I think that I would disagree with you.  The things you mention are good, but I would 
do some other things first.  With security, I have often found that it pays to state 
the obvious because something simple that is overlooked can be fatal.  In security, 
what you don't know can kill you.  At the risk of stating the obvious, here goes. 

The very first thing to do is to uninstall anything you don't actually need.  This 
should be done before the machine is actually put on the live network.  Many things 
that install by default on many of the Linux distros (like X-windows, text editor, 
update features, games, etc.) have their own root exploits.  It's best to remove them 
before you even put the server behind a firewall.  I HIGHLY recommend stripping every 
server that's going to be in a DMZ down to the absolute bone.  If it isn't running, it 
isn't a risk - not to mention that it's less work for you because it's less software for 
you to keep up with.
 
The next thing to do is to make sure that you have all your kernel patches, service 
patches (sendmail, apache, etc.) in place.  This simple step will go a long way to 
hardening your box.  

Third, before placing the machine in the DMZ, we always uninstall all the text editors 
(VI, EMACS, etc.).  This way even if the box is hacked, they have a LOT of work in 
front of them to actually DO anything to it. (Can you imagine having to run "ed" on 
the httpd.conf or html pages?)  We also uninstall any compilers and browsers as well 
(gcc, lynx, etc.).  

Fourth, learn to use chroot and sudo.  They are your friends. As is encryption.  
Encrypt everything you can.  Never use any protocol that sends passwords in clear text 
(ftp or telnet).  Make your users use SSH and SCP.  It isn't difficult and the free 
clients are out there even for windows boxes.

Fifth, run a SAINT scan on your server yourself before you turn it out to fend for 
itself.  You can be sure that the hacker will be doing this.  Make sure that you 
understand what ports are open and why they are open.  Close up everything you can.  
DO NOT depend on your firewall.  

Sixth, RUN TRIPWIRE, do logging and perform due diligence on those logs.  There is an 
excellent book from SANS about Intrusion Detection Signatures.  Using the information 
in this book, it should be a relatively simple task to write some log scripts that wash 
the logs and look for these signatures.  

Seventh, have a response plan in place.  I have witnessed much scrambling because 
"Ohmigod, we've been hacked....WHAT DO WE DO NOW?"  Develop a sane and reasonable plan 
to deal with the incident.  Trying to prevent being hacked is one thing, but dealing with 
the aftermath is another issue entirely.  I have seen many companies that had good up 
front policies in place that totally lacked anything on the backend.

HTH,

Jimi
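The fifth point above (know which ports are open and why, and close the rest) as a shell script added here; it is not from Jimi's post. It assumes the column layout of `ss -H -tulpn`, a constructed socket table standing in for that command's output, and an allowlist of two ports chosen as an assumption for a DMZ web host.

```shell
#!/bin/sh
# Added example (not from the original post): list every listening socket that
# is NOT on an allowlist of ports you deliberately chose to expose, so each one
# can be explained or closed. The socket table is constructed sample input in
# the column layout of `ss -H -tulpn`; on a live host, feed that command's
# output to unexpected_listeners instead of SAMPLE_SOCKETS.

SAMPLE_SOCKETS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=742,fd=4))
tcp LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=799,fd=5))
tcp LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=803,fd=3))
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=402,fd=6))'

# Allowlist (assumed for a DMZ web host): "proto port reason" per line. The
# reason is documentation for the next admin; only proto and port are matched.
ALLOWLIST='tcp 22 ssh/scp for admin access and file transfer
tcp 80 public web server'

# unexpected_listeners SOCKET_TABLE ALLOWLIST
# Prints "proto port process" for each listener missing from the allowlist.
unexpected_listeners() {
    allow_file=$(mktemp) || return 1
    printf '%s\n' "$2" > "$allow_file"
    printf '%s\n' "$1" | awk '
        # First input (the allowlist): remember each "proto port" pair.
        NR == FNR { ok[$1 " " $2] = 1; next }
        # Second input (socket table): field 5 is Local Address:Port.
        {
            proto = $1
            port = $5; sub(/.*:/, "", port)
            proc = $NF
            if (match(proc, /"[^"]+"/)) proc = substr(proc, RSTART + 1, RLENGTH - 2)
            if (!((proto " " port) in ok)) print proto, port, proc
        }' "$allow_file" -
    rm -f "$allow_file"
}

# Every line printed here is a service to justify in the allowlist or remove.
unexpected_listeners "$SAMPLE_SOCKETS" "$ALLOWLIST"
```

With the sample table this reports telnet, ftp and rpcbind, i.e. exactly the clear-text and unneeded services the post says to get rid of.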
