Re: big security questions the deny access guy return
From: Volker Kindermann <ml () ps102 de>
Date: Tue, 07 Dec 2004 10:00:01 +0100
> About DNS: what BIND do you recommend and how can I protect it? I would
> like to install Snort to see if somebody is trying to attack my
> server. So should I use BIND 8 or BIND 9, and should I use a chrooted
> scheme or not? What other security risks do I have to address?
Regarding DNS you should consider two things:
- Is it possible for you to switch from BIND to djbdns? The latter is
more secure, simpler, but has a totally different "mindset".
Configuration is different but easier. You should check if the
functionality of djbdns is sufficient for you.
- If you can't switch to djbdns, please take BIND 9. Do not use BIND 8.
And of course you should chroot BIND.
> About mail: I was thinking of using Postfix in place of Sendmail. Is this
> a good idea?
Yes. Again, Postfix configuration is simpler, the program was written
with security in mind and is very performant. No negative experiences
with Postfix here.
> For gathering mail I was thinking of Cyrus IMAP and
> authentication tools, but what would you recommend to me?
I wouldn't take Cyrus because of its proprietary mail storage format. I
would stick to Dovecot or Courier-IMAP. Courier-IMAP has a companion web
mail program called sqwebmail.
> Should I use Snort on every server or just one?
Depends on your infrastructure. Snort is a network intrusion detection
tool, so it is important that it "sees" all network traffic. If you have
the servers on a hub, put a Snort machine (sensor) on that hub.
Generally I wouldn't install Snort on any of the servers but on one or
more sensor machines with NICs in listening mode without their own
IP addresses. You only have to make sure that the sensors are really
seeing all network traffic.
> Are iptables good enough?
If you are aware of its limits (only packet filtering, no application
gateway), it's ok. You should consider taking a separate machine for
firewalling, perhaps a non-Linux one (self-built or appliance). OpenBSD
is very well suited for this purpose.
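The sensor advice above (a listening-only NIC with no IP address of its own, in promiscuous mode so Snort sees everything on the segment) is easy to get wrong silently: an interface that quietly picked up an address, or never had promiscuous mode set, still runs Snort but only sees its own traffic. The following is an added example, not part of Volker's reply or of Snort; it audits a Linux sensor interface from the one-line output of `ip -o link show` and `ip -o addr show` (iproute2). The sample output, interface names and addresses are constructed for the example.

```python
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample of `ip -o link show` output. eth1 is the intended
# sensor NIC: PROMISC is set and (see SAMPLE_ADDR) it carries no address.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of `ip -o addr show` output (documentation addresses).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:feaa:bb01/64 scope link \\       valid_lft forever preferred_lft forever
"""

# "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> ..." -> name, flag list
LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")
# "2: eth0    inet 192.0.2.10/24 ..." -> name, family, address/prefix
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)")


def parse_link_flags(text: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of link flags (UP, PROMISC, ...)."""
    flags: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags


def parse_addresses(text: str) -> Dict[str, List[str]]:
    """Map interface name -> list of configured IPv4/IPv6 addresses."""
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(3))
    return addrs


def audit_sensor_interface(iface: str, link_text: str, addr_text: str) -> List[str]:
    """Return a list of findings; an empty list means the NIC looks like a
    proper listening-only sensor interface (up, promiscuous, no address).
    Link-local IPv6 counts as an address too: a sensor NIC should have
    IPv6 autoconfiguration disabled so it never answers on the wire."""
    findings: List[str] = []
    flags = parse_link_flags(link_text)
    if iface not in flags:
        return [f"{iface}: interface not found"]
    if "UP" not in flags[iface]:
        findings.append(f"{iface}: interface is down")
    if "PROMISC" not in flags[iface]:
        findings.append(f"{iface}: promiscuous mode not set; "
                        "the sensor would only see traffic addressed to itself")
    for addr in parse_addresses(addr_text).get(iface, []):
        findings.append(f"{iface}: has address {addr}; "
                        "a listening-only sensor NIC should carry none")
    return findings


def audit_live(iface: str) -> List[str]:
    """Run the audit against the real `ip` output of this host (Linux only)."""
    link = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    return audit_sensor_interface(iface, link, addr)


if __name__ == "__main__":
    for name in ("eth0", "eth1"):
        result = audit_sensor_interface(name, SAMPLE_LINK, SAMPLE_ADDR)
        print(name, "OK" if not result else "\n  ".join([""] + result))
```

Run `audit_live("eth1")` (or whatever the sensor NIC is called) from cron on each sensor box and alert on a non-empty result; the same parsers can be pointed at saved `ip` output from several sensors to confirm that every one of them is still in listening-only mode.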