Thursday, January 25, 2001 - John wrote:
> 'Best Practices' list for ColdFusion-Linux users to follow, which would
> detail the steps (step...by...step) to take from default installations of
> supported OS's (RedHat 6.2, etc) to where a reasonably secure server should
> be. Wouldn't this make sense from a marketing standpoint for a company
> trying to sell a product on a specific platform?
I couldn't claim to be an expert at this.. I had to learn fast after a
couple of break-ins :/ My method goes something like this:-
1. Use the RedHat setup tool to turn off all the system services you either:
   a) KNOW you don't need
   b) Don't have a clue what they do :)
For a standard webserver this tends to include turning off things like
xfs, gpm, inet (or xinet), kudzu, linuxconf, lpd, netfs, named,
portmap, sendmail etc. Reboot and make sure the services you need
still work :)
2. Install SSH. I don't use telnet or ftp over public networks anymore :/
3. I downloaded a "skr!pt K!ddies l33t h4ckerZ" tool to do a portscan.
There are plenty of such things around... I found the one that
someone used to break into one of our boxes once :/
4. For extra peace of mind you can enable 'ipchains'. With RedHat 6.2
this reads the file /etc/sysconfig/ipchains on startup. Does
anyone have an example config?
5. An optional extra is to make the box unpingable by doing:-
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all
6. Keep an eye on the news and apply any patches that are recommended.
I try to end up with a box that ONLY responds on port 80 (plus 443 if
required) and port 22 for SSH (sometimes restricted by IP).
If you need to run sendmail and named etc for your webserver then I
would seriously consider using ipchains to restrict external access to
them.
I've had 2 RedHat boxes hacked before I started doing all this.. and
none since. From what I've seen, the major threat is from the skript
kiddies. They seem to compromise a box, use it to portscan a range of
others and grep the results for known weaknesses using existing
tools... they don't have the know-how (or patience?) to invent a new
way of breaking in. If your box only responds on one or two ports, you
minimise the risk. There's always going to be a hundred other boxes
out there that light up like a christmas tree ;)
Regards,
Matt
------------------------------------
Broadband Communications Ltd.
+44 (0)115 924 7150
http://www.broadband.co.uk/
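The steps above, as an added example (not code from the original post or from Broadband Communications): a shell script that turns step 1 into chkconfig commands, answers the step 4 question with an ipchains ruleset in the format RedHat 6.2 loads from /etc/sysconfig/ipchains, and adds the check a practitioner would want after step 6, an audit of `netstat -an` output against the "only 80, 443 and 22" goal. Assumptions not in the post: chkconfig is installed, 192.0.2.10 is a hypothetical admin address allowed to reach SSH, the netstat output is constructed, and the box still needs DNS replies from port 53 because ipchains is stateless.

```shell
#!/bin/sh
# Added example, not from the original post. Hardening helpers for a
# RedHat 6.2-era web server that should only answer on 80, 443 and 22.

# Step 1 with chkconfig instead of the setup tool. Not invoked below:
# it needs root and changes the running box.
disable_unneeded_services() {
    for svc in xfs gpm inet kudzu linuxconf lpd netfs named portmap sendmail; do
        chkconfig --level 2345 "$svc" off 2>/dev/null || echo "no such service: $svc"
    done
}

# Step 4: emit an ipchains ruleset in the form ipchains-restore reads from
# /etc/sysconfig/ipchains. $1 is the only address allowed to reach SSH.
# ipchains is stateless, so only new connections (-y, SYN set) are denied;
# replies to connections the box opened itself still come back in, and DNS
# answers from port 53 are let through to unprivileged ports explicitly.
gen_ipchains_rules() {
    admin_ip="$1"   # hypothetical admin address, e.g. 192.0.2.10
    cat <<EOF
:input ACCEPT
:forward DENY
:output ACCEPT
-A input -i lo -j ACCEPT
-A input -p tcp -s ${admin_ip} -d 0/0 22 -y -j ACCEPT
-A input -p tcp -d 0/0 80 -y -j ACCEPT
-A input -p tcp -d 0/0 443 -y -j ACCEPT
-A input -p tcp -y -j DENY -l
-A input -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
-A input -p udp -j DENY -l
-A input -p icmp --icmp-type echo-request -j DENY
EOF
}

# Audit: read Linux `netstat -an` output on stdin and print every listening
# TCP port and every bound UDP port that is not in the allow list ($1, space
# separated). Empty output means the box only answers where intended.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        function port(addr) { sub(/.*:/, "", addr); return addr }
        $1 == "tcp" && $NF == "LISTEN" { p = port($4); if (!(p in ok)) print "tcp/" p }
        $1 == "udp"                    { p = port($4); if (!(p in ok)) print "udp/" p }
    ' | sort -u
}

# Constructed sample netstat -an output (not captured from a real box):
# portmap (111) and sendmail (25) were left running.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.5:22            198.51.100.7:40112      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Run the audit against the sample, then print the ruleset for the admin IP.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "22 80 443"
gen_ipchains_rules 192.0.2.10
```

To use the ruleset on a real box, redirect `gen_ipchains_rules <admin-ip>` into /etc/sysconfig/ipchains and run `service ipchains restart`; do it from the console or from the admin address, since the ruleset locks SSH to that one source. Port 111 showing up in the audit is portmap, which the post's step 1 list turns off; it is also the kind of service the script-kiddie scanners described above look for.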
Archives: http://www.mail-archive.com/cf-linux%40houseoffusion.com/