[WBEL-users] Hardening a WBEL3 server?

Benjamin J. Weiss benjamin at birdvet.org
Fri Mar 4 08:16:02 CST 2005


Eric B. wrote:

>Hi Guys,
>
>I'm finally getting my WBEL3 server to the point where I am almost ready to 
>put it into production.  It will be protected by a hardware firewall, but it 
>doesn't have its own true DMZ (although I know it probably should - these 
>things will be done at a later stage).  So in the meantime, I need to figure 
>out how I can harden this machine as best as possible.
>
>Can anyone point me to some good HowTo's for hardening a WBEL server?  I 
>found a few short resources for hardening Redhat 7.2, but was wondering if 
>there might be anything more in depth and at the enterprise level server.
>  
>
I don't use whitebox anymore, but I might be able to help a bit.

First of all, you need to ensure that you have your iptables firewall 
configured and running.  To ensure that it's running, type (as root):
service iptables status

If you get the reply 'Firewall is stopped', then type:
service iptables start
chkconfig iptables on

I won't go into proper iptables configuration in this email; it would 
take too long.  Just ensure that you only have the incoming ports 
enabled that you want people to see, such as ssh or http.

Next, you need to see what services you're running that are listening to 
ports.  You can do this by typing:
netstat -taupn

Look for the lines that say either LISTEN or ESTABLISHED.  These are the 
services that are open to the world.  You need to evaluate which ones 
you really need, and remove the ones that you don't.  For instance, if 
you're running a web server, and you don't want to, you could turn it 
off with the following:
service httpd stop
chkconfig httpd off

Typically, since I don't use NFS, I turn off all of the NFS services 
(portmap, nfs, nfslock, netfs).

You can get a list of services and whether they start automatically or 
not by typing:
chkconfig --list

HTH,

Ben
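
Added example, not part of the original message: a shell helper that condenses `netstat -taupn` output into one line per listening socket, so the services to review with `chkconfig` stand out. The function names, the loopback/exposed labelling and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Reads `netstat -taupn` output on stdin; prints "proto port scope program".
listening_services() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        proto = $1; local = $4; foreign = $5
        if (proto ~ /^tcp/) {
            if ($6 != "LISTEN") next            # skip ESTABLISHED, TIME_WAIT, ...
            prog = $7
        } else {
            # Unconnected UDP sockets have no State column and a wildcard peer.
            if (foreign != "0.0.0.0:*" && foreign != ":::*") next
            prog = $6
        }
        port = local; sub(/^.*:/, "", port)     # text after the last colon
        addr = local; sub(/:[^:]*$/, "", addr)  # text before the last colon
        scope = (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) \
                ? "loopback" : "exposed"
        sub(/^[0-9]+\//, "", prog)              # drop the PID, keep the name
        sub(/:$/, "", prog)                     # "sendmail: acce" -> "sendmail"
        print proto, port, scope, prog
    }' | sort -u
}

# Only the sockets bound to a non-loopback address.
exposed_services() { listening_services | awk '$3 == "exposed"'; }

# Constructed sample output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:22          0.0.0.0:*            LISTEN      1843/sshd
tcp        0      0 127.0.0.1:25        0.0.0.0:*            LISTEN      1902/sendmail: acce
tcp        0      0 0.0.0.0:111         0.0.0.0:*            LISTEN      1650/portmap
tcp        0      0 :::80               :::*                 LISTEN      2011/httpd
tcp        0      0 192.0.2.10:22       198.51.100.7:51234   ESTABLISHED 2300/sshd
udp        0      0 0.0.0.0:111         0.0.0.0:*                        1650/portmap
udp        0      0 0.0.0.0:631         0.0.0.0:*                        1950/cupsd
EOF
}

# On a live system (as root, so program names are shown):
#   netstat -taupn | exposed_services
sample_netstat | exposed_services
```

Each "exposed" line names a program to either keep and allow through iptables, or stop and disable with `service` and `chkconfig` as described above.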

