What should be uninstalled from an FTP server

anon091 · 03-31-2011, 10:45 AM

I have a server that's only function is to run a vsftp server for people to send us files on. Below is an rpm -qa that's sorted alphabetically, are there any things in this list that should probably be removed for security purposes, that wouldn't affect the ftp servers functionality? We only access it from the CLI, if that helps. I dont know what 99% of the items in this list are so i'm not sure even where to start.

Code:

acl-2.2.39-6.el5
acpid-1.0.4-9.el5_4.2
alsa-lib-1.0.17-1.el5
alsa-utils-1.0.17-1.el5
amtu-1.0.6-1.el5
anacron-2.3-45.el5
apmd-3.2.2-5
aspell-0.60.3-7.1
aspell-en-6.0-2.1
at-3.1.8-84.el5
atk-1.12.2-1.fc6
attr-2.4.32-1.1
audiofile-0.2.6-5
audit-1.7.17-3.el5
audit-libs-1.7.17-3.el5
audit-libs-python-1.7.17-3.el5
authconfig-5.3.21-6.el5
authconfig-gtk-5.3.21-6.el5
autofs-5.0.1-0.rc2.143.el5
avahi-0.6.16-9.el5_5
avahi-compat-libdns_sd-0.6.16-9.el5_5
avahi-glib-0.6.16-9.el5_5
basesystem-8.0-5.1.1
bash-3.2-24.el5
bc-1.06-21
beecrypt-4.1.2-10.1.1
bind-libs-9.3.6-4.P1.el5_4.2
bind-utils-9.3.6-4.P1.el5_4.2
binutils-2.17.50.0.6-14.el5
bitmap-fonts-0.3-5.1.1
bluez-gnome-0.5-5.fc6
bluez-libs-3.7-1.1
bluez-utils-3.7-2.2
bridge-utils-1.1-2
busybox-1.2.0-7.el5
bzip2-1.0.3-6.el5_5
bzip2-libs-1.0.3-6.el5_5
cairo-1.2.4-5.el5
ccid-1.3.8-1.el5
checkpolicy-1.33.1-6.el5
chkconfig-1.3.30.2-2.el5
chkfontpath-1.10.1-1.1
comps-extras-11.1-1.1
conman-0.1.9.2-8.el5
coolkey-1.1.0-14.el5
coreutils-5.97-23.el5_4.2
cpio-2.6-23.el5_4.1
cpp-4.1.2-48.el5
cpuspeed-1.2.1-9.el5
cracklib-2.8.9-3.3
cracklib-dicts-2.8.9-3.3
crash-4.1.2-4.el5_5.1
crontabs-1.10-8
cryptsetup-luks-1.0.3-5.el5
cups-1.3.7-26.el5_6.1
cups-libs-1.3.7-26.el5_6.1
curl-7.15.5-9.el5
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
db4-4.3.29-10.el5_5.2
dbus-1.1.2-14.el5
dbus-glib-0.73-10.el5_5
dbus-libs-1.1.2-14.el5
dbus-python-0.70-9.el5_4
Deployment_Guide-en-US-5.2-11
desktop-file-utils-0.10-7
device-mapper-1.02.39-1.el5_5.2
device-mapper-event-1.02.39-1.el5_5.2
device-mapper-multipath-0.4.7-34.el5_5.4
dhcdbd-2.2-2.el5
dhclient-3.0.5-23.el5
dhcpv6-client-1.0.10-18.el5
diffutils-2.8.1-15.2.3.el5
dmidecode-2.10-3.el5
dmraid-1.0.0.rc13-63.el5
dmraid-events-1.0.0.rc13-63.el5
dnsmasq-2.45-1.1.el5_3
docbook-dtds-1.0-30.1
dos2unix-3.1-27.2.el5
dosfstools-2.11-9.el5
dump-0.4b41-5.el5
e2fsprogs-1.39-23.el5
e2fsprogs-libs-1.39-23.el5
ed-0.2-39.el5_2
eject-2.1.5-4.2.el5
elfutils-libelf-0.137-3.el5
