Hi folks,

As a breather from the "thread-now-wider-than-my-headers-window-in-thunderbird" conversation re: mixing repos, I have a question regarding a machine I'm about to put online. :)

I run a web hosting company and my secondary (primary to the world) DNS box died from a massive rootkit/hack last night. It was running an old Slackware 9.1 installation and I will be completely cleaning those drives sector-by-sector. After which I'll be installing CentOS 5 on that hardware.

As it will be a production server and this is my first foray into CentOS/SELinux in a production environment I was hoping to get a recommended list of what to include and, more specifically, what *not* to include from the distro CDs.

I will be doing a text based install, hoping to avoid the installation of X. Other than BIND and vsftpd, I don't think I need much. This machine will be pulling zone files from my primary web server and storing some archive files and backups for me.

I'm diligently R`ingTFMs, and will continue to.... I'd sure be appreciative of any jumpstart help and/or any pitfalls of which to be cognizant.

TIA,
~Ray
> Hi folks,
>
> As a breather from the "thread-now-wider-than-my-headers-window-in-thunderbird" conversation re: mixing repos, I have a question regarding a machine I'm about to put online. :)
>
> I run a web hosting company and my secondary (primary to the world) DNS box died from a massive rootkit/hack last night. It was running an old Slackware 9.1 installation and I will be completely cleaning those drives sector-by-sector. After which I'll be installing CentOS 5 on that hardware.
>
> As it will be a production server and this is my first foray into CentOS/SELinux in a production environment I was hoping to get a recommended list of what to include and, more specifically, what *not* to include from the distro CDs.
>
> I will be doing a text based install, hoping to avoid the installation of X. Other than BIND and vsftpd, I don't think I need much. This machine will be pulling zone files from my primary web server and storing some archive files and backups for me.
>
> I'm diligently R`ingTFMs, and will continue to.... I'd sure be appreciative of any jumpstart help and/or any pitfalls of which to be cognizant.

-----------------------------------------------------------------
Sorry for my broken ass webmail, but I don't have access to a real mail client at the moment.

Personally I would recommend against installing any service that isn't absolutely necessary, such as FTP. On a DNS server, if that's all it is going to be, there is no need for FTP services. If you need to upload things to the server, use scp, which is a part of SSH.

The install is going to add a lot of services that you probably won't need on the server, such as sendmail. Shut down any service that you don't need. The fewer services running, the fewer attack vectors. You will never get it "hack proof". What you will get is something that "script kiddies" may not bother with in favor of easier targets. Like the old saying goes, "You don't have to run faster than the cheetah. You just have to run faster than the man running next to you."

I would also, if possible, disallow root logins to the server via SSH. Configure it so that you have to log in as a normal restricted user and then su to root.
------------------------------------------------------------------

> TIA,
> ~Ray

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
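An added example, not part of the thread or written by any of its posters: a small audit of the two settings the reply above recommends, namely which services are enabled at boot and whether sshd permits root logins. The allowlist, the function names and the sample inputs are assumptions constructed for illustration; on a real host, pipe in `chkconfig --list` and `/etc/ssh/sshd_config` instead.

```shell
#!/bin/sh
# Assumed allowlist for a DNS-only secondary, following the reply's advice.
ALLOWED="named sshd network syslog crond iptables"

# Reads `chkconfig --list` output on stdin and prints every service that is
# enabled in runlevel 3 but missing from the allowlist.
extra_services() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (f = 2; f <= NF; f++)
                if ($f == "3:on" && !($1 in ok)) print $1
        }'
}

# Reads an sshd_config on stdin and prints the effective PermitRootLogin value.
# sshd honours the first uncommented occurrence of a keyword and matches
# keywords case-insensitively; "default" means no directive is present, so
# the built-in default of the installed sshd applies and should be checked.
root_login_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }'
}

# Constructed sample in the tab-separated layout `chkconfig --list` prints.
sample_chkconfig() {
    printf '%s\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n' named sshd sendmail vsftpd
    printf '%s\t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off\n' bluetooth
}

# Constructed sample: a commented default, then two conflicting directives.
sample_sshd_config() {
    printf '%s\n' '#PermitRootLogin yes' 'Protocol 2' \
        'PermitRootLogin no' 'permitrootlogin yes'
}

echo "Enabled in runlevel 3 but not on the allowlist:"
sample_chkconfig | extra_services
echo "Effective PermitRootLogin: $(sample_sshd_config | root_login_setting)"
```

Each service the first check reports can then be stopped and disabled with `service NAME stop` and `chkconfig NAME off`.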
> As it will be a production server and this is my first foray into
> CentOS/SELinux in a production environment I was hoping to get a
> recommended list of what to include and, more specifically, what *not*
> to include from the distro CDs
>
> I will be doing a text based install, hoping to avoid the installation
> of X. Other than BIND and vsftpd, I don't think I need much. This
> machine will be pulling zone files from my primary web server and
> storing some archive files and backups for me.
>

Custom install and remove every package that you can except for bind, openssh-server, vsftpd and whatever you use for archiving and backups should do the trick.
On 8/2/07, Ray Leventhal <centos at swhi.net> wrote:
> I'm diligently R`ingTFMs, and will continue to.... I'd sure be
> appreciative of any jumpstart help and/or any pitfalls of which to be
> cognizant.

2 recent pitfalls for bind on RHEL5. 1st being that upstream has removed the default configs for bind. This was apparently intentional. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234508 for more information.

Also, the last bind update modified some file permissions such that ldap doesn't start correctly afterwards, so if you're running bind and ldap on the same box, beware.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
Ray Leventhal wrote:
> As a breather from the
> "thread-now-wider-than-my-headers-window-in-thunderbird" conversation
> re: mixing repos, I have a question regarding a machine I'm about to put
> online. :)
>
> I run a web hosting company and my secondary (primary to the world) DNS
> box died from a massive rootkit/hack last night. It was running an old
> Slackware 9.1 installation and I will be completely cleaning those
> drives sector-by-sector. After which I'll be installing CentOS 5 on
> that hardware.
>

CentOS 5 is a .0 release, you might be better served using CentOS 4.5 which has had much more time to prove itself as a DNS Server. 4.5 also has a good bit of time left on updates too (till Feb 29th, 2012) so you shouldn't worry too much about it becoming obsolete.

> As it will be a production server and this is my first foray into
> CentOS/SELinux in a production environment I was hoping to get a
> recommended list of what to include and, more specifically, what *not*
> to include from the distro CDs
>

As others have said, start with a bare minimal install and add as you need to. Unless you do a custom kickstart, you'll certainly want to go through and remove some of the packages that are in the default install but aren't really necessary for a single task server (e.g. bluez-utils, NetworkManager, etc).

> I will be doing a text based install, hoping to avoid the installation
> of X. Other than BIND and vsftpd, I don't think I need much.

Why do you need vsftpd? Plain text FTP could prove very dangerous. Maybe you should take this chance to switch over to something more secure like SFTP. The nice thing about sftp is it's up and running straight out of the box since SSH is enabled by default.

> This
> machine will be pulling zone files from my primary web server and
> storing some archive files and backups for me.
>
> I'm diligently R`ingTFMs, and will continue to.... I'd sure be
> appreciative of any jumpstart help and/or any pitfalls of which to be
> cognizant.
>

Good luck,
Jay

--
Jay Lee <jlee at pbu.edu>
Network/Systems Administrator
Information Technology Department
Philadelphia Biblical University
On Thursday 02 August 2007 16:56:46 Ray Leventhal wrote:
> As it will be a production server and this is my first foray into
> CentOS/SELinux in a production environment I was hoping to get a
> recommended list of what to include and, more specifically, what *not*
> to include from the distro CDs
>
> I will be doing a text based install, hoping to avoid the installation
> of X. Other than BIND and vsftpd, I don't think I need much. This
> machine will be pulling zone files from my primary web server and
> storing some archive files and backups for me.
>
> I'm diligently R`ingTFMs, and will continue to.... I'd sure be
> appreciative of any jumpstart help and/or any pitfalls of which to be
> cognizant.
>

Apart from installation, I would suggest using PowerDNS as a secondary DNS. It's not only robust, fast and secure, but also has a very interesting capability of automated zone deploying (especially useful for secondary NS). I'm using it on all my secondary nameservers, and that's saving me a lot of time.

Regards,
--
Tomasz Napierala
System Administrator
Allegro Team
http://www.allegro.pl/