Old 06-17-2007, 03:45 PM   #1
T1544E2048
LQ Newbie
 
Registered: Jun 2007
Location: Missouri, USA
Distribution: Raspbian, Debian (etc)
Posts: 6

Rep: Reputation: 1
Recommendations for additional security on new Ubuntu-Server install running BIND?


Hello to all who might wish to comment,


Primary question for those in skim-mode (see below for more info): Are there any additional security procedures that would be advised for the server installation described below, namely an Ubuntu-based command-line only DNS server with no other applications (other than openSSH) running on it? Details follow:

OS environment: a new server freshly installed with Ubuntu 6.06.1 LTS-Server, and installed using the bare-bones "Install to the hard disk" install option and the default "Erase entire disk" option for partitioning.

Sole purpose: External DNS server (via BIND) to provide primary public name resolution for several low-traffic domains

Additional packages installed and how:
  • apt-get install openssh-server (to allow secure remote admin)
  • apt-get install bind9 (DNS server app, Ver 9.3.2 - realize that 9.4.1 is current)
BIND has been chrooted by the method described in section 9 of http://www.howtoforge.com/perfect_setup_ubuntu_6.06_p4

Additional configs performed beyond initial CD-ROM install:
  • enabled the root account via "sudo passwd root"
  • configured eth0 with a static public address (connected via frac-T1)
  • commented out the CD-ROM entries in the /etc/apt/sources.list file
  • updated to the latest 6.06 packages via "apt-get update" and "apt-get upgrade"

I class myself mostly as a Linux newbie, though about 10 years ago I was responsible for maintaining a pair of Linux (Redhat) servers that provided DHCP, DNS, and ftp (?? might have been via Windows - I forget...) services for the company I was with at the time. Someone else did the initial install and firewalling (ipchains as I recall), so I just maintained the database files. In any case, I'm basically a newbie for install and for any modern Linux, but have at least a bit of hands-on, so I can figure most things out when pointed in the right direction... In particular, I'm new to Ubuntu and the apt-get methods. For example, how would I upgrade to bind 9.4.1 when the "apt-cache search bind9" command only shows 9.3.2 as available...? Does that mean no one has created a Debian/Ubuntu package for 9.4.1 yet? Or that I have to upgrade to 6.10 (unstable) or higher to have it appear as available? Not sure....


Appreciate anyone who wishes to respond with comments/suggestions. Thanks in advance!
 
Old 06-17-2007, 07:56 PM   #2
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449

Rep: Reputation: 34
You're doing EXACTLY what I'm about to do

Some things I would suggest are:
1) Secure your SSH. Have a look here for some info: http://wiki.linuxquestions.org/wiki/Securing_ssh
2) Why did you add a password to the root account?
3) You may be able to find a Debian package for 9.4.1 (try Google), or you could compile from source. You will need to install the 'build-essential' package with apt-get to be able to compile on a default Ubuntu install.
4) Set up iptables to default to "DROP" and only allow what is needed (Port 53 TCP and UDP, and Port 22 (or whatever your SSH is on) TCP). Don't forget an outbound firewall too.

EDIT:
Debian packages here: http://packages.debian.org/testing/net/bind9
Compile from source instructions here: http://www.unixwiz.net/techtips/bind9-chroot.html

Last edited by fukawi2; 06-17-2007 at 09:06 PM.
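
The default-DROP policy from item 4 of the post above, written out as an added example (not part of fukawi2's post or of any guide linked in the thread). The function name `dns_ruleset` is hypothetical, and the outbound allowances (the server's own DNS traffic on port 53 and HTTP on port 80 for apt) are assumptions about what this host needs to send.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a DNS-only host.
# Inbound ports 53 (TCP+UDP) and the SSH port come from the post;
# the outbound allowances are assumptions.

dns_ruleset() {
    ssh_port="${1:-22}"
    # Accept only a plain port number in 1-65535, at most five digits.
    case "$ssh_port" in
        ''|*[!0-9]*|??????*) echo "invalid SSH port: $ssh_port" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "invalid SSH port: $ssh_port" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies to traffic that was already permitted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound: DNS over UDP and TCP, plus SSH for remote admin
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
# Outbound (assumed needs): the server's own DNS traffic, apt over HTTP
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review; the SSH port is the optional first argument.
dns_ruleset "${1:-22}"
```

After reviewing the output, pipe it to `iptables-restore` as root from the console rather than over SSH, so a mistake in the SSH port cannot lock you out.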
 
Old 06-18-2007, 01:26 AM   #3
T1544E2048
LQ Newbie
 
Registered: Jun 2007
Location: Missouri, USA
Distribution: Raspbian, Debian (etc)
Posts: 6

Original Poster
Rep: Reputation: 1
Thanks much for the reply. It's going to be almost a full day before I'm back where the server is (and to be safe, I left it disco'd from the network until I saw what replies I got here), but will try your pointers on locating/installing BIND 9.4.1 and further securing openSSH when I return.

Regarding iptables, I'll get that loaded if it isn't already, and get it configured. I did some searching and found a few good pages on it, so I think I can translate what I know about firewalls to it w/o much problem. I certainly understand what you're suggesting.

Finally, to your question of why I enabled the root account - well, I wondered if I might get called on that... Here's the chain of events:

After I first installed the OS, I had problems with the system not having any IP connectivity, and spent quite a while tracking that one down. Come to find out there was a conflict with the USB 2.0 PCI card that it had in it and the Ethernet card that was next to it. I was clued in by doing a cat on the PCI interrupts and seeing that both devices were sharing the interrupt, and by having several occurrences of a "kernel panic" whilst executing IP-related diag commands, where the panic page referenced IRQs as the issue.

All in all, that wasn't by itself a good reason to enable root password, but I was doing a bunch of commands that required root access, and at least two of the "how-to's" that I read up on had the user set up the root account early on "because you need to in order to install the packages below" (most all of which I elected not to install, since I wanted a bare-bones DNS server). As I said, I'm new to Debian/Ubuntu, and I still haven't quite figured out the "sudo" command and the reasoning behind it, but am familiar with going "su", so I elected to go the easy route for the moment and come back later to remove the root password if it turned out to be "the right/secure thing to do"...

Not sure if that really gives you a good answer as to why, but that's more or less how it happened...

Thanks again for the reply, and I have a feeling I'll be back. In the meantime...
 
Old 06-18-2007, 10:02 PM   #4
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449

Rep: Reputation: 34
I don't know why all these guides don't just tell you to 'sudo su -'

It achieves the same thing (root shell) but without having to set the password.

My personal suggestion is that you re-lock the root account and use 'sudo su -' instead
 
  

