Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Tom Forsmo
March 17, 2008, 4:15 pm
rate this thread
I am setting up a small private server which will run services like
smtp, imap, webserver, news and webmail on Debian. I have been reading,
among other things, the Gentoo hardening documentation and it explains
different hardening techniques, such as PaX, GrSecurity and hardened
toolchain and sources. I am a little bit confused now and are looking
for some help to clarify some questions I have.
My main question is, what of all that is relevant for me to do to harden
my server? Since my server is only going to run a few security minded
services, my thinking is that a lot of what the gentoo hardening
doucmentation describes does not apply as much to my scenario.
- As I see it, MAC is mostly of interest if users has login access to
- hardened toolchains and sources (i.e. use of ASLR and SSP) are mostly
of interest to servers/programs which do not care that much about
security, i.e. they have lots of buffer overrun problems
On the contrary, Bastille is important, so is probably parts of GrSecurity.
The way I see it is that if I run a server, the most important things I
have to focus on is:
- only use servers that are designed for security, such as dovecot,
postfix, apache2, ssh, openvpn
- configure them properly and securely, including applying chroot and
only accepting ssl connections with certificates.
- only start the services I actually use
- setup a proper firewall
- perform environment security setup, including things such as
- using bastille,
- basic linux security setup, such as hosts.deny etc
- read-only partitions
- secure system logs
- regularily perform security maintenance and updates.
Is this enough to fend of 99% of the security issues, or am I entirely
mistaken? My aim here is to keep away even the seasoned hackers, but
probably not the best of them. DDOS is not an issue yet, its more about
making sure things stored on the server are kept private.
- » USENIX Announces Open Access to Conference Proceedings
- — Previous thread in » General Computer Security