Quote:
Originally Posted by MIKCAweb
What do you think about this list? Are there better selections out there? What else do we need, what are we missing?
I'd say it depends. The loaded software versions will be outdated in weeks if not days. If you're handing over the VM to customers they will start using it, not updating it. I won't comment on your choice of software as you know best what you and your customers handle best but I have my doubts about web-based management panels. Due to low-cost hosting providers pushing them these tools usually end up in the hands of novice Linux users who in turn are more than eager to fsck up anything that comes with an "OK" button.
Quote:
Originally Posted by MIKCAweb
Ksplice <- Does this really benefit your scenario?
csf firewall <- apart from his laudable LMD effort IMNHSO Rfx "products" are unnecessary and highly overrated.
Change SSH port to non-standard <- Instead deny root access, force pubkey auth and unprivileged accounts and add fail2ban.
mount /dev/shm /tmp with noexec, nosuid <- that helps in some cases. In others it simply won't.
turn off unwanted services <- Remove unnecessary subsystems and disable what remains?
Employ mod_security <- How about a reverse proxy as well?
Software to enable / add:
- SELinux: while no MAC is invincible it has proven its worth. Developers and users thinking it should be disabled have stopped paying attention after Fedora Core 3 :-]
- Audit: companion service. Logging is important wrt audit trails and can be used by other tools.
- Logwatch: should simply be installed on any machine.
- fail2ban: reads logs from a gazillion services and can actively block access.
- Some form of integrity verification. At least md5deep if you're not supplying Samhain or AIDE.
Quote:
Originally Posted by MIKCAweb
I guess the hardening list could go on and on.
No, not really. There's a relatively small set of measures and actions to take that will result in a much improved security posture. I'd like to introduce you to post #7 (feel free to read the whole thread ;-p) of a real-world case of hardening a server as the SANS, OWASP and Cisecurity links will benefit you.
*Whatever you choose always test (GNU/Tiger, OpenVAS, Nessus, etc, etc) the effect of measures after implementing them.
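As an added example (not part of the post or of any tool named in it), the following POSIX shell script checks three of the measures above, denying root SSH login, forcing public-key authentication, and mounting /tmp and /dev/shm with noexec,nosuid, against sshd_config and /proc/mounts-style text. The sample configuration and mount lines are constructed for the example; point the functions at the real files to test a host after hardening it.

```shell
# Added example, not from the thread: verify three measures named above (deny
# root SSH login, force public-key auth, noexec/nosuid on /tmp and /dev/shm)
# against config text. Sample inputs are constructed, not taken from a host.
# Print the effective value of sshd option $2 in config text $1. Like sshd,
# the first occurrence wins; comments are stripped, keyword match is
# case-insensitive. Match blocks are not handled.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }'
}

# Return 0 when root login is denied, password auth is off and public-key
# auth is not disabled (sshd defaults PubkeyAuthentication to yes).
check_sshd_config() {
    rc=0
    [ "$(sshd_value "$1" PermitRootLogin)" = no ] ||
        { echo "FAIL: PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_value "$1" PasswordAuthentication)" = no ] ||
        { echo "FAIL: PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_value "$1" PubkeyAuthentication)" != no ] ||
        { echo "FAIL: PubkeyAuthentication must not be no"; rc=1; }
    return $rc
}

# $1: /proc/mounts or fstab text, $2: mount point. Return 0 only when the
# mount point is present and its option list has both noexec and nosuid.
check_mount_opts() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }')
    [ -n "$opts" ] || { echo "FAIL: $2 is not mounted"; return 1; }
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "FAIL: $2 lacks $want"; return 1 ;;
        esac
    done
    return 0
}

# Constructed samples: distro-style defaults versus the hardened variant.
WEAK_SSHD='PermitRootLogin yes'
HARD_SSHD='# hardened as recommended
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
check_sshd_config "$HARD_SSHD" && echo "sshd: OK"
check_mount_opts "$SAMPLE_MOUNTS" /dev/shm && echo "/dev/shm: OK"
check_mount_opts "$SAMPLE_MOUNTS" /tmp || echo "/tmp still needs noexec"
```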