discuss - Re: [opennic-discuss] server security

  • From: "Niels Dettenbach (Syndicat IT&Internet)" <nd AT syndicat.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] server security
  • Date: Sat, 03 Mar 2012 07:02:28 +0100

Dale <dweide9 AT aim.com> wrote:

>1. set uncomplicated firewall to deny all, then only open needed ports.

This is nonsense so far as Linux allows you to select which ports you want to
offer - why offer something just to deny it?...
A local firewall on a public internet server could (!) make sense if your
networking setup could not be realized without it - means you can't configure
that application based. But this is usually not the case. Btw.: a firewall on
the same machine as the sys you want to secure has by principle limited
effect too.


>2. using chkrootkit/rkhunter

Bind9 could be run in chroot environments very nice - there is no need for
any third party solution.

>3. using apparmor (+profiles)
On a server? hmmm

>4. using apache mod_security, mod_evasive & mod_qos

If you know what you're doing there, maybe...


>5. using logcheck /portsentry
Could make sense if you use it wisely...

>6. Had used webserver security testing apps, i.e. nikto & w3af, but not
>sure what is out there for DNS

You have to understand at least the basic concepts of DNS and bind - then
make sure that your config is "correct" by testing it with i.e. dig /
bind-tools.
Your question seems to say - you still have not ;)

There is no general "this is an insecure DNS" for most cases...

But even for web servers testing tools by themselves are not very helpful to see
"how secure is my webserver". You have to plan, read (and test!) your
configurations in a very specialized way, otherwise such tools could help
nearly nothing...

You are going the completely wrong way - do it vice versa:

- deinstall anything you did not need
- open just ports you want to open
- give just filesystem rights as really required
- if you have two interfaces bind services to them just as needed
- make your apps secure by their configuration as wide as possible and for
  YOUR needs
- watch logfiles
- make updates
- do read security lists
etc...

Ubuntu may be nice for new linuxianers and internet admins as "it is so easy
to setup an internet server" today - but even this effect (beside others) is
what many crackers made happy today...

There is no way around reading and understanding configurations and internet
protocols / concepts you want to offer to the public.


best regards,


Niels.
--
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com
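An added example, not part of the original message: one way to check the "open just ports you want to open" and "bind services to them just as needed" items in the reply above is to compare the sockets actually listening against an explicit allowlist. The allowlist (DNS plus SSH), the function names and the sample `ss -H -tuln` output are assumptions constructed for illustration.

```python
import subprocess

# Assumption: a DNS server that should offer only DNS and SSH to the network.
ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 22)}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -H -tuln` output (documentation address range).
SAMPLE = """\
udp   UNCONN 0      0         192.0.2.10:53        0.0.0.0:*
tcp   LISTEN 0      10        192.0.2.10:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
tcp   LISTEN 0      128             [::]:111          [::]:*
"""


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # keeps IPv6 colons in addr
        if port.isdigit():
            yield proto, addr, int(port)


def audit(ss_output, allowed=ALLOWED):
    """Flag services off the allowlist and allowed ones bound to all interfaces."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        loopback = addr.startswith("127.") or addr == "[::1]"
        if (proto, port) not in allowed:
            if not loopback:  # loopback-only listeners are not offered publicly
                findings.append(("unexpected", proto, addr, port))
        elif addr in WILDCARDS:
            findings.append(("wildcard-bind", proto, addr, port))
    return findings


if __name__ == "__main__":
    try:  # live data when ss (iproute2) is present, else the constructed sample
        out = subprocess.run(["ss", "-H", "-tuln"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for finding in audit(out):
        print(*finding)
```

An "unexpected" finding is a candidate for uninstalling or rebinding the service; a "wildcard-bind" finding is an allowed service that could be bound to a single interface in its own configuration.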



  • [opennic-discuss] server security, Dale, 03/02/2012
    • <Possible follow-up(s)>
    • Re: [opennic-discuss] server security, Niels Dettenbach (Syndicat IT&Internet), 03/03/2012
