Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLinuxLinux server security?


Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 4

Mod Emeritus
Trusted
Subscriber

Topic # 112213 30-Nov-2012 15:23
Send private message

Getting my previously dip-my-toe-in-the-water level Linux server and cli skills up to scratch.

Starting with some learn-by-doing in a VM, with Ubuntu Server (LTS), and getting all basic services installed, configured, working and secured (LAMP, mail, SSH, file, print, etc).

Beyond IPTables+UFW, deny everything, allow specifically whats needed, from where it's needed, disabling unused services, changing SSH port, using strong passwords, users/groups configured well, root disabled, using DenyHosts and fail2ban, a/v, antispam, and generating/analyzing/reading reports from logs, what else should I be investigating?

I have a bunch of websites lined up to read, many of which rehash the same information, but some of which have more information or avenues for security (or failure as the case may be).

Would be good to get some info straight from some of the knowledgable people around here.




Visit http://www.thecloud.net.nz for New Zealand based Hosted Exchange, Virtual Servers, Web Hosting, FTP Backup & more.
(1GB free FTP storage, or larger plans from $5.75)
 
 - Setup your own mailserver at home on Ubuntu Server - full step by step howto here.
 - Have you seen this: Nathan "KFC4LIFE" Dunn.

Create new topic


Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 4

Mod Emeritus
Trusted
Subscriber

  Reply # 725290 30-Nov-2012 19:44
Send private message

Changes to the server relating to security only (e.g. haven't listed applications/services that are non-security related, or customisations to increase performance/reduce load).

So far:
Done:
Using LTS version of Ubuntu.
Automatic updates from Ubuntu activated.
Iptables denied all incoming, and allowed http, webmin, ftp, SSH (custom port)
Secured shared memory in /etc/fstab
SSH - disabled root login and changed port in sshd_config
Protected SU by limiting access only to new admin group and added my limited user account.
Prevented source routing of incoming packets, ignore ICMP broadcast reqs/redirects, block SYN attacks & log malformed IPs in /etc/sysctl.conf
Added 'nospoof on' to /etc/host.conf
php.ini edits: disable_functions = exec,system,shell_exec,passthru / register_globals = Off / expose_php = Off / magic_quotes_gpc = On
Installed DenyHosts (currently on stock config other than activating reporting)
Installed Fail2Ban and enabled SSH monitoring and reporting on bans made
Installed CHKRootkit and RKHunter
Installed nmap and scanned entire range for open ports - found only expected ports
Installed logwatch
Installed Tiger security audit and intrusion detection

Todo:
Restrict some services in iptables by IP address range (SSH etc)
Install antivirus software
Install apache2 mod_security and mod_evasive modules
Add ignoreip ranges to Fail2Ban, and configure DenyHosts and Fail2Ban correctly (investigate securing other services with them)
Install PSAD to detect and report port scans etc
Config CHKRootkit and RKHunter to avoid known false positives
Config or script installed tools to run and report automatically if not already setup to do so
Config logwatch
Config Tiger
Check apparmor config
There is nothing relating to mail yet, as I haven't installed any mail software yet.

Am I on the right track? What else should I be looking at doing? Anything superflous there?

Some of this is straight from advice in random internet guides.

I'm sticking with iptables for now, as I'm comfortable with allow/deny rules and the concepts of firewalling. Would I get any benefit from Shorewall et al?

Really I am wanting as basic a system as possible, to minimise the craziness if something goes wrong, or if I need to enlist outside help, but don't want to skimp on anything if it's needed.




Visit http://www.thecloud.net.nz for New Zealand based Hosted Exchange, Virtual Servers, Web Hosting, FTP Backup & more.
(1GB free FTP storage, or larger plans from $5.75)
 
 - Setup your own mailserver at home on Ubuntu Server - full step by step howto here.
 - Have you seen this: Nathan "KFC4LIFE" Dunn.



Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 4

Mod Emeritus
Trusted
Subscriber

  Reply # 725303 30-Nov-2012 20:22
Send private message

Tiger report is very informative. A ton of warnings about things that are ultimately ok, so I'll have to learn how to filter the report that is generated. Tiger runs CHKRootkit and reports on its findings - great.

 
 
 
 


2352 posts

Uber Geek
+1 received by user: 95


  Reply # 725308 30-Nov-2012 20:52
Send private message

Note changing the SSH port doesn't increase security. Infact, it decreases it if you put it above port 1024. (Since a local user could cause you sshd to crash and restart a trojaned sshd on the same port)

2385 posts

Uber Geek
+1 received by user: 286
Inactive user


  Reply # 725310 30-Nov-2012 20:58
Send private message

kyhwana2: Note changing the SSH port doesn't increase security. Infact, it decreases it if you put it above port 1024. (Since a local user could cause you sshd to crash and restart a trojaned sshd on the same port)


I use to run mine on the default port 22. The script kiddies were hitting it many times a day. I have since moved it to port 443 and its not taken a hit since.

As added security I have switched off password login and setup sshd to accept keys only.





Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 4

Mod Emeritus
Trusted
Subscriber

  Reply # 725314 30-Nov-2012 21:04
Send private message

I read a lot on shifting the SSH port number, and general consensus seems to be simply stopping the annoyance of script kiddies constantly checking low ports (or port 22 in particular), and acknowledging that the actual security benefit is virtually nil - and that's fine.

Will look into SSH keys - but is this an issue if SSH is only accessible in the local network?

Why is the risk of a local user crashing SSHd and running a naughty one in it's place any worse on a higher port?




Visit http://www.thecloud.net.nz for New Zealand based Hosted Exchange, Virtual Servers, Web Hosting, FTP Backup & more.
(1GB free FTP storage, or larger plans from $5.75)
 
 - Setup your own mailserver at home on Ubuntu Server - full step by step howto here.
 - Have you seen this: Nathan "KFC4LIFE" Dunn.

2352 posts

Uber Geek
+1 received by user: 95


  Reply # 725315 30-Nov-2012 21:09
Send private message

tonyhughes: I read a lot on shifting the SSH port number, and general consensus seems to be simply stopping the annoyance of script kiddies constantly checking low ports (or port 22 in particular), and acknowledging that the actual security benefit is virtually nil - and that's fine.

Will look into SSH keys - but is this an issue if SSH is only accessible in the local network?

Why is the risk of a local user crashing SSHd and running a naughty one in it's place any worse on a higher port?


You can force sshd to only allow users with public keys, which makes bruteforcing attempts pointless.

If sshd is running on port 22 (or <1024) then you require root access to bind it to that port. Ports over 1024 can be bound to by any user.



Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 4

Mod Emeritus
Trusted
Subscriber

  Reply # 725320 30-Nov-2012 21:17
Send private message

So it sounds like a shift in port to anything free <1024 is probably a good avoidance of the script kiddies, without introducing risk of binding to it if someone manages to kill off the daemon.

Surprised I havent seen this written anywhere else if thats the case.

I didn't realise about the root access required below 1024.




Visit http://www.thecloud.net.nz for New Zealand based Hosted Exchange, Virtual Servers, Web Hosting, FTP Backup & more.
(1GB free FTP storage, or larger plans from $5.75)
 
 - Setup your own mailserver at home on Ubuntu Server - full step by step howto here.
 - Have you seen this: Nathan "KFC4LIFE" Dunn.

2385 posts

Uber Geek
+1 received by user: 286
Inactive user


  Reply # 725323 30-Nov-2012 21:22
Send private message

tonyhughes:

Will look into SSH keys - but is this an issue if SSH is only accessible in the local network?


Thats a question that probably only you can answer. Do you own or have full control to configure the local network including firewalls? If not then personally I would want to setup the system security as strong as possible.





2242 posts

Uber Geek
+1 received by user: 353

Trusted
Subscriber

  Reply # 725347 30-Nov-2012 23:35
Send private message

Security is about layers of defence, as it only takes one mistake or vulnerability to leave you wide open. You've covered most of the things to look at on the server, but look at placing a FW in front of that server to stop unwanted traffic from ever reaching it to start with.


2915 posts

Uber Geek
+1 received by user: 414

Trusted
Subscriber

  Reply # 738103 28-Dec-2012 18:23
Send private message

One piece of software I can't recommend enough is CSF (ConfigServer Security & Firewall - available from http://configserver.com/cp/csf.html).

It's free, and will do such stuff as autobanning (with iptables) anyone who attempts to port scan you, brute force sshd, and that sort of thing. It will also alert you to any ssh logins and su usage (not sudo though).

I'd also recommend making sure that ACL support is enabled on your machine, and set up ACLs so your limited user doesn't have to su to root just to update websites. This took me a long time and a lot of trial and error, so I'll suggest that Google can probably explain it better than me.

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Chow brothers plan to invest NZ$100 million in technology
Posted 24-Sep-2017 16:24

Symantec protects data everywhere with Information Centric Security
Posted 21-Sep-2017 15:33

FUJIFILM introduces X-E3 mirrorless camera with wireless connectivity
Posted 18-Sep-2017 13:53

Vodafone announces new plans with bigger data bundles
Posted 15-Sep-2017 10:51

Skinny launches phone with support for te reo Maori
Posted 14-Sep-2017 08:39

If Vodafone dropping mail worries you, you’re doing online wrong
Posted 11-Sep-2017 13:54

Vodafone New Zealand deploy live 400 gigabit system
Posted 11-Sep-2017 11:07

OPPO camera phones now available at PB Tech
Posted 11-Sep-2017 09:56

Norton Wi-Fi Privacy — Easy, flawed VPN
Posted 11-Sep-2017 09:48

Lenovo reveals new ThinkPad A Series
Posted 8-Sep-2017 14:37

Huawei passes Apple for the first time to capture the second spot globally
Posted 8-Sep-2017 10:45

Vodafone initiative enhances te reo Maori pronunciation on Google Maps
Posted 8-Sep-2017 10:40

Voyager Internet expand local internet phone services company with Conversant acquisition
Posted 6-Sep-2017 18:27

NOW Expands in to Tauranga
Posted 5-Sep-2017 18:16

Windows 10 Fall Creators Update coming Oct. 17
Posted 4-Sep-2017 14:10


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.