[WBEL-users] Hardening a WBEL3 server?

Eric B. ebenze at hotmail.com
Fri Mar 4 15:05:33 CST 2005


"Benjamin J. Weiss" <benjamin at birdvet.org> wrote in message 
news:42286DA2.9020102 at birdvet.org...
> Eric B. wrote:
>
>>Hi Guys,
>>
>>I'm finally getting my WBEL3 server to the point where I am almost ready 
>>to put it into production.  It will be protected by a hardware firewall, 
>>but it doesn't have its own true DMZ (although I know it probably should - 
>>these things will be done at a later stage).  So in the meantime, I need 
>>to figure out how I can harden this machine as best as possible.
>>
>>Can anyone point me to some good HowTo's for hardening a WBEL server?  I 
>>found a few short resources for hardening Redhat 7.2, but was wondering if 
>>there might be anything more in depth and at the enterprise level server.
>>
> I don't use whitebox anymore, but I might be able to help a bit.
>
> First of all, you need to ensure that you have your iptables firewall 
> configured and running.  To ensure that it's running, type (as root):
> service iptables status
>
> if you get the reply 'Firewall is stopped', then type:
> service iptables start
> chkconfig iptables on
>
> I won't go into proper iptables configuration in this email, it would take 
> too long.  Just ensure that you only have the incoming ports enabled that 
> you want people to see, such as ssh or http.
>
> Next, you need to see what services you're running that are listening to 
> ports.  You can do this by typing:
> netstat -taupn
>
> Look for the lines that say either LISTEN or ESTABLISHED.  These are the 
> services that are open to the world.  You need to evaluate which ones you 
> really need, and remove the ones that you don't.  For instance, if you're 
> running a web server, and you don't want to, you could turn it off with 
> the following:
> service httpd stop
> chkconfig httpd off
>
> Typically, since I don't use NFS, I turn off all of the NFS services 
> (portmap, nfs, nfslock, netfs).
>
> You can get a list of services and whether they start automatically or not 
> by typing:
> chkconfig --list

Thanks Ben,

That's pretty much what I've done already.  Have also used nmap to scan for 
any listening ports as well and cleaned all those up similarly.  The other 
stuff that I have left though, is wondering how to harden the server to be 
able to securely run Apache and Tomcat without worries of security breaches, 
etc.  Was considering running apache in a chroot jail, but it just looks 
like that is a pain to set up without any real advantages.  Am open to 
suggestions though... :)

Thanks!

Eric
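
Added example, not part of the original thread: filtering the `netstat -taupn` output from the quoted reply down to listeners that are bound to a non-loopback address and are not on a list of ports meant to be reachable. The function names, the "proto/port" allow-list format and the sample lines are constructed for illustration.

```shell
# Constructed sample of `netstat -taupn` output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25       0.0.0.0:*           LISTEN      1500/sendmail
tcp        0      0 0.0.0.0:111        0.0.0.0:*           LISTEN      900/portmap
tcp        0      0 :::80              :::*                LISTEN      2000/httpd
tcp        0      0 0.0.0.0:8009       0.0.0.0:*           LISTEN      2100/java
tcp        0      0 192.0.2.10:22      192.0.2.50:40000    ESTABLISHED 3000/sshd
udp        0      0 0.0.0.0:111        0.0.0.0:*                       900/portmap
EOF
}

# Reads netstat output on stdin; $1 is a space-separated list of
# "proto/port" entries that are meant to be reachable (hypothetical format).
# Prints "proto/port program" for every other non-loopback listener.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }                  # skip the two header lines
    {
        proto = $1; sub(/6$/, "", proto)         # tcp6 -> tcp, udp6 -> udp
        if (proto == "tcp") {                    # TCP: only sockets in LISTEN
            if ($6 != "LISTEN") next
            prog = $7
        } else {                                 # UDP has no State column
            if ($5 !~ /:\*$/) next               # keep unconnected sockets
            prog = $6
        }
        addr = $4; port = $4
        sub(/.*:/, "", port)                     # port follows the last colon
        sub(/:[0-9]+$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next   # loopback-only listener
        sub(/^[0-9]+\//, "", prog)               # drop the PID, keep the name
        key = proto "/" port
        if (!(key in ok) && !seen[key]++) print key, prog
    }'
}

# On a live host (as root): netstat -taupn | unexpected_listeners "tcp/22 tcp/80"
sample_netstat | unexpected_listeners "tcp/22 tcp/80"
```

Each line printed names a service to stop with `service <name> stop` and `chkconfig <name> off`, or a port to add to the allow-list deliberately.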