emacs-21.4-20.el5
emacs-common-21.4-20.el5
emacs-leim-21.4-20.el5
emacspeak-23.0-3.el5
esound-0.2.36-3
ethtool-6-4.el5
expat-1.95.8-8.3.el5_4.2
fbset-2.1-22
file-4.17-15.el5_3.1
filesystem-2.4.0-3.el5
findutils-4.2.27-6.el5
finger-0.17-32.2.1.1
firstboot-1.4.27.8-1.el5
firstboot-tui-1.4.27.8-1.el5
fontconfig-2.4.1-7.el5
freetype-2.2.1-21.el5_3
ftp-0.17-35.el5
gail-1.9.2-3.el5
gamin-0.1.7-8.el5
gamin-python-0.1.7-8.el5
gawk-3.1.5-14.el5
GConf2-2.14.0-9.el5
gdbm-1.8.0-26.2.1
gettext-0.14.6-4.el5
giflib-4.1.3-7.1.el5_3.1
glib2-2.12.3-4.el5_3.1
glibc-2.5-49.el5_5.7
glibc-common-2.5-49.el5_5.7
gnome-doc-utils-0.8.0-2.fc6
gnome-keyring-0.6.0-1.fc6
gnome-mime-data-2.4.2-3.1
gnome-mount-0.5-3.el5
gnome-python2-2.16.0-1.fc6
gnome-python2-bonobo-2.16.0-1.fc6
gnome-python2-canvas-2.16.0-1.fc6
gnome-python2-extras-2.14.2-7.el5
gnome-python2-gconf-2.16.0-1.fc6
gnome-python2-gnomevfs-2.16.0-1.fc6
gnome-python2-gtkhtml2-2.14.2-7.el5
gnome-vfs2-2.16.2-6.el5_5.1
gnu-efi-3.0c-1.1
gnupg-1.4.5-14.el5_5.1
gnutls-1.4.1-3.el5_4.8
gpg-pubkey-37017186-45761324
gpm-1.20.1-74.1
grep-2.5.1-55.el5
groff-1.18.1.1-11.1
grub-0.97-13.5
gtk2-2.10.4-20.el5
gtk2-engines-2.8.0-3.el5
gtkhtml2-2.11.0-3
gtk-vnc-0.3.8-3.el5
gzip-1.3.5-11.el5_4.1
hal-0.5.8.1-59.el5
hdparm-6.6-2
hesiod-3.1.0-8
hicolor-icon-theme-0.9-2.1
htmlview-4.0.0-2.el5
hwdata-0.213.18-1.el5.1
ifd-egate-0.05-15
info-4.8-14.el5
initscripts-8.45.30-2.el5
iproute-2.6.18-11.el5
ipsec-tools-0.6.5-13.el5_3.1
iptables-1.3.5-5.3.el5_4.1
iptables-ipv6-1.3.5-5.3.el5_4.1
iptstate-1.4-2.el5
iputils-20020927-46.el5
irda-utils-0.9.17-2.fc6
irqbalance-0.55-15.el5
jwhois-3.2.3-8.el5
kbd-1.12-21.el5
kernel-2.6.18-92.1.10.el5
kernel-2.6.18-92.1.6.el5
kernel-2.6.18-92.el5
kernel-xen-2.6.18-92.1.10.el5
kernel-xen-2.6.18-92.1.6.el5
kernel-xen-2.6.18-92.el5
kexec-tools-1.102pre-21.el5_2.2
keyutils-libs-1.2-1.el5
kpartx-0.4.7-34.el5_5.4
krb5-libs-1.6.1-36.el5_5.5
krb5-workstation-1.6.1-36.el5_5.5
ksh-20100202-1.el5
kudzu-1.2.57.1.24-1
less-436-2.el5
lftp-3.7.11-4.el5
libacl-2.2.39-6.el5
libaio-0.3.106-5
libart_lgpl-2.3.17-4
libattr-2.4.32-1.1
libbonobo-2.16.0-1.fc6
libbonoboui-2.16.0-1.fc6
libcap-1.10-26
libdaemon-0.10-5.el5
libdmx-1.0.2-3.1
libdrm-2.0.2-1.1
libevent-1.4.13-1
libfontenc-1.0.2-2.2.el5
libFS-1.0.0-3.1
libgcc-4.1.2-48.el5
libgcrypt-1.4.4-5.el5
libglade2-2.6.0-2
libgnome-2.16.0-6.el5
libgnomecanvas-2.14.0-4.1
libgnomeui-2.16.0-5.el5
libgpg-error-1.4-2
libgssapi-0.10-2
libhugetlbfs-1.3-7.el5
