root servers are plugged directly into their net connection backbone so no firewalls.

On a side note, get rid of ensim, it's horrible. I managed to kill it after two days of very gentle prodding.

Ah well that sounds like fun.

Then certainly setting up iptables on these servers would be a GREAT idea. If they are only offering web content then I guess the minimum would be to see if you could patch Apache, mySql (if used) and other services exposed. Not being familiar with their Ensim product I am don't know it's relationship to other moving parts.

Hmmm I just re-read...RH 7.2. Is the kernel updated to use iptables or do they run a 2.2 kernel? I don't recall what 7.2, gut says 2.4.7. If not I guess ipchains would suffice.

It runs 2.4.