Gentoo Forums
How do you secure your server box
sg313
n00b
Joined: 25 Dec 2005
Posts: 34

Posted: Wed Mar 28, 2012 9:23 pm    Post subject: How do you secure your server box

I am running a server on gentoo (for several years now, I am quite happy with it), and was wondering how you guys secure your boxes? What I do at the moment is

  • hardened kernel without module loading support
  • keeping the open ports to a minimum (only ssh/http/https) using iptables



In particular does it make sense to use something like a virus scanner?
Gentoo64
n00b
Joined: 21 Oct 2011
Posts: 52
Location: ::

Posted: Thu Mar 29, 2012 1:46 pm

The virus scanner should only be for scanning Windows viruses if you will transfer files to Windows computers.

I think as you're running hardened etc (make sure you use the hardened toolchain as well) and minimal services you should be ok as long as the services are set up securely themselves. Make sure ssh has a decent password with some sort of rate limiting, or maybe use key only auth if it's not inconvenient.
You could have a go with RBAC if you haven't already as that will turn root into a pretty limited user - I found it much easier to set up and work with than selinux, and it can be very powerful.

Keep the system up to date... not really sure what else to suggest :s
tel
Tux's lil' helper
Joined: 15 Aug 2006
Posts: 112

Posted: Thu Mar 29, 2012 3:39 pm

Mine might be a bit of an overkill, but it's all automated, so what the heck.

1. No root login on ssh
2. Strong passwords
3. Non-standard ssh ports (debatable method)
4. I use fail2ban to limit ssh attempts
5. ClamAV as an antivirus, as my server also backs up local Windows machines
6. Daily chkrootkit with daily output emailed to me
7. Limited permissions for all my users
8. Daily email of all ssh attempted and actual logins

I don't use:
1. Key authentication for ssh, because users may log in from a variety of different machines
2. Local encryption, because if someone breaks in and steals stuff, I've got other things to worry about
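Item 8 in the list above (a daily email of attempted and actual ssh logins) comes down to summarising sshd's authentication messages. This is an added example, not part of tel's post: the function names and the log lines in SAMPLE_LOG are constructed, and the layout assumed is OpenSSH's syslog format ("Failed password for ... from ADDR port N ssh2").

```shell
#!/bin/sh
# Constructed sample of syslog lines (documentation address ranges).
SAMPLE_LOG='Mar 29 03:12:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar 29 03:12:04 box sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 4242 ssh2
Mar 29 03:12:09 box sshd[2107]: Failed password for root from 203.0.113.5 port 4250 ssh2
Mar 29 07:40:11 box sshd[2290]: Failed password for alice from 198.51.100.7 port 5120 ssh2
Mar 29 07:40:19 box sshd[2290]: Accepted password for alice from 198.51.100.7 port 5120 ssh2
Mar 29 09:02:33 box CRON[2400]: pam_unix(cron:session): session opened for user root'

# Reads syslog lines on stdin, prints "<count> <source address>" for failed
# password attempts, busiest source first.
# The user name in a failed attempt is supplied by the client, so the address
# is taken by position from the end of the line ("from ADDR port N ssh2")
# instead of by searching the line for the word "from".
ssh_failed_by_source() {
    awk '/ sshd\[[0-9]+\]: Failed password for / { n[$(NF-3)]++ }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Reads syslog lines on stdin, prints "<user> <source address> <method>"
# for every successful login, in log order.
ssh_accepted_logins() {
    awk '/ sshd\[[0-9]+\]: Accepted (password|publickey) for / {
             # Locate "Accepted"; the layout after it is fixed:
             # Accepted METHOD for USER from ADDR port N ssh2
             for (i = 1; i <= NF; i++) if ($i == "Accepted") break
             print $(i+3), $(i+5), $(i+1)
         }'
}

# Report over the constructed sample.
echo "Failed password attempts by source:"
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_by_source
echo "Successful logins:"
printf '%s\n' "$SAMPLE_LOG" | ssh_accepted_logins
```

Run from a daily cron job and piped into mail, the two functions give the report described; feed them whichever file your syslog daemon writes sshd messages to.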
sg313
n00b
Joined: 25 Dec 2005
Posts: 34

Posted: Thu Mar 29, 2012 8:07 pm

Thanks for the replies, since I am not handling email or Windows user data, I will not install a virus scanner. I've set up chkrootkit and denyhosts. My ssh system already forbids root login, but I have to check the password strength for the user accounts somehow (at least those which can su).

I've also skimmed the grsecurity and RBAC howto on gentoo, but I'll leave it for the weekend :)
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21633

Posted: Fri Mar 30, 2012 2:07 am

Analyzing the password strength for users who are permitted to run /bin/su is a good step, but you should be aware that even users who cannot su to root can still run setuid binaries. Certain bugs can permit a malicious user to step up to the privileges of any setuid binary that he can execute. As far as I know, there are no publicly known unfixed bugs of this type in the latest kernels, but that is one more vector you should consider. Therefore, you should verify security on all users with login rights, even ones who are only guests on the system. Ideally, use the sshd Match directives to grant password-based login only to those users who cannot or will not use key-only login.
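Since any user with a login can execute setuid binaries, it helps to know exactly which ones exist and to notice when a new one appears. This is an added example, not part of Hu's post: the function names, the baseline file and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# list_setid DIR
# Print every regular file under DIR that carries the setuid (4000) or
# setgid (2000) bit, one path per line, sorted. -xdev keeps find on the
# filesystem DIR lives on, so run it once per mounted filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort
}

# new_setid BASELINE DIR
# Print set-id files that exist under DIR now but are not listed in
# BASELINE (a file written earlier by list_setid). comm -13 keeps only
# lines unique to its second input; both inputs must be sorted the same way.
# Paths containing newlines are not handled.
new_setid() {
    list_setid "$2" | LC_ALL=C comm -13 "$1" -
}

# Demo on a constructed tree in a temporary directory.
demo=$(mktemp -d)
: > "$demo/helper"; chmod 4755 "$demo/helper"   # setuid when the baseline is taken
: > "$demo/late";   chmod 0755 "$demo/late"     # ordinary file at that point
list_setid "$demo" > "$demo.baseline"

chmod 4755 "$demo/late"                         # gains setuid after the baseline
echo "Set-id files not in the baseline:"
new_setid "$demo.baseline" "$demo"              # prints only .../late

rm -rf "$demo" "$demo.baseline"
```

Anything new_setid prints after a package update or a quiet week is worth explaining before it is added to the baseline.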
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Fri Mar 30, 2012 7:48 am

sg313 wrote:
Thanks for the replies, since I am not handling email or Windows user data, I will not install a virus scanner. I've set up chkrootkit and denyhosts. My ssh system already forbids root login, but I have to check the password strength for the user accounts somehow (at least those which can su).

I've also skimmed the grsecurity and RBAC howto on gentoo, but I'll leave it for the weekend :)


don't know if you've already stumbled onto this
http://www.gentoo.org/doc/en/security/security-handbook.xml?full=1

it's more general best practice than it is specific hardening, but some useful bits in there nonetheless. Some I agree with, some I disagree with, take it with a grain of salt.

That combined with the Hardened doc and you should be squared away.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
sg313
n00b
Joined: 25 Dec 2005
Posts: 34

Posted: Sat Mar 31, 2012 8:00 am

Thanks again, I looked at the tutorial, and will see what I can implement on the box!