RE: [Zope] Zope and Linux flavors

2001-01-17 Thread Jonathan (Listserv Account)

 Actually, I burn a CD with the latest updates on it.
 Including autorpm.
 Install autorpm, then use autorpm to upgrade everything from the CD.

 I do all of this BEFORE connecting to the net.


 I've had boxes rooted within 60 minutes of connecting to the
 net, before I started doing the above.

I know, had a similar nightmare. If that won't get you paranoid about
security, nothing will. Gotta look into autorpm one of these days...
Back to Zope!

Cya
Jonathan


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope] Zope and Linux flavors

2001-01-16 Thread Jonathan (Listserv Account)

 Which Linux distributions are you using for running Zope and how easy
 it was for you to maximize security of your server?

Red Hat Linux 6.2 here. After a standard install, download and install
latest release of SSH. Open '/etc/inetd.conf', comment out all services.
Save and do a 'killall -HUP inetd'. Do 'ntsysv' and disable everything
you are not going to use on that machine (typically sendmail, nfslock,
identd, portmap etc.). Reboot after that.

That's what I do first. After that, get all the Red Hat updates from a
nearby mirror. Install all, make sure you've got at least a 2.2.16
kernel. Rebooting is not gonna hurt, check what services are started as
the machine boots.

Get Bastille Linux (http://www.bastille-linux.org) and lock down the
box, leaving only 22 and 80 open to the outside world. Well, maybe not
that extreme but you get the drift :)

Check '/etc/hosts.allow' and '/etc/hosts.deny' to make sure that only
the absolute minimum of hosts is allowed access to the server. The
latter should contain something like 'ALL: ALL'.

That catches most of the script kiddies. Still won't stop a real cracker
though, for that you need more. Much more. Read the various docs, keep a
tab on updates at Red Hat, SANS, Bugtraq etc. And remember, only the
paranoid survive in network security :)

Other Linux distros are similar, but this is the one I know :)

HTH
Jonathan



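The inetd.conf and TCP-wrappers steps from the message above, scripted as an added example (this is not code from the post or from Zope). The functions take file paths as arguments so the whole thing can be dry-run against copies before it is pointed at /etc; the admin network 192.0.2.0/255.255.255.0 in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: the "comment out all of inetd.conf,
# default-deny in hosts.deny, minimal hosts.allow" steps as functions that
# work on whatever files you hand them. 192.0.2.0/255.255.255.0 is an
# assumed admin network.

# Comment out every active service line in an inetd.conf-style file.
# A copy is kept as <file>.orig; lines that are already comments or
# blank are left untouched.
disable_inetd_services() {
    conf="$1"
    cp "$conf" "$conf.orig" || return 1
    sed 's/^[[:space:]]*\([^#[:space:]]\)/#\1/' "$conf.orig" > "$conf" || return 1
}

# Print how many service lines are still active (not commented out).
count_active_services() {
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    grep -c '^[[:space:]]*[^#[:space:]]' "$1" || true
}

# Write a default-deny hosts.deny and a hosts.allow holding only the rules
# given as arguments ("daemon: client-list", one per argument).
# hosts.allow is consulted first, so anything not listed there falls
# through to the ALL: ALL in hosts.deny.
write_tcp_wrappers() {
    allow="$1"; deny="$2"; shift 2
    {
        echo '# generated: only the daemons/clients below are admitted'
        for rule in "$@"; do echo "$rule"; done
    } > "$allow" || return 1
    printf '# default deny; exceptions live in hosts.allow\nALL: ALL\n' > "$deny"
}

# Return 0 if the given file carries a blanket ALL: ALL rule.
check_tcp_wrappers() {
    grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# Make a running inetd re-read its config (the killall -HUP from the post).
# Only meaningful on the real box, not when dry-running on copies.
reload_inetd() {
    killall -HUP inetd
}

# Usage:
#   sh harden.sh /etc/inetd.conf /etc/hosts.allow /etc/hosts.deny \
#       'sshd: 192.0.2.0/255.255.255.0'
# With fewer than three arguments nothing is touched.
if [ $# -ge 3 ]; then
    conf="$1"; allow="$2"; deny="$3"; shift 3
    disable_inetd_services "$conf"
    write_tcp_wrappers "$allow" "$deny" "$@"
    echo "active inetd services left: $(count_active_services "$conf")"
    echo "now run: reload_inetd (killall -HUP inetd) and re-check with ntsysv"
fi
```

Two caveats worth keeping in mind: the wrappers files only govern daemons linked against libwrap or started through tcpd (sshd of that era could be built that way), so Apache and Zope's own ZServer port are not covered by them, which is why the packet filter or router rule still matters; and commenting out inetd.conf does nothing for standalone daemons, which is what the ntsysv pass is for.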



Re: [Zope] Zope and Linux flavors

2001-01-16 Thread Simon Coles

Which Linux distributions are you using for running Zope and how 
easy it was for you to maximize security of your server?

We run a variety of RedHat 6.1, 6.2, and 7.0 and Debian 2.2, as well 
as Solaris.

We apply all the latest updates, turn off services we don't use, and 
proxy Zope through Apache. We then block all but port 80 at the 
router. The servers are then firewalled off from the rest of the 
network.


Simon
-- 
- My opinions are my own, NIP's opinions are theirs --
Simon J. Coles Email: [EMAIL PROTECTED]
New Information Paradigms  Work Phone: +44 1344 753703
http://www.nipltd.com/ Work Fax:   +44 1344 753742
=== Life is too precious to take seriously ===





RE: [Zope] Zope and Linux flavors

2001-01-16 Thread sean.upton

Perhaps another option (for those with a load-balanced server setup), use an
intel 7170 (not cheap, but cool) load-balancing appliance, and use the
loadbalancer as a router; the 7170 has the ability to set rules for where
it sends the load to based upon expression-matching in the URL.  This means
that you could intercept all "/manage*" URLs with the load balancer and
direct them to a box that returns nothing but error pages.  I haven't done
this (I have a 7140, this model's lower-end sibling), but I have looked
extensively at the docs for this, and it might be an option for the cash
inclined.

Other than that, this doesn't get you out of securing your boxes.  I would
recommend traditional security strategies (putting servers proxied behind a
DMZ), and a box-by-box audit of services using a port scanner.  Other than
that, I can recommend one of two realistic strategies in dealing with Linux
(I don't claim to be a security expert though) -  either: 

build the distro yourself (i.e. LFS, www.linuxfromscratch.org), and keep
tabs on what services are running, as well as monitoring the lwn
(www.lwn.net) security page every week, or...

Commit to a particular distribution/vendor and get on their security mailing
list post-haste.  Apply all patches before putting the box out on the net at
large.  And keep the box patched.  Also, monitoring lwn's security page or
bugtraq isn't such a bad idea.

If you have the time to invest in it, consider a network intrusion-detection
system and tripwire to watch the filesystem changes on your boxes.

Sean

-Original Message-
From: Simon Coles [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 9:50 AM
To: Ragnar Beer
Cc: [EMAIL PROTECTED]
Subject: Re: [Zope] Zope and Linux flavors


Which Linux distributions are you using for running Zope and how 
easy it was for you to maximize security of your server?

We run a variety of RedHat 6.1, 6.2, and 7.0 and Debian 2.2, as well 
as Solaris.

We apply all the latest updates, turn off services we don't use, and 
proxy Zope through Apache. We then block all but port 80 at the 
router. The servers are then firewalled off from the rest of the 
network.


Simon
-- 
- My opinions are my own, NIP's opinions are theirs --
Simon J. Coles Email: [EMAIL PROTECTED]
New Information Paradigms  Work Phone: +44 1344 753703
http://www.nipltd.com/ Work Fax:   +44 1344 753742
=== Life is too precious to take seriously ===

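A front-end configuration in the shape Simon describes (Apache proxying Zope, only port 80 reachable from outside) that also does, in Apache, what Sean's load-balancer "/manage*" rule does: refuse the Zope management interface to anyone outside an admin network. This is an added example, not configuration from either poster or from the Zope project. It assumes ZServer on 127.0.0.1:8080, a VirtualHostMonster object at the Zope root, an admin network of 192.0.2.0/24, and mod_rewrite plus mod_proxy loaded.

```apache
# Added example (not from the thread). Apache in front of Zope, with the
# Zope management interface refused to non-admin clients. Assumptions:
# ZServer on 127.0.0.1:8080, a VirtualHostMonster at the Zope root,
# admin network 192.0.2.0/24, mod_rewrite and mod_proxy available.
<VirtualHost *:80>
    ServerName www.example.com

    # Never act as a forward proxy. The [P] rewrite below works without
    # it, and leaving it on makes the host an open proxy on port 80.
    ProxyRequests Off

    RewriteEngine On

    # Zope's management screens are reached as ".../manage" and
    # ".../manage_<something>" on every object, not only at the site
    # root, so match the segment anywhere in the path, not just the
    # "/manage*" prefix. Clients outside 192.0.2.0/24 get a 403.
    RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.
    RewriteRule (^|/)manage(_[^/]*)?(/|$) - [F,L]

    # Everything else is handed to Zope through the VirtualHostMonster,
    # so the URLs Zope generates carry the public host name on port 80
    # instead of 127.0.0.1:8080.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

With only 22 and 80 open at the router, an administrator outside 192.0.2.0/24 reaches the management interface by forwarding a local port over SSH to 127.0.0.1:8080 on the server rather than through Apache. The rewrite rule is an exposure control on top of, not a replacement for, Zope's own ZMI credentials, and it only helps if 8080 itself is not reachable from the outside, which is exactly what Simon's router filter provides.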