What should be uninstalled from an FTP server
I have a server that's only function is to run a vsftp server for people to send us files on. Below is an rpm -qa that's sorted alphabetically, are there any things in this list that should probably be removed for security purposes, that wouldn't affect the ftp servers functionality? We only access it from the CLI, if that helps. I dont know what 99% of the items in this list are so i'm not sure even where to start.
Code:
acl-2.2.39-6.el5 |
Quote:
A lot of system administration work involves long complicated steps. I think that you should simply look up each of the components and find out what they are and what they do. Then if you decide to remove any of them you will learn whether that component was critical or not when you restart the computer. My initial impression is that there is very little fat to trim in that list. I probably wouldn't remove any of them. You absolutely SHOULD look at the user account list and remove unnecessary ones. However that is another research project. You might be surprised if you remove the nobody account, or example, and find that something stops working, like updatedb for example. |
Thanks for the tip. I wasn't really looking for someone to go through one by one, i was more hoping for a general response like you gave. I am starting to research them all.
|
My company uses dozens of S/FTP/SCP servers and if there's one recommendation I can make it's this: Go download a server only OS without a desktop/window manager. We're currently running Ubuntu 9.10 minimal server edition which comes with literally nothing but the kernel and base packages. The only thing we install on it is vsftpd, ssh, acl, and some pam modules. Going that route eliminates all those extra threats that come with running a multi-purpose machine.
|
Thanks for that tip!
|
RHEL - and its derivative distros - is a fantastic OS, but even a minimal package install throws in some cruft that is not necessary for a single-service server. I recommend firing up an installation in a VM, and using it as a test bed for learning about packages (manpages will be helpful to read as you go along) and dependencies.
Alternatively, there are other OSes that simply don't install everything and the kitchen sink by default. One (non-Linux) example is FreeBSD. |
Thanks. From what I'm told all the servers I've inherited were mostly installed with whatever was the default, so i'm guessing some of them have fluff on them that isn't needed.
|
Quote:
My personal recommendation is Debian, and don't install any 'typical' systems if you are offered the choice. Bare Debian is very lean, doesn't even include less or ssh. If you are a serious RedHat person, stick with RedHat. Altough Debian is much better than RH (hehe just kidding) it won't pay back the additional time you have to spend to unlearn RH and learn Debian policy. jlinkels |
Quote:
Quote:
Quote:
|
I was looking more to eliminate any unnecessary things as to lessen the areas that a possible attacker could get in.
|
Quote:
|
Right, and I was agreeing with his point :-)
|
Overlooked the security thing and I wasn't aware I was reading in the security forum. Sorry.
jlinkels |
Quote:
|
Quote:
|
All times are GMT -5. The time now is 12:14 PM. |