Security Basics
Linux Web Server Hardening (LAMP + Wiki) Jan 25 2013 09:31PM
Jeffrey Walton (noloader gmail com) (7 replies)
RE: Linux Web Server Hardening (LAMP + Wiki) Jan 29 2013 03:58PM
Tommy Thomas (webmaster ocaladesigns com)
Re: Linux Web Server Hardening (LAMP + Wiki) Jan 29 2013 06:44AM
Jeffrey Walton (noloader gmail com)
Re: Linux Web Server Hardening (LAMP + Wiki) Jan 28 2013 03:56PM
Michael Peppard (mpeppard impole com) (1 replies)
Re: Linux Web Server Hardening (LAMP + Wiki) Jan 30 2013 01:11AM
Tracy Reed (treed ultraviolet org)
On Mon, Jan 28, 2013 at 07:56:52AM PST, Michael Peppard spake thusly:
> You will need to get up to speed on selinux. ACLs, chroot jails and iptables
> alone don't cut it.

I second the use of SELinux. It is a whole new security system and rather
complex but well worth learning. I think of it like firewalls for my
applications.

I have compiled the following list of resources for securing RHEL/CentOS:

http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf

http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf

http://web.nvd.nist.gov/view/ncp/repository

Use something like puppet to automate implementation of this stuff
network-wide. That last NIST link even has an awesome puppet config for all of
this! I've been reading through the code for the puppet modules and learned
some neat things, including stuff I had no clue about previously such as how
augeas works and what it is good for.

> LAMP is well supported by the default selinux rules on every major Linux
> distro. You will have to learn how to tighten the security rules, such as
> type enforcement yourself though.

If using SELinux (which I recommend) be sure to know about the booleans related
to http. A simple flip of a setting from off to on can solve most http related
problems and avoid frustration or writing custom SELinux policy:

# /usr/sbin/getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off

--
Tracy Reed
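The boolean listing above is a point-in-time snapshot of one host. As an added example, not part of Tracy Reed's post or of any SELinux tooling, the POSIX shell script below audits `getsebool -a` style output against a small baseline for a LAMP + wiki host and prints the `setsebool -P` commands that would reconcile the differences, without executing anything. The baseline itself is an assumption for illustration: the wiki is assumed to need a database connection (`httpd_can_network_connect_db` on) and to run PHP in-process rather than as CGI (`httpd_enable_cgi` off), and `httpd_unified` is turned off so that read-only, writable and executable web content keep distinct types. The sample `getsebool` output is constructed to mirror a subset of the post's listing.

```shell
#!/bin/sh
# Added example, not from the original post: audit SELinux httpd booleans
# against a desired baseline and emit the setsebool commands needed to
# reconcile them. Nothing is applied; the output is meant to be reviewed.

# Desired baseline for a LAMP + wiki host (assumption made for this
# example, one "name state" pair per line):
#  - the wiki talks to a database, so httpd_can_network_connect_db is on
#  - PHP runs in-process (mod_php), so CGI execution stays off
#  - httpd_unified off keeps httpd_sys_content_t read-only and separate
#    from httpd_sys_rw_content_t / httpd_sys_script_exec_t
#  - everything else that widens httpd's reach stays off
BASELINE='httpd_can_network_connect_db on
httpd_can_network_connect off
httpd_can_sendmail off
httpd_enable_cgi off
httpd_enable_homedirs off
httpd_execmem off
httpd_ssi_exec off
httpd_tmp_exec off
httpd_unified off'

# Constructed sample of `getsebool -a | grep http` output, mirroring a
# subset of the listing in the post (format: "name --> state").
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_unified --> on'

# audit_booleans: reads getsebool-style lines on stdin, compares each
# baseline entry with the current state and prints one
# "setsebool -P <name> <state>" line per mismatch (in baseline order).
# Booleans the host does not know about are reported on stderr and
# skipped, so an older policy without a given boolean does not break
# the audit.
audit_booleans() {
    _current=$(cat)
    printf '%s\n' "$BASELINE" | while read -r name want; do
        # Column 1 is the boolean name, column 3 its state ("-->" is $2).
        have=$(printf '%s\n' "$_current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            echo "# $name: not present on this system, skipping" >&2
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name $want"
        fi
    done
}

# Stand-alone run against the constructed sample. On a real host replace
# this with:  getsebool -a | audit_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
```

On a live system pipe `getsebool -a` into `audit_booleans`, read the printed commands, and only then run them; `-P` makes the change persistent across reboots. Keeping the baseline in a file under version control and running this from a configuration tool such as puppet gives the network-wide consistency the post recommends.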


Copyright 2010, SecurityFocus