Lets say we have centos 5.6 setup and virtualmin on it. thats all. What type of security steps are u suggesting?
this page have a good summary of checklists i think. which steps on these are required to do? or do you have better suggestions rather then those security hardenings:
Complete list of technical services:
APF – Configure both ingress and egress firewall protection. BFD – Detect and prevent brute force attacks. CPHulk – Detect and prevent brute force attacks.
Spam Prevention and Anti-Virus Protection:
ClamAV – Configure for e-mail scanning. Enable auto-updating anti-virus definitions. Realtime Blackhole Lists (RBLs) – Configure email server with RBLs to prevent spam. Harden Mailserver Configuration – Prevent against detection of valid e-mail address through brute-force attacks. Also enable HELO verification and other sanity checks. Dictionary Attack Protection – Prevent spammers guessing email addresses on your server. Checksum-based Collaborative Filtering – DCC and Razor to detect mass-mails. OCR Technology – Optical Character Recognition engine to detect spam in email as images and PDF files. Custom rulesets – Custom hand-selected SpamAssassin and ClamAV rulesets to increase spam detection.
HTTP Intrusion and DOS Protection:
Mod_security – Install and configure mod_security for Apache with auto-updating ruleset. Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache. PHP SuHosin – PHP Hardening through the Hardened PHP Project. Available on request.
Disable IP Source Routing – Enable protection against IP source route attacks. Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks. Enable syncookie protection – Enable protection against TCP Syn Flood attacks. Enable ICMP rate-limiting – Enable protection against ICMP flood attacks. Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks. Harden Apache – Prevent module and version disclosure information. Harden SSH – Allow only SSH version 2 connections. Harden Named – Enable protection against DNS recursion attacks. Ensure Filesystem Permissions – Fix permission on world writable directories and prevent against directory-transversal attacks. Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts. Harden “fetching” utilities - Allows root-only access of wget, curl, and other utilties often used in web-based attacks. Remove unnecessary packages – removes RPMS which are not needed to prevent against potential vulnerabilities and free up disk space. Disable unused services – Disable services which are not used. Disable unneeded processes – Disable processes which are not needed for server operation. PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhausting through fork bombs and other shell attacks. PHP Hardening – Enable OpenBaseDir protection.
Optimize TCP/IP stack – Various changes to TCP/IP stack to increase buffers and optimize for server environment. PHP Configuration – Enables widely used PHP modules for maximum compatibility. MySQL Optimization – Optimizes MySQL performance for server configuration and enable query caching. PHP Caching – Optimizes PHP performance through EAccelerator script caching. FFMPEG and related software support – FFMPEG, Mencoder, flvtool2, and all related applications. Graphic Applications – Installs widely-used graphic applications NetPBM and ImageMagick. Monitoring Applications – Installs MyTOP, Iptraf, and Iftop utilities to easily monitor server performance.
Rootkit Hunter – Nightly scan to detect system intrusions. Chkrootkit – Nightly scan to detect system intrusions. Nobody Process Scanner – Scans for unauthorized "nobody" processes.