Question for security management and overhead and concerns

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at baesystems.com
Tue Jun 6 13:14:25 UTC 2006


Hi -

If you can avoid it, don't put the machine directly on the Internet.  Ideally,  use a combination of a router and firewall to create a DMZ.  The only traffic allowed into the DMZ should be the traffic you want.  By using separate layers of defense, you're protecting yourself from any single layer failing.


> I am inclined to turn-off ssh/ftp access.

Definitely turn off FTP, telnet, and any other "plain-text" protocols.  SSH can be locked down by username, source IP, etc... several good articles have been published in Linux Journal lately.  Unless you have easy access to the physical machine, you'll want some sort of access.

> 1. any good security management software tools ?

Use an intrusion detection system to analyse traffic. Snort and BASE are the de facto open-source leaders in this space.  Tune the ruleset to the rules specific to the services you're running.

Scan your own system with Nmap and Nessus.  The hackers will be doing this, so you might as well do it too.  Definitely do it before you go online, and then on a regular basis, and after any major upgrades. 

> 2. other concerns by owning a server in public domain beside security

Depending on what type of data you're storing, you may have regulatory issues. Audit trails and regular backups are critical. Consider using some sort of RAID to protect against disk failures, and UPS/Generator to protect against power failures.

> 3. how many hours per day sys admin should expect to spend to
> manage such a machine

Hard to say... You can reduce the time needed by only reporting stuff you really care about.  For example... I have UNIX servers, no need for my IDS to report attacks focused on Microsoft servers.  Log everything, but create filters when you review the data.

> 4. any web resources to manage such a machine

Be careful with any web-based management tools... Make sure that they use HTTPS, and are restricted both by username/password and source IP (at a minimum).
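An added example (not part of the original post) of the "log everything, filter at review time" approach from point 3: every alert stays on disk, and a UNIX-only admin just decides which Snort rule families and priorities to read first. The alert lines, rule names and the ignored prefixes are constructed samples in Snort's fast-alert line format, not real IDS output.

```python
import re
from dataclasses import dataclass

# Snort "alert_fast" layout, one alert per line:
#   ts  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    cls: str
    prio: int      # Snort priority: 1 = high, 2 = medium, 3 = low
    proto: str
    src: str
    dst: str

def parse_alert(line):
    """Parse one fast-alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"] or "",
                 int(m["prio"]), m["proto"], m["src"], m["dst"])

# Assumption: rule-name prefixes for Windows-side services this UNIX box does not run.
# Nothing is dropped from the log; these are only skipped when reviewing.
IGNORED_PREFIXES = ("WEB-IIS", "NETBIOS", "MS-SQL")

def alerts_to_review(lines, max_priority=2, ignored_prefixes=IGNORED_PREFIXES):
    """Return the alerts worth a human's time: not an ignored family, priority <= max."""
    keep = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a.msg.startswith(ignored_prefixes) or a.prio > max_priority:
            continue
        keep.append(a)
    return keep

# Constructed sample log (RFC 5737 addresses, made-up sids and messages).
SAMPLE_LOG = """\
06/06-13:14:25.100000  [**] [1:900001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4321 -> 192.0.2.10:80
06/06-13:14:26.200000  [**] [1:900002:1] MS-SQL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 192.0.2.10:1434
06/06-13:14:27.300000  [**] [1:900003:1] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:4322
06/06-13:14:28.400000  [**] [1:900004:1] SSH brute force login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51000 -> 192.0.2.10:22
06/06-13:14:29.500000  [**] [1:900005:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

if __name__ == "__main__":
    for a in alerts_to_review(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} prio={a.prio} sid={a.sid} {a.src} -> {a.dst}: {a.msg}")
```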