libICE-1.0.1-2.1
libIDL-0.8.7-1.fc6
libidn-0.6.5-1.1
libjpeg-6b-37
libnl-1.0-0.10.pre5.5
libnotify-0.4.2-6.el5
libogg-1.1.3-3.el5
libpcap-0.9.4-15.el5
libpng-1.2.10-7.1.el5_5.3
libselinux-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
libsemanage-1.9.1-4.4.el5
libsepol-1.15.2-3.el5
libSM-1.0.1-3.1
libstdc++-4.1.2-48.el5
libsysfs-2.0.0-6
libtermcap-2.0.8-46.1
libtiff-3.8.2-7.el5_5.5
libusb-0.1.12-5.1
libuser-0.54.7-2.1.el5_4.1
libutempter-1.1.4-4.el5
libvirt-0.3.3-7.el5
libvirt-python-0.3.3-7.el5
libvolume_id-095-14.21.el5
libvorbis-1.1.2-3.el5_4.4
libwnck-2.16.0-4.fc6
libX11-1.0.3-11.el5
libXau-1.0.1-3.1
libXaw-1.0.2-8.1
libXcursor-1.1.7-1.1
libXdmcp-1.0.1-2.1
libXext-1.0.1-2.1
libXfixes-4.0.1-2.1
libXfont-1.2.2-1.0.3.el5_1
libXfontcache-1.0.2-3.1
libXft-2.1.10-1.1
libXi-1.0.1-4.el5_4
libXinerama-1.0.1-2.1
libxkbfile-1.0.3-3.1
libxml2-2.6.26-2.1.2.8
libxml2-python-2.6.26-2.1.2.8
libXmu-1.0.2-5
libXpm-3.5.5-3
libXrandr-1.1.1-3.3
libXrender-0.9.1-3.1
libXres-1.0.1-3.1
libxslt-1.1.17-2.el5_2.2
libXt-1.0.2-3.2.el5
libXTrap-1.0.0-3.1
libXtst-1.0.1-3.1
libXv-1.0.1-4.1
libXxf86dga-1.0.1-3.1
libXxf86misc-1.0.1-3.1
libXxf86vm-1.0.1-3.1
logrotate-3.7.4-9.el5_5.2
logwatch-7.3-8.el5
lsof-4.78-3
lvm2-2.02.56-8.el5_5.6
m2crypto-0.16-6.el5.6
m4-1.4.5-3.el5.1
mailcap-2.1.23-1.fc6
mailx-8.1.1-44.2.2
make-3.81-3.el5
MAKEDEV-3.23-1.2
man-1.6d-1.1
man-pages-2.39-15.el5
mcstrans-0.2.11-3.el5
mdadm-2.6.9-3.el5
mesa-libGL-6.5.1-7.8.el5
metacity-2.16.0-15.el5
mgetty-1.1.33-9.fc6
microcode_ctl-1.17-1.47.el5
mingetty-1.07-5.2.2
mkbootdisk-1.5.3-2.1
mkinitrd-5.1.19.6-28
mktemp-1.5-23.2.2
mlocate-0.15-1.el5
module-init-tools-3.3-0.pre3.1.37.el5
mozldap-6.0.5-1.el5
mtools-3.9.10-2.fc6
mtr-0.71-3.1
nano-1.3.12-1.1
nash-5.1.19.6-28
nc-1.84-10.fc6
ncurses-5.5-24.20060715
net-snmp-libs-5.3.1-24.el5_2.1
net-tools-1.60-78.el5
NetworkManager-0.7.0-10.el5_5.2
NetworkManager-glib-0.7.0-10.el5_5.2
newt-0.52.2-10.el5
nfs-utils-1.0.9-44.el5
nfs-utils-lib-1.0.8-7.2.z2
notification-daemon-0.3.5-9.el5
notify-python-0.1.0-3.fc6
nscd-2.5-24
nspr-4.8.6-1.el5
nss_db-2.2-35.3
nss_ldap-253-13.el5_2.1
nss-3.12.8-1.el5
nss-tools-3.12.8-1.el5
ntp-4.2.2p1-9.el5_4.1
ntsysv-1.3.30.2-2.el5
numactl-0.9.8-2.el5
OpenIPMI-2.0.16-7.el5
OpenIPMI-libs-2.0.16-7.el5
openjade-1.3.2-27
openldap-2.3.27-8.el5_2.4
opensp-1.5.2-4
openssh-4.3p2-26.el5_2.1
openssh-clients-4.3p2-26.el5_2.1
openssh-server-4.3p2-26.el5_2.1
openssl-0.9.8b-10.el5
ORBit2-2.14.3-5.el5
pam_ccreds-3-5
pam_krb5-2.2.14-1
pam_passwdqc-1.0.2-1.2.2
pam_pkcs11-0.5.3-23
pam_smb-1.1.7-7.2.1
pam-0.99.6.2-3.27.el5
pango-1.14.9-3.el5
paps-0.6.6-17.el5
parted-1.8.1-17.el5
passwd-0.73-1
patch-2.5.4-29.2.2
pax-3.4-1.2.2
pciutils-2.2.3-5
pcmciautils-014-5
pcre-6.6-2.el5_1.7
pcsc-lite-1.4.4-0.1.el5
pcsc-lite-libs-1.4.4-0.1.el5
perl-5.8.8-32.el5_5.2
perl-Compress-Zlib-1.42-1.fc6
perl-HTML-Parser-3.55-1.fc6
perl-HTML-Tagset-3.10-2.1.1
perl-libwww-perl-5.805-1.1.1
perl-String-CRC32-1.4-2.fc6
perl-URI-1.35-3
pinfo-0.6.9-1.fc6
pirut-1.3.28-13.el5
pkgconfig-0.21-2.el5
pkinit-nss-0.7.3-1.el5
pm-utils-0.99.3-6.el5.19
policycoreutils-1.33.12-14.el5
poppler-0.5.4-4.4.el5_4.11
poppler-utils-0.5.4-4.4.el5_4.11
popt-1.10.2.3-20.el5_5.1
portmap-4.0-65.2.2.1
ppp-2.4.4-1.el5
prelink-0.3.9-2.1
procmail-3.22-17.1
procps-3.2.7-9.el5
psacct-6.3.2-41.1
psgml-1.2.5-4.3
psmisc-22.2-6
pycairo-1.2.0-1.1
pygobject2-2.12.1-5.el5
pygtk2-2.10.1-12.el5
pygtk2-libglade-2.10.1-12.el5
pyOpenSSL-0.6-1.p24.7.2.2
pyorbit-2.14.1-1.1
python-2.4.3-27.el5_5.3
python-dmidecode-3.10.13-1.el5_5.1
python-elementtree-1.2.6-5
python-iniparse-0.2.3-4.el5
python-ldap-2.2.0-2.1
python-numeric-23.7-2.2.2
python-sqlite-1.1.7-1.2.1
python-urlgrabber-3.1.0-5.el5
python-virtinst-0.300.2-8.el5
pyxf86config-0.3.31-2.fc6
quota-3.13-1.2.3.2.el5
rdate-1.4-6
rdist-6.1.5-44
readahead-1.3-7.el5
readline-5.1-1.1
redhat-artwork-5.0.9-1.el5
redhat-logos-4.9.16-1
redhat-menus-6.7.8-2.el5
redhat-release-5Server-5.2.0.4
redhat-release-notes-5Server-15
rhel-instnum-1.0.8-1.el5
rhn-check-0.4.20-33.el5_5.2
rhn-client-tools-0.4.20-33.el5_5.2
rhnlib-2.5.22-3.el5
rhnsd-4.6.1-1.el5
rhn-setup-0.4.20-33.el5_5.2
rhn-setup-gnome-0.4.20-33.el5_5.2
rhn-virtualization-common-1.0.1-55
rhn-virtualization-host-1.0.1-55
rhpl-0.194.1-1
rhpxl-0.41.1-6.el5
rmt-0.4b41-2.fc6
rng-utils-2.0-1.14.1.fc6
rootfiles-8.1-1.1.1
rpm-4.4.2.3-20.el5_5.1
rpm-libs-4.4.2.3-20.el5_5.1
rpm-python-4.4.2.3-20.el5_5.1
rp-pppoe-3.5-32.1
rsh-0.17-38.el5
rsync-2.6.8-3.1
sabayon-2.12.4-5.el5
sabayon-apply-2.12.4-5.el5
scrollkeeper-0.3.14-9.el5
SDL-1.2.10-8.el5
sed-4.1.5-5.fc6
selinux-policy-2.4.6-137.1.el5_2
selinux-policy-targeted-2.4.6-137.1.el5_2
sendmail-8.13.8-2.el5
setarch-2.0-1.1
setools-3.0-3.el5
setroubleshoot-2.0.5-3.el5
setroubleshoot-plugins-2.0.4-2.el5
setroubleshoot-server-2.0.5-3.el5
setserial-2.17-19.2.2
setup-2.5.58-1.el5
setuptool-1.19.2-1
sgml-common-0.6.3-18
sgpio-1.2.0_10-2.el5
shadow-utils-4.0.17-13.el5
