On 08/08/2010 09:34 PM, Jim Tarvid wrote:
> The point is passing Credit Card compliance tests. OOB, Ubuntu doesn't do so
> well. Spent the last two weeks getting through the process. I'll write it up
> in some detail but the key points were:
>
> - ciphers
> - protocols
> - ip separation
> - NameVirtualHosts
> - no default directory paths
> - modsecurity
> - TRACE - took rewrite rules to get rid of it
> - server isolation (smtp, pop, imap, dns, ntp)
> - utility isolation (phpmyadmin, phpinfo, cacti, webmin)
> - secure ftp
>
Jim, I advise you to check out puppet. I can't even begin to explain the amount
of time I have saved by encapsulating all of this in puppet modules.

>
>> I do not really see the point. Since the client and the server will
>> negotiate the strongest cipher they both support, what exactly would we
>> gain by removing ciphers considered weak?
>>
>> --
>> Etienne Goyer
>> Technical Account Manager - Canonical Ltd
>> Ubuntu Certified Instructor - LPIC-3

Etienne: Right, but it's actually for the security of your users. If the server
says no to all weak ciphers, a weak client can't connect. It's effectively
saving your users from shooting themselves in the foot by getting MitM'd or
something. And, as Jim has said, you need it to pass PCI.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
L'ennui est contre-révolutionnaire

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
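The ciphers, protocols, TRACE and NameVirtualHost items from Jim's list, written out as Apache 2.2-era directives so the "before" and "after" sit side by side. This is an added illustration, not configuration posted by anyone in the thread: the permissive "before" values are constructed for contrast and are not a claim about what Ubuntu actually shipped, and the cipher string is one reasonable choice rather than a PCI-mandated list.

```apache
# --- Before: a permissive setup of the kind a PCI scan flags (constructed) ---
#
#   SSLProtocol all            # still offers SSLv2
#   SSLCipherSuite ALL         # export-grade, NULL and anonymous-DH suites allowed
#   TraceEnable On             # Apache's compiled-in default
#
# The server is not "less secure" for a good client here; it is the weak
# client that gets to negotiate a weak suite, which is Joe's point above.

# --- After: refuse the weak options at the server ---
<IfModule mod_ssl.c>
    # Offer TLS only. SSLv2 is what the 2010 scans complained about;
    # SSLv3 is added to the list because it is also considered broken now.
    SSLProtocol all -SSLv2 -SSLv3

    # Start from the OpenSSL HIGH alias, then remove anonymous DH (aNULL),
    # no-encryption (eNULL), export-grade, single/triple DES, RC4 and MD5 MACs.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5

    # Let the server's preference order win over the client's, so the
    # strongest suite in the intersection is the one actually used.
    SSLHonorCipherOrder on
</IfModule>

# HTTP TRACE. Jim used rewrite rules; since Apache 2.0.55 / 2.2 the core
# directive below does the same in one line and covers every vhost.
TraceEnable off

# The rewrite-rule form Jim mentions, for an Apache without TraceEnable.
# It must be repeated in each vhost that has its own rewrite context.
#
#   RewriteEngine on
#   RewriteCond %{REQUEST_METHOD} ^TRACE
#   RewriteRule .* - [F]

# Name-based virtual hosting on both ports, so the first vhost defined is the
# only thing answering for a bare IP or an unknown Host header. Make that
# first vhost a deliberate placeholder rather than a real application.
NameVirtualHost *:80
NameVirtualHost *:443
```

After restarting Apache, the scan's cipher and protocol findings can be re-checked from another host with `openssl s_client -connect host:443 -ssl2` (expect a handshake failure) and with `curl -X TRACE https://host/` (expect 403 or 405 rather than an echo of the request).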