Firewall Wizards mailing list archives
Custom Unix server installations -- to harden extensively ?
From: Julian Gomez <kluivert () tm net my>
Date: Tue, 13 May 2003 22:21:04 +0800
Hi,

What is the relative opinion of hardening general purpose Unix servers (general == mail, web, db hosts)?

Obviously, wherever possible, I'd like to get most of the unwanted packages stripped and removed; but very frequently -- this is extremely time consuming and is a lot of documentation work (which btw, no one ever bothers to read).

Alas, this usually conflicts in the future when there is a need for additional software to be implemented, the whole compiling + installation steps, but the relevant packages have been removed as per the hardening work done in the above paragraph.

So, what do most of you all do :

a) Leave the possibly-relevant future packages, intact on the system, and just perform permission tweaks ?

b) Remove the packages, and when the need arises, reinstall the packages -- I have to note here that a lot of cross-dependencies make this hell. At least on RH, if there is opinion on different distributions which make this somewhat painless, closest thing which might be relevant, I think is FBSD's ports system (though I haven't used it myself) ?

c) Leave the server, it's screwed anyway because local users have access :-)

I'm beginning to really wish for a CD which would have all this spare software which can be loaded, do its work, and then unloaded directly, without having any permanent storage on the host's filesystem. The only commercial product which comes to mind which I think is to cater for this would be Guardian Digital's offering, though I haven't played with it yet.

Just to clarify, I don't want a product which offers every service under the sun by default, I'd like something I can tweak to my specific needs (half the software installed on most systems by default suck peanuts really, I'm not sure whether this is for a compatibility or just a preference for architecturally flawed stuff :)

Thanks!