I'd like to have my server locked down, and I *could* do this, but I'm lazy and have Cisco work that doesn't give me enough time.
Dual-core Xeon system (3060)
2GB of RAM
2x 250GB HDs (not in RAID)
CentOS 5 64bit edition, Apache 2.2.6, PHP 5.2.5, MySQL 5.0.45
APF 0.96.1 and BFD 0.9 installed
Zend (3.28 I think) installed
Exim at version 3.48, SpamAssassin at 3.23, ClamAV at 0.97.1 (I think...)
DirectAdmin 1.3.11 (which affects httpd, php, mysql, exim, dovecot, proftpd and others)
Concerns:
OpenSSL at 0.9.8b-<something>, which is the CentOS flavor. Would strongly prefer 0.9.8g mainline.
OpenSSH at 4.3p7 and, like OpenSSL, I would like the mainline version (4.7p1) if possible.
Kernel is out of date (doesn't need to be GRSec, but I would rather have GRSec).
I'd LOVE to have Suhosin installed. I've failed twice. I clearly suck.
The long list of items I'd want done:
Get Mod_Security installed and working for Apache 2.2
Installation of eAccelerator (and making it work with Zend and Suhosin)
Installation of LibSafe
Limit access to select system binaries
Limit Compiler and Fetch Utilities Access to Root Only
Installation of Process Resource Monitor
Correct permissions on select system directories
Installation of rootkit checking utility (rootkit Hunter and chkrootkit)
Removal of insecure packages and unnecessary software
Disable unused & potentially vulnerable services
Default system users removal
Implement increased logging functions
Harden system shared memory
Harden temporary system directories
Tune/harden the IP Stack via sysctl variables
Harden host.conf
Recursive DNS removal
Install SPRI and tune it for a LAMP install
Optimize and harden MySQL (I've already disabled networking, removed temp, changed the root password, etc.; I'm sure I missed something)
(insert important things I've missed here)
Gotchas:
I'm using the "custombuild" version of Apache for DirectAdmin, which means the php.ini (might be now, after Zend) and httpd.conf are not in their usual places compared to a plain-jane LAMP install (I did an updatedb earlier, so you can locate them).
Things I'm not too keen on:
SIM - it's OK, but way too chatty, and I have other programs that monitor individual service availability.
mod_evasive - too prone to false positives, especially in forum environments. Too often I've DoSed myself with it; even though it's only a 10-second ban, it's pretty annoying. I would not be amused to find this loaded.
Let me know if the above is workable and what the anticipated costs will be (e.g. for updating OpenSSL and OpenSSH, which will require a rebuild of custombuild in the DirectAdmin folder: /usr/local/directadmin/custombuild/build all d, at a minimum, after the OpenSSL upgrade). PM me if you feel you can do this. I'm not looking for the lowest price; I'm looking for someone who can do this right, do it the first time, do it without mucking everything up in the process, and hopefully complete it within a respectable timeframe. I'd prefer someone with heavy experience doing this and not someone looking to learn on the job. PayPal or a well-known escrow service required.
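As an added example (not from the original post, and not DirectAdmin's, APF's or any other listed tool's code), here is a small sh/awk script covering two items on the list: the sysctl IP-stack tuning, and the mount options on /tmp and /dev/shm from the "harden temporary system directories" and "harden system shared memory" items. The baseline sysctl values, the fstab lines and the sample "current" sysctl output are this example's own assumptions; the post names none. With no argument it audits the built-in sample, so it runs anywhere; run it with `live` as root on the box to audit the real `sysctl -a` output and `/etc/fstab`.

```sh
#!/bin/sh
# Added example, not code from the original post or from DirectAdmin/APF/etc.
# Audits two wishlist items: sysctl IP-stack tuning, and the mount options on
# /tmp and /dev/shm. The "hardened" values are this example's own baseline
# (assumption: the post names no specific values). Pure sh + awk; it reads
# constructed sample data unless invoked with "live".
set -e

# Baseline IP-stack settings, in the "key = value" form that sysctl -a prints.
# ip_forward = 0 assumes the host does not route (a single web server).
hardened_sysctl() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
EOF
}

# Constructed sample of a stock kernel's current values (not captured from a
# real host): syncookies off, forwarding on, most hardening keys absent.
sample_current_sysctl() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 1024
EOF
}

# audit_sysctl: read current "key = value" lines on stdin and print one
# "key current expected" line per baseline key that is missing or differs.
# Exit status 0 when everything matches, 1 otherwise.
audit_sysctl() {
    awk -v want="$(hardened_sysctl)" '
        BEGIN { n = split(want, lines, "\n") }
        {
            m = split($0, f, /[ \t]*=[ \t]*/)
            if (m == 2) have[f[1]] = f[2]
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                split(lines[i], f, /[ \t]*=[ \t]*/)
                key = f[1]; v = f[2]
                if (!(key in have))      { print key, "(unset)", v; bad++ }
                else if (have[key] != v) { print key, have[key], v; bad++ }
            }
            exit (bad ? 1 : 0)
        }'
}

# fstab lines this example recommends. The stock CentOS 5 /dev/shm line uses
# "defaults", which leaves shared memory executable; /tmp as its own tmpfs is
# one option when it is not a separate partition (a loop-mounted image or a
# real partition takes the same nodev,nosuid,noexec options).
hardened_tmp_fstab() {
    cat <<'EOF'
tmpfs  /dev/shm  tmpfs  nodev,nosuid,noexec            0 0
tmpfs  /tmp      tmpfs  nodev,nosuid,noexec,size=512m  0 0
EOF
}

# tmp_mount_ok OPTS: OPTS is the fourth fstab field (or the option list shown
# by "mount"). Succeeds only when nodev, nosuid and noexec are all present.
tmp_mount_ok() {
    opts=",$1,"
    for need in nodev nosuid noexec; do
        case "$opts" in
            *,"$need",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# "live" audits the real box (root needed for a complete sysctl -a);
# otherwise the constructed sample is audited so the script runs anywhere.
if [ "${1:-}" = "live" ]; then
    sysctl -a 2>/dev/null | audit_sysctl || echo "sysctl: fix the mismatches above"
    for mp in /tmp /dev/shm; do
        opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' /etc/fstab)
        tmp_mount_ok "$opts" || echo "$mp: needs nodev,nosuid,noexec in /etc/fstab"
    done
else
    sample_current_sysctl | audit_sysctl || echo "sample: mismatches listed above"
fi
```

Applying the baseline is a matter of appending hardened_sysctl's output to /etc/sysctl.conf and running sysctl -p; the fstab changes take effect on the next mount -o remount of each filesystem. Neither depends on the custombuild rebuild, so they can be done first.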