Re: FN-FORUM: secure sites, encryption etc
date posted 3rd August 2004 18:49
On Tuesday 03 Aug 2004 2:15 pm, nick b wrote:
> nick b wrote:
> > anyone done much work on secure websites - that hold sensitive
> > information? eg government / health / financial / military. I'm
I sysadmin one that handles credit card details - and that's good enough
reason to take security very seriously. No way would I call myself an expert,
but I'll share what I can.
> > looking for a few pointers / tips on best practices, what can be done
> > to lock down and encrypt at a file / database level, probably on a php
> > & *nix shared or dedicated server environment.
Shared? Secure? Not in the same sentence, or even paragraph, please.
> anyone? please? or perhaps some good books to read about server
> security, file / db encryption - that kind of stuff...
The basic server checklist is to install a firewall, only open up ports that
you absolutely need, and only turn on the services that you absolutely
need. Then keep all the stuff that you are running patched and up to
date. Don't run BIND if you can possibly help it. Your minimal list of
open ports / services is 22 (for SSH), 80 and 443. Use SSH version
2, disallow root login, only allow one username to SSH in, use secure
passwords that you keep rotating. Never login from anything but a
system that you keep as secure as the server itself. (That means
never ever logging in from a mate's Windows box).
Oh, and consider using OpenBSD.
That should be enough for the list's sysadmins to start pointing out
where I'm wrong...
comp.risks is good reading. www.catless.ncl.ac.uk has an archive.
It's often said that the best way to prevent hacking is to understand how
it's done. "Hack Attacks Revealed" & "Hacking Linux Exposed" are books that
come recommended although I've not read either.
Have you got a specific problem or are you just doing research out of
interest?
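As an added example (not part of the original post), here is a small POSIX shell audit of the three SSH settings the reply recommends: protocol 2 only, no root login, and exactly one username allowed in. The sshd_config it reads is constructed inline; `get_directive` and `check_sshd_config` are names chosen for this example, and the script assumes `grep`, `awk` and `mktemp` are available. Note that OpenSSH 7.4 and later speak only protocol 2, so on such servers the `Protocol` line is simply absent.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings recommended above.
# The config below is constructed for this demonstration.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config
Port 22
Protocol 2
PermitRootLogin no
AllowUsers deploy
PasswordAuthentication yes
EOF

# get_directive FILE KEYWORD: print the value of the first uncommented
# occurrence of KEYWORD (sshd applies the first one it sees, not the last).
get_directive() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_sshd_config FILE: print one line per finding; return 0 only if clean.
check_sshd_config() {
    cfg="$1"
    rc=0
    proto=$(get_directive "$cfg" Protocol)
    [ "$proto" = "2" ] || {
        echo "Protocol should be 2 (found '${proto:-unset}')"; rc=1; }
    root=$(get_directive "$cfg" PermitRootLogin)
    [ "$root" = "no" ] || {
        echo "PermitRootLogin should be no (found '${root:-unset}')"; rc=1; }
    # number of names on the first AllowUsers line; the post wants exactly one
    users=$(grep -i "^[[:space:]]*AllowUsers[[:space:]]" "$cfg" \
            | head -n 1 | awk '{print NF-1}')
    [ "${users:-0}" -eq 1 ] || {
        echo "AllowUsers should list exactly one user (found ${users:-0})"; rc=1; }
    return $rc
}

check_sshd_config "$SAMPLE_CONFIG" && echo "sample config passes"
```

Point `check_sshd_config` at `/etc/ssh/sshd_config` to audit a live server; a non-zero exit means at least one finding was printed.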