Re: [SLE] Hardening checklist for Suse 9.1
From: Danny Sauer (suse-linux-e.suselists_at_danny.teleologic.net)
Date: 09/29/04
- Previous message: Gary: "Re: [SLE] Dial-up SMTP - Was Proper way to attach Spamassassin to Postfix?"
- In reply to: Rob Brandt: "[SLE] Hardening checklist for Suse 9.1"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 29 Sep 2004 11:49:57 -0500
To: SuSE List <suse-linux-e@suse.com>
Rob wrote regarding '[SLE] Hardening checklist for Suse 9.1' on Tue, Sep 28 at 23:12:
> I'm doing a Linux installation for one of our bigger clients tomorrow, a
> publicly traded company. I've done quite a few Linux installs before, but am
> fairly new to Suse, and have never been particularly methodical about hardening
> the server.
>
> Does anyone have a good checklist available that I can use? This install will
> be a network install from the boot CD of v9.1, the server's sole purpose (at
> first) will be as a mail server, but it is likely that they will want it to do
> more down the line. We will be using postfix, there will be very few users but
> a very high volume of incoming mail. I plan on installing the basic web server
> stuff in addition to postfix.
Use the firewall to drop incoming packets everywhere but port 25 (and 80/443
later on), read the postfix chroot docs on postfix.org, and keep the software
up to date. Do a "netstat -lp" as root and set up anything that's listening
where you don't expect it to not automatically run anymore (using the rc file
editor and bootup config editor in yast) if you don't trust the firewall rules.
Oh, and make users' shells /bin/false or /bin/true unless they're totally
trusted admins. :)
IMHO, that's about all you really need, SuSE or any other distro in the
situation as I interpret it. When you get around to letting users upload
files, etc, you'll need to focus on the daemon(s) that allow file uploads,
but that's something you can worry about when the time comes.
--Danny
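The two checks from the reply above (unexpected listeners and accounts that still have a login shell) as a script. This is an added example, not part of the original message. The function names, the two variables, the extra `-t`/`-n` flags on netstat, the choice to skip loopback-only listeners, and all sample data are assumptions made for illustration.

```shell
#!/bin/sh
ALLOWED_PORTS="25 80 443"              # ports the reply leaves open
NOLOGIN_SHELLS="/bin/false /bin/true"  # shells the reply suggests; extend as needed

# Reads `netstat -ltnp` output on stdin and prints "port pid/program" for
# every TCP listener outside ALLOWED_PORTS that is not bound to loopback only.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print port, $7
        }'
}

# Reads passwd(5) lines on stdin and prints accounts whose shell is not in
# NOLOGIN_SHELLS. An empty shell field is reported too (it means /bin/sh).
login_shell_accounts() {
    awk -F: -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) off[d[i]] = 1 }
        NF >= 7 && !($7 in off) { print $1 }'
}

# Constructed sample input, so the script runs without root or a live host.
sample_netstat() { cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1203/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      955/cupsd
tcp        0      0 :::22                   :::*                    LISTEN      1011/sshd
EOF
}
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
mailuser1:x:1001:100:Mail user:/home/mailuser1:/bin/true
admin1:x:1000:100:Admin:/home/admin1:/bin/bash
EOF
}

if [ "${1:-}" = "live" ]; then          # run as root against the real host
    netstat -ltnp 2>/dev/null | unexpected_listeners
    login_shell_accounts < /etc/passwd
else
    sample_netstat | unexpected_listeners
    sample_passwd | login_shell_accounts
fi
```

Anything the first function prints is a service to disable or explicitly firewall; anything the second prints should be an admin account you recognise.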