On Sat, 2005-02-19 at 13:29 -0700, Craig White wrote:
--- I don't think the daemons that serve pop3 or imap are likely to be running as root but I guess that would probably depend upon which one you are using.
No. Pop and imap run as dovecott. Our FTP is anonymous download only so there's nothing to hack. Apache seems adequately protected with per- directory permissions.
David:
Apache servers have been 'cracked' and taken over for purposes other than intended. Never run httpd as root unless you really, really need to.
As far as using SELinux and given your situation, I would HIGHLY recommend it. It is another layer of host based security. You can have a firewall, and it can be breached, leaving your system vulnerable. It is sorta like adding another lock to your front door. Sure they can be picked open by a professional, but they will move on if they realize it is too much trouble to gain access and will definitely scare away the amateur (read: script kiddie.) As long as security will not prevent you from doing your job, more is better. If adding SELinux adds too much of a load on your server, then you might want to reduce the items protected by it to only those you feel could be breached. Add this to security best practices, and you should have a machine that only the determined professional can breach and those should be far between and few.
--
James McKenzie
With assistance, Now running 2.6.11rc3, Software Suspend 2
and ibm-acpi .1
Need a home for my .rpm