Plesk install and security audit

[scott]

A separate dedicated hardware firewall probably isn't going to add any value to your environment. Theres nothing that they do that you dont get with firewalling in linux.

[laughingbuddha]

Ok, I'll drop there firewall. Saves a bit of cash.

When I do an install of CentOS of Plesk, I tend to disable the CentOS default firewall after install, and put SELinux into permissive mode is that right.

Should I instead leave the firewall on and leave selinux running enforcing mode?

I'm not sure about going ASL straight away on this first server, as it only has 4GB of memory and 2 x Xeon 2.8GHz processors. I heard that it puts a strain on resources and was worried about that, as I know I have an install of Magento going on the server, as well as 2 other SQL/database driven services going on there two.

Firewall wise, what do people recommend. Is APF that faris mentioned a good choice. Security is important, as with any web hosting and I don't want to leave myself open to hacks as I'm not talent with Linux and wouldn't know where to start if one occured.

Matt

[scott]

4G is a lot, so I dont see that being a problem with ASL. If you were on a 1G x86_64 box then you might need to cut back on some things.

Firewalling, in general, doesn't add much to a web hosting platform. Where you get the most value would be in using it to block attacks once they are detected, or preventing connections from known attackers.

[laughingbuddha]

I was hoping that by inforcing only 2 IPs to be able to access port 22 (SSH) it may prevent possbile attacks, as well as the over SSH securing as mentioned in this thread.

Is ASL a straight install and off you go (once subscribed), or is there configuration to do?

I have heard that Magento users have had issues with ASL, is this true?

Matt

[scott]

Not from any of the magneto users I know, Ive got one guy that sends me their updates every time one comes out (they have really weird versioning if youve noticed). Hes never said it didn't work. Then again he never actually said he was using it.

Theres an installer:

wget -q -O - http://www.atomicorp.com/installers/asl |sh

this takes you through all the installation questions, and sets it up.

[laughingbuddha]

Cool, I guess it includes the qmail and clamd in that.

What is the fee on ASL at the moment?

Matt

[scott]

It includes the kernel, ossec, rkhunter, unhide, skdet, psmon, mod_security, mod_evasive, clamav, etc. Its a mountain of stuff now, I see it ending up something like the Ximian desktop channel, with all sorts of different packages to support different environments.

Current price is $158 per seat.

[laughingbuddha]

I take it that's per year?

So if I was to added that to my list of install tasks, I would do in order:-

1. CentOS install
2. yum art channel install of plesk
3. yum install of asl

And just to check, if I change the ip address of the server along with the subnet, dns pri/sec, and default gateway, when it leaves my office to go and get hosted at the server house this won't effect ASL or Plesk?

Matt

[laughingbuddha]

Right, I'm doing my install at the moment....well in parts over the weekend.

Currently the server is at my home office so I'm working off my router using a local LAN IP, and I have pointed the server name to the static IP of my ADSL2+ line. I have also setup a firewall rule to point all incoming traffic to the local IP of my server.

I've done my CentOS 5 install, yum updated and installed Plesk through the ART channel. Which direction should I take next. Install the firewall, or subscribe/install ASL?

I'm also writting a step by step guide for installing a CentOS and Plesk. Written by a Linux newbie for Linux Newbies. So far I've done the following guides as well:-

* Plesk - Allowing Remote Access to MySQL Databases
* Plesk - Creating Wildcard Subdomains
* Plesk - How to Turn Safe More On or Off (Mainly for older versions of plesk that didn't have the option in the control panel)
* Plesk - Installing Mcrypt and Mhash (For magento)
* Plesk - Installing Qmail Scanner and Clam AV

The idea is the past on the knowledge I've learnt through the help of you guys, to other newbies. The guides are free and I'll sort out some site or blog to distro the guides.

Thanks,

Matt

[laughingbuddha]

Hi,

I've got SELinux back on to enforce mode after the Plesk install and yum update.

I'm at the point of firewalls and ASL.

Firewall wise, what do people recommend. The only Linux firewall I have ever used was the Plesk Firewall module, mainly because it came with the VPS I'm using at the moment, and it's easy to use. Is it any good? If not what should I be using?

With ASL, should I install this before or after installing the firewall? And also can ASL be installed whilst I'm using a local LAN IP remebering that Iwill be changing the IP address when the server is sent for hosting.

Thanks,

Matt

[breun]

I've got SELinux back on to enforce mode after the Plesk install and yum update.

I'm at the point of firewalls and ASL.

Just know that ASL uses grsecurity and disables SELinux.

[laughingbuddha]

Oh righty, so either way SELinux is going bye bye when ASL is on. Cool, thanks.

So with the Firewall, what do people recommend. Is Plesk Firewall just as good when your running ASL as well?

Matt

[laughingbuddha]

*bump* Firewall recommendations?

[Kalimari]

Firewall software is usually just a front-end to iptables/ipchains. If you can get your head around them, the real power & flexibility of Linux security lies in rolling your own. Here's good (albeit verbose) overview: http://iptables-tutorial.frozentux.net/ ... index.html

For more general information and links to further reading/software, try: http://wiki.linuxquestions.org/wiki/Firewall

APF is very popular: http://rfxnetworks.com/apf.php and is also in the atomic repo.

[scott]

Mike and I also wrote a book about it; Troubleshooting Linux Firewalls