Howdy Zopistas!

These days I came to the conclusion that I might need to investigate a bit on Linux as an alternative base for running Zope. So far I've been using OpenBSD which is a real timesaver when it comes to setting up a secure server which is my first priority over anything else.

What I'd like to know is: Which Linux distributions are you using for running Zope and how easy it was for you to maximize security of your server?

Ragnar
On Tue, 16 Jan 2001, Ragnar Beer wrote:
> Which Linux distributions are you using for running Zope and how easy

I use Zope on Debian GNU/Linux. But also I run it on Sparc Solaris. And on FreeBSD. I really do not care of OS until it is unix.

Debian 2.2r1
Solaris 2.5.1
FreeBSD 3.4-STABLE

> it was for you to maximize security of your server?

Never did something special to Zope. Just a normal sysadmin's tasks - create logins with passwords and domains/IP restrictions. Make regular backup...

Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
> Which Linux distributions are you using for running Zope and how easy it was for you to maximize security of your server?

Red Hat Linux 6.2 here. After a standard install, download and install latest release of SSH. Open '/etc/inetd.conf', comment out all services. Save and do a 'killall -HUP inetd'. Do 'ntsysv' and disable everything you are not going to use on that machine (typically sendmail, nfslock, identd, portmap etc.). Reboot after that.

That's what I do first. After that, get all the Red Hat updates from a nearby mirror. Install all, make sure you've got at least a 2.2.16 kernel. Rebooting is not gonna hurt, check what services are started as the machine boots.

Get Bastille Linux (http://www.bastille-linux.org) and lock down the box, leaving only 22 and 80 open to the outside world. Well, maybe not that extreme but you get the drift :)

Check '/etc/hosts.allow' and '/etc/hosts.deny' to make sure that only the absolute minimum of hosts is allowed access to the server. The latter should contain something like 'ALL: ALL'.

That catches most of the script kiddies. Still won't stop a real cracker though, for that you need more. Much more. Read the various docs, keep a tab on updates at Red Hat, SANS, Bugtraq etc. And remember, only the paranoid survive in network security :)

Other Linux distros are similar, but this is the one I know :)

HTH

Jonathan
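The checks described in the message above for '/etc/inetd.conf', '/etc/hosts.allow' and '/etc/hosts.deny' can be scripted. This is an added example, not part of the original thread; the function names and the sample file contents are constructed for illustration, and the file paths are passed as arguments so the audit can run against copies.

```shell
#!/bin/sh
# Added example: audit the files named in the message above. Paths are
# arguments, so the checks can run against copies of the real files.

# Services still enabled in an inetd.conf-style file (field 1 of every
# line that is neither blank nor commented out).
inetd_enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Succeeds only if hosts.deny carries an active catch-all "ALL: ALL" rule.
hosts_deny_is_default_deny() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*(:|$)' "$1"
}

# hosts.allow rules whose client list is the wildcard ALL; such a rule
# admits every host for that daemon and bypasses the default deny.
hosts_allow_wildcards() {
    awk -F: '!/^[ \t]*(#|$)/ { c = $2; gsub(/[ \t]/, "", c)
                               if (toupper(c) == "ALL") print }' "$1"
}

# audit <inetd.conf> <hosts.allow> <hosts.deny>: one line per finding.
audit() {
    inetd_enabled_services "$1" | sed 's/^/inetd service enabled: /'
    hosts_allow_wildcards "$2" | sed 's/^/hosts.allow wildcard: /'
    hosts_deny_is_default_deny "$3" || echo "hosts.deny lacks ALL: ALL"
}

# Constructed sample files (not taken from any real host).
write_sample() {
    printf '%s\n' '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' \
        '#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd' \
        > "$1/inetd.conf"
    printf '%s\n' '# admin workstation only' 'sshd: 192.0.2.10' \
        'in.ftpd: ALL' > "$1/hosts.allow"
    printf '%s\n' '# ALL: ALL' > "$1/hosts.deny"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit "$demo_dir/inetd.conf" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
rm -rf "$demo_dir"
```

On the constructed sample the audit reports the uncommented telnet entry, the wildcard rule in hosts.allow, and the commented-out default deny.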
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Jonathan (Listserv Account)
Sent: Tuesday, January 16, 2001 11:21 AM
To: Zope Mailinglist
Subject: RE: [Zope] Zope and Linux flavors

> > Which Linux distributions are you using for running Zope and how easy it was for you to maximize security of your server?
>
> Red Hat Linux 6.2 here. After a standard install, download and install latest release of SSH. Open '/etc/inetd.conf', comment out all services. Save and do a 'killall -HUP inetd'. Do 'ntsysv' and disable everything you are not going to use on that machine (typically sendmail, nfslock, identd, portmap etc.). Reboot after that.

Actually, I burn a CD with the latest updates on it. Including autorpm. Install autorpm, then use autorpm to upgrade everything from the CD. I do all of this BEFORE connecting to the net. I've had boxes rooted within 60 minutes of connecting to the net, before I started doing the above.
> Actually, I burn a CD with the latest updates on it. Including autorpm. Install autorpm, then use autorpm to upgrade everything from the CD.
> I do all of this BEFORE connecting to the net.
> I've had boxes rooted within 60 minutes of connecting to the net, before I started doing the above.

I know, had a similar nightmare. If that won't get you paranoid about security, nothing will. Gotta look into autorpm one of these days...

Back to Zope!

Cya

Jonathan
> Which Linux distributions are you using for running Zope and how easy it was for you to maximize security of your server?

We run a variety of RedHat 6.1, 6.2, and 7.0 and Debian 2.2, as well as Solaris. We apply all the latest updates, turn off services we don't use, and proxy Zope through Apache. We then block all but port 80 at the router. The servers are then firewalled off from the rest of the network.

Simon
--
--------- My opinions are my own, NIP's opinions are theirs ----------
Simon J. Coles Email: simon@nipltd.com
New Information Paradigms Work Phone: +44 1344 753703
http://www.nipltd.com/ Work Fax: +44 1344 753742
=============== Life is too precious to take seriously ===============
participants (5): Jonathan (Listserv Account), Oleg Broytmann, Ragnar Beer, Simon Coles, Steve Drees