Welcome to our website
To take full advantage of all features you need to login or register. Registration is completely free and takes only a few seconds.
How can I secure my Mandrake Linux based webserver?
Posted by: Philipp Esselbach on: 01/01/2004 06:00 PM [ Print | 0 comment(s) ]
Mandrake Linux comes with Bastille Linux, a powerful solution to securing your Mandrake Linux based server.
Open a terminal window and start the Bastille Linux setup wizard:
su -
interactivebastille
Now you need to answer a few questions to configure Bastille for a webserver:
Would you like to set more restrictive permissions on the administration utilities? <b>Yes</b>
Would you like to disable SUID status for mount/umount? <b>Yes</b>
Would you like to disable SUID status for ping? <b>Yes</b>
Would you like to disable SUID status for at? <b>Yes</b>
Would you like to disable SUID status for the r-tools? <b>Yes</b>
Would you like to disable SUID status for usernetctl? <b>Yes</b>
Would you like to disable SUID status for traceroute? <b>Yes</b>
Would you like to prohibit the clear-text r-protocols which trust IP addresses for authentication? <b>Yes</b>
Would you like to enforce password aging? <b>No</b>
Would you like to restrict the use of cron to administrative accounts? <b>No</b>
Should we disallow root login on tty\\\'s 1-6? <b>Yes</b>
Would you like to password-protect the LILO prompt? <b>No</b>
Would you like to reduce the LILO delay time to zero? <b>No</b>
Do you ever boot Linux from the hard drive? <b>Yes</b>
Would you like to write the LILO changes to a boot floppy? <b>No</b>
Would you like to disable CTRL-ALT-DELETE rebooting? <b>Yes</b>
Would you like to password protect single-user mode? <b>No</b>
Would you like to set a default-deny on TCP Wrappers and xinetd? <b>No</b>
Should Bastille ensure that Telnet service does <b>No</b>t run on this system? <b>Yes</b>
Should Bastille ensure the FTP service does <b>No</b>t run on this system? <b>No</b>
Would you like to display \\"Authorized Use\\" messages at log-in time? <b>No</b>
Would you like to disable the gcc compiler? <b>No</b>
Would you like to put limits on system resource usage? <b>No</b>
Should we restrict console access to a small group of user accounts? <b>No</b>
Would you like to add additional logging? <b>Yes</b>
Do you have a remote logging host? <b>No</b>
Would you like to disable apmd? <b>Yes</b>
Would you like to disable GPM? <b>Yes</b>
Would you like to deactivate the routing daemons? <b>Yes</b>
Do you want to stop sendmail from running in daemon mode? <b>No</b>
Would you like to disable the VRFY and EXPN sendmail commands? <b>Yes</b>
Would you like to chroot named and set it to run as a <b>No</b>n-root user? <b>No</b>
Would you like to deactivate named, at least for <b>No</b>w? <b>No</b>
Would you like to deactivate the Apache web server? <b>No</b>
Would you like to bind the web server to listen only to the localhost? <b>No</b>
Would you like to bind the web server to a particular interface? <b>No</b>
Would you like to deactivate the following of symbolic links? <b>No</b>
Would you like to deactivate server-side includes? <b>No</b>
Would you like to disable CGI scripts, at least for <b>No</b>w? <b>No</b>
Would you like to disable indexes? <b>No</b>
Would you like to disable printing? <b>Yes</b>
Would you like to install TMPDIR/TMP scripts? <b>No</b>
Would you like to run the packet filtering script? <b>Yes</b>
Do you need the advanced networking options? <b>No</b>
DNS Servers <b>0.0.0.0/0</b>
Public interfaces <b>eth+ ppp+ slip+</b>
TCP services to audit <b>telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh</b>
UDP services to audit <b>31337</b>
ICMP services to audit
TCP service names or port numbers to allow on public interfaces <b>20 21 22 25 53 80 110 443 10000</b>
UDP service names or port numbers to allow on public interfaces </b>53</b>
Force passive mode? <b>No</b>
TCP services to block 2049 2065:2090 6000:6020 7100
UDP services to block 2049 6770
ICMP allowed types: <b>destination-unreachable echo-reply time-exceeded</b>
Enable source address verification? <b>Yes</b>
Reject method DENY
Interfaces for DHCP queries
NTP servers to query
ICMP types to disallow outbound destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? <b>Yes</b>
Would you like to setup PSAD? <b>Yes</b>
psad check interval: 15
Port range scan threshold 1
Enable scan persistence? <b>Yes</b>
Show all scan signatures? <b>Yes</b>
Danger Levels 5 50 1000 5000 10000
Enable email alerts? <b>Yes</b>
Email addresses you@yourdomain.com
Email alert danger level: 1
Alert on all new packets? <b>Yes</b>
Enable automatic blocking of scanning IPs? <b>Yes</b>
Auto blocking danger level: 5
Should Bastille enable psad at boot time? <b>Yes</b>
Do you want to implement the choices <b>No</b>
Do you want to implement the choices now or continue making choices? <b>Yes</b>
Bastille is now ready to use.
