On Thu, 2004-06-03 at 18:25 +0300, Andrei Maxim wrote:
> Hi,

Hi!

> In the last 3 weeks I have discovered a lot about Gentoo and its ease of
> use made me try using my Gentoo Linux box as a web server.
> After this first successful experience, I have configured Postfix and
> Squirrelmail and even made some accounts for my friends.
>
> Right now my #1 concern is related to the security of my computer: it
> has a static IP address and it gets scanned a couple of hundred times
> per day (and I'm not kidding!). Having a mail server at hand might be
> just asking for trouble and I really don't want to spread spam without
> knowing.

Two major items:
First, make sure all hosts that are exposed to the network are properly
firewalled. You might have a router with a built-in firewall, I'd
research iptables and run it on the server anyway (call me paranoid).
Second, if you run an open relay on your mail server, we will break your
legs. Make sure you aren't by limiting connections to the mail server
either to local subnets only, or setting up authentication to use the
server (preferably with SSL). Lots of howtos on the web for both
iptables and SMTP auth/SSL with Postfix.

> I have a really small network of 3 computers (two of them being laptops)
> and the so-called server is also my personal computer which I use on a
> daily basis.
> I was wondering if I should switch to Hardened Gentoo on my server (and
> I am already planning to switch the laptops from Debian to Gentoo) as I
> know it will make things more secure, but also it might be quite an
> overkill for such a small network.

At the moment we choose not to support Hardened Gentoo on "desktop"
machines, which is essentially what we are talking about here. A lot of
desktop apps, Xfree, mplayer, xine, all misbehave. They have a bad
security track record, and really don't get along with our toolchain
modifications either. If at all possible, I'd recommend getting yourself
a cheap dedicated server to play with, and run only server-type apps.
This also limits the number of exploitable apps on a single box.

> Switching to Hardened Gentoo might mean that I will lose a rather big
> amount of time to reconfigure everything on my computer, so I really
> don't want to switch unless it's absolutely necessary.

Nothing here is necessary, we just deliver the best security and
hardening options we can find.

> I want to run (as a server) Apache, Postfix/Qmail, mailman (or ezmlm?),
> Squirrelmail and SSH.

Fair enough.

> Thanks,
> Andrei
>
> --
> gentoo-hardened@g.o mailing list


--
gentoo-hardened@g.o mailing list
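
The open-relay advice in the reply above, as an added example that is not part of the original thread: a small Python check over `postconf -n` style output that flags the settings which would let outsiders relay. It assumes relay control lives in `smtpd_recipient_restrictions` (as on Postfix releases before 2.10; later releases also evaluate `smtpd_relay_restrictions`); the sample configurations and function names are constructed for illustration.

```python
import ipaddress

# Constructed `postconf -n` style samples (not taken from the thread).
WEAK = """mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""
HARDENED = """mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
# Loopback and RFC 1918 space: the "local subnets only" case from the reply.
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
STOPS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

def parse_postconf(text):  # 'name = value' lines -> dict, comments skipped
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf

def relay_findings(text):
    """Return the settings that would let strangers relay through the server."""
    conf, findings = parse_postconf(text), []
    for net in conf.get("mynetworks", "").replace(",", " ").split():
        try:
            parsed = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # table lookups such as hash:/path are not evaluated here
        if not any(parsed.version == t.version and parsed.subnet_of(t) for t in LOCAL):
            findings.append(f"mynetworks trusts non-local range {net}")
    # First match wins, so a bare "permit" ahead of the relay reject opens the relay.
    rules = conf.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    for rule in rules:
        if rule in STOPS:
            break
        if rule == "permit":
            findings.append("bare 'permit' before reject_unauth_destination")
            break
    # SMTP AUTH without mandatory TLS sends passwords over the wire in clear.
    if "permit_sasl_authenticated" in rules and conf.get("smtpd_tls_auth_only") != "yes":
        findings.append("SASL auth allowed without smtpd_tls_auth_only = yes")
    return findings

if __name__ == "__main__":
    print(relay_findings(WEAK), relay_findings(HARDENED))
```

On a live host the input would be the output of `postconf -n`; an empty list means none of these three conditions was found, not that the server has been tested from outside.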