What do servers need?

[iago]

I'm working on rebuilding my servers right now. I've done a stripped down install of Slackware 12.1. Right now, I'm working on setting up the base image that I'll copy to make the other images.

Besides default software/services (hard to provide a list..), I've installed:
- hping3 (troubleshooting)
- nmap (troubleshooting)
- vmware tools
- automatic time updating
- back up tools/accounts

Any other ideas for things that are required across the board? I want to get this set up right before I finalize it.

[Joe]

Lamp?

[iago]

Linux is obvoius.

Only the Web server needs Apache/PHP

Only the database server needs MySQL

[rabbit]

cron?  Also, don't forget ssh for the database and site servers, and FTP on the website server.  You also can't forget about RCRS (or can you?)  Maybe ident too, though I'm not sure.

[iago]

ssh is there, that's a default. I don't (and won't) use FTP, so that's a non issue.

RCRS, I'm not worried about.

What good is ident? I've never installed that, but I wouldn't be opposed to it if it could be useful.

[Sidoh]

I know you're trying to keep this lightweight, but it seems uses for quick perl scripts pop up in tons of situations.  If you think this might be the case, I'd install CPAN on all of your servers.

I'd be shocked if Slackware didn't come with the Python stuff, but you'd want that too.

I'd also look into something that monitors and takes action on failed login attempts via SSH.  I have a python program running on my server that watches for failed login attempts in the log files and blocks IP addresses after they fail some number of times (I think it's 7 by default).  It also removes the blocks after a set amount of time.

There's another cool concept called "graylisting" where you block every attempt to connect via SSH the first time, and allow all other attempts through.  This makes most brute force bots give up.

I'm pretty sure you already know about those things, but I figured I'd throw them out there since they seem pseudo-important from a security standpoint.

[iago]

I know you're trying to keep this lightweight, but it seems uses for quick perl scripts pop up in tons of situations.  If you think this might be the case, I'd install CPAN on all of your servers.

Came with Slackware

I'd be shocked if Slackware didn't come with the Python stuff, but you'd want that too.

Ditto, I installed all the dev tools.

I'd also look into something that monitors and takes action on failed login attempts via SSH.  I have a python program running on my server that watches for failed login attempts in the log files and blocks IP addresses after they fail some number of times (I think it's 7 by default).  It also removes the blocks after a set amount of time.

Not a bad idea, I thought about doing that before, but hadn't gotten around to it.

There's another cool concept called "graylisting" where you block every attempt to connect via SSH the first time, and allow all other attempts through.  This makes most brute force bots give up.

Obscurity. It only works till lots of people do it.

I'm pretty sure you already know about those things, but I figured I'd throw them out there since they seem pseudo-important from a security standpoint.

Heh, yeah.

Speaking of security, I was thinking of putting traffic monitoring software on each server, and pulling the stats back to one server (possibly the backup server). Not sure if I'm going to bother, though.

[Newby]

Some sort of data encryption on the hard-disk? I dunno. I'd say NetHack but you couldn't take me seriously.

[Sidoh]

Obscurity. It only works till lots of people do it.

Obviously, but as long as you don't rely on it, I don't see the harm in exploiting it.

[iago]

I'm not sure that hard disk encryption would buy me anything on a vmware image. The only real attack avenue is somebody hacking the server, encryption wouldn't help much if they had physical access (could just pause/resume vmware images).

Here is the list of things so far:
- iptables with default deny all (I'm already firewalling at the router, but an extra layer couldn't hurt)
- ntop (traffic monitoring), if it works (wouldn't really work for me before)
- a way to update software (I'm thinking a folder that they'll install packages from if it's filled.. maybe require the packages to be signed by me? We'll see)
- deny hosts (ban ssh brute forcers)
- locked down root account (can't log in remotely as root, will make a different default account)
- nightly portscans scheduled, from the trusted zone, so I can see when services change
- empty /usr/local and /home folders, ready to have separate drives mounted

Other suggestions are good, I'm probably going to build this image this weekend.

[Chavo]

rsync is nice if you have a good place to put the backups

[while1]

Let's see.  I don't see any porn on your list.  No server can live without porn!  It serves you, but do you service it?

[Warrior]

a server most of all requires tender love and care, someone to hug him when he's feeling blue..perhaps an occasional bedtime story.
when he's running a fever be sure to keep him nice and cool, he's forgetful so make backups of his data regularly

at times he may become frustrated with the amount of load he's put under, dont be mad at him he's trying his best.

[mynameistmp]

I always used to install svn. I'd host one server on my LAN, and then install the client on all other machines I frequented. I used to have 4 or 5 machines that I'd switch between, so it eliminated redundancies. I would log in to desktop A as tmp, hack around for an hour or two on a variety of different things. Then I'd commit to the server repository and log out. svn would automatically tabulate all of the files modified during the session and store them for me. I could leave for lunch, log in via laptop from the restaurant, check a copy of my home directory out, and be exactly where I left off; down to the wall paper and xmms volume. Rinse, repeat. I was always surprised how few people it seemed exploited this functionality.

Another is vtund, but depending on which version of the kernel you selected you may not have the necessary module.

[iago]

Good call at svn, I meant to make sure that was installed. It came by default, but it won't run because I'm missing libldap. Will take care of that!

vtund doesn't sound like something I need, at least for this.