How do you harden a Linux system?

Especially the web server, the mail server, and the DNS server?

3 Responses to How do you harden a Linux system?

  1. Journeying through Yahoo!

    FireStarter for the Firewall

    ClamAV for the Anti-virus

    Both are available in Feisty Fawn (Kubuntu 7.04).

    Works for me... on Ubuntu Server...

    Kubuntu 7.04 and Ubuntu flavors...


  2. 1) Install only the necessary services and the minimal packages needed to run the services in question (that means no X server or GUI programs). If you want to design using the GUI, do it offline on a different system, then move the configuration files to the production system when you are certain it works.
    2) Keep current on your patches (obviously).
    3) Use SSH and SCP when logging in and copying files, respectively.
    4) Run local firewalls on each system that further restrict access to the necessary services (80, 443, 25, 53, etc.). Your firewall needs to be configured to prevent spoofed IP addresses, allow only packets sent to the specific IP address of the system, listen only on the necessary services, not respond (positively or negatively) on other ports, and not allow anything to leave the server except what is necessary to function (respond to a DNS query, send email to the internal mail server, etc.).
    5) Separate your DNS into internal and external systems. Internal DNS should be served by either a Windows DC for AD or a separate Linux DNS server. External DNS servers only serve to allow your presence on the Internet (DNS, SOA, web server, MX servers, etc.). Optionally, the external DNS may recursively look up Internet addresses, but restrict this to your IP addresses only (allow-recursion {; }; yada, yada).
    6) Keep a good backup of them in case you need to restore them. After all, they’re more expendable than your internal servers
    7) Create a properly designed DMZ and don’t run any of the mentioned servers inside your protected network. All of them go in the DMZ.
    8) Don’t allow internal users to connect directly to the DMZ servers or to trust them. Your potential exception is permitting a system to connect to them via ssh…
    9) Want to get crazy? Build your server and make it a live CD so nothing on the system can be modified or remains permanent. This obviously makes updates harder, as you’ll have to burn a new CD on each update.
    10) Don’t install any compilers or development tools (Kinda goes hand in hand with 1).

    I suggest either reading “Designing and Building Enterprise DMZs” or using it as a reference. Linked below.
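As an added illustration of points 4 and 5 above (not part of the answer or of any project's own configuration), here is a BIND 9 named.conf.options fragment for the external DNS server: first the weak setting that turns it into an open resolver, then the corrected one that answers authoritative queries from anyone but recurses only for the organisation's own addresses. The address ranges 192.0.2.0/24, 203.0.113.0/24 and 192.0.2.53, the zone name example.com and the file paths are assumed placeholders.

```conf
// ---- WEAK (before): authoritative server that is also an open resolver ----
// Anyone on the Internet can use it for recursion, which exposes it to
// cache abuse and reflection/amplification traffic.
options {
    directory "/var/cache/bind";
    recursion yes;                       // recursion enabled for everybody
    allow-query { any; };
    allow-recursion { any; };            // open resolver
};

// ---- HARDENED (after): same file, corrected ----
// Authoritative answers for the public zones stay public, recursion is
// limited to "your IP addresses" as item 5 describes.
// 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges,
// assumed here as placeholders for the organisation's real ranges.
acl "ours" {
    192.0.2.0/24;        // placeholder: public range of the DMZ
    203.0.113.0/24;      // placeholder: NAT address(es) of internal users
    localhost;
};

options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.53; };           // placeholder: bind only to the service address (item 4)
    listen-on-v6 { none; };              // no IPv6 listener unless it is actually served
    recursion yes;
    allow-recursion { ours; };           // optional recursion, restricted to "ours" (item 5)
    allow-query-cache { ours; };         // cached answers are not handed to outsiders
    allow-query { any; };                // authoritative data is public by design
    allow-transfer { none; };            // no zone transfers until a secondary is listed
    version "not disclosed";             // do not advertise the BIND version
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";     // placeholder zone file path
};
```

After editing, `named-checkconf` validates the syntax, and a recursive query for an outside name from an address not in "ours" should come back REFUSED while a query for example.com still answers.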



  3. Firstly, disable any services you don’t need, such as FTPD, etc.

    Then, just make sure you have all the necessary patches and security fixes for the web and mail servers, etc.

    Of course, you need to check your web server config, etc, to see if it allows users to get to files/directories they shouldn’t, etc.

    I’d also run something like GRC’s ShieldsUP to see what ports are open on the Internet, and make sure only those you want are visible – the rest should be “stealthed”.
