TCLUG Archive
Re: [TCLUG:11577] Security Concerns:
On Tue, 28 Dec 1999, Jonathan Kline wrote:
> In about a week I'll be building an extremely secure system.
In about two weeks you'll be rebuilding your secure system. ;) That's how
it is.
> For a base OS it will Run Mandrake 6.5, With A Bare Install.
OpenBSD is a shoo-in for this, more so than a Linux distribution.
> The Main Services which are to run on it will Be Compiled by me. I plan
> to Install Apache 1.3.9, PHP 4, and The Latest version of Qmail.
Compare Qmail with Postfix. Both are good; don't choose one before you've
tried both.
> TCPWrappers and an IPChains firewall will protect the whole thing.
Conventional wisdom is that the firewall should be a separate system, and
I agree. The crackable services (ssh, Apache and Qmail) will be open
anyway.
> I plan to make an admin group which owns the files such as su, startx, X,
> and mc.
Why have X on a secure system at all?
> For Hard Drive Partitions I am
> Planning:
> /tmp :: 45MB, nosetuid
> /var/log :: 50MB,
> /var/qmail :: 200MB, Qmail Home Dir
Does Qmail need a homedir that large? Why are you putting it on its own
partition at all?
> /var/spool :: 136MB, Spool Files
Bigger.
> /usr/local/apache :: 1GB, Apache Home and HTDOCS Root
Don't put Apache's files where regular users can get to them.
> /usr/local/software :: 200MB, nosetuid
See below.
> /home :: 136MB, nosetuid
Bigger.
> / :: 1GB
Way too big. This could be 50MB and be about right.
> swap = A Total of 128MB, in 2 Partitions.
More.
What I would do is to mount the partition(s) containing / and /usr/
read-only.
Install Tripwire.
What is your plan for cracking into the box?
-- Chris
Christopher Reid Palmer : www.innerfireworks.com
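
The mount-option advice in this thread (read-only / and /usr, plus the no-setuid partitions in the quoted plan) can be checked mechanically against an fstab. The script below is an added example, not part of the original post; the policy list, the function names and the sample fstab are constructed for illustration, and it assumes Linux fstab syntax, where the no-setuid option is spelled nosuid.

```shell
#!/bin/sh
# Added example: audit an fstab-format file against the thread's mount advice.
# Policy (constructed from the thread): / and /usr read-only; /tmp, /home and
# /usr/local/software mounted nosuid.
POLICY="/:ro /usr:ro /tmp:nosuid /home:nosuid /usr/local/software:nosuid"

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab FILE: print one line per violation; return 1 if any were found.
audit_fstab() {
    fstab=$1
    rc=0
    for rule in $POLICY; do
        mp=${rule%%:*}
        want=${rule##*:}
        # Field 2 is the mount point, field 4 the options; skip comment lines.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp has no fstab entry"
            rc=1
        elif ! has_opt "$opts" "$want"; then
            echo "$mp missing $want"
            rc=1
        fi
    done
    return $rc
}

# write_sample FILE: constructed sample fstab (device names are made up).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from the thread
/dev/hda1  /                    ext2  defaults      1 1
/dev/hda5  /usr                 ext2  ro            1 2
/dev/hda6  /tmp                 ext2  nosuid,nodev  1 2
/dev/hda7  /home                ext2  defaults      1 2
/dev/hda8  /usr/local/software  ext2  rw,nosuid     1 2
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_fstab "$tmp" || echo "fstab does not meet the policy"
rm -f "$tmp"
```

Point audit_fstab at /etc/fstab to check a live system; it only reads the file and does not inspect what is currently mounted.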