newbie seeking advice on securing web server...


marvc
03-24-2003, 02:07 AM
OK...I've finally got my new RH 7.3 server installed and RAIDed like I think I want. As I'm in the process of making this my first self-hosted web server I'd like to know how best to configure security on this box? This server will serve as a web server, ftp server, mail server, gallery, and prolly an MP3 server. I plan on installing PostNuke and managing everything from there. This server sits on a DSL/w2k network but will not be accessed by any w2k boxes. I have a separate laptop running RH 8.0 that I plan on using for file sharing and firewall access to this box and the network.
I'm rambling, but please follow me. I'm trying to be thorough.

So with that said what is the best method of linux security that I should implement on this box? Anyone have any steps or processes they follow for properly securing their hosted servers? Anyone care to recommend any good tools I should download and install before I start configuring apache? I've viewed the threads listed on the 3 pages in this forum, security, but I wanna ask this question anyway as I'm hoping it'll spawn some new questions or thought processes.
Please bear in mind that I am new to linux, especially security, so any responses are greatly appreciated.

chrism01
03-24-2003, 07:56 AM
Well, as you say, a good firewall is a good idea. Put one on the webserver so it only accepts connections for services it offers, i.e. every machine should run a firewall; defence in depth.
Also, if you really want to tighten it up, see this link:
www.bastille-linux.org/
hardening scripts for linux that tell you what they do and I believe they are in perl, so you get the src. Good reputation.
Read up on dir perms/ownerships; I'm sure www.apache.org will have some good info/links.

marvc
03-24-2003, 07:32 PM
hmm I was wondering whether it was necessary to configure a firewall on this server. Thanks for answering that.
Question: what type of firewall should I consider for this task? Should I look for something like Smoothwall or Astaro, or should I be looking at something like firewall builder or firestarter? Or are they all the same? I don't want something that's going to need to be built from scratch or anything that's going to require a great deal of customizing. I simply want to ensure that users who access my site don't have the ability to access other parts of my server. Can anyone also recommend a firewall utility that will allow me to install a client portion onto a laptop or desktop as well as the server and authenticate at the firewall on the server, similar to Mandrake? This is simply a web server.

chrism01
03-25-2003, 05:59 PM
Hmm, well to be honest, I DO build my f/w from scratch, so I can't really recommend one, although a mate of mine (kedman on JL) uses Smoothwall and he seems fairly happy with that.
As for your 'client' qn, I'd say that if it's a linux box, then use the same as the server. In linux, there's no real distinction between a client and server at the OS level; it's the same code. Naming it a 'server' just depends on which one is 'serving'. You could have 2 boxes, one webserver, one ftp. Each would serve its service, and be a client to the other ;)
If the client is an MSWin box, I can recommend zonealarm. They do have a free version: http://download.zonelabs.com/bin/free/znalm/index.html

HTH

case1984
03-26-2003, 03:39 PM
I would also recommend not running as root, and shutting down any service you don't need to have running, esp. telnet.
You could get someone you know and trust to run nmap on your IP and see what it comes up with.

mage492
03-31-2003, 12:02 AM
Actually, I'm setting up a server of my own, as well. I was reading a suggestion, recently, that you try and get your hands on another computer (which can be VERY old and still be more than adequate), which serves as a dedicated firewall/router. This allows you to keep your other computer(s) the way you want them, while this computer handles your security stuff. On here, then, you would ONLY run your 'net stuff (deleting everything else).

(If you feel like that's a waste of a computer, http://www.distributed.net can put it to good use.)

Sharks Fan
03-31-2003, 03:16 AM
The separate firewall machine is a good idea. Another idea is to buy a good firewall router. I spent $150 on my Netgear and I've been very happy with it.

Kai99
04-05-2003, 12:27 AM
Along with a restrictive Firewall, Stingy File Permissions, Bastille Script and not running the server as root ... you can also further secure your server by running it from within a chroot jail.

Basically it helps limit the damage an intruder can do if they gain access to your system through a vulnerability in your running server.

It allows the running server to see only the files it needs to run and serve to the clients connecting to your system. i.e. the server can't access any other system files (like the /etc directory) should your server be compromised through a security vulnerability.

Do a search for chroot jail (your type of server) on www.google.com/linux and you will get lots of help.


Hope it helps
Kai

marvc
04-06-2003, 06:13 PM
I guess I should've mentioned that I do have a linksys router on my home network that this server sits behind. I eventually plan on setting up a separate firewall on a dedicated system as I setup more linux systems, but for now I simply wanna secure this one as much as I can without limiting functionality. Its sole purpose is that of a web, ftp, email, CMS server.

Sharks Fan
04-07-2003, 12:32 AM
Be careful with ftp. That's like the most unsecure protocol out there. First consider if you really need to do FTP. Or, you can do like I did and restrict FTP to only traffic within your own network (i.e. don't let it go through the router). Also, there are better solutions besides plain old FTP.

chrism01
04-07-2003, 07:42 AM
Depending on whether this is a public/anonymous ftp or not, I'd personally use scp (or sftp) if it's just for your use (and a few trusted friends)

marvc
04-07-2003, 09:05 AM
FTP isn't as important to me as getting everything else properly installed and secured. That'll more than likely be the last thing I worry about.
Thanks for all of the responses.
Now on to my next question. MySQL.