shared-mime-info-0.19-5.el5
slang-2.0.6-4.el5
smartmontools-5.38-2.el5
sos-1.7-9.2.el5_2.2
sox-12.18.1-1
specspo-13-1.el5
sqlite-3.3.6-2
startup-notification-0.8-4.1
stunnel-4.15-2.el5.1
sudo-1.7.2p1-7.el5_5
svrcore-4.0.4-3.el5
symlinks-1.2-24.2.2
sysfsutils-2.0.0-6
sysklogd-1.4.1-44.el5
syslinux-3.11-4
system-config-date-1.8.12-3.el5
system-config-display-1.0.48-2.el5
system-config-kdump-1.0.14-1.el5
system-config-keyboard-1.2.11-1.el5
system-config-language-1.1.18-2.el5
system-config-lvm-1.1.3-2.0.el5
system-config-network-1.3.99.10-2.el5
system-config-network-tui-1.3.99.10-2.el5
system-config-rootpassword-1.1.9.1-1
system-config-securitylevel-1.6.29.1-2.1.el5
system-config-securitylevel-tui-1.6.29.1-2.1.el5
system-config-soundcard-2.0.6-1.el5
system-config-users-1.2.51-4.el5
SysVinit-2.86-15.el5
talk-0.17-29.2.2
tar-1.15.1-30.el5
tcl-8.4.13-3.fc6
tclx-8.4.0-5.fc6
tcp_wrappers-7.6-40.4.el5
tcpdump-3.9.4-12.el5
tcsh-6.14-12.el5
telnet-0.17-39.el5
termcap-5.5-1.20060701.1
time-1.7-27.2.2
tk-8.4.13-5.el5_1.1
tmpwatch-2.9.7-1.1.el5.2
traceroute-2.0.1-5.el5
tree-1.5.0-4
ttmkfdir-3.0.9-23.el5
tzdata-2011d-1.el5
udev-095-14.16.el5
unix2dos-2.2-26.2.2
unzip-5.52-3.el5
urw-fonts-2.3-6.1.1
usbutils-0.71-2.1
usermode-1.88-3.el5.1
usermode-gtk-1.88-3.el5.1
util-linux-2.13-0.47.el5
vconfig-1.9-2.1
vim-common-7.0.109-6.el5
vim-enhanced-7.0.109-6.el5
vim-minimal-7.0.109-6.el5
virt-viewer-0.0.2-2.el5
vixie-cron-4.1-72.el5
vsftpd-2.0.5-16.el5_6.1
wget-1.11.4-2.el5_4.1
which-2.16-7
wireless-tools-28-2.el5
words-3.0-9.1
wpa_supplicant-0.5.10-9.el5
Xaw3d-1.5E-10.1
xen-3.0.3-64.el5_2.1
xen-libs-3.0.3-64.el5_2.1
xkeyboard-config-0.8-9.el5
xml-common-0.6.3-18
xorg-x11-drv-evdev-1.0.0.5-5.el5
xorg-x11-drv-keyboard-1.1.0-3
xorg-x11-drv-mouse-1.1.1-1.1
xorg-x11-drv-vesa-1.3.0-8.2.el5
xorg-x11-drv-void-1.1.0-3.1
xorg-x11-filesystem-7.1-2.fc6
xorg-x11-fonts-base-7.1-2.1.el5
xorg-x11-fonts-ISO8859-1-75dpi-7.1-2.1.el5
xorg-x11-font-utils-7.1-2
xorg-x11-server-utils-7.1-4.fc6
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.2
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.2
xorg-x11-utils-7.1-2.fc6
xorg-x11-xfs-1.0.2-4
xorg-x11-xkb-utils-1.0.2-2.1
xsri-2.1.0-10.fc6
xulrunner-1.9.2.11-4.el5_5
yelp-2.16.0-26.el5
ypbind-1.19-12.el5
yp-tools-2.9-1.el5
yum-3.2.22-33.el5
yum-metadata-parser-1.1.2-3.el5
yum-rhn-plugin-0.5.4-17.el5_6.1
yum-security-1.1.16-13.el5_4.1
yum-updatesd-0.9-2.el5
yum-utils-1.1.16-13.el5_4.1
zip-2.31-2.el5
zlib-1.2.3-3

