Protecting a server

Status
Not open for further replies.

franklin97355

Technical User
Jul 11, 2002
3,753
US
I am planning on putting a server on the internet. Right now it's behind a Linksys router with NAT but I plan to move it into the DMZ. My question is, what should I do to protect the server from outside mischief? I'm running RH9, Apache 2.x is the http server and at the moment I don't need anything else open (except port 8080 until I figure out mod_rewrite/mod_proxy).

Thanks for the help,
Stephen
 
VERY LARGE QUESTION there franklin, let's take a stab at it.

1) IPTables on your machine will be a hugely useful effort to ensure that you or someone doesn't "accidentally" open a port/service that you didn't intend to be accessible via the internet. I often recommend a couple of easily config'd scripts to help with this task.

2) Shut down every service you don't need and tell xinetd to piss off or otherwise don't answer requests for other ports. 'chkconfig --list' on RedHat boxen is an easy way to figure out what services will be started. This also sublists the daemons that xinetd will answer on behalf of - very important!

3) Update, patch, secure, stay current. I don't know if you built from source or .RPM, but DO NOT FALL BEHIND in patches. Since you are running Apache, I MUST encourage you to stay up on openssl, openssh, perl, apache, php, mod_ssl, and other modules that you need. Only a few weeks ago there was a flurry of activity related to a rootable vuln in the openssl libs.

4) Use the security services that you can enable. Use 'tripwire' to catalog the binaries on the machine to notice if they get changed. Use an IDS such as 'snort' to detect when you are under attack. Use off-machine logging to ensure that your logs cannot be tampered with if you do get hacked.

Remember the first rule of every firewall is "deny all". Start there and you'll be much safer.
Good luck.


"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
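
The `chkconfig --list` check from point 2 of the reply above, as an added example that is not part of the original posts: a shell function that reads that output and prints every init service enabled at a given runlevel, and every xinetd sub-service that is on, unless it appears on an allowlist. The function names, the allowlist, the choice of runlevel 3 and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample of `chkconfig --list` output (not from a real host).
sample_chkconfig_output() {
    cat <<'EOF'
cups            0:off   1:off   2:off   3:off   4:off   5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        finger: on
        rsync:  off
        telnet: off
EOF
}

# audit_services RUNLEVEL "ALLOWED NAMES" -- reads `chkconfig --list` on stdin and
# prints every enabled service that is not in the allowlist, one per line.
audit_services() {
    awk -v rl="$1" -v allowed="$2" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        # Everything after this header is an xinetd sub-service: "name: on|off"
        /xinetd based services/ { in_xinetd = 1; next }
        in_xinetd {
            name = $1
            sub(/:$/, "", name)
            if ($2 == "on" && !(name in ok)) print "xinetd:" name
            next
        }
        # Init scripts: "name 0:off 1:off ... 6:off"; report if on at runlevel rl
        NF >= 8 {
            for (f = 2; f <= NF; f++)
                if ($f == (rl ":on") && !($1 in ok)) print "init:" $1
        }
    '
}

# Runlevel 3 and this allowlist are assumptions for a web-only server.
sample_chkconfig_output | audit_services 3 "httpd network sshd syslog xinetd"
```

On a live host, replace the sample with the real command, e.g. `chkconfig --list | audit_services 3 "httpd network sshd syslog xinetd"`; an empty result means nothing outside the allowlist is set to start.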
 