CentOS + Ensim Web Server Hardening Question
Greetings fellow computer junkies,
Short and to the point:
In considering the application of the following "hardening outline",
borrowed from our good friends at rack911.com/security.php,
is there A-n-y-t-h-i-n-g you can think of to add to the following list to
ensure Fort Knox security "+" ease of update management
(short of removing the NIC cable)?

-v- Borrowed Outline -v-
1 ) Limit compiler & fetch utilities access to root only.
2 ) Correct folder permissions to prevent directory traversal on unprivileged users.
3 ) Logwatch installation and configuration:
- Sends a detailed daily report of server events based on logs.
4 ) Host.conf & sysctl hardening:
- Basic spoof & DoS protection.
5 ) Noexec, nosuid temporary directories:
- Directories include /dev/shm, /var/tmp, /tmp; prevents basic scripts from being executed.
6 ) Chkrootkit & RkHunter Installation:
- Checks for possible root kits on the server and sends you a daily report.
7 ) Installation and configuration of APF:
- Restricts access to unneeded ports.
8 ) Kernel update w/grsecurity.
9 ) Disabling of dangerous PHP functions:
- Disabling of functions that could potentially cause harm to the server and/or its users.
10 ) BFD Installation:
- Checks for brute-force attempts and automatically adds them to the firewall to block them.
11 ) NSIV Installation:
- Validates inodes against each LISTEN socket.
12) PRM Installation:
- Process Resource Monitor.
13) Update all server/control panel software.
14) Disabling Unused Services:
- Unused services are disabled which could be exploited, for example telnet.
15) Samhain Configuration:
- File integrity checking / host-based intrusion detection
16) Linux Socket Monitor:
- Monitors created sockets and compares against a database.
17) Enforce LCAP limitations:
- Limits kernel capabilities.
18) Install and configure Mod_Security w/mildly aggressive ruleset:
- Used to prevent web attacks.
19) Email Virus Scanning Configuration:
- Setup some kind of email virus scanning depending on your MTA.
20) System Integrity monitor:
- Tracks downed services and attempts to restart them.
21) RPM Package Audit:
- Removal of unneeded rpm packages, which could sometimes bring a hole for exploitation.
22) Default User Audit:
- Removal of unneeded/unused default system users.
23) Default Group Audit:
- Removal of unneeded/unused default system groups.
24) Check/secure configuration defaults on common services.
25) Mod_dosevasive:
- Evasive maneuvers module for Apache to prevent DoS-type attacks on Apache.
-^- Borrowed Outline -^-
So once again, is there A-n-y-t-h-i-n-g you can think of to add to the following list to ensure Fort Knox security "+" ease of update management?
Thanks everyone for taking the time to help.
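
A way to verify item 5 of the outline after the mount options are changed, added here as an example and not part of the original post or of the rack911 outline: it reads a mount table in /proc/mounts format on stdin and reports any of the three listed directories that lacks noexec or nosuid. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table for the noexec/nosuid item of the outline.
# Directories and options are the ones the outline names; names are hypothetical.
REQUIRED_DIRS="/tmp /var/tmp /dev/shm"
REQUIRED_OPTS="noexec nosuid"

# Constructed sample in /proc/mounts format (device, mountpoint, type, options).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# check_mounts: reads a mount table on stdin, prints one FAIL line per finding,
# returns 0 when every required directory is compliant and 1 otherwise.
check_mounts() {
    table=$(cat)
    rc=0
    for dir in $REQUIRED_DIRS; do
        # The last entry for a mountpoint is the one in effect (it shadows earlier ones).
        opts=$(printf '%s\n' "$table" | awk -v d="$dir" '$2 == d { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            # No own mount entry: the directory takes the options of its parent filesystem.
            echo "FAIL $dir: not a separate mount, options come from the parent filesystem"
            rc=1
            continue
        fi
        for want in $REQUIRED_OPTS; do
            # Wrap in commas so an option only matches as a whole list element.
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "FAIL $dir: missing $want (options: $opts)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Demo on the constructed table; on a live host use: check_mounts < /proc/mounts
sample_mounts | check_mounts || echo "one or more temporary directories are not hardened"
```

The non-zero return code makes the function usable from cron next to the daily Logwatch and rootkit reports in the same list.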
