How secure is this setup?


TheRudy
7th December 2005, 21:08
Hey

My first question here is: How secure really is this tutorial: http://www.howtoforge.com/perfect_setup_debian_sarge

By secure I mean, is there anything else someone might want to do before going public with that setup? Of course firewall settings are missing but besides that. Securing Apache, PHP,...?

How many of you guys actually use just this tutorial and go public with the server?

Why these questions? Well, I'm about to set up a Debian server and after a few days of looking and reading server setup tutorials, I kinda decided that I will go with this setup plus of course the ISPConfig panel.

I'm not new to Linux and of course I'm not a super advanced user, so sorry if these questions are kinda stupid ;)

And for example, I compared this tutorial with this one: http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer
and well, check it and you'll see what I mean... Lots of stuff about security while in this tutorial pretty much nothing unless I somehow missed reading that :)

And now for the end, thanks for even making these tutorials!! It helps a lot of us who are not so pro with this stuff heh

falko
8th December 2005, 00:58
> Of course firewall settings are missing but besides that.
The firewall comes with ISPConfig.

> How many of you guys actually use just this tutorial and go public with the server?
I know some people who do...:D

Most current Linux systems are very secure out of the box, and you have to do a lot of customization to make them more secure which means you cannot use the distribution's regular update packages anymore - which is a major drawback.
If you only run the services you need (e.g. Apache, Postfix, SSH) and nothing more and have a firewall then it's already very secure. For Apache vhosts you can enable suExec and PHP Safe Mode in ISPConfig. Bind runs chrooted; FTP users are also chrooted. Postfix comes with SMTP-AUTH and TLS.
Never had any problems with this setup. :)

TheRudy
8th December 2005, 11:07
Well, don't mention Safe Mode please ;) It's pure evil heh

I'm going to use this setup now :)
Of course I'll change some things like disabling root login in SSH, disabling some commands in PHP and so on... but these are the things that are missing in this guide. While I know what to do for most of the stuff, someone who's new might not.

Anyway, thanks for replying and whoever makes ISPConfig and these tutorials, keep up the good work!!

till
8th December 2005, 11:13
Currently most Linux servers were hacked through insecure scripts on webservers.

For security:

1) Update your Debian frequently to make sure all known bugs are fixed:

apt-get update
apt-get -u upgrade

2) To be even more secure, partition your hard disk so that you have at least separate /tmp and /var partitions.

3) Check your system frequently with rootkit scanners like rkhunter.
http://www.howtoforge.com/faq/1_38_en.html

4) You may run PHP on your server as CGI and activate suExec if you think that you won't trust the PHP safe mode.

TheRudy
8th December 2005, 11:49
> Currently most Linux servers were hacked through insecure scripts on webservers.
That I am aware of.

> 1) Update your Debian frequently to make sure all known bugs are fixed:
>
> apt-get update
> apt-get -u upgrade
This won't override, for example, PHP configurations if there is a newer PHP version or bug fix? I just downloaded ISPConfig to check it and I saw that most configurations come with ISPConfig. Or did I overlook something here with config files?

> 2) To be even more secure, partition your hard disk so that you have at least separate /tmp and /var partitions.
>
> 3) Check your system frequently with rootkit scanners like rkhunter.
> http://www.howtoforge.com/faq/1_38_en.html
That I'm aware of and I also do that on my current test machine...

> 4) You may run PHP on your server as CGI and activate suExec if you think that you won't trust the PHP safe mode.
It's not that I don't trust safe mode, but it gives more problems (running scripts) than it does good.
I read a nice discussion on some forum about how 'useful' safe mode really is, plus how you can bypass it and so on...

till
8th December 2005, 11:53
> This won't override, for example, PHP configurations if there is a newer PHP version or bug fix? I just downloaded ISPConfig to check it and I saw that most configurations come with ISPConfig. Or did I overlook something here with config files?

The PHP and Apache that come with ISPConfig are not the software that is used to serve your webpages. The ISPConfig PHP and Apache are only for the control panel webserver on port 81. You can use the update mechanism from Debian without overriding any ISPConfig settings.

TheRudy
8th December 2005, 12:52
Oh OK, so basically you have 2 Apaches and 2 PHPs running, one for ISPConfig and 1 well for webserver ;)

Thanks for clearing that up!
So all config files that come with ISPConfig (webalizer and so on) are for ISPConfig usage only?

PS: sorry for being so curious but I want to know the software as much as I can before I use it.

till
8th December 2005, 14:02
Some of the config files are for ISPConfig, some for the services that are installed with DEBIAN. The binaries are only for ISPConfig.

themachine
10th December 2005, 16:39
Just make sure to 'apt-get update && apt-get install cron-apt' and you will have nightly security updates. You can also 'apt-get install chkrootkit' and have weekly/nightly rootkit scans.
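
Added example, not part of any post in this thread: a small audit of three hardening items the posters name (SSH root login disabled, separate /tmp and /var partitions, PHP functions disabled). The function names are hypothetical, the file paths are passed as arguments, and the sample files are constructed; `PermitRootLogin` and `disable_functions` are the real sshd_config and php.ini directives.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample inputs are constructed.

# Effective global PermitRootLogin. sshd keeps the FIRST value it reads for a
# keyword and keywords are case-insensitive; parsing stops at a Match block.
sshd_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeeds if $1 is its own mount point in the /proc/mounts-style file $2.
is_separate_mount() {
    awk -v mp="$1" '$2 == mp { ok = 1 } END { exit !ok }' "$2"
}

# Effective disable_functions in a php.ini: the LAST assignment read wins and
# ";" starts a comment. Prints an empty line when the directive is not set.
php_disabled_functions() {
    awk -F= '/^[ \t]*;/ { next }
             { k = $1; gsub(/[ \t]/, "", k) }
             k == "disable_functions" { v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v) }
             END { print v }' "$1"
}

# audit <sshd_config> <mounts> <php.ini>: prints findings, returns their count.
audit() {
    n=0
    [ "$(sshd_root_login "$1")" = "no" ] || { echo "ssh: root login is not disabled"; n=$((n + 1)); }
    for mp in /tmp /var; do
        is_separate_mount "$mp" "$2" || { echo "fs: $mp is not a separate partition"; n=$((n + 1)); }
    done
    [ -n "$(php_disabled_functions "$3")" ] || { echo "php: disable_functions is empty"; n=$((n + 1)); }
    return "$n"
}

make_samples() {  # writes constructed sample files into directory $1
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' 'PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' '/dev/sda2 /var ext3 rw 0 0' > "$1/mounts"
    printf '%s\n' '; disable_functions = exec' 'disable_functions = exec,system,passthru' > "$1/php.ini"
}

d=$(mktemp -d) && make_samples "$d"
audit "$d/sshd_config" "$d/mounts" "$d/php.ini" || echo "findings: $?"
```

The constructed sshd_config shows why a plain grep for `PermitRootLogin no` is not enough: that line is present, but an earlier `PermitRootLogin yes` is the one sshd uses. On a live system the arguments would be /etc/ssh/sshd_config, /proc/mounts and the php.ini your web server actually loads.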