What are the security ramifications that one should be aware of when considering using WebDAV? How does one go about securing it? What else should I know about it?
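One concrete way to check the three things that matter most for a WebDAV location (authentication, TLS, and restriction of the write methods DAV adds) is to audit the httpd configuration for every container that turns `Dav On`. The script below is an added example, not part of the question or of any project; it assumes Apache httpd with mod_dav (directives `Dav`, `AuthType`, `Require`, `SSLRequireSSL`, `<Limit>`/`<LimitExcept>`), and the configuration it reads is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question): audit an Apache httpd configuration for
# containers that enable mod_dav without authentication, a TLS requirement, or a
# method restriction. WebDAV adds writable methods (PUT, DELETE, MKCOL, MOVE,
# PROPPATCH ...) to a location, so every "Dav On" block should carry all three.

# Print one line per <Location>/<Directory> container that has "Dav On":
#   <path> auth=<yes|no> ssl=<yes|no> limit=<yes|no>
# auth=yes needs both AuthType and a Require other than "all granted";
# ssl=yes needs SSLRequireSSL; limit=yes means a <Limit>/<LimitExcept> is present.
audit_dav_config() {
    awk '
    /^[ \t]*<(Location|Directory)[ \t]/ {
        path = $0
        sub(/^[ \t]*<(Location|Directory)[ \t]+/, "", path)
        sub(/[ \t]*>[ \t]*$/, "", path)
        dav = authtype = require = ssl = limit = 0
        next
    }
    /^[ \t]*<\/(Location|Directory)>/ {
        if (dav)
            printf "%s auth=%s ssl=%s limit=%s\n", path,
                   ((authtype && require) ? "yes" : "no"),
                   (ssl ? "yes" : "no"), (limit ? "yes" : "no")
        path = ""
        next
    }
    path != "" {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        if (line ~ /^dav[ \t]+on/)          dav = 1
        if (line ~ /^authtype[ \t]/)        authtype = 1
        if (line ~ /^require[ \t]/ && line !~ /^require[ \t]+all[ \t]+granted/) require = 1
        if (line ~ /^sslrequiressl/)        ssl = 1
        if (line ~ /^<limit(except)?[ \t]/) limit = 1
    }' "$1"
}

# Only the containers that still need attention.
dav_findings() {
    audit_dav_config "$1" | awk '/auth=no|ssl=no|limit=no/'
}

# Constructed configuration for the demonstration: one open DAV share, one
# hardened share, one ordinary non-DAV directory.
DAV_CONF=$(mktemp)
cat > "$DAV_CONF" <<'EOF'
<Location /dav-open>
    Dav On
</Location>

<Location /dav-secure>
    Dav On
    SSLRequireSSL
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/httpd/conf/dav.passwd
    Require valid-user
    <LimitExcept GET OPTIONS PROPFIND>
        Require user dav-writer
    </LimitExcept>
</Location>

<Directory /var/www/html>
    Require all granted
</Directory>
EOF

echo "== all DAV containers =="; audit_dav_config "$DAV_CONF"
echo "== findings ==";           dav_findings "$DAV_CONF"
```

Run against a real server with `audit_dav_config /etc/httpd/conf/httpd.conf` (and each included file); anything reported by `dav_findings` is a location where anonymous clients can create, overwrite or delete content, or where credentials travel in clear text.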
We have just set up a lovely little nfs share / client for the first time.
a) The UID for files on the client side is showing up as 4294967294 when listed via ls, but the client is able to create and remove files / dirs in the share. Files and folders created on the client end show up with the correct username (and uid) on the server side. We made sure that the users writing to the share have the same UID on the server end.
The following shows up for all files / folders on the client side:
drwxr-xr-x 6 4294967294 4294967294 4096 Feb 23 16:04 foldername
Is this ok?
b) Does anything need to be done with portmap / the nfs daemons to completely disable any nfs (or rpc*, as it was not installed prior to this) services from running on our external interface? Ideally we would like to bind the services just to our lan and vpn subnets.
c) What is the ideal way to make the nfs client side as aggressive as possible on reconnection attempts? Ideally, if the network connection is lost at any time, the nfs client side would keep trying often, and indefinitely. Is it possible to accomplish this via fstab? Or does the nfs client already do this by default? The LAN side, where the nfs shares are shared, is a 1GBit connection.
d) Anything else?
Over and out.
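The three points above (the 4294967294 owner, exposure of rpc/nfs listeners, and retry behaviour) can each be checked or expressed mechanically. The script below is an added example and not part of the post: 4294967294 is (uid_t)-2, the fallback the NFSv4 client uses when it cannot map the owner name it received to a local account, which usually points at rpc.idmapd and a differing `Domain` in `/etc/idmapd.conf` on the two ends; the `netstat -lntu` and `ls -l` inputs are constructed, the mount options are the documented nfs(5) ones, and the `/etc/sysconfig/nfs` port-pinning variables are the RHEL/CentOS ones.

```shell
#!/bin/sh
# Added example (not from the post): three offline checks for an NFS
# client/server pair, plus the fstab entry for a mount that retries forever.
# Every input file below is constructed for the demonstration.

# (a) Owner 4294967294 is (uid_t)-2: the NFSv4 client could not map the owner
#     name it received to a local account and fell back to "nobody".
#     65534 is the classic nfsnobody/overflow id. Input: `ls -l` lines.
unmapped_owner_files() {
    awk '$3 == 4294967294 || $4 == 4294967294 || $3 == 65534 || $4 == 65534 { print $NF }' "$1"
}

# (b) NFSv4 ID mapping needs the same "Domain" in /etc/idmapd.conf on both
#     ends (by default derived from the DNS domain). Print the effective Domain.
idmap_domain() {
    awk -F= '
        /^[ \t]*\[/ { sect = $0; next }
        sect ~ /\[General\]/ && $1 ~ /^[ \t]*Domain[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

compare_idmap_domains() {     # $1 client idmapd.conf, $2 server idmapd.conf
    c=$(idmap_domain "$1"); s=$(idmap_domain "$2")
    if [ -n "$c" ] && [ "$c" = "$s" ]; then
        echo "OK domain=$c"
    else
        echo "MISMATCH client='$c' server='$s'"
    fi
}

# (c) Services bound to every address. rpcbind/portmap (111) and nfsd (2049)
#     have fixed ports; mountd/statd/lockd ports are dynamic unless pinned
#     (RHEL/CentOS: MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT in /etc/sysconfig/nfs),
#     so pin them before writing firewall rules that admit only LAN/VPN subnets.
#     Input: `netstat -lntu` lines; prints "<proto> <addr:port>" for wildcard binds.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^(0\.0\.0\.0|::):/ { print $1, $4 }' "$1"
}

# (d) fstab entry. `hard` keeps retrying an unreachable server indefinitely
#     (a `soft` mount gives up after `retrans` attempts and returns I/O errors,
#     which can lose writes); `bg` backgrounds retries of the initial mount;
#     `_netdev` defers the mount until networking is up. timeo is in tenths
#     of a second.
nfs_fstab_line() {            # $1 server:/export   $2 mount point
    printf '%s %s nfs rw,hard,bg,timeo=600,retrans=2,_netdev 0 0\n' "$1" "$2"
}

LS_OUT=$(mktemp); CLIENT_IDMAP=$(mktemp); SERVER_IDMAP=$(mktemp); NETSTAT_OUT=$(mktemp)
cat > "$LS_OUT" <<'EOF'
drwxr-xr-x 6 4294967294 4294967294 4096 Feb 23 16:04 foldername
-rw-r--r-- 1 deploy     deploy      812 Feb 23 16:10 notes.txt
-rw-r--r-- 1 65534      65534       100 Feb 23 16:11 orphan.dat
EOF
cat > "$CLIENT_IDMAP" <<'EOF'
[General]
Verbosity = 0
Domain = lan.example
[Mapping]
Nobody-User = nobody
EOF
cat > "$SERVER_IDMAP" <<'EOF'
[General]
#Domain = localdomain
Domain = localdomain
EOF
cat > "$NETSTAT_OUT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.5:22         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 :::111                  :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:32769           0.0.0.0:*
EOF

echo "unmapped owners:";    unmapped_owner_files "$LS_OUT"
echo "idmap domains:";      compare_idmap_domains "$CLIENT_IDMAP" "$SERVER_IDMAP"
echo "wildcard listeners:"; wildcard_listeners "$NETSTAT_OUT"
echo "fstab line:";         nfs_fstab_line nfs1.lan.example:/export/share /mnt/share
```

On a live pair, feed `ls -l` of the mount, the two real `/etc/idmapd.conf` files and `netstat -lntu` to the same functions; the mismatch case above is what produces the 4294967294 owners even though the numeric UIDs agree on both hosts.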
I am working on building some new CentOS 6 servers and creating documentation for the installation of said servers. I would like to create a base CentOS 6 server install that would be light on the packages to reduce bloat by default. Additionally, I am looking for some common or industry practices in which to harden the server so that it can be used in production and online facing to the world. I am curious if there are any best practice guides, techniques, or steps that you use in performing such a task? Later, I would look at adding servers and sections to the documentation about using the server for web serving, database hosting, etc. For now, I am looking for a base server install.
I know most of the general advice: "turn off unnecessary services", "no really, turn off unnecessary services", "least privilege", etc. I've also seen a few guides and/or tools, e.g., Bastille, for hardening Linux boxes, but nothing that seems tailored to NetBSD.
Assume for the sake of this list that I've already made sure root doesn't have SSH access, but that I haven't installed any server software.
What are your first steps for securing a new NetBSD box?
UPDATE: To be clear, I'm looking for specific steps. I'm entirely self-taught when it comes to server admin, but I feel I have a decent grasp of the general principles. I'm looking for details for two reasons:
- To see if there is anything NetBSD-specific that I've overlooked.
- To see if other people have better methods for putting the general principles into practice.
Thanks.
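Both the CentOS 6 question above and this NetBSD one come down to the same first pass: confirm the sshd policy actually in force and list every daemon enabled beyond an explicit allow-list. The script below is an added example, not part of either post; it assumes SysV init with `chkconfig --list` on CentOS 6 and `NAME=YES` entries in `/etc/rc.conf` on NetBSD, and all three input files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from either post): a first-pass audit that fits both a
# CentOS 6 base install (SysV init, chkconfig) and a NetBSD box (rc.conf).
# It prints what still deviates from "root cannot log in, no password logins,
# only allow-listed services enabled". All inputs are constructed.

# sshd applies the FIRST occurrence of a keyword, so a hardening line appended
# below an existing "PermitRootLogin yes" does nothing; the parser mirrors that.
sshd_config_findings() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
        END {
            if (!("permitrootlogin" in val) || val["permitrootlogin"] == "yes")
                print "PermitRootLogin is not no (unset defaults to yes)"
            if (!("passwordauthentication" in val) || val["passwordauthentication"] != "no")
                print "PasswordAuthentication is not no"
            if (("protocol" in val) && val["protocol"] ~ /1/)
                print "Protocol 1 is enabled"
            if (("permitemptypasswords" in val) && val["permitemptypasswords"] == "yes")
                print "PermitEmptyPasswords is yes"
            if (("x11forwarding" in val) && val["x11forwarding"] == "yes")
                print "X11Forwarding is yes"
        }' "$1"
}

# CentOS 6: services started in runlevel 3 per `chkconfig --list`, minus an
# allow-list; each name printed is a candidate for `chkconfig NAME off`.
unexpected_sysv_services() {   # $1 chkconfig output, $2 space-separated allow-list
    awk -v allow=" $2 " '$5 == "3:on" && index(allow, " " $1 " ") == 0 { print $1 }' "$1"
}

# NetBSD: daemons enabled with NAME=YES in /etc/rc.conf, minus an allow-list;
# set NAME=NO to disable (rc_configured is the installer flag, not a daemon).
unexpected_rc_services() {     # $1 rc.conf, $2 space-separated allow-list
    awk -F= -v allow=" $2 " '
        /^[ \t]*(#|$)/ { next }
        { name = $1; sub(/^[ \t]+/, "", name)
          v = toupper($2); gsub(/"/, "", v); gsub(/[ \t]/, "", v) }
        v == "YES" && name != "rc_configured" && index(allow, " " name " ") == 0 { print name }
    ' "$1"
}

SSHD_CONF=$(mktemp); CHKCONFIG_OUT=$(mktemp); RC_CONF=$(mktemp)
cat > "$SSHD_CONF" <<'EOF'
# constructed sshd_config: note the duplicated PermitRootLogin
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin yes
EOF
cat > "$CHKCONFIG_OUT" <<'EOF'
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
cat > "$RC_CONF" <<'EOF'
# constructed NetBSD rc.conf
rc_configured=YES
hostname=nb1.lan.example
sshd=YES
ntpd=YES
rpcbind=YES
nfs_server=YES
lpd=NO
EOF

echo "sshd:";    sshd_config_findings "$SSHD_CONF"
echo "sysv:";    unexpected_sysv_services "$CHKCONFIG_OUT" "auditd crond iptables rsyslog sshd"
echo "rc.conf:"; unexpected_rc_services "$RC_CONF" "sshd ntpd"
```

The allow-list is the documentation artefact the CentOS question asks for: keep it in the install notes, and re-run the two service functions after every package change so anything new that enables itself shows up as a diff rather than as a surprise in a port scan.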
In a farm of virtualized Red Hat servers, there's the need to install a minimal system for security reasons. Minimal installs have several advantages (even non-security-related ones):
- Less exposure to vulnerabilities (if you don't need it, don't install it)
- Better update process (fewer packages to update, less probability of breaking the system)
- Better performance (no unneeded daemons or processes)
- The less software you have the easier it is to harden the system
Unfortunately, this is not easy because the "Minimal Installation" on Red Hat contains lots of unnecessary packages.
There is an added challenge as the farm is running Oracle iAS. I've been told that iAS has dependencies on the local graphical environment. So finally every server in the farm has gnome, X, etc.
I've been searching the web and one solution seems to be making a kickstart script that will install only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.
How do you install minimal Red Hat servers? Is it OK to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?
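The kickstart route is workable if the package section starts from `@core` instead of the "Minimal" group set, and the maintenance worry is handled by keeping the package list as a document and diffing hosts against it. The script below is an added example, not part of the question or of Red Hat's tooling; it assumes RHEL 6 kickstart syntax (`%packages --nobase`, `@core`, `-pkg` exclusions, `%end`) and RHEL 6 group ids such as `x11` and `basic-desktop`, and the kickstart and package lists it reads are constructed for the demonstration. Whether iAS needs more than X client libraries is an assumption to verify against its own prerequisites.

```shell
#!/bin/sh
# Added example (not from the question): helpers for a minimal RHEL 6 kickstart
# build. Group ids and package names are RHEL 6 ones; input files are constructed.

# Emit a %packages section that starts from @core alone (--nobase skips the
# @base group that "Minimal" otherwise pulls in) plus the packages you name.
# Arguments are package names; a leading "-" excludes one that @core would add.
ks_packages_section() {
    printf '%s\n' '%packages --nobase' '@core'
    for p in "$@"; do printf '%s\n' "$p"; done
    printf '%s\n' '%end'
}

# Flag %packages entries that drag in X or a desktop (a broad name heuristic:
# x11, xorg, desktop, gnome, kde). X client libraries such as libXp install
# without any of them; whether iAS needs more than those is an assumption to
# check against its prerequisites, not something this script decides.
ks_graphical_entries() {
    awk '
        /^%packages/ { inpkg = 1; next }
        /^%end/      { inpkg = 0 }
        inpkg && $1 !~ /^(#|-)/ && tolower($1) ~ /(x11|xorg|desktop|gnome|kde)/ { print $1 }
    ' "$1"
}

# Drift between the documented baseline list and what a host reports via
# `rpm -qa --qf '%{NAME}\n'`: "+" installed but undocumented, "-" missing.
package_drift() {              # $1 baseline list, $2 installed list
    b=$(mktemp); i=$(mktemp)
    sort -u "$1" > "$b"; sort -u "$2" > "$i"
    comm -13 "$b" "$i" | sed 's/^/+ /'
    comm -23 "$b" "$i" | sed 's/^/- /'
    rm -f "$b" "$i"
}

KS=$(mktemp); BASELINE=$(mktemp); INSTALLED=$(mktemp)
cat > "$KS" <<'EOF'
install
text
lang en_US.UTF-8
%packages --nobase
@core
@x11
@basic-desktop
openssh-server
libXp
-NetworkManager
%end
EOF
printf '%s\n' cronie openssh-server rsyslog > "$BASELINE"
printf '%s\n' cups openssh-server rsyslog  > "$INSTALLED"

echo "== generated section =="; ks_packages_section openssh-server libXp -NetworkManager
echo "== graphical entries ==";  ks_graphical_entries "$KS"
echo "== drift ==";              package_drift "$BASELINE" "$INSTALLED"
```

Dependency resolution is done by the installer (and later by yum) regardless of how short the list is, so the list in the kickstart stays short and `package_drift` shows what resolution pulled in; a `+` line that names a desktop package is the signal that some explicit package, not the kickstart groups, is dragging the graphical stack back in.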