[CentOS] securing centos 5.2 for public usage
Dear all,

I just finished setting up an apache service on a centos 5.2 VM machine. I need to secure this machine as I'm soon to be setting a public IP over it where I'd be opening up the following services:

1. http
2. https
3. ssh

Things I've done so far:

1. stopped root ssh access in sshd.conf
2. tried configuring PAM so I get more secure ssh passwords (dictionary wise) as well as tried setting up a 2 times authentication failure for the account to be disabled for 12 hours (I couldn't succeed in setting this up)
3. disabled port forwarding (to deny outsiders to tunnel through the server inside my network); couldn't succeed with this either.

Any help or advice would be greatly appreciated.

thanks,
--Roland

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
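A check for items 1 and 3 of the list above, as an added example that is not part of the original post: it reports the value sshd would actually use for `PermitRootLogin` and `AllowTcpForwarding`, since sshd takes the first value it reads for a keyword and a later line with the intended setting is ignored. The function names and the sample config are constructed for illustration; on CentOS the real file is `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# Keywords are case-insensitive and the first value obtained for a keyword
# wins. Lines under a Match block apply only conditionally, so the scan
# stops at the first Match line.

effective_value() {   # usage: effective_value <config-file> <Keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        { sub(/=/, " ") }                    # accept "Keyword=value" too
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

check() {             # usage: check <config-file> <Keyword> <required-value>
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK    $2 $got"
    else
        echo "FAIL  $2 is '${got:-unset}', want '$3'"
        return 1
    fi
}

sample_config() {     # constructed sample, not taken from the thread
    cat <<'EOF'
Protocol 2
permitrootlogin no
AllowTcpForwarding yes
#AllowTcpForwarding no
AllowTcpForwarding no
Match User backup
    PermitRootLogin yes
EOF
}

audit_sample() {      # returns 0 only if both settings are effective
    tmp=$(mktemp) || return 2
    sample_config > "$tmp"
    rc=0
    check "$tmp" PermitRootLogin no || rc=1
    check "$tmp" AllowTcpForwarding no || rc=1
    rm -f "$tmp"
    return "$rc"
}

audit_sample || echo "sample config does not enforce the intended settings"
```

Point `check` at `/etc/ssh/sshd_config` to audit a real host; an `unset` result means sshd falls back to its built-in default for that keyword.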
Re: [CentOS] securing centos 5.2 for public usage
On 18.09.2010 12:08, Roland RoLaNd wrote:

> Dear all,
>
> I just finished setting up an apache service on a centos 5.2 VM machine. I need to secure this machine as I'm soon to be setting a public IP over it where I'd be opening up the following services:
>
> 1. http
> 2. https
> 3. ssh
>
> Things I've done so far:
>
> 1. stopped root ssh access in sshd.conf
> 2. tried configuring PAM so I get more secure ssh passwords (dictionary wise) as well as tried setting up a 2 times authentication failure for the account to be disabled for 12 hours (I couldn't succeed in setting this up)
> 3. disabled port forwarding (to deny outsiders to tunnel through the server inside my network); couldn't succeed with this either.
>
> Any help or advice would be greatly appreciated.
>
> thanks,
> --Roland

First of all, you should really update to CentOS 5.5 plus all the additional package updates.

And then, there is a nice wiki page

http://wiki.centos.org/HowTos/OS_Protection

with lots of helpful information about your topic. Read it carefully, and you will find a link to

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

with further tips to secure your system.

Alexander
Re: [CentOS] securing centos 5.2 for public usage
On 09/18/10 12:08, Roland RoLaNd wrote:

> Dear all,
>
> I just finished setting up an apache service on a centos 5.2 VM machine. I need to secure this machine as I'm soon to be setting a public IP over it where I'd be opening up the following services:
>
> 1. http
> 2. https
> 3. ssh
>
> Things I've done so far:
>
> 1. stopped root ssh access in sshd.conf
> 2. tried configuring PAM so I get more secure ssh passwords (dictionary wise) as well as tried setting up a 2 times authentication failure for the account to be disabled for 12 hours (I couldn't succeed in setting this up)
> 3. disabled port forwarding (to deny outsiders to tunnel through the server inside my network); couldn't succeed with this either.
>
> Any help or advice would be greatly appreciated.
>
> thanks,
> --Roland

Start by upgrading to the latest release...
Re: [CentOS] securing centos 5.2 for public usage
2010/9/18 Roland RoLaNd r_o_l_a_...@hotmail.com:

> Dear all,
>
> I just finished setting up an apache service on a centos 5.2 VM machine. I need to secure this machine as I'm soon to be setting a public IP over it where I'd be opening up the following services:
>
> 1. http
> 2. https
> 3. ssh
>
> Things I've done so far:
>
> 1. stopped root ssh access in sshd.conf
> 2. tried configuring PAM so I get more secure ssh passwords (dictionary wise) as well as tried setting up a 2 times authentication failure for the account to be disabled for 12 hours (I couldn't succeed in setting this up)
> 3. disabled port forwarding (to deny outsiders to tunnel through the server inside my network); couldn't succeed with this either.

Try reading the CIS RHEL 1.2 guide.

--
Eero
Re: [CentOS] securing centos 5.2 for public usage
+1 for bastille...

On 9/18/10, m.r...@5-cent.us m.r...@5-cent.us wrote:

> Roland RoLaNd wrote:
>
> > I just finished setting up an apache service on a centos 5.2 VM machine. I need to secure this machine as I'm soon to be setting a public IP over it where I'd be opening up the following services:
> >
> > 1. http
> > 2. https
> > 3. ssh
> >
> > Things I've done so far:
> >
> > 1. stopped root ssh access in sshd.conf
> > 2. tried configuring PAM so I get more secure ssh passwords (dictionary wise) as well as tried setting up a 2 times authentication failure for the account to be disabled for 12 hours (I couldn't succeed in setting this up)
> > 3. disabled port forwarding (to deny outsiders to tunnel through the server inside my network); couldn't succeed with this either.
>
> Well, you could set selinux enforcing (AUGH!!!). Another possibility is run Bastille Linux on it to harden it. I really like the latter - I used it to harden an old system of mine, first Redhat 7.x, then Redhat 9 (yes, this is years ago), and used that as my firewall/router, and in something like 9 years online, on broadband, to the best of my knowledge, I never had an intrusion.
>
> mark
Re: [CentOS] securing centos 5.2 for public usage
On Sat, Sep 18, 2010 at 12:26:04PM -0400, m.r...@5-cent.us wrote:

> Well, you could set selinux enforcing (AUGH!!!). Another possibility is run Bastille Linux on it to harden it. I really like the latter - I used it to harden an old system of mine, first Redhat 7.x, then Redhat 9 (yes, this is years ago), and used that as my firewall/router, and in something like 9 years online, on broadband, to the best of my knowledge, I never had an intrusion.

Bastille Unix (renamed quite some time ago) has not been updated in two years and is no longer supported to the best of my knowledge; they announced an impending release in 2008 which never occurred and nothing has been heard since that I know of.

And why AUGH!!!? Selinux is enabled by default for a reason and, quite frankly, has no need to be disabled except in the most rare of corner cases; learning to properly make use of selinux will, in the long run, make your life much easier. I would never consider running an internet-facing host without selinux in enforcing mode.

John

--
If man does find the solution for world peace it will be the most revolutionary reversal of his record we have ever known.
-- George C. Marshall (1880 - 1959), American military leader and statesman, creator of the Marshall Plan, the only US Army general to receive the Nobel Peace Prize, Biennial Report of the Chief of Staff, US Army, 1 September 1945