Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46.
John Holbrook
Step by Step Installation of a Secure Linux Web, DNS and Mail Server
Feb 10, 2004
GIAC GSEC Practical – Version 1.4b, Option 1
Table of Contents
Abstract
Introduction
  Current Setup
  Reasons for new install
  Sudo
Security Comparison of Redhat 9.0 and Openna 1.0
  Default Installed Services
Configuration Notes
  The New Setup
  Layers of Protection
  Verifying Integrity of Downloaded Files
    RPMs
    Md5sums
    PGP/GPG Keys
  A Word About Passwords
Openna Linux 1.0 Installation
  Adding a User
  OpenSSH Configuration
MySQL Installation
  Securing MySQL
BIND Installation
  Chroot Jailing BIND
Qmail Installation
  Vpopmail Install
Apache Installation
  Mod_security Installation
  Mod_Dosevasive Installation
PHP Installation
Giptables Installation
  Giptables Customization
Snort Installation
  MySQL Snort Configuration
  ACID Installation
    ADODB
    PHPLOT
    JPGRAPH
    ACID Installation
    Authenticated access to the acid pages
Time Synchronization
AIDE
Final Cleanup
  Chattr of key files
  Remove Development RPMs
  Removal of Downloaded Files
  Autoupdate
  Mailing Lists and other sources of information
Appendix A BIND Configuration File – named.conf
Appendix B – named Initialization Script
Appendix C – Apache configuration options
Appendix D Apache Initialization File
Appendix E – Apache Initialization file
Abstract
This paper will show how the author configured a Linux based web and e-mail server for a
small company. This server is co-located at a local ISP.
Because of budget limitations, the company can only locate one physical box at the ISP,
which limits what security measures can be installed. The author will seek to explain
the choices made. The paper will include instructions on how to build a secure web and
e-mail server with an emphasis on two key security areas:
1) Keeping crackers out
2) Detecting any signs of cracker activity and limiting the changes a cracker can make
This document expects the reader to have a good understanding of installing Linux and
the various tools included for text editing, configuration etc.
Introduction
Current Setup
The currently configured server is a Red Hat 7.2 box running several externally available
services:
➔ Apache 1.3.x Web Server (hosting approximately 10 domains)
➔ Bind 9.x
➔ qmail
➔ Openssh
Reasons for new install
The current server has been in service for approximately 30 months. When it was
originally configured the author's knowledge of securing Linux was somewhat limited.
Specifically the following items were not installed on the server or configured correctly:
1) Firewall
2) Intrusion Detection System
3) Bind was not configured in a chroot jail
The author has since set up several Linux servers and has standardized on locations for
configuration files, etc., which makes them easier to administer. This wasn't done on the
existing server and has caused several problems over the last year or so when updating
software.
Another reason for an upgrade is Red Hat has announced the end of life for Red Hat 7.2
as of December 31, 2003 and is discontinuing their freely available download distribution
in favor of a commercially packaged version.
Their new free version is now called the “Fedora Project” (http://fedora.redhat.com/) but
this version is intended for 'bleeding edge' type development, not for a stable, secure web
server.
The author looked at several Linux distributions including Mandrake (www.mandrake.com),
SuSE (www.suse.com), Debian (www.debian.org) and Openna (www.openna.com). After
comparing these distributions, the decision was made to use Openna Linux 1.0 which is
available as a free download or can be purchased in a retail package.
Why the author chose Openna Linux:
➔ Secure distribution. What isn't needed isn't installed by default. With Red Hat the
author usually spends several hours disabling unneeded services and removing
unnecessary packages.
➔ All software packages for Openna Linux are compiled for the i686 processor which
gives us better performance on newer CPUs
➔ Prior experience with the creator of Openna Linux – Gerhard Mourani. Gerhard has
written several books on securing and optimizing RedHat Linux and Openna Linux
which the author has used in the past.
Sudo
Instead of using 'su' (super user) to gain root access Openna uses Sudo.
"Sudo (superuser do) allows a system administrator to give certain users (or groups of
users) the ability to run some (or all) commands as root or another user while logging the
commands and arguments." [1]
Here's an example of how you can fine tune Sudo. I have a user named “bob” who I want
to allow to start and stop Apache and make changes to the Apache configuration files
under /etc/httpd. Normally, I would have to give “bob” root access by making him a
member of the 'wheel' group, give him the root password, and trust that he does not do
anything beyond administering Apache. With sudo here's what I can do:
# visudo
visudo is the administration tool for the sudo configuration file - /etc/sudoers.
Note: Never directly edit /etc/sudoers. Always use 'visudo'.
This is what my /etc/sudoers file will look like on Openna:
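The author's own sudoers file is not reproduced in this excerpt. As an added example (not taken from the paper), a sudoers fragment implementing the rule described above for “bob” could look like the following. The init-script path, the configuration file name and the use of sudoedit are assumptions; adjust them to the actual system.

```sudoers
# Added example, not the author's /etc/sudoers. Edit only through visudo.
# Assumed paths: /etc/init.d/httpd (init script) and
# /etc/httpd/conf/httpd.conf (main configuration file).

# Service control: each permitted argument is listed explicitly, so
# "/etc/init.d/httpd <anything else>" is refused and logged.
Cmnd_Alias APACHE_CTL = /etc/init.d/httpd start, \
                        /etc/init.d/httpd stop, \
                        /etc/init.d/httpd restart

# Configuration edits: sudoedit copies the file, runs the editor as the
# invoking user, then installs the result. An editor run directly as root
# would let the user escape to a root shell; sudoedit avoids that.
# "sudoedit" is a sudo built-in and is written without a path.
Cmnd_Alias APACHE_CONF = sudoedit /etc/httpd/conf/httpd.conf

# bob may run only the commands above, as root, on any host that uses
# this file. He authenticates with his own password, so the root
# password and 'wheel' membership are not needed.
bob ALL = (root) APACHE_CTL, APACHE_CONF

# Caveat: the right to edit the configuration of a daemon that starts as
# root is itself a powerful privilege. The sudo log records who invoked
# each command and with which arguments; review it.
```

With this in place, bob can check what he is allowed to run with `sudo -l`.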