I'm doing a Linux installation for one of our bigger clients tomorrow, a publicly traded company. I've done quite a few Linux installs before, but am fairly new to Suse, and have never been particularly methodical about hardening the server.

Does anyone have a good checklist available that I can use? This install will be a network install from the boot CD of v9.1, the server's sole purpose (at first) will be as a mail server, but it is likely that they will want it to do more down the line. We will be using postfix, there will be very few users but a very high volume of incoming mail. I plan on installing the basic web server stuff in addition to postfix.

Thanks
Rob

Rob wrote regarding '[SLE] Hardening checklist for Suse 9.1' on Tue, Sep 28 at 23:12:
> I'm doing a Linux installation for one of our bigger clients tomorrow, a publicly traded company. I've done quite a few Linux installs before, but am fairly new to Suse, and have never been particularly methodical about hardening the server.
>
> Does anyone have a good checklist available that I can use? This install will be a network install from the boot CD of v9.1, the server's sole purpose (at first) will be as a mail server, but it is likely that they will want it to do more down the line. We will be using postfix, there will be very few users but a very high volume of incoming mail. I plan on installing the basic web server stuff in addition to postfix.

Use the firewall to drop incoming packets everywhere but port 25 (and 80/443 later on), read the postfix chroot docs on postfix.org, and keep the software up to date. Do a "netstat -lp" as root and set up anything that's listening where you don't expect it to not automatically run anymore (using the rc file editor and bootup config editor in yast) if you don't trust the firewall rules. Oh, and make users' shells /bin/false or /bin/true unless they're totally trusted admins. :)

IMHO, that's about all you really need, SuSE or any other distro in the situation as I interpret it. When you get around to letting users upload files, etc., you'll need to focus on the daemon(s) that allow file uploads, but that's something you can worry about when the time comes.

--Danny
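
The listener and login-shell checks from the reply above, as an added example that is not part of the original thread. It reads numeric `netstat -lntp` output rather than `netstat -lp`; the function names, the `TRUSTED_ADMINS` list, the `/sbin/nologin` entry and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check a host against the points in the reply above.
ALLOWED_PORTS="25 80 443"   # ports the reply leaves open
TRUSTED_ADMINS="root"       # assumption: accounts that may keep a login shell

# stdin: `netstat -lntp` output. Prints "address:port pid/program" for every
# TCP listener on a port outside ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # keep text after the last colon
            if (!(port in ok)) print $4, $7
        }'
}

# stdin: passwd(5) lines. Prints "user shell" for accounts that can log in
# and are not listed in TRUSTED_ADMINS.
interactive_accounts() {
    awk -F: -v admins="$TRUSTED_ADMINS" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) trusted[a[i]] = 1 }
        $7 != "/bin/false" && $7 != "/bin/true" && $7 != "/sbin/nologin" &&
            !($1 in trusted) { print $1, $7 }'
}

# Constructed sample input, so the script runs without touching the host.
sample_netstat() { cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:25        0.0.0.0:*         LISTEN   1201/master
tcp        0      0 0.0.0.0:111       0.0.0.0:*         LISTEN   612/portmap
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN   1350/httpd2
tcp        0      0 :::22             :::*              LISTEN   987/sshd
EOF
}
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/false
EOF
}

echo "Unexpected listeners:";        sample_netstat | unexpected_listeners
echo "Accounts with a login shell:"; sample_passwd  | interactive_accounts
# On a real host, as root:  netstat -lntp | unexpected_listeners
#                           interactive_accounts < /etc/passwd
```

A listener reported here is a candidate for disabling at boot or for an explicit entry in `ALLOWED_PORTS`, for example the SSH port if remote administration is intended.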
participants (2): Danny Sauer, Rob Brandt