Firewall Wizards mailing list archives

Custom Unix server installations -- to harden extensively ?


From: Julian Gomez <kluivert () tm net my>
Date: Tue, 13 May 2003 22:21:04 +0800

Hi,

What is the relative opinion of hardening general purpose Unix servers
(general == mail, web, db hosts). Obviously, wherever possible, I'd like to
get most of the unwanted packages stripped and removed; but very frequently
-- this is extremely time consuming and is a lot of documentation work
(which btw, no one ever bothers to read).

Alas, this usually conflicts in the future when there is a need for
additional software to be implemented, the whole compiling + installation
steps, but the relevant packages have been removed as per the hardening
work done in the above paragraph.

So, what do most of you all do :

        a) Leave the possibly-relevant future packages, intact on the
           system, and just perform permission tweaks ?

        b) Remove the packages, and when the need arises, reinstall the
           packages -- I have to note here that a lot of cross-dependencies
           make this hell. At least on RH, if there is opinion on different
           distributions which make this somewhat painless, closest thing
           which might be relevant, I think is FBSD's ports system (though
           I haven't used it myself) ?

        c) Leave the server, it's screwed anyway because local users have
           access :-)

I'm beginning to really wish for a CD which would have all this spare
software which can be loaded, do its work, and then unloaded directly,
without having any permanent storage on the host's filesystem.

The only commercial product which comes to mind which I think is to cater
for this would be Guardian Digital's offering, though I haven't played with
it yet.

Just to clarify, I don't want a product which offers every service under
the sun by default, I'd like something I can tweak to my specific needs
(half the software installed on most systems by default suck peanuts
really, I'm not sure whether this is for a compatibility or just a
preference for architecturally flawed stuff :)

Thanks!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

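Option (a) above, keeping the packages but tweaking permissions, is easier to live with later if the tweaks are recorded and reversible, so the next person who needs the binary can put it back instead of reinstalling. Below is an added example, not from the post or any product it mentions; it assumes GNU coreutils `stat`, a plain list file of binaries to lock down (one path per line, no spaces) and a record file of the original modes.

```bash
#!/bin/sh
# Assumptions (not from the post): LISTFILE holds one absolute path per line
# for binaries that are "not needed now, maybe needed later"; RECORDFILE is
# written as "path mode" lines so the change can be undone. GNU stat is used.

# lock_down LISTFILE RECORDFILE
# Records each file's current octal mode, then drops setuid/setgid and all
# access for "other" so ordinary local users cannot run the binary.
lock_down() {
    list=$1
    record=$2
    : > "$record"
    while IFS= read -r path; do
        [ -n "$path" ] || continue                      # skip blank lines
        if [ ! -e "$path" ]; then
            echo "skip (missing): $path" >&2
            continue
        fi
        mode=$(stat -c '%a' "$path")                    # e.g. 4755
        printf '%s %s\n' "$path" "$mode" >> "$record"   # the "documentation"
        chmod u-s,g-s,o-rwx "$path"
    done < "$list"
}

# restore RECORDFILE
# Puts the recorded modes back, for when the package is needed again.
restore() {
    record=$1
    while read -r path mode; do
        [ -e "$path" ] && chmod "$mode" "$path"
    done < "$record"
}
```

Run `lock_down /etc/hardening/locked.list /var/log/hardening-modes.log` once, and `restore` with the same record file when the software is needed; the record file is the hardening documentation in a form that can actually be used.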