Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've just got a new root server from One & One, but by default it's just a nice clean install of Red Hat 7.2. It comes with Ensim Appliance software, but doesn't have a firewall, so all ports are open. This is going to be used as a production server running an online shopping site, so security is one of my priorities when setting it up. Has anyone any good tips on the quickest, easiest, and most secure way(s) to lock down my new server?
Yeah, don't run it as a firewall itself. If it is to be a server set up to deliver content then it needs to be in its own DMZ. What you should do is scour the rc.*'s and disable any and all services you do not need. Then patch any services you do need to the latest levels. Meaning Apache, MySQL, etc.
Next put that puppy between two firewalls or in a segment off your current firewall. Segment it off your regular LAN.
Sounds great - I'd love to do that much, only we're very limited:
Please see http://www.oneandone.co.uk (We have Root Server II).
We need to move from the shared server that we have at the moment, onto the root server as soon as possible, but obviously not if it's going to be in any way insecure...
Ah I see now, it is a colocation kinda deal. Sorta your rented server but at their Network Center. Ummm my first thoughts would be to turn off any unused services....sendmail....telnet...etc. That should be a given. And get them to patch the server. Run Nmap or Nessus against the box for known vulnerabilities. Document them and ask the hosting provider to patch.
Second, they should have a firewall between the net and the server; if not, you could get screwed, especially if you are maintaining billing or payment data in a database on that server.
Call or email them to find out what they can do for you.
Don't know about them patching the server. Their root servers are totally hands off from their point of view, you have complete control of the server, they have none.
cyph3r7, the root servers are plugged directly into their net connection backbone, so no firewalls.
On a side note, get rid of ensim, it's horrible. I managed to kill it after two days of very gentle prodding.
Ah well that sounds like fun.
Then certainly setting up iptables on these servers would be a GREAT idea. If they are only offering web content then I guess the minimum would be to see if you could patch Apache, MySQL (if used) and other services exposed. Not being familiar with their Ensim product, I don't know its relationship to other moving parts.
Hmmm I just re-read...RH 7.2. Is the kernel updated to use iptables or do they run a 2.2 kernel? I don't recall what 7.2 uses; gut says 2.4.7. If not I guess ipchains would suffice.
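
A sketch of the iptables setup suggested in the thread, added here as an example and not posted by anyone above: it generates a default-deny inbound ruleset in iptables-restore format for a box plugged straight into the provider's backbone. The port list (22 for SSH admin, 80 and 443 for the shop) and the function names are assumptions; it covers iptables only, not the ipchains fallback.

```shell
#!/bin/sh
# Added example: build a default-deny INPUT policy for a directly exposed web server.
# The ports passed in are assumptions; list only the services you really serve.

# Accept only decimal TCP port numbers in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a ruleset in iptables-restore format; refuse to emit anything
# if any argument is not a valid port, so a typo never yields a partial policy.
gen_rules() {
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # anything not explicitly allowed is dropped
    echo ':FORWARD DROP [0:0]'      # this host is a server, not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the server itself opened (DNS lookups, updates).
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -p tcp --syn --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset for review. To load it, run as root:
#   gen_rules 22 80 443 | iptables-restore
gen_rules 22 80 443
```

On a remote server with no console access, load the rules from an existing SSH session and confirm a second login works before closing the first, since a mistake in the SSH rule locks you out.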