A network is only as secure as the weakest host connected to it. Therefore, it follows that a host is only as secure as the weakest service that it’s running. After all, the only way into a system from the network (barring esoteric kernel-level network stack vulnerabilities) is through the services that it offers. Because of this, a large part of network security involves ensuring that your services are configured securely. This entails configuring services to provide only the functionality that’s required of them to accomplish the tasks they need to perform. Additionally, you should give services access to only the bare minimum of system resources needed.
That’s just part of the solution, though. If a network service operates in clear-text, all of your work spent locking it down can be for nothing. In most cases, all an attacker has to do to gain access to such a service is use a packet sniffer to capture the login details of a user authenticating with the service.
This chapter shows how to deploy IMAP, POP3, and SMTP servers that are protected with encryption, in order to prevent your users from accidentally disclosing their login credentials and keep their data safe from prying eyes. You’ll also learn how to securely deploy DNS services and MySQL. In addition, you’ll learn how to deploy Apache with SSL support and how to keep your users’ CGI scripts from accessing files that they normally wouldn’t be able to access.