question about hardened linux

Discussion in 'Computer Security' started by Tom Forsmo, Mar 17, 2008.

  1. Tom Forsmo

    Tom Forsmo Guest


    I am setting up a small private server which will run services like
    smtp, imap, webserver, news and webmail on Debian. I have been reading,
    among other things, the Gentoo hardening documentation and it explains
    different hardening techniques, such as PaX, GrSecurity and hardened
    toolchain and sources. I am a little bit confused now and am looking
    for some help to clarify some questions I have.

    My main question is, what of all that is relevant for me to do to harden
    my server? Since my server is only going to run a few security-minded
    services, my thinking is that a lot of what the Gentoo hardening
    documentation describes does not apply as much to my scenario.

    - As I see it, MAC is mostly of interest if users have login access to
    the server.
    - hardened toolchains and sources (i.e. use of ASLR and SSP) are mostly
    of interest to servers/programs which do not care that much about
    security, i.e. they have lots of buffer overrun problems

    On the contrary, Bastille is important, and so probably are parts of GrSecurity.

    The way I see it is that if I run a server, the most important things I
    have to focus on are:
    - only use servers that are designed for security, such as dovecot,
    postfix, apache2, ssh, openvpn
    - configure them properly and securely, including applying chroot and
    only accepting ssl connections with certificates.
    - only start the services I actually use
    - setup a proper firewall
    - perform environment security setup, including things such as
      - using bastille,
      - basic Linux security setup, such as hosts.deny etc
      - read-only partitions
      - tripwire
      - secure system logs
    - regularly perform security maintenance and updates.

    Is this enough to fend off 99% of the security issues, or am I entirely
    mistaken? My aim here is to keep away even the seasoned hackers, but
    probably not the best of them. DDOS is not an issue yet, it's more about
    making sure things stored on the server are kept private.


    Tom Forsmo, Mar 17, 2008