Find the answer to your Linux question:
Results 1 to 7 of 7
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    Setting up my first linux server, tips and security requirements?

    Hello everyone,

    So the price and superior hardware options of cloud hosting have reeled me in i think. As most these options are un-managed, i thought i would come her to get some advice oh how to get this done right.

    So im going to be running centos 6.3 64 bit, with webmin. I am using clipbucket CMS. I have a article on how to setup the server initially and install the required programs like ffmpeg, phpmyadmin, etc etc.

    After that I was wondering what i should install to be secure and make sure everything runs smooth. I can install anything i want.

    I dont have much experience with linux but so what should i install for a firewall and AV?

    i heard about mod security, clam av, ip tables? do some of those overlap?

    what advice would you give to a noob running his first server? i want to make sure it is secure and minimize the chance of something going wrong, if it does i want to be notified so i can fix it, maybe a monitoring service like rackspace cloud monitoring?

    any advice?

  2. #2
    hello and welcome, deafBoyzAudio!

    i heard about mod security, clam av, ip tables? do some of those overlap?
    If you mean the mod_security module for Apache, then it is not related to virus scanning (clam av) or iptables (firewall). it should come with the Apache packaged for your distro. Anti-virus is never a bad idea, but it wold be last on my list of things to do. first off is the firewall (iptables). be sure to get that going first.

    also, disable Root logins in your SSH server config file.

    if you want to be hard-core, you can enable SELinux (if your distro supports it - e.g., RHEL/CentOS/Fedora).

    If you want to stop script kiddies and hackers from trying to break in, check out DenyHosts (possibly also packaged for your distro).

    For general system monitoring, i would l recommend Xymon. It is simple, but effective. There is also Nagios, amongst others.

  3. #3
    ok thanks a lot. so got ip tables setup, is there anything else i should look at for a firewall?

    Ill implement the deny hosts and xymon, is there anything else i should do to make sure everything is good?

    So should i use clam av? is it just for email or everything?

  4. $spacer_open
  5. #4
    Just Joined!
    Join Date
    Feb 2013
    don't start sshd on port 22

  6. #5
    Quote Originally Posted by Rumata View Post
    don't start sshd on port 22
    Ok yea I heard that, what port would be better? Or should I ask what port range is acceptable?

  7. #6
    Quote Originally Posted by deafBoyzAudio View Post
    Ok yea I heard that, what port would be better? Or should I ask what port range is acceptable?
    The thing about 'not port 22' is that it is a bit 'security through obscurity', so if, for example, some other numbered port became popular, that would be pointless as the attacks would just transfer to that port (or would try both port numbers).

    I'm not a great enthusiast for this as the only extra security measure; if someone can port scan you, then it adds about 30 seconds worth of protection, and that isn't much. What actually happens is it filters out a lot of dumb scripted attacks, and so just leaves the competent ones. Probably not the bargain that it initially seems...although it does give you cleaner log files (but cleaner log files is not equal to security).

    The options are summarised at samhain on the brutessh page (sorry; not allowed to post links here - you'll have to use a search engine).

    If it was me, I'd choose two things that were likely to work, in a 'belt and braces' kind of approach (but then, I'm a kind of 'belt and braces' kind of person). So, if you move the port, combined with fail2ban/denyhosts, etc, etc that should be good. (Or go passwordless - passwordless is good, too.)

    Obviously, then you don't allow root logins (you can maybe restrict thing even further to only allowing login on a few nominated accounts), have strong passwords, don't allow version 1 of the protocol (that should be the default for any sane install anyway) and you are set.

    with webmin. I am using clipbucket CMS...
    Never heard of clipbucket, but do check about past security incidents, how soon patches get out and what you have to do to be informed ASAP about patches (is there a security mailing list? or are there just general updates?). Keep it up to date. If this means that you have to run a spare machine with a test install that you can use to try stuff out when new versions become available, then it means that you have to use a spare machine with a test install.

    webmin, and all of the various consoles continue to be popular in spite of issues on the security front; again, keep the thing up to date.

    While, by default, Centos ought to be pretty decent, there is no harm in running a 'hardening script' such as Bastille.

  8. #7
    clipbucket is basically a you tube clone, they come out with updates etc and its currently supported by a team of devs and of course a open source community.

    ok lots of good stuff, i am able to block ssh access to only my ip addy, for now. Ill spend some time researching what you guys suggested and go from there. thanks a lot, wouldnt of known where to look without it!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts