#1  
Old 7th December 2005, 21:08
TheRudy TheRudy is offline
Senior Member
 
Join Date: Dec 2005
Posts: 215
Thanks: 1
Thanked 7 Times in 5 Posts
Default How secure is this setup?

Hey

My first question here is: How secure really is this tutorial: http://www.howtoforge.com/perfect_setup_debian_sarge

By secure i mean, is there anything else someone might want to do before going public with that setup? Of course firewall settings are missing but besides that. Securing apache, php,...?

How many of you guys do actually use just this tutorial and goes public with server?

Why this questions? Well i'm about to set up a debian server and after a few days of looking and reading server setup tutorials, i kinda decided that i will go with this setup plus of course ISPConfig panel.

I'm not new to linux and of course i'm not super advanced user so sorry if this questions are kinda stupid

And for example, i compared this tutorial with this one: http://www.harrysufehmi.com/phpwiki/...gUpLinuxServer
and well, check it and you'll see what i mean... Lots of stuff about security while in this tutorial pretty much nothing unless i somehow missed to read that

And now for end, thanks for even making this tutorials!! It helps a lot of us who are not so pro with this stuff heh
Reply With Quote
Sponsored Links
  #2  
Old 8th December 2005, 00:58
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
Default

Quote:
Originally Posted by TheRudy
Of course firewall settings are missing but besides that.
The firewall comes with ISPConfig.

Quote:
Originally Posted by TheRudy
How many of you guys do actually use just this tutorial and goes public with server?
I know some people who do...

Most current Linux systems are very secure out of the box, and you have to do a lot of customization to make them more secure which means you cannot use the distribution's regular update packages anymore - which is a major drawback.
If you only run the services you need (e.g. Apache, Postfix, SSH) and nothing more and have a firewall then it's already very secure. For Apache vhosts you can enable suExec and PHP Safe Mode in ISPconfig. Bind runs chrooted; FTP users are also chrooted. Postfix comes with SMTP-AUTH and TLS.
Never had any problems with this setup.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 8th December 2005, 11:07
TheRudy TheRudy is offline
Senior Member
 
Join Date: Dec 2005
Posts: 215
Thanks: 1
Thanked 7 Times in 5 Posts
Default

Well don't mention Safe Mode please It's pure evil heh

I'm going to use this setup now
Of course i'll change some things like disable root login in ssh, disable some commands in php and so on... but this are the things that are missing in this guide. While i know for most of the stuff what to do, someone who's new might not.

Anyway, thanks for replying and whoever makes this ISPconfig and tutorials, keep up the good work!!
Reply With Quote
  #4  
Old 8th December 2005, 11:13
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,446
Thanks: 813
Thanked 5,213 Times in 4,088 Posts
Default

Currently most linux servers where hacked trough insecure scripts on webservers.

For security:

1) Update your debian frequently to make sure all known bugs are fixed:

apt-get update
apt-get -u upgrade

2) To be even more secure, partition your harddisk that you have at least separate /tmp and /var partitions.

3) Check your system frequently with rootkit scanners like rkhunter.
http://www.howtoforge.com/faq/1_38_en.html

4) You may run the PHP on your server as CGI and activate suExec if you think that you wont thrust the PHP safemode.
Reply With Quote
  #5  
Old 8th December 2005, 11:49
TheRudy TheRudy is offline
Senior Member
 
Join Date: Dec 2005
Posts: 215
Thanks: 1
Thanked 7 Times in 5 Posts
Default

Quote:
Originally Posted by till
Currently most linux servers where hacked trough insecure scripts on webservers.
That am aware off

Quote:
Originally Posted by till
1) Update your debian frequently to make sure all known bugs are fixed:

apt-get update
apt-get -u upgrade
This won't override for example php configurations if there is newer PHP version or bug fix? I just downloaded ISPConfig to check it and i saw that most configurations come with ISPConfig. Or did i overlooked something here with config files?

Quote:
Originally Posted by till
2) To be even more secure, partition your harddisk that you have at least separate /tmp and /var partitions.

3) Check your system frequently with rootkit scanners like rkhunter.
http://www.howtoforge.com/faq/1_38_en.html
That i'm aware off and i also do that on my current test machine...

Quote:
Originally Posted by till
4) You may run the PHP on your server as CGI and activate suExec if you think that you wont thrust the PHP safemode.
It's not that i don't trust safe mode but it gives more problems (running scripts) then does good.
I read a nice discussion on some forum about how 'usefull' really is safemode plus how you can bypass it and so on...
Reply With Quote
  #6  
Old 8th December 2005, 11:53
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,446
Thanks: 813
Thanked 5,213 Times in 4,088 Posts
Default

Quote:
Originally Posted by TheRudy
This won't override for example php configurations if there is newer PHP version or bug fix? I just downloaded ISPConfig to check it and i saw that most configurations come with ISPConfig. Or did i overlooked something here with config files?
The PHP and apache that comes with ISPConfig are not the software that is used to serve your webpages. The ISPConfig php and apache is only for the controlpanel webserver on port 81. You can use the update mechanism from DEBIAN without overriding any ISPConfig settings.
Reply With Quote
  #7  
Old 8th December 2005, 12:52
TheRudy TheRudy is offline
Senior Member
 
Join Date: Dec 2005
Posts: 215
Thanks: 1
Thanked 7 Times in 5 Posts
Default

Oh ok, so basically you have 2 apaches and 2 php's running, one for ISPConfig and 1 well for webserver

Thanks for clearing that up!
So all config files that come with ISPConfig (webalizer and so on) are for ISPConfig usage only?

PS: sorry for being so curious but i want to know the software as much as i can before i use it.
Reply With Quote
  #8  
Old 8th December 2005, 14:02
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,446
Thanks: 813
Thanked 5,213 Times in 4,088 Posts
Default

Some of the config files are for ISPConfig, some for the services that are installed with DEBIAN. The binaries are only for ISPConfig.
Reply With Quote
  #9  
Old 10th December 2005, 16:39
themachine themachine is offline
Senior Member
 
Join Date: Oct 2005
Location: Texas, USA
Posts: 109
Thanks: 0
Thanked 0 Times in 0 Posts
 
Default

Just make sure to 'apt-get update && apt-get install cron-apt' and you will have nighly security updates. You can also 'apt-get install chkrootkit' and have weekly/nightly root kit scans.
__________________
themachine
5dollarwhitebox.org
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Server Setup Behind a Router/Firewall/Cable Modem kisong Installation/Configuration 2 1st August 2010 17:05
Fedora Core 4 - The Perfect Setup nandhu HOWTO-Related Questions 27 10th January 2006 12:23
Attempting The Perfect Setup (To Some Extent) PsyVision HOWTO-Related Questions 3 3rd November 2005 11:50
setup autoresponder and delete incoming mail ManuelW Installation/Configuration 1 22nd October 2005 23:06
Suse 9.3 setup probs with php5 hyperclock Tips/Tricks/Mods 0 21st September 2005 02:34


All times are GMT +2. The time now is 18:46.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.