Linux Server Security

In light of another thread, I would like to discuss necessary security measures one should implement on any given Linux server. For the sake of argument, let's say we have several servers running a website, an sql database, a file server, and an email server.

I'm in the process of setting up my very first file server on a VLAN. It happens to be an Ubuntu 12.04 server, but I will also be installing a Centos server in the future. I will eventually set up an email, web, and sql server as well. Utlimately they will face the internet. But I want to learn the basics before I unleash them upon the world.

I'm interested in your personal opinions, links to articles, tutorials, horror stories. Pretty much anything because it's all brand new to me.

Thanks!

[Hungry Man]

Remove the UI =p

[Kyle1420]

Quote:

Originally Posted by Hungry Man

Remove the UI =p

What would that achieve?...

[Hungry Man]

Reduce attack surface a ton and avoid keylogging through X.

[Mrkvonic]

Brandi, do you plan on running all of the services on a single box?
Mrk

[Gentoo64]

Quote:

Originally Posted by Hungry Man

Reduce attack surface a ton and avoid keylogging through X.

I doubt it would reduce the attack surface by much, most people just don't have a UI on a server because it's not needed. Waste of resources.

[Hungry Man]

Do "sudo apt-get remove unity" (or whatever your DM is) and see how many dependencies it tries to remove.

[Gentoo64]

Of course, removing anything unneeded will improve the potential security. Didn't think Ubuntu Server came with a UI anyway?

[Hungry Man]

I don't think so but I believe brandi is running with a UI.

[NGRhodes]

I assume you mean GUI and not UI or else that include command line as well...

[Hungry Man]

I suppose.

OK that was just amusing.

I'm running an Ubuntu server without a GUI in fact. It does have a command line. It is not headless if that's what you meant Hungry Man.

Mr.Kvonic, your question is one of the things I was driving at. I presume that one would not want to run all the services on one machine, but I don't know if it's best practice to dedicate one machine per service or keep some of them on one device (or for that matter how I would decide one way or the other). Advice/links/tutorials in this regard would be appreciated.

[Mrkvonic]

Well, if you can, you might want to separate those.
It's easier for management, and more beneficial for security.
You will have more fine-grained control of what goes on your boxes.
Mrk

[mack_guy911]

sorry to ask but what wrong with these

Zentyal or clearOS

http://www.wilderssecurity.com/showthread.php?t=324873

[EncryptedBytes]

Here is a pretty good guide for RedHat 5, you can amend it to Ubuntu, some of the fields are outdated, though the principles addressed are still very relevant and can help you harden your linux server.

Quote:

Originally Posted by EncryptedBytes

Here is a pretty good guide for RedHat 5, you can amend it to Ubuntu, some of the fields are outdated, though the principles addressed are still very relevant and can help you harden your linux server.

That's exactly what I was looking for. Thanks!

@mack_guy911: I want to learn what needs to be configured and how to configure a server with security in mind. There are some other out-of-the-box secure servers out there that you may be interested in, I'll post those in the other thread.