Open a terminal window and start the Bastille Linux setup wizard:
su -
interactivebastille
Now you need to answer a few questions to configure Bastille for a webserver:
Would you like to set more restrictive permissions on the administration utilities? <b>Yes</b>
Would you like to disable SUID status for mount/umount? <b>Yes</b>
Would you like to disable SUID status for ping? <b>Yes</b>
Would you like to disable SUID status for at? <b>Yes</b>
Would you like to disable SUID status for the r-tools? <b>Yes</b>
Would you like to disable SUID status for usernetctl? <b>Yes</b>
Would you like to disable SUID status for traceroute? <b>Yes</b>
Would you like to prohibit the clear-text r-protocols which trust IP addresses for authentication? <b>Yes</b>
Would you like to enforce password aging? <b>No</b>
Would you like to restrict the use of cron to administrative accounts? <b>No</b>
Should we disallow root login on tty\\\'s 1-6? <b>Yes</b>
Would you like to password-protect the LILO prompt? <b>No</b>
Would you like to reduce the LILO delay time to zero? <b>No</b>
Do you ever boot Linux from the hard drive? <b>Yes</b>
Would you like to write the LILO changes to a boot floppy? <b>No</b>
Would you like to disable CTRL-ALT-DELETE rebooting? <b>Yes</b>
Would you like to password protect single-user mode? <b>No</b>
Would you like to set a default-deny on TCP Wrappers and xinetd? <b>No</b>
Should Bastille ensure that Telnet service does <b>No</b>t run on this system? <b>Yes</b>
Should Bastille ensure the FTP service does <b>No</b>t run on this system? <b>No</b>
Would you like to display \\"Authorized Use\\" messages at log-in time? <b>No</b>
Would you like to disable the gcc compiler? <b>No</b>
Would you like to put limits on system resource usage? <b>No</b>
Should we restrict console access to a small group of user accounts? <b>No</b>
Would you like to add additional logging? <b>Yes</b>
Do you have a remote logging host? <b>No</b>
Would you like to disable apmd? <b>Yes</b>
Would you like to disable GPM? <b>Yes</b>
Would you like to deactivate the routing daemons? <b>Yes</b>
Do you want to stop sendmail from running in daemon mode? <b>No</b>
Would you like to disable the VRFY and EXPN sendmail commands? <b>Yes</b>
Would you like to chroot named and set it to run as a <b>No</b>n-root user? <b>No</b>
Would you like to deactivate named, at least for <b>No</b>w? <b>No</b>
Would you like to deactivate the Apache web server? <b>No</b>
Would you like to bind the web server to listen only to the localhost? <b>No</b>
Would you like to bind the web server to a particular interface? <b>No</b>
Would you like to deactivate the following of symbolic links? <b>No</b>
Would you like to deactivate server-side includes? <b>No</b>
Would you like to disable CGI scripts, at least for <b>No</b>w? <b>No</b>
Would you like to disable indexes? <b>No</b>
Would you like to disable printing? <b>Yes</b>
Would you like to install TMPDIR/TMP scripts? <b>No</b>
Would you like to run the packet filtering script? <b>Yes</b>
Do you need the advanced networking options? <b>No</b>
DNS Servers <b>0.0.0.0/0</b>
Public interfaces <b>eth+ ppp+ slip+</b>
TCP services to audit <b>telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh</b>
UDP services to audit <b>31337</b>
ICMP services to audit
TCP service names or port numbers to allow on public interfaces <b>20 21 22 25 53 80 110 443 10000</b>
UDP service names or port numbers to allow on public interfaces </b>53</b>
Force passive mode? <b>No</b>
TCP services to block 2049 2065:2090 6000:6020 7100
UDP services to block 2049 6770
ICMP allowed types: <b>destination-unreachable echo-reply time-exceeded</b>
Enable source address verification? <b>Yes</b>
Reject method DENY
Interfaces for DHCP queries
NTP servers to query
ICMP types to disallow outbound destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? <b>Yes</b>
Would you like to setup PSAD? <b>Yes</b>
psad check interval: 15
Port range scan threshold 1
Enable scan persistence? <b>Yes</b>
Show all scan signatures? <b>Yes</b>
Danger Levels 5 50 1000 5000 10000
Enable email alerts? <b>Yes</b>
Email addresses you@yourdomain.com
Email alert danger level: 1
Alert on all new packets? <b>Yes</b>
Enable automatic blocking of scanning IPs? <b>Yes</b>
Auto blocking danger level: 5
Should Bastille enable psad at boot time? <b>Yes</b>
Do you want to implement the choices <b>No</b>
Do you want to implement the choices now or continue making choices? <b>Yes</b>
Bastille is now ready to use.
