Greetings, everybody

I've browsed around a bit, but there seems to be no single practical
list of this kind.

What would you do to make a new Centos server which must run apache,
IMAP (Dovecot) and SMTP (Postfix) and nothing else for a few domains
as secure from attacks as possible, using only standard RPM packages
as much as possible?

(Please note that choice of other IMAP and SMTP servers is not
possible in my case, for a lot of reasons really not pertinent on the
list, so let's not go there, please)

Here's a first absolutely incomplete draft off the top of my head:

- remove as many unnecessary packages as possible (best way to find
  them?)

- install dovecot (not included in centos, IIRC) and other extra
  packages you do need

- run yum update

- enable long passwords

- set up only ssh2 on a non standard port

- set up Single Packet Authorization?

- set up iptables (what would the safest iptables script to do all and
  only the services listed above?)

- what else?

Feel free to rearrange, cut, add, give links, whatever: personally,
I'm interested in securing the whole box, meaning how to glue things
together in the safest possible way, without forgetting anything,
while things like how to make Postfix not an open relay, for example,
are already covered in detail in the Postfix docs.

TIA,
Marco
--
The Family Guide to Digital Freedom: digifreedom.net
Stephen John Smoogen
2007-Jul-20 21:12 UTC
[CentOS] Security checklist for new Centos server?
On 7/20/07, M. Fioretti <mfioretti at mclink.it> wrote:
> Greetings, everybody
>
> I've browsed around a bit, but there seems to be no single practical
> list of this kind.

My first point is going over the long list
iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf and figuring out what meets
the local environment.

> What would you do to make a new Centos server which must run apache,
> IMAP (Dovecot) and SMTP (Postfix) and nothing else for a few domains
> as secure from attacks as possible, using only standard RPM packages
> as much as possible?
>
> (Please note that choice of other IMAP and SMTP servers is not
> possible in my case, for a lot of reasons really not pertinent on the
> list, so let's not go there, please)
>
> Here's a first absolutely incomplete draft off the top of my head:
>
> - remove as many unnecessary packages as possible (best way to find
>   them?)
>
> - install dovecot (not included in centos, IIRC) and other extra
>   packages you do need
>
> - run yum update
>
> - enable long passwords
>
> - set up only ssh2 on a non standard port

Depending on the environment, I have found that this is not a useful
tool. The problem I have encountered is that it just turns off some of
the attacks. But if the target is considered worthwhile it does nothing,
as a slow nmap will point out that SSH is running on another port. The
problem I have with security through obscurity is that too many people
rely on it too much. [Oh, I will put ssh on the telnet port as no one
would explain that.. and that way I can use a 5 letter password.] Other
issues are that it can flag other security tools that might be used in
an environment looking for non-standard traffic.

> - set up Single Packet Authorization?

I do not know enough about this to answer, but its name does not imbue
trust in me :). [E.G. I would believe more in a 3-5 packet approach:
Query, ReverseQuery, Answer-To-RQuery, Authorization]

> - set up iptables (what would the safest iptables script to do all and
>   only the services listed above?)

I think that if security is essential, then one should know iptables
first.. then use a script. Not knowing iptables and relying on a script
usually ends up with lots of email to some firewall list about why I
can't talk to my remote server anymore.

> - what else?
>
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.
>
> TIA,
> Marco
> --
> The Family Guide to Digital Freedom: digifreedom.net

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a
naughty world. = Shakespeare. "The Merchant of Venice"
M. Fioretti wrote:
> - install dovecot (not included in centos, IIRC) and other extra
>   packages you do need

dovecot is included in CentOS - so no need to get it from somewhere else.

> - set up iptables (what would the safest iptables script to do all and
>   only the services listed above?)

Depends on from where you want to connect to your imap server. From
everywhere? And ssh? The same? If you only run sshd, imap, postfix and
apache I don't really see a need for iptables. But you might want to
restrict access to sshd to a few ip addresses if you can.

> - what else?

Don't turn off SELinux.

Cheers,

Ralph
On Sat, Jul 21, 2007 10:33:14 AM +0200, Ralph Angenendt (ra+centos at br-online.de) wrote:
> > - set up iptables (what would the safest iptables script to do all and
> >   only the services listed above?)
>
> Depends on from where you want to connect to your imap server. From
> everywhere?

Yes. More exactly, dovecot must serve both local webmail via
squirrelmail and my (and other users') home boxes.

> If you only run sshd, imap, postfix and apache I don't really see a
> need for iptables. But you might want to restrict access to sshd to
> a few ip addresses if you can.

Unfortunately, this is not an option. Sorry I forgot to specify it in
the initial message.

> > - what else?
>
> Don't turn off SELinux.

Hmmm... I had also forgotten this side of the package. I will be
running on a rented VPS, can SELinux be used in such contexts?

Also, frankly I am not up to date on this, but I do remember reading a
lot of "Just turn off selinux, isn't worth it" and "selinux isn't
mature/documented enough yet" in relatively recent times, both on
Fedora and Centos lists. Is this still the case?

Thanks!
Marco
--
The Family Guide to Digital Freedom digifreedom.net
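One way to answer the iptables question from the first message, given Marco's follow-up that ssh and imap must stay reachable from everywhere: an added example, not code from anyone in the thread, that emits an iptables-restore ruleset opening only the listed services and dropping the rest. The SSH_PORT variable and the inclusion of submission (587) and IMAPS (993) are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset
# that admits only the services Marco listed (SSH, HTTP/HTTPS, SMTP, IMAP)
# from anywhere, as his follow-up requires, and drops everything else.
# SSH_PORT is an assumed variable (the thread only says "non standard port").
# Apply on the server with:  sh this_script.sh | iptables-restore
SSH_PORT="${SSH_PORT:-22}"
# Assumption: submission (587) and IMAPS (993) are listed because Postfix
# and Dovecot commonly offer them; remove any port you do not serve.
TCP_PORTS="$SSH_PORT 25 587 80 443 143 993"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the box opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# keep the VPS pingable, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # one ACCEPT rule per served port; NEW connections only
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# log a sample of what is dropped so scans show up in /var/log/messages
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Helper for review: how many ACCEPT rules open a given port (expect 1 or 0).
count_port_rules() {
    gen_rules | grep -c -- "--dport $1 " || true
}

# Helper: the default policy must be DROP, otherwise the rules are moot.
input_policy() {
    gen_rules | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

gen_rules
```

Review the printed ruleset before loading it, and keep a console or out-of-band session open on the VPS in case the ssh port in SSH_PORT does not match what sshd actually listens on.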
> Feel free to rearrange, cut, add, give links, whatever: personally,
> I'm interested in securing the whole box, meaning how to glue things
> together in the safest possible way, without forgetting anything,
> while things like how to make Postfix not an open relay, for example,
> are already covered in detail in the Postfix docs.

I have found that the checklist/scripts/documents at cisecurity.org are
a pretty good starting point.

Craig