Any tips on securing a server?
R. Mattes
rm at mh-freiburg.de
Wed Jan 19 01:39:18 UTC 2005
Jeff Waugh wrote:
><quote who="Ben Hodgson">
>
>
>
>>I have set up an internet server running qpopper, exim, webmin, apache and
>>ProFTPd and have finished configuring the servers themselves. Now i'm
>>trying to move onto security and protecting the machine from potential
>>attacks.
>>
>>
Well, if you're really after security I think you should get a few good
books about server administration and security (yes, a few. This isn't
easy ground). While a bit outdated, I liked L. Stein's book about web
security and the Spafford-Garfinkel security book by O'Reilly. I'd stay
away from anything that has the word "Hacker" or "Hacking" in its
title :-)

Subscribe to the security mailing lists, esp. to the Debian Security
Announcements at debian-security-announce at lists.debian.org and, of
course, the ubuntu-security-announce mailing list.

Try to keep as few services running as possible. Ask yourself several
times whether a given service can't be left out or substituted with a
more secure service.
Why FTP? For download-heavy sites use HTTP and a secure upload protocol
like scp or sftp (there are enough good and free Win/Mac clients out
there). Insisting on ftp in the 21st century is so, oh, old-fashioned :-)
Or use rsync with pub/private keys - nice because it'll save you
bandwidth!
Why POP? IMAP over an (encrypted) tunnel might be better etc.

Keep the number of login accounts as low as possible. Even though you
might be very security-aware, some of your users might not be (and
"lend" passwords to friends etc.). A single sloppy user might open up a
carefully crafted fortress :-/

Security isn't a one-time thing - always keep an eye on your
logfiles/system activity (io-stat etc.). Keep reading and monitoring,
test your open ports (scan them regularly and be curious whenever an
unexpected port/network connection shows up) [use nmap and netstat,
sometimes tcpdump to a file and examine it with ethereal].

Compile your own kernel. Disable loadable module support! You'll hardly
ever change the core hardware of your server but Joe Cracker will be
glad to hide all his tracks with a small kernel module (kernel modules
are _scary_! They can give an intruder absolute stealth mode [nota bene:
it's harder with 2.6 kernels but I wouldn't take any chances]).

Just my 0.03 $

RalfD
>First thing is to choose security supported packages in Ubuntu main, such as
>dovecot (to replace qpopper), vsftpd (to replace proftpd) and apache2 (to
>replace apache, in case you've installed 1.3). We do support exim, but don't
>support webmin. :-)
>
>
Hmm, could you enlighten us about the problems with Apache 1.3.n? I
don't really see any problems security-wise (as opposed to proftp - one
eternal source of problems ...)
>- Jeff
>
>
>
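
The port-monitoring advice in the message above (check listening ports regularly and question anything unexpected), as an added example that is not part of the original post: a shell function that compares `netstat -tln` output against a baseline of expected ports. The baseline, the function name and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag listening TCP sockets that are not in an expected baseline.

# Assumed baseline for the services named in the thread (ftp, smtp, http,
# pop3, webmin on its default port 10000) plus ssh for administration.
EXPECTED_PORTS="21 22 25 80 110 10000"

# Constructed sample of `netstat -tln` output (not taken from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::6667                 :::*                    LISTEN'

# Reads `netstat -tln` output on stdin. $1 is the space-separated baseline.
# Prints "port address scope" for every LISTEN socket outside the baseline;
# scope is "loopback" for local-only binds and "exposed" otherwise.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (port in ok) next
            scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
            print port, addr, scope
        }'
}

# Run against the constructed sample; every line printed needs an explanation.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
```

On a live host, pipe `netstat -tln` into `unexpected_listeners "$EXPECTED_PORTS"` from cron and mail any non-empty result to the administrator.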
More information about the ubuntu-users mailing list