...
On Fri, 19 Jan 2007 11:23:19 +0800, Edwin Casimero wrote:
> - APF Firewall
Yes! Iptables in combination with an automatic too-many-failed-password-attempts
blocker such as fail2ban or snort.
> - Mod Security
Definitely, if you need http at all. If you're not doing webmail then disable
apache!
Also mod_evasive!
> - PHP.ini hardening, disallowing certain functions
PHP Cgi/FastCGI + suexec if possible.
> - making /tmp noexec
This is pretty useless since the script can still be executed by running:
/bin/bash /tmp/myevilscript
A few other ideas...
- Disable all unused services.
- Keep everything patched and updated.
- Don't install anything that you can't keep patched and updated.
- Read your log files daily! Use a log summary tool like logwatch.
- Use a service that monitors all services in < 5-minute intervals with SMS
alerts.
- Regularly run rkhunter and chkrootkit, and test for open ports that shouldn't
be there.
- Learn to use tripwire effectively and/or if it's an RPM-based system run
rpm -Va and check for changed files.
Quinn
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
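
An added example, not part of the original message: one way to triage the `rpm -Va` output mentioned in the last suggestion, so that changed or missing packaged files stand out from routine config edits. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).
# rpm -V prints a flag column, an optional attribute marker
# (c=config, d=doc, g=ghost, l=license, r=readme) and the file path.
# Flags used here: 5 = digest differs, M = mode differs, U/G = owner/group differs.

sample_rpm_va() {
    # Constructed sample of `rpm -Va` output.
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.M.......    /usr/sbin/sshd
.......T.    /usr/share/doc/foo/README
missing     /usr/bin/netstat
.....UG..  c /etc/shadow
EOF
}

suspicious_rpm_changes() {
    # Reads rpm -Va output on stdin, prints "<severity> <reason> <path>".
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)            # drop the flag column
        marker = ""
        if (rest ~ /^[cdglr] +\//) {         # optional attribute marker
            marker = substr(rest, 1, 1)
            sub(/^[cdglr] +/, "", rest)
        }
        # Config files are often edited by the admin: report, but lower priority.
        sev = (marker == "c") ? "low" : "high"
        if (flags == "missing") { print sev " MISSING " rest; next }
        # Skip anything that is not a verify flag string (e.g. dependency notes).
        if (length(flags) < 8 || flags !~ /^[.?SM5DLUGTP]+$/) next
        reason = ""
        if (flags ~ /5/)    reason = reason "DIGEST,"
        if (flags ~ /M/)    reason = reason "MODE,"
        if (flags ~ /[UG]/) reason = reason "OWNER,"
        if (reason == "") next               # timestamp-only changes are ignored
        sub(/,$/, "", reason)
        print sev " " reason " " rest
    }'
}

sample_rpm_va | suspicious_rpm_changes
```

On a live system the real output is piped in the same way: `rpm -Va | suspicious_rpm_changes`.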