LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 05-24-2012, 01:04 PM   #1
MIKCAweb
LQ Newbie
 
Registered: May 2012
Posts: 2

Rep: Reputation: Disabled
Configuring a perfect base server ISO


Hello -

We're provisioning a server to be used as a base VM ISO for several single-themed web sites. Each site will sit on it's own virtual server with additional programs specific to its purpose. We've started with a clean install of CentOS and Webmin. We intend to add a hand-full of programs common to most sites and then harden the server. Our list below reflects our current thoughts.

What do you think about this list? Are there better selections out there? What else do we need, what are we missing? Again , we want to end up with a minimal base server ISO that we can drop in a VM, then add a custom site/application - do whatever we want, knowing the base is solid.

PROGRAMS/SERVICES
Roundcube
Clamav
SpamAssassin
ProFTP
MySQL
phpMyAdmin
Webalizer
PHP

HARDENING
Ksplice
csf firewall
Linux Malware Detect
Change SSH port to non-standard
mount /dev/shm /tmp with noexec, nosuid
turn off unwanted services
Employ mod_security
hide apache info
deny browsing outside the document root

I guess the hardening list could go on and on.

Thank you
 
Old 05-24-2012, 05:37 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by MIKCAweb View Post
What do you think about this list? Are there better selections out there? What else do we need, what are we missing?
I'd say it depends. The loaded software versions will be outdated in weeks if not days. If you're handing over the VM to customers they will start using it, not updating it. I won't comment on your choice of software as you know best what you and your customers handle best but I have my doubts about web-based management panels. Due to low-cost hosting providers pushing them these tools usually end up in the hands of novice Linux users who in turn are more than eager to fsck up anything that comes with an "OK" button.


Quote:
Originally Posted by MIKCAweb View Post
Ksplice <- Does this really benefit your scenario?
csf firewall <- apart from his laudable LMD effort IMNHSO Rfx "products" are unnecessary and highly overrated.
Change SSH port to non-standard <- Instead deny root access, force pubkey auth and unprivileged accounts and add fail2ban.
mount /dev/shm /tmp with noexec, nosuid <- that helps in some cases. In others it simply wont.
turn off unwanted services <- Remove unnecessary subsystems and disable what remains?
Employ mod_security <- How about a reverse proxy as well?

Software to enable / add:
- Selinux: while no MAC is invincible it has proven its worth. Developers and users thinking it should be disabled have stopped paying attention after Fedora Core 3 :-]
- Audit: companion service. Logging is important wrt audit trails and can be used by other tools.
- Logwatch: should simply be installed on any machine.
- fail2ban: reads logs from a gazillion services and can actively block access.
- Some form of integrity verification. At least md5deep if you're not supplying Samhain or Aide.


Quote:
Originally Posted by MIKCAweb View Post
I guess the hardening list could go on and on.
No, not really. There's a relatively small set of measures and actions to take that will result in a much improved security posture. I'd like to introduce you to post #7 (feel free to read the whole thread ;-p) of a real world case of hardening a server as the SANS, OWASP and Cisecurity links will benefit you.
*Whatever you choose always test (GNU/Tiger, OpenVAS, Nessus, etc, etc) the effect of measures after implementing them.

Last edited by unSpawn; 05-26-2012 at 06:35 AM. Reason: //typo
 
Old 05-24-2012, 06:26 PM   #3
MIKCAweb
LQ Newbie
 
Registered: May 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks unSpawn, for the quick response -

Yes, we agree about the panel admin. We're trying to find some scripts that will allow a user to only be able to input email and ftp account info, yet have no access to the control panel. We may have to write that ourselves, I haven't seen anything like that. Yet.

We'll be responsible for doing updates for the site software.

We'd be happy to hear your thoughts on the "choice of software". These are just our first ideas and we're looking for input on what would help make the ideal base server.

And thank you for your software suggestions. We will look them over.

I will read the post #7 thread in it's entirety.

Appreciate your time.
 
Old 05-27-2012, 04:07 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by MIKCAweb View Post
I will read the post #7 thread in it's entirety.
Once you've read it list what you want to implement and we'll discuss that, OK?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Configuring Zimbra mail server with MS AD user base using LDAP Lantzvillian Linux - Security 1 11-26-2007 01:35 PM
LXer: Perfect Setup Of Snort + Base + PostgreSQL On Ubuntu 6.06 LTS LXer Syndicated Linux News 0 04-27-2007 08:33 PM
arch iso - base or not? doronunu Arch 3 02-22-2006 09:21 AM
woody install problem - failure while configuring base packages dongmin Debian 2 06-02-2004 10:15 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 11:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration