Hi Jackson,

> -----Original Message-----
> From: Jackson Ching [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 15, 2000 7:43 AM
> To: [EMAIL PROTECTED]
> Subject: [plug] Server Security
> 
> 
> Hi Pluggers,
> 
>       I'm trying to set up my own server (Apache+JServ, FTP,
> PostgreSQL, Mail, Firewall, etc)... What is the best way for
> me to go about it, so that I can make the server secure? Thanks.
> 

There are two types of security, physical and software. When you say
physical, that's the place where you'll put the server. You should have a
location that only you and authorized employees are allowed to enter. When
it comes to software security, that's about the software itself. Software
security is a bit harder to maintain because you will have to check sites
for your OS's vulnerabilities and also for the applications that we download.
Check out www.rootshell.com. So what do I mean here? Apply patches. Securing
a machine isn't something you do only once, it's really every day. You check
logs for attempts, altered files and so on. But hardening the box really
helps. Check out www.securityfocus.com. What do we mean by hardening then?
It means you will have to correct the permissions of files. Many files
installed by default (Linux) are very open for reading. I found a site before
which corrects the perms, but the problem is, I can't remember the site. One
tip: change the owner of su to user root and group wheel and change the mode
of su to 550. Now, assign the users who can do su to the group wheel. I
guess that's very basic.

Next is stopping unneeded daemons. It's probably enough to expose ports 22,
25, 53, 80 and 443 to the internet. You can check your box's open ports
with different utilities like nmap. I love this tool very much. It's a MUST.

You will not believe this: 80% of attacks come from the inside. So
beware. BEING PARANOID is the way to victory.

Of course, since your users will be able to receive mail, you won't be aware
of what they receive. There might be .exe attachments that act as benign but
turn out to be trojans. I suggest you block the ports of these trojans on the
firewall, so the compromised host will not be able to get outside your
network. The next thing you do is check the workstations.

Going back to the server, I don't know of a good firewall for Linux, but I am
very satisfied with ipchains. Try iptables, but you will have to use kernel
2.3.X or later. It's stateful. I also suggest you download portsentry.

Another one of the best tools I've used, and it's really useful, is
Nessus. It has a client/server concept. Anyway, 1 Linux box is enough.
It has around 100 or more attacks to test the vulnerability of a host or
hosts. Great, because it suggests what you should do to secure the host
you're testing.

Right now, I'm trying out other tools here to bypass a firewall's ACL. This is
done through the value in Time-To-Live. Although it's really hard, it's
worth it because it will be able to learn your internal network topology
through a firewall from an outside host. Nice, isn't it?

Apache? I would suggest you add mod_ssl and openssl, and have your certificate
signed by Verisign or Thawte. By the way, can anyone teach me how to
create a client/personal certificate using the openssl tool that I can import
into my web browsers? I enabled SSLVerifyClient require. And I guess
this is a totally secure transaction.

Mail? Find an SMTP program that does not implement ETRN and VRFY. You can
try telnetting to mail-abuse.org to check if your SMTP server rejects
spamming.


hth 

-- 
            .-------------------------------------------------------.
    o^o     | Ronneil Camara     | [EMAIL PROTECTED] |
    /V\     |--------------------| +632 6354086      +63917 5326993 |
   // \\    | "The only way to   `----------------------------------|
  /(   )\   |          stop a hacker is to think like one."         |
   ^^-^^    |                          ...brilliant misguided youth |
            `-------------------------------------------------------'
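An added example, not part of Ronneil's reply, tying together three of his points: the port allowlist he suggests (22, 25, 53, 80, 443), the nmap/netstat check for what is actually listening, and a stateful iptables ruleset that matches the allowlist. The `netstat -tln` sample is constructed for this example; the ruleset is printed for review rather than applied, since applying it needs root and a mistake on a remote box locks you out.

```shell
#!/bin/sh
# Added example, not from the original post: check which TCP ports are
# listening against the allowlist the post suggests (22, 25, 53, 80, 443)
# and emit a matching default-deny iptables ruleset. The netstat sample
# below is constructed for this example.

ALLOWED_PORTS="22 25 53 80 443"

# Constructed `netstat -tln` output: the five expected services plus
# portmapper (111) and an X server (6000) bound to every interface, and
# PostgreSQL bound to loopback only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN'

# Read netstat -tln style lines on stdin and print, one per line, the TCP
# ports listening on a non-loopback address that are not in ALLOWED_PORTS.
# Loopback-only listeners are not reachable from outside and are skipped.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[0-9]+$/, "", host)
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print port
        }' | sort -n
}

# Print an iptables ruleset for the allowlist: flush, loopback open, return
# traffic for established connections allowed (the stateful part the post
# mentions), NEW connections only to the allowed TCP ports plus UDP 53 for
# DNS, everything else rate-limit logged and dropped, and only then the
# DROP policy so a remote session is not cut off halfway through.
iptables_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    for p in $ALLOWED_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT DROP: \""
    echo "iptables -A INPUT -j DROP"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
}

# On the real box: `netstat -tln | unexpected_listeners`, or point nmap at
# it from another host. Here it runs over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners   # prints 111 and 6000
```

Anything `unexpected_listeners` reports is a daemon to stop or bind to 127.0.0.1 before the firewall is relied on; the firewall is the second line, not the first. After reading the output of `iptables_rules`, apply it with `iptables_rules | sh` as root, ideally from the console.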

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
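On the client-certificate question in the reply above, here is an added example (not Ronneil's or anyone else's code from the thread) of the openssl steps that produce a browser-importable personal certificate: a private CA, a client key and request, the signed certificate, and a PKCS#12 bundle. The organisation and subject names, the output directory and the export password `changeit` are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA, issue a
# client certificate signed by it, and bundle key + cert as PKCS#12 so a
# browser can import it. Names and the export password are placeholders.

set -eu

# Create the CA and one client certificate under directory $1.
# Every openssl step must succeed (set -e), so the function returns
# non-zero if any of them fails.
make_client_cert() {
    dir=$1
    mkdir -p "$dir"
    # 1. A private CA. Its certificate is what Apache trusts through
    #    SSLCACertificateFile; its private key stays on this box only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=Example Org/CN=Example Private CA"
    # 2. The user's own key and a certificate signing request for it.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/O=Example Org/CN=Example User/emailAddress=user@example.com"
    # 3. Sign the request with the CA (ca.srl is created on first use).
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt"
    # 4. Bundle private key, certificate and CA cert into one .p12 file,
    #    which is the format browsers import as a personal certificate.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -name "Example User" \
        -out "$dir/client.p12" -passout pass:changeit
}

# Check that the client certificate chains to the CA, which is exactly the
# check mod_ssl performs when SSLVerifyClient require is set.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Demo, guarded so the script is a no-op on a box without openssl.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_client_cert "$work"
    verify_client_cert "$work" && echo "client.crt chains to ca.crt"
    echo "import $work/client.p12 into the browser (password: changeit)"
fi
```

On the Apache side, point `SSLCACertificateFile` at `ca.crt` in the same virtual host that has `SSLVerifyClient require` (and `SSLVerifyDepth 1`, since the chain is one level deep). The `.p12` contains the user's private key, so hand it over in person or over another authenticated channel, not by plain e-mail, and give the password separately.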
