I want to run my own root server (directly accessible from the web without a hardware firewall) with debian lenny, apache2, php5, mysql, postfix MTA, sftp (based on ssh) and maybe dns server.
What measures/software would you recommend, and why, to secure this server down and minimize the attack vector? Web applications aside ...
This is what I have so far:
- iptables (for gen. packet filtering)
- fail2ban (brute force attack defense)
- ssh (change default port, disable root access)
- modsecurity - is really clumsy and a pain (any alternative here?)
- sudo? Why should I use it? What is the advantage over normal user handling?
- thinking about greensql for mysql www.greensql.net
- is tripwire worth looking at?
- snort?
What am I missing? What is hot and what is not? Best practices?
I like "KISS" -> Keep it simple, secure. I know it would be nice!
Thanks in advance ...
For ssh, you can use both password and keys, but for root it is a good idea to only permit root login using key-based auth, which is handy (I like ssh root@host).
Do a port scan and leave open only what is needed. If you have IPv6, do not forget to check that as well. With http://www.ipv6scanner.com/ you can check the IPv4 and IPv6 ports simultaneously.
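As an added example (not part of the answer above, and not from any project), this POSIX sh script audits an sshd_config for the two settings just recommended: root restricted to key-based auth (PermitRootLogin without-password, the lenny-era OpenSSH spelling) and password logins switched off. It reads the first non-comment match per keyword the way sshd does and falls back to the OpenSSH defaults when a keyword is absent. The file path argument and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only root login and no password auth.
# Usage: ./audit-sshd.sh /etc/ssh/sshd_config   (path is an assumption)

# Effective value of a keyword: sshd takes the first non-comment match and
# keywords are case-insensitive. Prints nothing if the keyword is absent.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per check; exit status 0 only when every check passes.
# Missing keywords get the OpenSSH defaults (all "yes", port 22).
audit_sshd() {
    cfg=$1
    rc=0
    port=$(sshd_opt "$cfg" Port);                   [ -n "$port" ]   || port=22
    root=$(sshd_opt "$cfg" PermitRootLogin);        [ -n "$root" ]   || root=yes
    pass=$(sshd_opt "$cfg" PasswordAuthentication); [ -n "$pass" ]   || pass=yes
    pubkey=$(sshd_opt "$cfg" PubkeyAuthentication); [ -n "$pubkey" ] || pubkey=yes

    # root: either disabled outright or restricted to key-based auth
    case $root in
        no|without-password) echo "OK   PermitRootLogin $root" ;;
        *) echo "WEAK PermitRootLogin $root (use no or without-password)"; rc=1 ;;
    esac
    # no password logins at all; keys must stay enabled
    if [ "$pass" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WEAK PasswordAuthentication $pass (set no, use keys)"; rc=1; fi
    if [ "$pubkey" = yes ]; then echo "OK   PubkeyAuthentication yes"
    else echo "WEAK PubkeyAuthentication $pubkey"; rc=1; fi
    # a non-default port only cuts scanner noise: report it, do not fail on it
    if [ "$port" = 22 ]; then echo "NOTE Port 22 (default; changing it reduces log noise only)"
    else echo "OK   Port $port"; fi
    return $rc
}

# Constructed sample: a stock-looking config that still allows password root logins
# (PermitRootLogin is commented out, so the default "yes" applies).
weak_sample() {
    cat <<'EOF'
# sshd_config (constructed sample)
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
}

# Constructed sample: the hardened version the answer recommends.
hardened_sample() {
    cat <<'EOF'
Port 2222
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

if [ $# -gt 0 ]; then
    audit_sshd "$1"
fi
```

Run it against the live file after every change and before restarting sshd; keep an existing session open while you test the new login path so a typo cannot lock you out.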
By default:
- SSH - SSH keys only, root login allowed.
- IPTables - deny all by default. Only 80/443 is opened to the public.
- fail2ban - disabled. Too much overhead on busy web servers.
- modsecurity - pain in the ass. Don't use.
I also have a VPN setup w/IPSec to allow me to access the servers when I am not in the office. Any/All computers I use which have any SSH keys are encrypted. You could steal my computer and not get any of the information needed to get access to any of the servers or my VPN. I am the only one with the root key. Others may have sudo access to specific commands. Anyone with any SSH Key is required to encrypt their OS/Data.
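As an added example (not the answerer's own ruleset, and not from any project), this POSIX sh function emits the deny-all policy described above in iptables-restore format, so the rules can be reviewed as a file before they are loaded: default DROP on INPUT, loopback and established traffic allowed, 80/443 open to everyone, and SSH reachable only from a management network such as the VPN. The SSH port, the management network (192.0.2.0/24, the TEST-NET-1 documentation range) and the output path are placeholders chosen here.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset for a single web host.
# gen_ruleset SSH_PORT MGMT_NET "PUBLIC_TCP_PORTS..."  (all values are placeholders)
gen_ruleset() {
    ssh_port=$1
    mgmt_net=$2
    public_ports=$3

    echo '*filter'
    # policy: drop everything inbound unless a rule below accepts it
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # loopback, and replies to connections the server itself opened
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # keep the host pingable for diagnosis, rate-limited
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # public services, one rule per port
    for p in $public_ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # SSH only from the management network (VPN/office), never from the world
    echo "-A INPUT -p tcp -s $mgmt_net --dport $ssh_port -m state --state NEW -j ACCEPT"
    # log what the DROP policy discards, rate-limited so an attacker cannot flood the log
    echo '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4'
    echo 'COMMIT'
}

# Number of rules that open a TCP port to everyone (no -s source restriction);
# useful as a sanity check that nothing beyond the intended ports is exposed.
count_public_tcp() {
    gen_ruleset "$@" | grep -- '--dport' | grep -v -- '-s ' | wc -l | tr -d ' '
}

# Usage (paths are placeholders):
#   gen_ruleset 2222 192.0.2.0/24 "80 443" > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Load the file from a console or a session that survives a mistake, and give IPv6 its own ip6tables file of the same shape: the `-p icmp` line does not carry over, because ICMPv6 (neighbor discovery in particular) must be allowed or the host loses IPv6 connectivity entirely.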