[WBEL-users] Hardening a WBEL3 server?
Benjamin J. Weiss
benjamin at birdvet.org
Fri Mar 4 08:16:02 CST 2005
Eric B. wrote:
>Hi Guys,
>
>I'm finally getting my WBEL3 server to the point where I am almost ready to
>put it into production. It will be protected by a hardware firewall, but it
>doesn't have its own true DMZ (although I know it probably should - these
>things will be done at a later stage). So in the meantime, I need to figure
>out how I can harden this machine as best as possible.
>
>Can anyone point me to some good HowTo's for hardening a WBEL server? I
>found a few short resources for hardening Red Hat 7.2, but was wondering if
>there might be anything more in depth and at the enterprise level server.
>
>

I don't use whitebox anymore, but I might be able to help a bit.

First of all, you need to ensure that you have your iptables firewall
configured and running. To ensure that it's running, type (as root):

    service iptables status

If you get the reply 'Firewall is stopped', then type:

    service iptables start
    chkconfig iptables on

I won't go into proper iptables configuration in this email, it would
take too long. Just ensure that you only have the incoming ports
enabled that you want people to see, such as ssh or http.

Next, you need to see what services you're running that are listening to
ports. You can do this by typing:

    netstat -taupn

Look for the lines that say either LISTEN or ESTABLISHED. These are the
services that are open to the world. You need to evaluate which ones
you really need, and remove the ones that you don't. For instance, if
you're running a web server, and you don't want to, you could turn it
off with the following:

    service httpd stop
    chkconfig httpd off

Typically, since I don't use NFS, I turn off all of the NFS services
(portmap, nfs, nfslock, netfs).

You can get a list of services and whether they start automatically or
not by typing:

    chkconfig --list

HTH,
Ben
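
The netstat review described in the message above, as an added example that is not part of the original email: a shell function that reduces `netstat -taupn` output to sockets accepting traffic from other hosts on ports outside an allowlist. The function name, the allowlist (22 and 80) and the sample netstat lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Ports intended to be reachable (assumption for this example: ssh, http).
ALLOWED_PORTS="22 80"

# Constructed sample of `netstat -taupn` output so the example runs offline.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*          LISTEN      1801/sshd
tcp        0      0 0.0.0.0:111       0.0.0.0:*          LISTEN      1522/portmap
tcp        0      0 127.0.0.1:631     0.0.0.0:*          LISTEN      1766/cupsd
tcp        0      0 0.0.0.0:80        0.0.0.0:*          LISTEN      1890/httpd
tcp        0      0 192.0.2.10:22     192.0.2.50:40112   ESTABLISHED 2210/sshd
udp        0      0 0.0.0.0:111       0.0.0.0:*                      1522/portmap
udp        0      0 0.0.0.0:32768     0.0.0.0:*                      1541/rpc.statd'

# Reads netstat -taupn output on stdin. Prints "proto port pid/program" for
# every TCP LISTEN socket and every unconnected UDP socket that is bound to a
# non-loopback address and whose port is not in the allowlist passed as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        function check(proto, laddr, prog,    port, host) {
            port = laddr; sub(/.*:/, "", port)       # text after the last colon
            host = laddr; sub(/:[^:]*$/, "", host)   # text before the last colon
            # Loopback-only sockets are not reachable from other hosts.
            if (host ~ /^(::ffff:)?127\./ || host == "::1") return
            if (!(port in ok)) print proto, port, prog
        }
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP rows carry a State column, so the program name is field 7.
        $1 ~ /^tcp/ && $6 == "LISTEN" { check($1, $4, $7) }
        # UDP rows have no state; a foreign address ending in :* is unconnected.
        $1 ~ /^udp/ && $5 ~ /:\*$/    { check($1, $4, $6) }
    '
}

# Run against the constructed sample. On a live host (as root, so the
# PID/Program column is filled in) the equivalent is:
#   netstat -taupn | unexpected_listeners "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE" | unexpected_listeners "$ALLOWED_PORTS"
```

Each line it prints names a service to either add to the allowlist deliberately or turn off with `service <name> stop` and `chkconfig <name> off`, as in the message above.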