Re: [qmailtoaster] Securing a QmailToaster ONLY dedicated server
... On Fri, 19 Jan 2007 11:23:19 +0800, Edwin Casimero wrote: - APF Firewall Yes! Iptables in combination with a automatic too-many-failed-password-tempts blocker such as fail2ban or snort. - Mod Security Definitely, if you need http at all. If you're not doing webmail then disable apache! Also mod_evasive! - PHP.ini hardening, disallowing certain functions PHP Cgi/FastCGI + suexec if possible. - making /tmp noexec This is pretty useless since the script can still be executed by running: /bin/bash /tmp/myevilscript A few other ideas... - Disable all unused services. - Keep everything patched and updated. - Don't install anything that you can't keep patched and updated. - Read your log files daily! Use a log summary tool like logwatch. - Use a service that monitors all services in 5-minute intervals with SMS alerts. - Regularly run rkhunter and chkrootkit, and test for open ports that shouldn't be there. - Learn to use tripwire effectively and/or if it's an RPM based system run rpm -Va and check for changed files. Quinn - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [qmailtoaster] Securing a QmailToaster ONLY dedicated server
ModSecurity! I have modsecurity in one of my boxes which is a mixed server with qmailtoaster and other web sites. Anyone using Mod_Security in their dedicated qmailtoaster only server? Positive / Negative experience? Yay or Nay? --- Eric Shubes wrote: Edwin Casimero wrote: Hello, I want to setup a dedicated QmailToaster only box. I want to exchange notes with how you suggest to go about securing this qmailtoaster only box. My current resources point to: - Bastille Linux - APF Firewall - Mod Security - PHP.ini hardening, disallowing certain functions - making /tmp noexec - http://www.michael-and-mary.net/intro/node/12 Any other tips? TTBOMK (which isn't exhaustive by any means), the stock toaster is fairly (adequately in most instances) secure. It includes a nice iptables firewall configuration. Since a dedicated QmailToaster box has no real users, many traditional security concerns are avoided. If you come up with any changes to the stock toaster which would make it more secure, please be sure to share them here. They would likely be integrated in the stock toaster. - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [qmailtoaster] Securing a QmailToaster ONLY dedicated server
Edwin Casimero wrote: Hello, I want to setup a dedicated QmailToaster only box. I want to exchange notes with how you suggest to go about securing this qmailtoaster only box. My current resources point to: - Bastille Linux - APF Firewall - Mod Security - PHP.ini hardening, disallowing certain functions - making /tmp noexec - http://www.michael-and-mary.net/intro/node/12 Any other tips? TTBOMK (which isn't exhaustive by any means), the stock toaster is fairly (adequately in most instances) secure. It includes a nice iptables firewall configuration. Since a dedicated QmailToaster box has no real users, many traditional security concerns are avoided. If you come up with any changes to the stock toaster which would make it more secure, please be sure to share them here. They would likely be integrated in the stock toaster. -- -Eric 'shubes' - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[qmailtoaster] Securing a QmailToaster ONLY dedicated server
Hello, I want to setup a dedicated QmailToaster only box. I want to exchange notes with how you suggest to go about securing this qmailtoaster only box. My current resources point to: - Bastille Linux - APF Firewall - Mod Security - PHP.ini hardening, disallowing certain functions - making /tmp noexec - http://www.michael-and-mary.net/intro/node/12 Any other tips? - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]