| 1 |
On Thu, 2004-06-03 at 18:25 +0300, Andrei Maxim wrote: |
| 2 |
> Hi, |
| 3 |
|
| 4 |
Hi! |
| 5 |
|
| 6 |
> In the last 3 weeks I have discovered a lot about Gentoo and its ease of |
| 7 |
> use made me try using my Gentoo Linux box as a web server. |
| 8 |
> After this first successful experience, I have configured Postfix and |
| 9 |
> Squirrelmail and even made some accounts for my friends. |
| 10 |
> |
| 11 |
> Right now my #1 concern is related to the security of my computer: it |
| 12 |
> has a static IP address and it gets scanned a couple of hundred times |
| 13 |
> per day (and I'm not kidding!). Having a mail server at hand might be |
| 14 |
> just asking for trouble and I really don't want to spread spam without |
| 15 |
> knowing. |
| 16 |
|
| 17 |
Two major items: |
| 18 |
First, make sure all hosts that are exposed to the network are properly |
| 19 |
firewalled. You might have a router with a built in firewall, I'd |
| 20 |
research iptables and run it on the server anyway (call me paranoid). |
| 21 |
Second, if you run an open relay on your mail server, we will break your |
| 22 |
legs. Make sure you arent by limiting connections to the mail server |
| 23 |
either to local subnets only, or setting up authentication to use the |
| 24 |
server (preferably with SSL). Lots of howtos on the web for both |
| 25 |
iptables and SMTP auth/SSl with Postfix. |
| 26 |
|
| 27 |
> I have a really small network of 3 computers (two of them being laptops) |
| 28 |
> and the so-called server is also my personal computer which I use on a |
| 29 |
> daily basis. |
| 30 |
> I was wandering if I should switch to Hardened Gentoo on my server (and |
| 31 |
> I am already planning to switch the laptops from Debian to Gentoo) as I |
| 32 |
> know it will make things more secure, but also it might be quite an |
| 33 |
> overkill for such a small network. |
| 34 |
|
| 35 |
At the moment we choose not to support Hardened Gentoo on "desktop" |
| 36 |
machines, which is essentially what we are talking about here. Alot of |
| 37 |
desktop apps, Xfree, mplayer, xine, all misbehave. They have a bad |
| 38 |
security track record, and really dont get along with our toolchain |
| 39 |
modifications either. If at all possible, I'd recommend getting yourself |
| 40 |
a cheap dedicated server to play with, and run only server-type apps. |
| 41 |
This also limits the number of exploitable apps on a single box. |
| 42 |
|
| 43 |
> Switching to Hardened Gentoo might mean that I will lose a rather big |
| 44 |
> amount of time to reconfigure everything on my computer, so I really |
| 45 |
> don't want to switch unless it's absolutely necessary. |
| 46 |
|
| 47 |
Nothing here is necessary, we just deliver the best security and |
| 48 |
hardening options we can find. |
| 49 |
|
| 50 |
> I want to run (as a server) Apache, Postfix/Qmail, mailman (or ezmlm?), |
| 51 |
> Squirrelmail and SSH. |
| 52 |
|
| 53 |
Fair enough. |
| 54 |
|
| 55 |
> Thanks, |
| 56 |
> Andrei |
| 57 |
> |
| 58 |
> -- |
| 59 |
> gentoo-hardened@g.o mailing list |
| 60 |
|
| 61 |
|
| 62 |
-- |
| 63 |
gentoo-hardened@g.o mailing list |
Archives