I discovered Lynis via this thread [3 security tools]. I installed it and fell in love. Lynis conducts a wide range of security tests and provides convenient suggestions to resolve whatever warnings. My question is this: Are there any known warnings from Lynis that, if resolved, conflict with ISPConfig? (directory/file permissions, hardening php, removing old kernels, & so on... ) Are there any tests that ISPConfig would recommend I disable in Lynis? Or am I free to eliminate all the warnings as recommended? My goal is a Hardening index of 100. Thanks
It's good practice to secure your system, but most hacks occur through hacked websites because of an outdated CMS. So you should focus on that.
The settings set by ISPConfig are set as they are for good reasons, so I would not change too much, especially if you don't know what it is.
I am good about reading tutorials and documentation. If I run into specific Lynis / ISPConfig issues... I'll post... thanx.
Ok.. so I am back with a couple of "nitty-gritty" questions regarding Lynis 3.0.3 & ISPConfig. I am aware that I can simply execute these changes on my test server and see what happens. However, these changes involve a much longer testing cycle so as to detect possible negative impacts, so I would highly appreciate it if one of you gurus could save me a substantial bit of time with your knowledge. Lynis [HOME-9304] suggests:
Code:
    chmod 750 /home/administrator
    chmod 750 /var/lib/spamassassin
    chmod 750 /var/vmail
    chmod 750 /var/www/apps
    chmod 750 /usr/local/ispconfig
All of the above seem like harmless hardening measures, but I would appreciate a confirmation of their harmlessness... or if I am about to step on a landmine. Also there is one Lynis suggestion that seems very, very substantive:
Code:
    # chown ispconfig /usr/local/ispconfig
Lynis warns that /usr/local/ispconfig is owned by root rather than ispconfig user and makes the above suggestion. Can you provide a little affirmation / clarity for the noob? thx
This might be ok doing it without breaking something, so you can try that. If something does not work afterwards. This would open up a security hole, don't do that.
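An added example, not part of the thread and not ISPConfig or Lynis code: one way to trial the chmod 750 suggestions from Lynis HOME-9304 reversibly, by recording each directory's current mode before changing it. The function names and the snapshot file path are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: make the HOME-9304 "chmod 750" trial reversible.
# Function names and the snapshot path are hypothetical; GNU stat is assumed.

# Directories named in the Lynis suggestion quoted in the thread.
LYNIS_DIRS="/home/administrator /var/lib/spamassassin /var/vmail /var/www/apps /usr/local/ispconfig"

# snapshot_modes FILE DIR... : record "octal-mode path" for each existing directory.
snapshot_modes() {
    snap=$1; shift
    : > "$snap"
    for d in "$@"; do
        [ -d "$d" ] || { echo "skip (missing): $d" >&2; continue; }
        stat -c '%a %n' "$d" >> "$snap"
    done
}

# apply_mode MODE FILE : chmod only the directories that were snapshotted.
apply_mode() {
    while read -r _old path; do
        chmod "$1" "$path"
    done < "$2"
}

# restore_modes FILE : put back the recorded mode of every directory.
restore_modes() {
    while read -r old path; do
        chmod "$old" "$path"
    done < "$1"
}

# changed_dirs FILE : print directories whose mode differs from the snapshot.
changed_dirs() {
    while read -r old path; do
        [ "$(stat -c '%a' "$path")" = "$old" ] || echo "$path"
    done < "$1"
}

# Typical run as root on a test server:
#   snapshot_modes /root/home9304.modes $LYNIS_DIRS
#   apply_mode 750 /root/home9304.modes
#   ...exercise the services that use these directories...
#   restore_modes /root/home9304.modes    # only if something broke
```

Only modes are touched; ownership of /usr/local/ispconfig is left as it is.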