stress_junkie · 03-31-2011, 11:10 AM

Quote:

Originally Posted by rjo98

I have a server that's only function is to run a vsftp server for people to send us files on. Below is an rpm -qa that's sorted alphabetically, are there any things in this list that should probably be removed for security purposes, that wouldn't affect the ftp servers functionality? We only access it from the CLI, if that helps. I dont know what 99% of the items in this list are so i'm not sure even where to start.

I honestly think that this is an opportunity for you to learn what all of these components do and make up your own mind about whether each one is necessary. You are asking someone here to do a lot of work. That's a lot to ask.

A lot of system administration work involves long complicated steps. I think that you should simply look up each of the components and find out what they are and what they do. Then if you decide to remove any of them you will learn whether that component was critical or not when you restart the computer.

My initial impression is that there is very little fat to trim in that list. I probably wouldn't remove any of them.

You absolutely SHOULD look at the user account list and remove unnecessary ones. However that is another research project. You might be surprised if you remove the nobody account, or example, and find that something stops working, like updatedb for example.

anon091 · 03-31-2011, 01:03 PM

Thanks for the tip. I wasn't really looking for someone to go through one by one, i was more hoping for a general response like you gave. I am starting to research them all.

thund3rstruck · 03-31-2011, 02:42 PM

My company uses dozens of S/FTP/SCP servers and if there's one recommendation I can make it's this: Go download a server only OS without a desktop/window manager. We're currently running Ubuntu 9.10 minimal server edition which comes with literally nothing but the kernel and base packages. The only thing we install on it is vsftpd, ssh, acl, and some pam modules. Going that route eliminates all those extra threats that come with running a multi-purpose machine.

anon091 · 03-31-2011, 02:51 PM

Thanks for that tip!

anomie · 03-31-2011, 02:54 PM

RHEL - and its derivative distros - is a fantastic OS, but even a minimal package install throws in some cruft that is not necessary for a single-service server. I recommend firing up an installation in a VM, and using it as a test bed for learning about packages (manpages will be helpful to read as you go along) and dependencies.

