Quote:
Originally Posted by siddartha
(..) they should be accessible from the localhost and invisible to the exterior,
|
Then configure then to listen only on the loopback device.
Quote:
Originally Posted by siddartha
Could you point out some recent documentation about securing them?
|
Note security isn't a fire-and-forget one-off. It's a constant cycle of auditing and adjusting.
- A secured server starts with hardening the OS, so start with creating a baseline (so you can document which changes have what effect) and read what documentation your distribution provides. If you want to meditate on the finer points, or if your distribution doesn't provide enough documentation, check out the "Securing Debian" manual, one of the oldest around. Once done check your changes locally with Tiger and from remote with OpenVAS (not netstat or nmap). Bonus points for using the Cisecurity benchmarks (for example what applies to
RHEL / Centos / SL).
- Create an application level baseline, so you can document which changes have what effect, visit the web site for your database, web server and interpreter of choice for up to date information and implement what advice their security documentation offers. Then check the SANS InfoSec Reading Room for topics like
Web Servers and docs like
Step by Step Installation of a Secure Linux Web, DNS and Mail Server, the
Top 10 2010 and the
OWASP Application Security FAQ. Increase your mana by using the
CIS Apache benchmark and remembering to run OpenVAS after you made changes. More bonus points for reading more like
Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues and
IT Audit: Security Beyond the Checklist.
* If you want to see a Real Life case then
this thread would be a good example IMHO.
HTH
