Forum OpenACS Q&A: Response to How much time does it takes to set up bboard from scratch

I hope Jon Griffin will chime in, because I'm certainly no security expert. I'm not convinced that hardware firewalls can compensate for shortcomings in some of the applications they protect (or pass information to): things like executing arbitrary commands as root with buffer overflows. Hardware firewalls are not a panacea; they should be considered additional insurance above and beyond the regular security hardening you perform on a public server. Yes, you are paying a professionally run company whose livelihood is in protecting systems.

Certainly, there's no way that a Linux newbie can go out and buy a Sonicwall, and be done with it.

For Red Hat Linux, there is a significant amount of security work that needs to take place. I've been using Red Hat the past three years, and it has gotten better, but it's still designed for maximum hardware compatibility and installation ease. Each time I install Red Hat from scratch, it takes me a couple of days to really lock down the box; there is no way to get around hardening your box every time you reinstall the OS.

In any case, security holes are discovered all the time. Even if you had a snapshot of an allegedly secure system from three months ago, today, it would not be as secure. The Bastille Linux hardening scripts might be of some use to you; basically, it's a checklist of stuff that a real UNIX sysadmin would consider anyhow, but by packaging it this way, you're less prone to forget something critical. Of course, the Bastille scripts aren't going to replace sendmail with qmail or BIND with djbdns.

I'd try the Bastille scripts, in conjunction with the nmap port scanner and Nessus vulnerability assessment utility. Naturally, you would still want a security guru to look at your firewall settings and your server's security anyhow. I don't know anything about any other Linux distributions (I tried Gentoo Linux once), but Red Hat needs a sizable amount of work before it could be considered as a fairly secure box.

New topic: installing Oracle and installing Postgres are like night and day. Oracle installation has gotten easier and there's a lot more user-contributed documentation nowadays. The very worst Oracle on Linux version was 8.1.5 (the original Oracle8i). Installing that was an absolute nightmare. The last version of Oracle8i I installed was Release 3 (8.1.7). That one went fairly smoothly, but even a straightforward Oracle installation could take half a day or all day (especially if you're using a journalled filesystem).
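The post recommends scanning your own freshly hardened box with nmap after running the Bastille checklist. The script below is an added example, not code from the poster or from the OpenACS, Bastille or nmap projects: it parses nmap's grepable (`-oG`) output, compares the open ports against an allowlist of what a public web server is supposed to expose, and reports anything extra (a service the hardening pass missed) or anything expected that is no longer reachable (a firewall rule that went too far). The scan output, the host address 192.0.2.10 and the allowlist are constructed for the example; the only real convention it relies on is nmap's `-oG` line layout.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap grepable (-oG) output; these are not real scan
# results. nmap's -oG format uses tab-separated "Host:", "Ports:" and
# "Ignored State:" fields, each port written as port/state/proto//service///.
SAMPLE_NMAP_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (www.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 111/open/tcp//rpcbind///, 25/closed/tcp//smtp///"
    "\tIgnored State: closed (996)\n"
    "# Nmap done (constructed sample)\n"
)

# Allowlist (constructed): what a hardened public web server on this host
# should expose. Everything else that shows up open is a hardening gap.
EXPECTED: Dict[str, Set[Tuple[int, str]]] = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host_ip: [(port, proto, service), ...]} for ports nmap reports open."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # nmap's own banner/footer comments
        match = HOST_RE.match(line)
        if not match:
            continue
        host = match.group(1)
        result.setdefault(host, [])
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, service in PORT_RE.findall(field):
                if state == "open":
                    result[host].append((int(port), proto, service))
    return result


def audit(open_ports: Dict[str, List[Tuple[int, str, str]]],
          expected: Dict[str, Set[Tuple[int, str]]]) -> Dict[str, Dict[str, list]]:
    """Compare scan results with the allowlist.

    Returns {host: {"unexpected": [...], "missing": [...]}} where "unexpected"
    holds open (port, proto, service) tuples not in the allowlist and "missing"
    holds allowlisted (port, proto) pairs the scan did not find open. Hosts with
    nothing to report are omitted.
    """
    report: Dict[str, Dict[str, list]] = {}
    for host in set(open_ports) | set(expected):
        seen = open_ports.get(host, [])
        allowed = expected.get(host, set())
        unexpected = sorted(p for p in seen if (p[0], p[1]) not in allowed)
        missing = sorted(allowed - {(p[0], p[1]) for p in seen})
        if unexpected or missing:
            report[host] = {"unexpected": unexpected, "missing": missing}
    return report


if __name__ == "__main__":
    # Usage with a real scan: nmap -sS -p- -oG scan.txt <your host>, then feed
    # the file contents to parse_grepable() instead of the constructed sample.
    findings = audit(parse_grepable(SAMPLE_NMAP_OG), EXPECTED)
    for host, finding in findings.items():
        for port, proto, service in finding["unexpected"]:
            print(f"{host}: unexpected open {port}/{proto} ({service}); "
                  f"disable the service or block it at the firewall")
        for port, proto in finding["missing"]:
            print(f"{host}: expected {port}/{proto} is not open; "
                  f"check the service and firewall rules")
```

In the constructed sample the audit flags 111/tcp (rpcbind), the kind of default service a Bastille-style checklist asks you to turn off on a box that does not need NFS; rerunning the scan after each hardening pass, and after every reinstall, turns "I think I locked it down" into a repeatable check.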