Atomic Team,

I am about to lease a new server from my ISP. I currently have a CentOS 5.8 server with Plesk 8.6.0.

I just purchased your ASL product, but would like to prepare the new server correctly.

I've seen "The Perfect Server" help docs over on http://www.howtoforge.com/howtos/linux/centos but was hoping you could "steer" me in the right direction with a perfect minimal LAMP server install. (http://www.howtoforge.com/perfect-serve ... spconfig-3 for instance)

Some questions are:

-- should I install CentOS 6.3 version x86 or x86_64
-- Postfix or not
-- Sendmail or not
-- Dovecot or not
-- su_php or not
-- etc...

I've installed/managed linux servers for years, but hope you could guide me toward the most secure installation options.

Thx so much!!
Jim

My rough guide here:

1) I use centos 6, x86_64
2) 2G minimum
3) x2 disks, in a raid mirror. Partitioned as md0 (/boot, 512MB), sda2 / sdb2 (swap, x2 of ram, set at priority -1), md1 (/, all remaining space). Dont bother with /tmp, /var, /home, etc. They just cause problems later
4) Install plesk first, 11 is the latest, we use 9.5-11. This is personal preference
5) install ASL last (after all other stuff), boot into the ASL kernel, ensure you have the dazuko module installed
6) add the T-WAF to the plesk port
7) use mod_ruid2 (not completely supported in ASL yet, but use it anyway). Dont bother with fcgi, suphp, etc. These are all slower. Con's to mod_ruid2 if you are using cloudlinux I dont think its compatible with LVE.
Use incremental backup systems to a live (browsable) filesystem. We use rdiff-backup here. This is important because it lets you do compares & restores in realtime. Our backups are nightly. The backup server is both mirrored to a local filesystem, and mirrored to another offsite backup server in a different physical location.


(Optional)Conduct regular security assessments. My assessment platform is:
Fedora 17 (you could use centos 6, but fedora has more utilities)
1) install openvas, this is your *network* vulnerability scanner. We scan DAILY. Do not scan quarterly. Do not scan yearly. Do not be that guy.
2) install w3af and arachni, these are your *application* scanners. As in the web applications. Scan each application DAILY or WHENEVER YOU MAKE A CHANGE. Again, do not follow the PCI DSS standard here. Thats the low bar.

Hi Scott,

could go into more details with these topics used with just one rootserver?
1) install openvas, this is your *network* vulnerability scanner. We scan DAILY. Do not scan quarterly. Do not scan yearly. Do not be that guy.
2) install w3af and arachni, these are your *application* scanners. As in the web applications. Scan each application DAILY or WHENEVER YOU MAKE A CHANGE. Again, do not follow the PCI DSS standard here. Thats the low bar.

Thanks

Scott, thanks so much for the reply... I forgot to say that I AM PLANNING ON NO LONGER USING PLESK.

I hope to use VirtualMin or ISPConfig instead of Plesk.

I will assume that I should still install ASL last.

(I have attached what I have so far, since I was unable to "post" it)

So the point of a vulnerability scanners is that they become a part of your QA process, they arent a complete replacement for a skilled technical assessment, but its going to help with creating your security program. We run these daily, and in some cases multiple times a day. Certainly every time we make a change.

Yes, installing it last is best because that way it can harden your final environment more easily, and configure itself to what your final environment will be.