
Re: ssh vulnerability in the wild



On Tue, Sep 16, 2003 at 11:59:34AM -0700, TongKe Xue wrote:
> Hello,

Hi,

>   On a slightly off topic note, I'm thinking about running an
> ftp/http/ssh server for personal use in college. What precautionary
> measures should I take, or rather can I take? From reading over the
> various Slashdot posts, I'm thinking that beyond
> 
>   (1) making sure the system isn't running any unnecessary servers
> (Debian seems pretty good in this by default)
>   (2) making sure all software is up to date
>      and
>   (3) since it's a college campus, possibly being able to ask
> technical support for the subnet (correct word?) of all campus IP
> addresses, and only allowing access from IP addresses on that subnet
> 
>  beyond all of that, there really isn't much that I can do is there?

Well, like everything else it depends on how much time you want to spend
on security.

Is it an anonymous-only ftp? If not, encrypt the traffic to protect the
usernames and passwords.

Are you the only one that's going to connect with ssh? If not, consider
chroot()ing the other accounts.

Public webserver? If not, only allow certain addresses and use SSL/TLS
if needed.

Also consider building a custom kernel with, for example, PaX.  Grsecurity 
(www.grsecurity.org) is a good kernel patch with PaX and a simple ACL
among other things.

If you're building your own packages, consider using the SSP
(http://www.research.ibm.com/trl/projects/security/ssp/) patch for GCC.

/Thomas
-- 
== thomas@northernsecurity.net | thomas@se.linux.org
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--
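Added example, not from Thomas's mail or from any of the projects he names: a small Python audit script for two of the measures discussed above. It parses `netstat -tln`-style output and reports every network-reachable TCP listener that is not one of the services the host is supposed to offer (measure 1), and it renders tcp_wrappers `/etc/hosts.allow` and `/etc/hosts.deny` lines that limit the remaining daemons to the campus subnet (measure 3). The netstat sample, the expected-port table and the subnet values are constructed placeholders, not data from the thread.

```python
"""Audit helpers for a small personal ftp/http/ssh host (added example)."""
import ipaddress
import re

# Services the host is meant to expose (port -> name); any other listener
# reachable from the network is flagged for review. Assumed values.
EXPECTED_PORTS = {21: "ftp", 22: "ssh", 80: "http"}

# Constructed sample of `netstat -tln` output; not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# One netstat row: proto, recv-q, send-q, "addr:port", foreign, LISTEN
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.MULTILINE
)


def listening_ports(netstat_text):
    """Return the set of (bind address, port) for every TCP listener."""
    return {(m.group(1), int(m.group(2))) for m in LISTEN_RE.finditer(netstat_text)}


def unexpected_listeners(netstat_text, expected=EXPECTED_PORTS):
    """Listeners reachable from the network that are not in the expected set.

    Loopback-only listeners (e.g. a local MTA on 127.0.0.1:25) are ignored,
    since they are not exposed to the campus network.
    """
    return sorted(
        (addr, port)
        for addr, port in listening_ports(netstat_text)
        if port not in expected and not ipaddress.ip_address(addr).is_loopback
    )


def campus_networks(cidrs):
    """Parse the subnet strings obtained from campus IT into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def allowed(client_ip, nets):
    """True if client_ip falls inside one of the allowed campus subnets."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def wrapper_rules(daemons, nets):
    """Render tcp_wrappers rules: each daemon allowed from the subnets only,
    everything else denied. Uses the net/mask form that all libwrap
    versions accept, e.g. 10.0.0.0/255.0.0.0."""
    masked = " ".join(f"{n.network_address}/{n.netmask}" for n in nets)
    return {
        "hosts.allow": [f"{d}: {masked}" for d in daemons],
        "hosts.deny": ["ALL: ALL"],
    }


if __name__ == "__main__":
    print("Unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT))
    nets = campus_networks(["10.0.0.0/8", "192.168.1.0/24"])  # placeholders
    for fname, lines in wrapper_rules(["sshd", "in.ftpd"], nets).items():
        print(f"--- /etc/{fname}")
        print("\n".join(lines))
```

On the constructed sample the script flags the portmapper on port 111 and leaves the loopback-only port 25 alone. The generated lines only take effect for daemons that consult libwrap (sshd on Debian of that era did; OpenSSH dropped tcp_wrappers support in 6.7, so on a current system enforce the same subnet restriction with a firewall rule or an sshd `Match Address` block instead).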
