The Cache: Technology Expert's Forum
Author Topic: Server Security and Paranoia  (Read 5756 times)
deregular
Expert, Posts: 172
« on: April 09, 2008, 08:44:16 PM »

Thought I'd throw this up here, as of late I've come into a situation where I need to be very security conscious about one of my servers.

Since I guess this is a fairly important thing for some, I figured a thread listing tips and things you can do to add extra levels of security would be a good idea.

Here's just a couple of things besides the norm that I've incorporated of late that I can think of...

- Simply become very anal about file permissions.
- HostsDeny - running in order to block IPs of bad SSH attempts.
- RKHunter - A rootkit hunter, emails me the results of a test run every day.
- RootKitChk - Another rootkit hunter.
- Moving the SSH port to avoid bloated logs because of various SSH login attempts - Not done yet....
- Disable root login (can only SSH in with a user and then su'ing to root).
- Locked down ports that don't need to be open.
- Have all file backups run twice a week, databases every day, crossed over with another server that synchronises every second day for altered files. (Previously I didn't back up this often.)

Add your little server security tips here.
« Last Edit: April 10, 2008, 12:56:41 AM by deregular »
nutballs
Administrator, Lifer, Posts: 5627
« Reply #1 on: April 09, 2008, 10:25:59 PM »

Close every port that is not needed, and move every port that is not required to be standard. Can't move 80, but can move MySQL and FTP if needed.
Unfortunately the web vectors are the bigger issue, XSS and SQL injections.

I could eat a bowl of Alphabet Soup and shit a better argument than that.
dink
Expert, Posts: 349
« Reply #2 on: April 09, 2008, 11:34:43 PM »

Good post dereg.

Just in the midst of a fresh debian install and need to look closely at what you've suggested.

Quote from Nutballs: the universe has a giant fist, and it's got enough whoop ass for everyone.
jammaster82
Lifer, Posts: 666
« Reply #3 on: April 10, 2008, 06:06:06 AM »

I know how to forward a port, in the NAT table for instance.

But how do you 'close ports that aren't needed', specifically?

The watched pot, never boils... But if you walk away from it , the soup burns.  What gives?
nutballs
Administrator, Lifer, Posts: 5627
« Reply #4 on: April 10, 2008, 07:47:00 AM »

Generally, even the simplest firewall/port control/IPsec systems have the ability to set a deny-all rule. Then you allow only the ports you want.
Not sure in Linux, but I am sure it's built in.
dink
Expert, Posts: 349
« Reply #5 on: April 10, 2008, 08:47:00 AM »

Found some info on this, jammer:
http://wiki.vpslink.com/index.php?title=HOWTO:_Quick_n%27_Dirty_IPTables-Based_Firewall

Code:
Then put the following in /etc/init.d/firewall.sh, and edit to fit your needs:

#!/bin/sh
#
## Quick n Dirty Firewall
#
## List Locations (one address or network per line, lines starting with # are ignored)
#

WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt

#
## Specify ports you wish to use.
#

ALLOWED="22 25 53 80 443 465 587 993"

#
## Specify where IP Tables is located
#

IPTABLES=/sbin/iptables

#
## Clear current rules
#

$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'

echo 'Allowing Localhost'
# Allow localhost.
$IPTABLES -A INPUT -t filter -s 127.0.0.1 -j ACCEPT

#
## Whitelist (skipped if the list file does not exist)
## Whitelisted sources are accepted before any other rule is checked.
#

if [ -f "$WHITELIST" ]; then
    for x in $(grep -v '^#' "$WHITELIST" | awk '{print $1}'); do
        echo "Permitting $x..."
        $IPTABLES -A INPUT -t filter -s "$x" -j ACCEPT
    done
fi

#
## Blacklist (skipped if the list file does not exist)
## Blacklisted sources are dropped before the port rules below are reached.
#

if [ -f "$BLACKLIST" ]; then
    for x in $(grep -v '^#' "$BLACKLIST" | awk '{print $1}'); do
        echo "Denying $x..."
        $IPTABLES -A INPUT -t filter -s "$x" -j DROP
    done
fi

#
## Permitted Ports
#

for port in $ALLOWED; do
    echo "Accepting port TCP $port..."
    $IPTABLES -A INPUT -t filter -p tcp --dport "$port" -j ACCEPT
done

for port in $ALLOWED; do
    echo "Accepting port UDP $port..."
    $IPTABLES -A INPUT -t filter -p udp --dport "$port" -j ACCEPT
done

#
## Everything not accepted above: keep replies to connections this host
## opened, drop all other UDP, and drop new (SYN) TCP connections.
#

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A INPUT -p tcp --syn -j DROP

Start Firewall

[root@vps /]# chmod 700 /etc/init.d/firewall.sh
[root@vps /]# /etc/init.d/firewall.sh
perkiset
Olde World Hacker, Administrator, Lifer, Posts: 10096
« Reply #6 on: April 10, 2008, 10:02:12 AM »

I got hacked nasty a bunch of years ago. My solution was to go one step further: I have an IPCop box in front of all of my machines. I think I could avoid this level of protection with hardened linux and such, but my personal opinion is that if a machine is touching the public net then people will try to get at it.

Since I have retail sites and such, I am constantly barraged by boneheads trying to work their way in. I've outsourced my mail and DNS, and no services except for port 80 and 443 are available from the outside. Using a VPN, however, I can get to anything I want because I'm behind the wall.

Great post Dereg - it is important for everyone to remember that the likes of ... well ... us  ROFLMAO are out there...

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
nop_90
Global Moderator, Lifer, Posts: 2203
« Reply #7 on: April 10, 2008, 09:00:13 PM »

Pretty much what dreg said.
Run as few applications as possible  Wink
IMHO closing ports with a firewall that are not needed gives a sense of false security.
deregular
Expert, Posts: 172
« Reply #8 on: April 10, 2008, 09:16:20 PM »

@dink, yep I researched doing it that way as well. It seems a lot of people use iptables to block nasty IPs; denyhosts was just my preference, is all. I still need to hack it up a little so that it denies IPs trying to hit cPanel and not just sshd..

@perk, zigzactly, that's the reason why I'm locking down now, a nasty Turkish bastard got hold of a database on one site, then proceeded to overwrite every writable file in each of the sites on the same IP. There was some real nasty scripting in his uploads, but thank god he couldn't get root access...

Watching the auth.log file every day kind of kicks your paranoia up a notch.
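The "block IPs of bad SSH attempts" tip in the first post and the auth.log watching mentioned here boil down to the same job: count failed sshd logins per source address and turn the repeat offenders into hosts.deny entries. This is an added example for the thread, not DenyHosts' own code; the log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the demo, and the threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (not real traffic; documentation IPs).
SAMPLE_AUTH_LOG='Apr 10 21:01:02 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51432 ssh2
Apr 10 21:01:05 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51440 ssh2
Apr 10 21:01:09 vps sshd[2205]: Failed password for root from 203.0.113.5 port 51455 ssh2
Apr 10 21:02:11 vps sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Apr 10 21:03:40 vps sshd[2212]: Failed password for invalid user oracle from 198.51.100.9 port 60101 ssh2'

# failed_by_ip: read auth.log text on stdin, print "COUNT IP" per source
# address, most failures first. Only sshd "Failed password" lines count;
# successful logins and other daemons are ignored.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# hosts_deny_lines THRESHOLD: emit a "sshd: IP" line (the format used by
# /etc/hosts.deny for TCP wrappers) for each source at or above THRESHOLD.
hosts_deny_lines() {
    threshold="$1"
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print "sshd: " $2 }'
}

# Usage: ./sshfail.sh /var/log/auth.log [threshold]
# Review the output before appending it to /etc/hosts.deny, so a whitelisted
# or NAT-shared address is not locked out by mistake.
if [ "$#" -gt 0 ]; then
    hosts_deny_lines "${2:-3}" < "$1"
fi
```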
perkiset
Olde World Hacker, Administrator, Lifer, Posts: 10096
« Reply #9 on: April 10, 2008, 09:48:24 PM »

deregular wrote: Watching the auth.log file every day kind of kicks your paranoia up a notch.

oh NO LIE. I had to stop because it drives me to drink...

I have a single back door on a single Solaris box. There is only one login that works and it's nasty - no way it'll get figured out.
But the amount of brute force attempts against it every day is retarded. Bots hit me with every combo of name & password you can think of, over and over and over again - it's just wild. I don't leave anything out there unlocked because someone *will find it* and exploit it.
nop_90
Global Moderator, Lifer, Posts: 2203
« Reply #10 on: April 10, 2008, 09:52:15 PM »

The key is to keep just the script kiddies out.
Machines usually controlled by real hackers actually run better Smiley
dink
Expert, Posts: 349
« Reply #11 on: April 12, 2008, 08:01:35 AM »

hahahahahaha.

If you decide to go the iptables route, be sure to leave your SSH port open.  I forgot that part.   ROFLMAO

Whadda PITA.
dimitry12
Rookie, Posts: 27
« Reply #12 on: April 12, 2008, 09:53:50 AM »

dink wrote: If you decide to go the iptables route, be sure to leave your SSH port open.  I forgot that part.   ROFLMAO

 ROFLMAO yeah, that'd be the problem