[sllug-members]: Fedora Core 5 help wanted
Kyle Waters
unum at truecomputing.biz
Wed Sep 27 16:17:57 MDT 2006
My number one rule for security is KISS. Don't install anything you
don't need. If this is a production box that you are concerned about
being hacked, don't use it to play with tools you don't understand.
You can run netstat -ltu to see what services are already running. You
should either disable or block (with a firewall) the services you are not
using externally.
> Install Bind (named) in a chroot jail and secure it.
>
I'd use something (like your firewall) to keep bind from talking to
machines you don't want it to.
> Install the following servers and secure them:
> Apache
>
One of the biggest threats with apache comes from using scripting languages
with it, so be careful of what you use with it.
> some kind of secure FTP program
>
I'm told vsftp is good, but you should evaluate your situation and see
if you can use sftp, http, or webdav (I know it's http as well) instead.
> Samba
>
Restrict it to your local network (your firewall can be used for this).
> SendMail
>
uuuuuh. Didn't you say you wanted this to be secure? I'd recommend
postfix, and keep it up to date. You should be able to subscribe to a
mailing list to get emails when there are security problems (so you know
to update).
> some kind of IMAP server (Cyrus?)
>
I've used courier and it works for me. I have the imap ports firewalled
so users can only connect with imaps.
> Then I want to install the following application software:
> Bluefish
> Gimp
> Lyx
> SpamAssassin
> FireFox
> Thunderbird
> Webmin
>
I'd restrict webmin to only work from certain computers.
> Webalizer
>
You'll want to make sure to keep this up to date as well.
> some kind of spam poisoner
>
????
> OpenOffice
> Mambo or Joomla or equivalent content management system
>
Again, keep it up to date.
In another part of this thread people have discussed selinux. I always
turn it off, but I'm not concerned about my fedora boxes. If you are
really concerned about security I'd recommend you learn and use selinux.
unum
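
The netstat check suggested in the message above, as an added example that is not part of the original post: it compares listening sockets against an allow-list of services meant to be reachable externally and prints the rest as candidates to disable or firewall. The -n flag (numeric ports), the allow-list, and the sample netstat output are assumptions constructed for illustration; ports 143, 10000 and 137 stand in for plain IMAP, Webmin's default port and Samba's NetBIOS name service.

```shell
#!/bin/sh
# Added example: audit `netstat -ltun` output against an allow-list.

# exposed_listeners "<proto/port ...>"  reads netstat output on stdin and
# prints "proto/port bind-address" for every listener that is bound to a
# non-loopback address and is not in the allow-list.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            addr = $4                                  # Local Address column
            port = addr; sub(/.*:/, "", port)          # text after last colon
            host = addr; sub(/:[^:]*$/, "", host)      # text before last colon
            if (host ~ /^127\./ || host == "::1") next # loopback-only: skip
            key = substr($1, 1, 3) "/" port            # tcp6 -> tcp, udp6 -> udp
            if (!(key in ok)) print key " " host
        }
    '
}

# Constructed sample of `netstat -ltun` output (not from a real host).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.10:53         0.0.0.0:*'

# Assumed policy: only ssh, http, imaps and DNS are meant to be public.
ALLOW="tcp/22 tcp/80 tcp/993 udp/53"

printf '%s\n' "$SAMPLE" | exposed_listeners "$ALLOW"

# Live use on the host itself:
#   netstat -ltun | exposed_listeners "tcp/22 tcp/80 tcp/993 udp/53"
```

A listener reported here is only bound to a reachable address; whether it is actually reachable from outside still depends on the firewall rules in front of it.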