Really Secure Debian Squeeze Server

Discussion in 'Server Operation' started by l337dan, Sep 19, 2011.

  1. l337dan

    l337dan New Member

    Hello Community!

    I am creating a new Server for my company.

    Therefore, I went through the following two tutorials:
    http://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3 and
    http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-dovecot-ispconfig-3

    for setting up the base system.

    Now I have a great apache server with e-mail which is only accessible via SSL and FTP which only works via TLS.

    I also set up Icinga to monitor the server.

    Of course, aptitude is checking for security updates every hour via cron jobs.

    However, I don't know what I can do to make the server really secure and I guess I'll need additional monitoring tools.

    What should be the next steps I should follow to make sure that the server won't be cracked ever?

    Intrusion Detection? More/Better Monitoring? How can I make the daemons more secure?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    I think the best thing you can do next is set up fail2ban to block brute-force attacks. :)
     
  3. l337dan

    l337dan New Member

    Hello Falko, thank you for your reply.

    I am already using fail2ban.

    However I am looking for additional ways so I can make sure nobody is cracking my system.

    For that reason, I went to the Debian IRC Channel.

    The guys there told me that Debian is very safe by default, and most intrusions are because daemons aren't configured correctly.

    After a longer discussion, in essence they advised me to do the following:

    - set up fail2ban
    - use a good firewall configuration. ufw should be a great tool to do so
    - use encryption
    - read http://www.debian.org/doc/manuals/securing-debian-howto
    - set up SELinux
    - set up an intrusion detection system

    In the Securing Debian docs, I read about chrooting every daemon. Particularly bind.

    On this site I read that using SELinux won't be compatible with ISPConfig.

    Do you have advice on chrooting the daemons by creating chroot-jails for every one and setting up SELinux on a system, while continuing to use ISPConfig 3?

    Also, do you have advice on a good Intrusion detection system?

    I will try out the tutorial on aide from http://www.howtoforge.com/linux-security-notes-aide-file-integrity.
     
  4. falko

    falko Super Moderator ISPConfig Developer

    I would not use SELinux and also not chroot all your services. Both will cause you more trouble than you gain from it.

    ISPConfig comes with its own firewall, so there should be no need for an additional tool. Regarding PHP security, make sure you select suExec + FastCGI or suPHP for your web sites in ISPConfig.
     
