Virtualmin Server Security
Let's say we have CentOS 5.6 set up with Virtualmin on it. That's all. What type of security steps are you suggesting?
This page, http://www.wiredtree.com/supportservices/servershield.php, has a good summary checklist, I think. Which of these steps are required? Or do you have better suggestions than those security hardenings:
Complete list of technical services:
APF – Configure both ingress and egress firewall protection.
BFD – Detect and prevent brute force attacks.
CPHulk – Detect and prevent brute force attacks.
Spam Prevention and Anti-Virus Protection:
ClamAV – Configure for e-mail scanning. Enable auto-updating anti-virus definitions.
Realtime Blackhole Lists (RBLs) – Configure email server with RBLs to prevent spam.
Harden Mailserver Configuration – Prevent detection of valid e-mail addresses through brute-force attacks. Also enable HELO verification and other sanity checks.
Dictionary Attack Protection – Prevent spammers guessing email addresses on your server.
Checksum-based Collaborative Filtering – DCC and Razor to detect mass-mails.
OCR Technology – Optical Character Recognition engine to detect spam in email as images and PDF files.
Custom rulesets – Custom hand-selected SpamAssassin and ClamAV rulesets to increase spam detection.
HTTP Intrusion and DOS Protection:
Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
PHP Suhosin – PHP Hardening through the Hardened PHP Project. Available on request.
Disable IP Source Routing – Enable protection against IP source route attacks.
Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
Enable syncookie protection – Enable protection against TCP Syn Flood attacks.
Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
Harden Apache – Prevent module and version disclosure information.
Harden SSH – Allow only SSH version 2 connections.
Harden Named – Enable protection against DNS recursion attacks.
Ensure Filesystem Permissions – Fix permissions on world-writable directories and protect against directory-traversal attacks.
Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
Harden “fetching” utilities – Allows root-only access to wget, curl, and other utilities often used in web-based attacks.
Remove unnecessary packages – Removes RPMs which are not needed, to reduce potential vulnerabilities and free up disk space.
Disable unused services – Disable services which are not used.
Disable unneeded processes – Disable processes which are not needed for server operation.
PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhausting through fork bombs and other shell attacks.
PHP Hardening – Enable OpenBaseDir protection.
Optimize TCP/IP stack – Various changes to TCP/IP stack to increase buffers and optimize for server environment.
PHP Configuration – Enables widely used PHP modules for maximum compatibility.
MySQL Optimization – Optimizes MySQL performance for server configuration and enable query caching.
PHP Caching – Optimizes PHP performance through eAccelerator script caching.
FFMPEG and related software support – FFMPEG, Mencoder, flvtool2, and all related applications.
Graphic Applications – Installs widely-used graphic applications NetPBM and ImageMagick.
Monitoring Applications – Installs MyTOP, Iptraf, and Iftop utilities to easily monitor server performance.
Rootkit Hunter – Nightly scan to detect system intrusions.
Chkrootkit – Nightly scan to detect system intrusions.
Nobody Process Scanner – Scans for unauthorized "nobody" processes.
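The kernel, network and mount items of that checklist (source routing, ICMP redirects, syncookies, ICMP rate limiting, spoofing protection, noexec/nosuid on tmp and shm), as an added example that is not part of the original post and is not WiredTree's script. It assumes the CentOS 5 layout (a single /etc/sysctl.conf, sysctl in /sbin, no /etc/sysctl.d); the specific keys and values are this example's choices, not the page's:

```shell
#!/bin/sh
# Added example (not from the post or from WiredTree): emit the sysctl
# settings for the kernel/network checklist items, check the running kernel
# and the tmp/shm mounts against them, and optionally apply them.
# Assumptions: CentOS 5 style single /etc/sysctl.conf, sysctl under /sbin.
PATH=$PATH:/sbin:/usr/sbin

# "Disable IP Source Routing", "Disable ICMP Redirect Acceptance",
# "Enable syncookie protection", "Enable ICMP rate-limiting" and the
# spoofing-protection part of "Harden host.conf" (rp_filter) as sysctl keys.
# icmp_ratemask 6168 is the kernel default set (types 3,4,11,12); 6169
# additionally rate-limits echo replies (bit 0). Values are example choices.
hardening_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_ratemask = 6169
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
EOF
}

# Look up one key in the fragment above; prints nothing for unknown keys.
sysctl_conf_value() {
    hardening_sysctl | awk -F' *= *' -v k="$1" '$1 == k { print $2; exit }'
}

# Compare every desired key with the running kernel (sysctl -n). Prints the
# differing keys to stderr and returns 1 if any differ; safe to run unprivileged.
check_sysctl_drift() {
    drift=$(hardening_sysctl | grep -v '^#' | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d ' ')
        want=$(printf '%s' "$want" | tr -d ' ')
        have=$(sysctl -n "$key" 2>/dev/null | tr -s '\t' ' ')
        [ "$have" = "$want" ] || printf '%s running=%s wanted=%s\n' "$key" "${have:-unset}" "$want"
    done)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift" >&2
    return 1
}

# Given one line in /proc/mounts format, succeed only if the mount options
# carry both noexec and nosuid ("Harden temporary directory and shared memory").
mount_is_hardened() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Check the live /tmp and /dev/shm mounts. A /tmp that is just a directory on
# the root filesystem cannot get noexec/nosuid at all, so that is reported too.
check_tmp_mounts() {
    rc=0
    for mp in /tmp /dev/shm; do
        line=$(awk -v m="$mp" '$2 == m' /proc/mounts 2>/dev/null)
        if [ -z "$line" ]; then
            echo "$mp: not a separate mount, noexec/nosuid cannot apply" >&2; rc=1
        elif ! mount_is_hardened "$line"; then
            echo "$mp: missing noexec and/or nosuid" >&2; rc=1
        fi
    done
    return $rc
}

# Back up /etc/sysctl.conf, append the fragment (later lines win, so a rerun
# is harmless), load it, and verify the kernel actually took the values.
apply_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_hardening: must run as root" >&2; return 1; }
    cp -p /etc/sysctl.conf "/etc/sysctl.conf.$(date +%Y%m%d%H%M%S).bak" || return 1
    { echo "# --- network hardening block (added by example script) ---"; hardening_sysctl; } >> /etc/sysctl.conf
    sysctl -p >/dev/null || return 1
    check_sysctl_drift
}

case "${1:-}" in
    check) check_sysctl_drift; check_tmp_mounts ;;
    apply) apply_hardening ;;
esac
```

Run `sh harden.sh check` as an unprivileged user to see which of the desired settings the running kernel does not have (and whether /tmp and /dev/shm are separate mounts with noexec,nosuid); run `sh harden.sh apply` as root to write and load them. Two caveats a practitioner would want before applying this on a live box: rp_filter=1 breaks hosts with asymmetric routing, and noexec on /tmp breaks installers and some PHP applications that execute helpers from there, so test both on a staging server first.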