--66.66.33.200, 15-Mar-2005
(not trying to be smartass)
Things I have configured on my ~100 user login server:
- only allow ssh from known good IPs (firewall) or known ISP's netblocks/domains (easier with /etc/hosts.allow)
- chroot every damn daemon you can: bind, apache, postfix (I couldn't chroot Apache, but you should be able to since you control all sites on your server)
- add "AllowGroups ssh" to /etc/ssh/sshd_config, create group ssh and only add trusted users to that group (setting shell to /bin/false isn't enough for non-login users)
- only allow zone transfers to your own dns servers
- daily apt-get update && apt-get -u upgrade (or similar, in case you dumped Debian)
- install mod_security (www.modsecurity.org) and configure it to be as strict as possible
- only allow pop3 and imap over SSL (close ports 110 and 143)
- install logcheck, and _read_ the reports
- daily remote backups of /etc /var /usr /home (+ others you might have)
- mount /tmp and /var with nosuid,nodev

And things I haven't done yet:
- remote syslogging to a logserver that's not reachable from the logclient (i.e. log A to B, close all other ports from A to B)
- install file integrity checker (not sure if these are effective)
- tripwires (i.e. probe low unused port -> get firewalled automatically)
- mount filesystems read-only (done this with nfsroot workstations, haven't tried on servers)
- configure /etc/security/limits.conf (not sure if this is effective)
--Kim, 15-Mar-2005
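An added example, not part of Kim's comment: a small Python audit for two items from the list above, `AllowGroups ssh` in sshd_config and `nosuid,nodev` on /tmp and /var. The sample config and mount table are constructed, the function names are hypothetical, and only the global section of sshd_config (before any `Match` block) is read.

```python
# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowGroups ssh   # only members of group ssh may log in
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda3 /var ext3 rw,nosuid 0 0
"""

def allowed_groups(sshd_config_text):
    """Groups named by AllowGroups in the global section (keywords are case-insensitive)."""
    groups = []
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0].lower() == "match":      # simplification: ignore Match blocks
            break
        if parts[0].lower() == "allowgroups":
            groups.extend(parts[1:])
    return groups

def mount_findings(mounts_text, targets=("/tmp", "/var"), required=("nosuid", "nodev")):
    """Check /proc/mounts-style text: device mountpoint fstype options dump pass."""
    seen = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            seen[fields[1]] = set(fields[3].split(","))  # a later mount overrides an earlier one
    findings = []
    for target in targets:
        if target not in seen:
            findings.append(f"{target}: not a separate mount")
            continue
        missing = [opt for opt in required if opt not in seen[target]]
        if missing:
            findings.append(f"{target}: missing {','.join(missing)}")
    return findings

def audit(sshd_config_text, mounts_text, group="ssh"):
    findings = []
    if group not in allowed_groups(sshd_config_text):
        findings.append(f"sshd_config: AllowGroups does not include {group}")
    return findings + mount_findings(mounts_text)

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_MOUNTS) or "no findings")
```

On a real host the inputs would be the contents of /etc/ssh/sshd_config and /proc/mounts.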
Oh, forgot one more thing.
Set up HA-clustering (easy for Kuukkelit, not sure how easy it would be for the wikis). This sounds stupid, but in case a machine gets compromised, you can just turn it off and no-one will notice.
I have this set up for the most important domains I host, so that I can take down the server for maintenance and not worry about the sites so much (since they won't be down).
--Kim, 15-Mar-2005
Glad to see that you're back up and running.
One can only wonder why people would be stupid enough to break into a computer and then just delete everything. As if that would really cover their tracks from a good sysadmin ;).
--ramin, 15-Mar-2005
By the way, how does that Kuukkeli JavaScript auto-completion work in practice? Does it automatically complete all the blogs on Pinseri's blog list, or only those that have been suggested?
(My blog gets completed, my friend's doesn't, so can I conclude that someone likes my blog?)
--Hämärä, 16-Mar-2005
It completes only those blogs that were on Pinseri's list at the end of December. It's not a learning system, after all :)
--JanneJalkanen, 16-Mar-2005
"Main_comments_140305_1" last changed on 16-Apr-2005 01:02:46 EEST by JanneJalkanen.