deregular

Thought I'd throw this up here; as of late I've come into a situation where I need to be very security-conscious about one of my servers.

Since I guess this is a fairly important thing for some, I figured a thread listing tips and things you can do to add extra levels of security would be a good idea.

Here's just a couple of things besides the norm that I've incorporated of late that I can think of...

- Simply become very anal about file permissions.
- HostsDeny - running in order to block IPs of bad SSH attempts.
- RKHunter - a rootkit hunter, emails me the results of a test run every day.
- RootKitChk - another rootkit hunter.
- Moving the SSH port to avoid bloated logs because of various SSH login attempts - not done yet....
- Disable root login (can only SSH in as a user and then su to root).
- Locked down ports that don't need to be open.
- Have all file backups run twice a week, databases every day, crossed over with another server that synchronises every second day for altered files. (Previously I didn't back up this often.)

Add your little server security tips here.

nutballs

Close every port that is not needed, and move every port that is not required to be standard. Can't move 80, but can move MySQL and FTP if needed.
Unfortunately the web vectors are the bigger issue, XSS and SQL injections.

dink

Good post dereg.

Just in the midst of a fresh debian install and need to look closely at what you've suggested.

jammaster82

I know how to forward a port, in the NAT table for instance.

But how do you 'close ports that aren't needed', specifically?

nutballs

Generally, even the simplest firewall/port control/IPsec systems have the ability to set a deny-all rule. Then you allow only the ports you want.
Not sure in linux, but I am sure it's built in.

dink

Found some info on this jammer:
http://wiki.vpslink.com/index.php?title=HOWTO:_Quick_n%27_Dirty_IPTables-Based_Firewall

Then put the following in /etc/init.d/firewall.sh, and edit to fit your needs:

#!/bin/sh
#
## Quick n Dirty Firewall
#
## List Locations
#

WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt

#
## Specify ports you wish to use.
#

ALLOWED="22 25 53 80 443 465 587 993"

#
## Specify where IP Tables is located
#

IPTABLES=/sbin/iptables

#
## Clear current rules
#

$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'

echo 'Allowing Localhost'
#Allow localhost.
$IPTABLES -A INPUT -t filter -s 127.0.0.1 -j ACCEPT

#
## Whitelist
#

for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
        echo "Permitting $x..."
        $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

#
## Blacklist
#

for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
        echo "Denying $x..."
        $IPTABLES -A INPUT -t filter -s $x -j DROP
done

#
## Permitted Ports
#

for port in $ALLOWED; do
        echo "Accepting port TCP $port..."
        $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done

for port in $ALLOWED; do
        echo "Accepting port UDP $port..."
        $IPTABLES -A INPUT -t filter -p udp --dport $port -j ACCEPT
done


$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A INPUT -p tcp --syn -j DROP

Start Firewall

[root@vps /]# chmod 700 /etc/init.d/firewall.sh
[root@vps /]# /etc/init.d/firewall.sh

perkiset

I got hacked nasty a bunch of years ago. My solution was to go one step further: I have an IPCop box in front of all of my machines. I think I could avoid this level of protection with hardened linux and such, but my personal opinion is that if a machine is touching the public net then people will try to get at it.

Since I have retail sites and such, I am constantly barraged by boneheads trying to work their way in. I've outsourced my mail and DNS, and no services except for port 80 and 443 are available from the outside. Using a VPN, however, I can get to anything I want because I'm behind the wall.

Great post Dereg - it is important for everyone to remember that the likes of ... well ... us are out there...

nop_90

Pretty much what dereg said.
Run as few applications as possible.
IMHO closing ports with a firewall that are not needed gives a sense of false security.

deregular

@dink, yep, I researched doing it that way as well. It seems a lot of people use iptables to block nasty IPs; denyhosts was just my preference is all. I still need to hack it up a little so that it denies IPs trying to hit cPanel and not just sshd..

@perk, zigzactly, that's the reason why I'm locking down now: a nasty Turkish bastard got hold of a database on one site, then proceeded to overwrite every writable file in each of the sites on the same IP. There was some real nasty scripting in his uploads, but thank god he couldn't get root access...

Watching the auth.log file every day kind of kicks your paranoia up a notch.
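What denyhosts does with auth.log, written out as an added example (not from the thread or the denyhosts project): count failed sshd password attempts per source IP, skip whitelisted addresses first (the same whitelist-before-blacklist order as the firewall script above), and emit lines in the one-IP-per-line shape that script's blacklist.txt loop reads. The log lines and IPs are constructed samples; the threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the thread); documentation-range IPs.
SAMPLE_AUTH_LOG = """\
Apr 11 03:12:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Apr 11 03:12:04 vps sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 4031 ssh2
Apr 11 03:12:09 vps sshd[2105]: Failed password for root from 203.0.113.7 port 4040 ssh2
Apr 11 03:12:15 vps sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 4052 ssh2
Apr 11 03:20:44 vps sshd[2150]: Failed password for deregular from 198.51.100.23 port 51022 ssh2
Apr 11 03:20:50 vps sshd[2150]: Accepted password for deregular from 198.51.100.23 port 51022 ssh2
Apr 11 03:31:02 vps sshd[2200]: Failed password for invalid user guest from 192.0.2.99 port 3310 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failed_logins(log_text):
    """Return {ip: number of failed sshd password attempts} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offending_ips(log_text, threshold=3, whitelist=()):
    """IPs with at least `threshold` failures; whitelisted addresses are never
    listed, so a typo'd password from your own box can't lock you out."""
    counts = count_failed_logins(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in whitelist)


def blacklist_lines(ips):
    """One IP per line with a trailing comment: the script's loop keeps the
    first field (awk '{print $1}') after dropping lines that start with '#'."""
    return [f"{ip}  # auto-added: repeated sshd failures" for ip in ips]


if __name__ == "__main__":
    # Assumed threshold of 3; on a real box the whitelist would hold your own IPs.
    bad = offending_ips(SAMPLE_AUTH_LOG, threshold=3, whitelist={"198.51.100.23"})
    print("\n".join(blacklist_lines(bad)))
```

Appending the output to /usr/local/etc/blacklist.txt and re-running firewall.sh turns the counts into DROP rules; the single failure from 192.0.2.99 stays below the threshold and is left alone.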

perkiset

deregular wrote:
    Watching the auth.log file every day kind of kicks your paranoia up a notch.

Oh NO LIE. I had to stop because it drives me to drink...

I have a single back door on a single Solaris box. There is only one login that works and it's nasty - no way it'll get figured out.
But the amount of brute force attempts against it every day is retarded. Bots hit me with every combo of name & password you can think of, over and over and over again - it's just wild. I don't leave anything out there unlocked because someone *will find it* and exploit it.

nop_90

The key is to keep just the script kiddies out.
Machines usually controlled by real hackers actually run better.

dink

hahahahahaha.

If you decide to go the iptables route, be sure to leave your ssh port open. I forgot that part.

Whadda PITA.

dimitry12

dink wrote:
    If you decide to go the iptables route, be sure to leave your ssh port open. I forgot that part.

Yeah, that'd be the problem.

