Domino on Linux series: Server Hardening tips #1


Another quick tip for those out there that are still new to Linux – server hardening. Server hardening is an important part of putting your new Linux server into production, you can’t just set up a server, install Domino and then “just put it out there” – you need to do some more basic security first.

Here some tips:

Don’t use [root]

Do not use the root account for any normal work – create an admin user and use that account for your daily work. You can assign sudo rights and get all work done that you need done. I suggest to disable the root account – that is the safest solution.

Run only necessary software:

Every piece of software that is running and that you do not really need consumes system resources and also presents a potential security hole.  I always advise to strip off all unnecessary weight:

Red Hat:

yum list installed
yum list [packageName]
yum remove [packageName]

Debian:

dpkg --list
dpkg --info [packageName]
apt-get remove [packageName]

Linux Security Extensions:

I advise to use either SELinux or Apparmor. grsecurity is another program that is out there.  Personally I usually use SELinux and it comes installed default on Red Hat. With either of these programs you can set up some very good security that will help keep your server(s) safe. Seriously – you need to install one of these products and turn it on.

Password Policies and Password Aging

If yo are used to Active Directory and all the built-in password policies, then this is not a new issue.rules with minimum password length, special characters, restricting the use of previous passwords, lock-outs of accounts after multiple false log-ins, etc. .. you must have heard it all already.

You can use pam_cracklib.so to enforce password policies. Use programs such as [Jack the Ripper] to crack weak passwords.Alternatively you can look into adding your Linux servers (and Desktops if you have any) to AD and use the accounts there for authentication. I plan to blog no that specific feature sometime in the near future.

More on further ideas for server hardening will follow soon.

Advertisements

7 thoughts on “Domino on Linux series: Server Hardening tips #1

    • The problem is actually more with the java based installer and I turn off SELinux when I install Domino but I do turn it back on later. Also, up until Lotus Noptes 8.5.1 you could run into problems and had to change the bahavior of SELinux when it sdeals with the notes2 executable .. since 8.5.2 it is now fully supported.

      It looks like I have another blog post in the works in the future … SELinux is a great program but it does require some real forethought and a good set of expectations. I must admit I have not yet tried it with a 8.5.2 server that has Traveler turned on … so I guess I will be doing some testing and blog about it. In the meantime below is a great post by John Little on how to work on SELinux, it is from 2008 but the basics are spot-on.

      Like

    • Maybe next time around, I just don’t have the time to whip up anything right now and I don’t have a previously written bunny-rabbit-article to just pull out of my magical top hat … 😀 but when we have the next meet, by all means, I’ll be more than happy to present something on Linux

      Like

    • Adding to my list … I was thinking along those lines but I myself have not used Hexten.net much yet so I will have to look into it and figure it out. Thanks for reading my blog and contributing!

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s