Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] RHEL 6 security hardening

On Fri, Mar 07, 2014 at 10:35:46AM -0500, John Malloy wrote:
> Does anyone have recommendations for RHEL 6 security hardening?
> I am building a new RHEL 6 server  and am using the tools from *cisecurity*
> .org
> CIS RHEL 6 Benchmark v1.2.0
> OCI8 is the bridge between PHP and our Oracle databases

Do you have a threat model? And do you know how much it will
cost you if you are successfully attacked?

Without those, you don't know how much time and money to spend
on security.

Are you building a special snowflake server? If there's ever
going to be two or more of them, I recommend starting with
Puppet or Chef or bcfg2 or any of the other automation tools
from the beginning.

And there's going to be a dev server, right? So that's two.

Next. Make sure the Oracle servers are firewalled off from the
app servers in every way except what is absolutely necessary.
The SQLNET protocol (1521) is unencrypted. If you pay for
Enterprise, you can use Advanced Security (TM) which encrypts
it, but you probably don't have a client-side implementation.

So, if you can, use a tunnel. SSH or SSL. Yes, inside your own

Next, consider running your PHP code behind a web-services
security proxy, Apache with mod_proxy and mod_security, or other
similar system.

Finally, destroy all your data when you're done with it. If you 
don't know when you're done with it, you have to figure that


BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /