Hello -

We're provisioning a server to be used as a base VM ISO for several single-themed web sites. Each site will sit on it's own virtual server with additional programs specific to its purpose. We've started with a clean install of CentOS and Webmin. We intend to add a hand-full of programs common to most sites and then harden the server. Our list below reflects our current thoughts.

What do you think about this list? Are there better selections out there? What else do we need, what are we missing? Again , we want to end up with a minimal base server ISO that we can drop in a VM, then add a custom site/application - do whatever we want, knowing the base is solid.

PROGRAMS/SERVICES
Roundcube
Clamav
SpamAssassin
ProFTP
MySQL
phpMyAdmin
Webalizer
PHP

HARDENING
Ksplice
csf firewall
Linux Malware Detect
Change SSH port to non-standard
mount /dev/shm /tmp with noexec, nosuid
turn off unwanted services
Employ mod_security
hide apache info
deny browsing outside the document root

I guess the hardening list could go on and on.

Thank you

I'd say it depends. The loaded software versions will be outdated in weeks if not days. If you're handing over the VM to customers they will start using it, not updating it. I won't comment on your choice of software as you know best what you and your customers handle best but I have my doubts about web-based management panels. Due to low-cost hosting providers pushing them these tools usually end up in the hands of novice Linux users who in turn are more than eager to fsck up anything that comes with an "OK" button.



Software to enable / add:
- Selinux: while no MAC is invincible it has proven its worth. Developers and users thinking it should be disabled have stopped paying attention after Fedora Core 3 :-]
- Audit: companion service. Logging is important wrt audit trails and can be used by other tools.
- Logwatch: should simply be installed on any machine.
- fail2ban: reads logs from a gazillion services and can actively block access.
- Some form of integrity verification. At least md5deep if you're not supplying Samhain or Aide.


No, not really. There's a relatively small set of measures and actions to take that will result in a much improved security posture. I'd like to introduce you to post #7 (feel free to read the whole thread ;-p) of a real world case of hardening a server as the SANS, OWASP and Cisecurity links will benefit you.
*Whatever you choose always test (GNU/Tiger, OpenVAS, Nessus, etc, etc) the effect of measures after implementing them.

Thanks unSpawn, for the quick response -

Yes, we agree about the panel admin. We're trying to find some scripts that will allow a user to only be able to input email and ftp account info, yet have no access to the control panel. We may have to write that ourselves, I haven't seen anything like that. Yet.

We'll be responsible for doing updates for the site software.

We'd be happy to hear your thoughts on the "choice of software". These are just our first ideas and we're looking for input on what would help make the ideal base server.

And thank you for your software suggestions. We will look them over.

I will read the post #7 thread in it's entirety.

Appreciate your time.

Once you've read it list what you want to implement and we'll discuss that, OK?