Quote:
1. Which is a secure & stable (& preferably simple) distro for running a web server? and a mail server?
|
No one would be safe answering this without mentioning BSD's first tho that aint Linux... IMO every distro has it weaknesses, it's the context in which u handle it tho that makes the difference. If u take Redhat, go for the .2 series, theyre supposed to be more "evolved" compared to the .0's, Debian isnt a frontrunner but is conservatively built with security in mind. Almost any distro will do IMO. What I mean with context is that u understand the risks and act on it.
1. Don't throw all ure eggs in one basket. Like on a firewall, *no* development should be done on these boxes, no SUID or user tools installed, no X, no user accounts and no unsecure mgmnt connections if u can!
Keeping the box clean will also give u a better overview to focus on applications with a higher patch/upgrade rate.
2. U asked for simple. That is a basic failure to comply with Linux :-p Linux aint simple, and it isn't ment to be. Learning to properly configure linux can be a pain, but only there ull learn from it instead of another case of GUI-button-clicking.
3. Compile kernel monolithic and disable loading modules to disable ppl using LKM-based rootkits. Use Bastille-Linux or equivalent to tighten basic post-install security.
4. Security is dynamic. Investing some time in setting up backups, IDS(Snort, Port/Hostsentry, remote logging) and integrity(Aide, Tripwire, Samhain, Cops, Tara, Chkrootkit etc) checking will help manage ure box(es) and can help signal anomalies in an early stage.
5. Keep ure eye on new releases/patches from both ure vendor and some independant sources.
Quote:
2. Will sendmail program be sufficient to run a decent enuff mail server?
|
Yes if properly configured (current is v8.11.4).
"Sendmail 8.11.4 is available; it fixes a signal race condition and includes bug fixes for 8.11.3"
Quote:
Any security holes with this?
|
---
Xforce-ISS: sendmail-bi-alias(3795)
Issued: Jan 2001
Topic: The Debian GNU/Linux 2.1 Sendmail application contains a problem with the code to regenerate the aliases database. Upgrade to Sendmail version 8.9.3-3slink1.0.1 or later.
---
Xforce-ISS: sendmail-elevate-privileges(6147)
Issued: Feb 2001
Topic: Sendmail -bt command could allow the elevation of privileges
Affected:
http://xforce.iss.net/static/6147.php
---
RAZOR advisory: Unsafe Signal Handling in Sendmail
Issue Date: May 28, 2001
Topic: Sendmail signal handlers used for dealing with specific signals are vulnerable to numerous race conditions.
Affected Systems: Any systems running sendmail (tested on sendmail 8.11.0, 8.12.0-Beta5) (Also look at
http://archives.neohapsis.com/archiv...1-05/0274.html)
---
To name just three.
Qmail, Postfix.
Quote:
3. How do I protect myself from attacks.. Some of the things I learnt are to close unwanted ports, pass all communication through a firewall...Any suggestions to add to it?
|
Read CERT and SANS on configuring basic unix. Search this board or AUSCERT for the unix checklist.
Good luck.