Alternatively, there are other OSes that simply don't install everything and the kitchen sink by default. One (non-Linux) example is FreeBSD.

anon091 · 03-31-2011, 02:55 PM

Thanks. From what I'm told all the servers I've inherited were mostly installed with whatever was the default, so i'm guessing some of them have fluff on them that isn't needed.

jlinkels · 03-31-2011, 06:38 PM

Quote:

Originally Posted by rjo98

Thanks. From what I'm told all the servers I've inherited were mostly installed with whatever was the default, so i'm guessing some of them have fluff on them that isn't needed.

You should not care too much about that. Make sure X doesn't start, and you almost have a lean system. You shouldn't care about whether foo or bar is installed or not. All those packages take up little space, and no CPU time. Even a full GUI installation with OpenOffice and all is about 4 GB, that is not something to worry about in 2011.

My personal recommendation is Debian, and don't install any 'typical' systems if you are offered the choice. Bare Debian is very lean, doesn't even include less or ssh. If you are a serious RedHat person, stick with RedHat. Altough Debian is much better than RH (hehe just kidding) it won't pay back the additional time you have to spend to unlearn RH and learn Debian policy.

jlinkels

unSpawn · 03-31-2011, 10:55 PM

Quote:

Originally Posted by jlinkels

You should not care too much about that.

Yes you should. Generally speaking the less "moving parts" are installed the smaller the attack surface (ranging from deemed-unsafe-for-use applications like any r.* services and use to misconfiguration to current vulnerabilities and ones yet to discover) and easier auditing, hardening and maintenance will be.

Quote:

Originally Posted by jlinkels

Make sure X doesn't start, and you almost have a lean system.

A headless, single purpose FTP server does not require development tools and X11 / Xorg to be installed.

Quote:

Originally Posted by jlinkels

You shouldn't care about whether foo or bar is installed or not. All those packages take up little space, and no CPU time. Even a full GUI installation with OpenOffice and all is about 4 GB, that is not something to worry about in 2011.

The "don't care" / "don't worry" reply is something we should guard against in almost all (security-related) issues as it avoids addressing facts or situations as presented and ultimately leaves the OP with no method to determine if it is an issue or non-issue for himself. Unnecessarily so as, unlike fuzzy human communication and behaviour, computing is binary in that it does not require interpretation: something either is or it is not. I hope you understand and agree.

anon091 · 04-01-2011, 05:28 AM

I was looking more to eliminate any unnecessary things as to lessen the areas that a possible attacker could get in.

thund3rstruck · 04-01-2011, 05:57 AM

Quote:

Originally Posted by rjo98

I was looking more to eliminate any unnecessary things as to lessen the areas that a possible attacker could get in.

That's the point @unspawn is making. Disabling services and preventing X from starting only marginally reduces your attack surface. If they exist on the machine then they can be enabled or turned on and exploited. Better to start out with essentially a single attack vector and try to secure it: the kernel, the tcpd, and the ftp server. That's a lot easier to monitor than 100 other services all with their own unique (potential) vulnerabilities.

anon091 · 04-01-2011, 05:58 AM

Right, and I was agreeing with his point :-)

jlinkels · 04-01-2011, 06:49 AM

Overlooked the security thing and I wasn't aware I was reading in the security forum. Sorry.

jlinkels

Reuti · 04-01-2011, 09:23 AM

Quote:

Originally Posted by thund3rstruck

Go download a server only OS without a desktop/window manager.

+1 You can also check FreeNAS and run it from CD.

thund3rstruck · 04-01-2011, 09:41 AM

Quote:

Originally Posted by Reuti

+1 You can also check FreeNAS and run it from CD.

I've got a few FreeNAS servers running actually, but I'd have to recommend installing it to hdd or flash drive because when its running off CD the admin web page takes EONs to process GET/POST requests (well at least it does on my PII 450 MHZ server)