Need advice on security

[Chong Yu Meng]

Hi all,

So right now I'm more than a little confused about the subject of
securing servers -- specifically, UNIX/Linux mail servers -- in a data
center. I spoke to some friends who may have had a vested interest in
selling me equipment, and though we all agreed that security was
important, I could not understand how certain firewalls could actually
provide me with better security than a properly configured bastion host.

Here is my scenario: a few years ago, I setup a server for a friend that
would run your typical web and mail services, but because there was no
budget for an additional firewall, I was told to just try to make the
server as secure as possible. I read a few articles in magazines and
online, and I thought that I could make it reasonably secure if I just
did the following:
-- install ONLY what you absolutely need
-- turn off all unneeded services (in this case, only DNS, web, SSH,
SMTP and POP3 were running) 
-- block all ports in iptables except those that are absolutely needed 
-- change the default SSH port to something other than 22 to thwart
script-kiddies

Well, some friends informed me that I'd still need a firewall.
Considering that the server was not running Windows, and that I'd still
need to open the ports on the firewall anyway, I asked them what
possible benefit would a firewall have, that the UNIX/Linux OS would not
provide anyway? I don't believe that a firewall is some kind of talisman
that can ward off bad things just by being there.

Am I wrong? Did I do enough? What are the ways that UNIX servers can be
penetrated for a scenario like I outlined above? I need to know because
I am wondering if perhaps I should have advised my friend to find the
money for the firewall, somehow (bear in mind that it was not cheap to
host even a 1U server back then: SGD $1000/month, which is about USD
$750/month).

Thanks and regards,
pascal chong