I posted this before on the security basics, but haven't recieved a response, and it worries me a bit, so I'm sending this to a few other groups in hopes that someone will have an idea about it.

---

Fairly recently I noticed my ftp client wouldn't list files in certain directories on my server any

[ more ]  [ reply ]

be careful with rp_filter=1 because it tends to silently drop packets
causing you to spend a good deal of time scratching your head wondering
where they've gone. A host with multiple routes can have problems with
that (It is very good for most machines, but any gateway with redundant
paths should be

[ more ]  [ reply ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

For nitty gritty secure OS/Application configuration, I'd suggest
taking a look at the NSA's Security Configuration Guides,
(http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1), and DISA STIGS
(http://csrc.nist.gov/pcig/cig.html). There are of cou

[ more ]  [ reply ]

If you are considering MAC (Mandatory Access Control) features, have a
look also at RSBAC (http://www.rsbac.org/), it is a quite complete
modular MAC system [_personally_ I find it much better than Selinux,
with many more features and depending on your skills on setting it up,
it can give you a m

[ more ]  [ reply ]

>> I am trying develop a method to secure my servers. I'll list the steps I
>> am going to take. Can you please review and make any additional
>> suggestions. Thank you.
>>

take a look at this projects
http://www.rfxnetworks.com/proj.php

[ more ]  [ reply ]

<quote who="Cocobu">
> A good idea is patching the kernel with grsecurity
> (http://www.grsecurity.net/)
>
> Just my 2 cent.

That's the 2nd time I've heard that package suggested. I checked out the
web site and it looks very powerful. How easy is it to configure and
understand?

My major problem

[ more ]  [ reply ]

<quote who="Charles Heselton">
> Well, those kinds of things should be blocked at your gateway. It's
> much faster, and just as secure to handle this in a router's ACL,
> than it is on a per machine basis. This way, you only need to worry
> about configuring the host firewall for internal or "allo

[ more ]  [ reply ]

<quote who="Charles Heselton">
> Like I said, they all provide the same outcome. They all are
> glorified wrappers for iptables, so they all have the same ultimate
> effect. I believe shorewall is a little more "low-level", and may
> provide more of the granularity that you are probably looking fo

[ more ]  [ reply ]

<quote who="K. Jusupov">
>
> Nice (impressive) list...
>
> But wouldnt it be better first to classify the servers
> that you are going to secure?
>
> DB server might not neet spamassasin installed or mail
> server would not require for php related things and so
> on...
>
> And it would be easier lat

[ more ]  [ reply ]

<quote who="Charles Heselton">

> 4. Set up your firewall. I like firestarter (should come with FC4).
> Other people like shorewall. Ultimately, it's the same outcome.

I wasn't fond of the way Firestarter worked at all. I'll take a close
look at Shorewall. I was really worried about rolling m

[ more ]  [ reply ]

There is a quickstart paper on installing and configuring grsecurity
(http://www.grsecurity.net/quickstart.pdf)

AragonX a écrit :

><quote who="Cocobu">
>
>
>>A good idea is patching the kernel with grsecurity
>>(http://www.grsecurity.net/)
>>
>>Just my 2 cent.
>>
>>
>
>That's the 2nd time

[ more ]  [ reply ]

I Concur!
It's nice to see someone with a sense of sanity to security. Also
remember that these tools will need to be maintained. The logs reviewed
often.

Michael Hallager wrote:
> Hello.
>
> I suggest that rather then going in 'boots and all' that you take some time to
> study and carefully co

[ more ]  [ reply ]

<quote who="Syn Ack">
> Hello AragonX,
> I will add these steps to the list:
> - Only allow ssh V.2

I'm pretty sure this is the default. I haven't need to make this change
since FC2 I think.

> - Deny root ssh logins

This was implied by "only allow me to logon". What I should have written
is "On

[ more ]  [ reply ]