Secure Server

Todd Zullinger tmz at pobox.com
Wed Aug 5 16:31:34 UTC 2009


Alejandro Rodriguez Luna wrote:
> I just wanted to ask about the security of services like ssh, dns,
> etc. What is the best way to secure these services? Perhaps
> /etc/hosts.allow and /etc/hosts.deny, or perhaps with a superserver
> inetd or xinetd?

Well, the 'best way' is quite subjective.  IMO, disabling any services
that are not used is the first step.  For sshd, I disable password
access and only allow authentication via keys.  I also disable root
login via ssh.  Then I limit the users allowed to login via AllowUsers
in the sshd config file.  Some people also use denyhosts or similar
methods to lock out IP addresses that make numerous unsuccessful login
attempts.  Overall, I don't spend a lot of time worrying about
openssh.  The OpenSSH project has an excellent security record.

DNS is a little more worrying, as BIND has had more problems over the
years.  It has been much better in recent years though.  By default,
the named service is run as a non-root user.  It's also confined by
SELinux.  It can optionally be run in a chroot jail, which might further
limit a successful exploit of the service.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Even moderation ought not to be practiced to excess.
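
The three sshd settings described in the reply above (no password logins, no root login, an AllowUsers list) can be checked mechanically. The script below is an added example, not part of the original post; the sample configuration, user names and function names are constructed for illustration.

```python
# Added example: audit sshd_config text for the three settings in the post.
# sshd uses the FIRST value it sees for each keyword, and keywords are
# case-insensitive. Only the global section is read; Match blocks are skipped.

SAMPLE_CONFIG = """\
# constructed sample, not from the original post
Port 22
PermitRootLogin no
passwordauthentication no
#AllowUsers alice
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def parse_global(text):
    """Return {lowercased keyword: value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional overrides start here and run to end of file
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit(text):
    """Return a list of findings; an empty list means all checks pass."""
    s = parse_global(text)
    findings = []
    # An unset PasswordAuthentication defaults to yes in OpenSSH.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # Treat an unset PermitRootLogin as a finding: require it explicitly.
    if s.get("permitrootlogin", "unset").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if not s.get("allowusers"):
        findings.append("AllowUsers is not set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["all checks pass"]:
        print(finding)
```

The later `PasswordAuthentication yes` line in the sample is ignored because the first occurrence wins. On a live host, `sshd -T` prints the effective configuration and is the authoritative check.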
