Also, if I would configure Samba 4 as a domain controller with active directory admin pack installed for a single domain. Hi, can you explain a bit how the mileage would get affected, I mean symptoms from which I can identify lagging issues? Is it worth it?
This can be avoided by creating symbolic links in place of the configuration files, which authconfig recognizes and does not overwrite. D/password-auth configurations immutable so that they don’t get overwritten when authconfig is run”
But as per Red Hat’s hardening guide we should create symbolic links:
When modifying authentication configuration using the authconfig utility, the system-auth and password-auth files are overwritten with the settings from the authconfig utility. Hi Tomas, I saw the following:
If you’re using lighttpd, look for mod_security like rules. If you can, set up public-key auth for all SSH related crap. Most of these tips are pretty much ubiquitous. Prevent it before it occurs. Those found outside of hacker dictionaries), and mod_security or something similar for your webserver are truly key. When confronted with a Linux/UNIX machine, hackers will first try to penetrate among common username/passwords and scan for vulnerabilities in common web applications.
The “metamhd” service can be disabled but this means you cannot share metadevices between systems. Run Disksuite but stop the associated RPC services (in /etc/inetd.conf) and stop rpcbind: The “metad” service can be disabled but this means the “metatool” will not work. Hardware RAID systems have the advantage that no special software like Disksuite is needed. Command line tools will work fine — and you should know them in any case for disaster scenarios with system disks. How can Disksuite security be improved? See also the section Boot disk backup. This is my often choice. This is better for secure systems (simplicity) and in disaster scenarios you may find Disksuite isn’t all that easy to handle. For system disks (where data does not change often), I’ve written a script for backing up boot disks with cpio.
Server-side as Varnish or Redis, but you have to configure the purge policy. I highly recommend using a cache system. Front-side (a caching plugin) as WP Rocket (disclaimer: I’m the cofounder), and mounting the cache folder directly on the RAM. With Varnish you can manage ESI (Edge Side Include) for partial caching.
I would suggest that instead of telling users to disable IPv6, let’s start learning about it, creating tools to deal with it and get our hands dirty using it. I’ve seen this advice all over the internet, and it will very soon be not such a good idea. Excellent article, however with the need for IPv6 fast approaching, telling users to disable it is like telling us to bury our heads in the sand.
You must protect Linux servers’ physical console access. Set BIOS and grub boot loader passwords to protect these settings. Configure the BIOS and disable booting from external devices such as DVDs / CDs / USB pen. All production boxes must be locked in IDCs (Internet Data Centers) and all persons must pass some sort of security checks before accessing your server.
I can guarantee that a large majority of production servers are running software without these features compiled in. Where this becomes much more relevant, however, is when you are actively running server software or services that have not been compiled with the latest kernel hardening features. Setting kernel flags becomes a MOOT POINT if the software itself has not been compiled to USE THEM. This often means compiling and installing software from a more security-wise, or up-to-date, repository. Sometimes it means recompiling the software on your own.
I later realised that my WordPress sites were getting whacked via the login path. Today I had a lot of hacking on my VPS server and I couldn’t access any of the sites. Anyway, I had to go in and kill Apache via SSH and had to switch it off for 12 hours until the hacking went away. Hey, thanks for writing up an article on securing server.
The idea is to create an autonomous system and security blanket that detects emerging threats, responds to events in real time, and alerts system administrators based on policy and threshold. In fact, it should lessen any noise generated by a constant barrage of botnets and rogue hosts (that which constantly probe any system). The ideal IDS is a combination of a generic firewall policy, file integrity checksum database software, brute force detection software, web and application firewall software, and automatic log file analysis software. This system should be able to manipulate the firewall to respond to immediate threats. And once this system is tuned for a specific use case scenario, it should generate almost NO “noise” for the system administrator. IDS software essentially takes the place of all those people who used to monitor forensic logging components. Combined with remote logging, this can be done with fairly low overhead, and can be maintained with fairly low overhead. #3 Intrusion Detection or Prevention Software is of CRITICAL importance. To claim that these things add to the “noise” is just an excuse, and laziness, on the side of the system administrator.
And so many administrators are working in dual modes (Linux and UNIX). Really these are very excellent sessions. So, if you send an article based on Linux and UNIX (Solaris) then so many administrators feel much better. Really I am so happy and we are improving our confidential levels by following your articles. Because nowadays, both UNIX and Linux are growing popular across the world. Hi Sir, I am a fan of your article. One small request: why don’t you keep an article on Solaris server issues? We never get this from any other books.
Install the end user bundle (or even better only the core packages which take only 110MB), set hostname, terminal, IP parameters, timezone, etc. Don’t enable any naming services like NIS or NFS. Don’t enable power management, or mount any remote file systems (NFS).