----- Original Message -----
From: plug-discuss-request@lists.plug.phoenix.az.us
To: plug-discuss@lists.plug.phoenix.az.us
Sent: Friday, April 15, 2011 1:59 PM
Subject: PLUG-discuss Digest, Vol 70, Issue 12

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Today's Topics:

   4. basic LAMP security 101 (Stephen)

Message: 4
Date: Fri, 15 Apr 2011 07:20:10 -0700
From: Stephen
To: Main PLUG discussion list
Subject: basic LAMP security 101

I have rebuilt my server as an Ubuntu server, and am exposing parts of that same server to the outside world. Anyone have a decent reference on security I can read? There is quite a bit out there, but it's a muddy mess to know who is talking out their collective backside and who actually is giving you something useful. I do know we have some very good security geeks here and hope to borrow (beg) some pearls of wisdom.


Hmm, pearls of wisdom.

Pre-A. I personally enjoy system encryption of my whole drive OUTSIDE of $user control. I use dm-crypt, loop, Blowfish, OpenSSL, and AES. GVFS mounts drives as necessary on a LUKS mapping. I like ext2, ext3, XFS and JFS; pick your poison. tmpfs should be used in fstab and mtab so as to keep things in RAM instead of having them placed on a HDD. YMMV on swap. Modern machines in my experience haven't used it, so I don't configure it.

a.
SSH has two main config files. I loosely watch ssh_config, but center more on sshd_config in these areas (note: all other lines are commented out in the file; sshd_config does not allow a comment after a value, so the notes sit on their own lines):

# Yes, Lisa has given ample security-breach examples no matter what port is
# used for SSH. SSHGuard and Fail2Ban are good ideas to help with bots.
Port 22
### If you are only on IPv4 (== inet) then IPv6 doesn't need to run
AddressFamily inet
#### Narrow focus to an IP, otherwise all addresses will listen.
#### One ListenAddress line per address.
ListenAddress 100.x.xx.x
#ListenAddress ::
AllowUsers HowdyDoody
DenyUsers nobody guest admin root passwd test
AllowGroups wheel
# The default requires explicit activation of protocol 1
Protocol 2
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
#### If someone hasn't authenticated within 15-20 secs (adjust if there is a
#### lot of lag), drop them; the least amount of time listening the better.
LoginGraceTime 20s
# Self-explanatory
PermitRootLogin no
#StrictModes yes
##### Why give them 2000 tries?
MaxAuthTries 6
##### Bandwidth and possible security issues; narrow focus.
MaxSessions 10
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
AllowAgentForwarding yes
AllowTcpForwarding yes
X11UseLocalhost yes
###### I like pretty messages. You may not...
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
Compression delayed
PidFile /var/run/sshd.pid
MaxStartups 10
#PermitTunnel no
##### Another tool to have a honeypot if so desired; no one can poke
##### around outside of $user
ChrootDirectory none

b. Make sure that /etc/group, /etc/shadow and /etc/passwd are properly configured. Put your users in groups with the maximum they need to do their work, but not enough to hang themselves. In your /etc/shadow file make sure ALL accounts, including root, are password-hashed according to your preferences or paranoia. ;) Ex.
Most Linux distros only use MD5, a bad idea. A good example is SHA512 with 65k+ iterations on each character placement; Blowfish is nice too but usually requires a custom kernel. (For this last example Arch Linux has a great tutorial in their wiki; I will post the URL as it is quite long.)
https://wiki.archlinux.org/index.php/SHA_password_hashes

c. Check that your /etc/sysctl.conf file is properly configured. There are TONS of examples of networking restrictions/allowances, kernel tuning, process tuning, etc. Much too long to just put a blurb in for the topic.

d. Of course it goes without saying, /etc/hosts, /etc/hosts.allow and /etc/hosts.deny should all be configured in an iptables manner: basically block all traffic, then open up the traffic you want. If you don't specify it, it is fair game.

e. iptables, Blockcontrol, Mobloquer. I will show my tables; it is easy to run on any machine.

#!/bin/bash -
#xxxxxx( VampirePenguin )
# This current iptables chart was put together
# from what I have gleaned from others. First off was Debian,
# then some items from Arch Linux. I've added some new goodies
# to what I had before from Sabayon.
# This config is GPL ver. 3 copylefted.
#
#
# Drop everything first so no connections are open.
# Obviously this would not be suited to do on a mission
# critical device.
#
# Flush before deleting user chains (-X fails on a chain that is
# still referenced) and reset the nat table as well.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Outbound traffic is allowed; only inbound is filtered here.
iptables -P OUTPUT ACCEPT
#
# We are now going to create a few custom chains that will result in
# logging of dropped and rejected packets. This will enable us to avoid
# having to enter a log command prior to every drop we wish to log. The
# first logs drops, the other logs rejects. DROP and REJECT are built-in
# target names and cannot be used as chain names, hence LOGDROP/LOGREJECT.
# Do not complain if chain already exists (so restart is clean)
iptables -N LOGDROP 2> /dev/null
iptables -A LOGDROP -j LOG --log-prefix 'DROP:'
iptables -A LOGDROP -j DROP
iptables -N LOGREJECT 2> /dev/null
iptables -A LOGREJECT -j LOG --log-prefix 'REJECT:'
iptables -A LOGREJECT -j REJECT
#
# Now that we have everything closed up we can start opening
# up ports and services really needed.
#
iptables -N open
iptables -N interfaces
# SSHGuard inserts its block rules into this chain; packets it does not
# block RETURN and continue down INPUT.
iptables -N sshguard
#
# Malformed/bogus packets go first. Anything appended after the catch-all
# REJECTs at the end of INPUT would never be reached.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOGDROP
iptables -A INPUT -f -j LOGDROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
# ICMP we do not want to answer, ahead of the general ICMP accept.
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -i wlan0 -j DROP
iptables -A INPUT -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-reply -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j interfaces
##### SSH: sshguard gets the first look, then the packet falls through to 'open'
iptables -A INPUT -p tcp --dport 22 -j sshguard
iptables -A INPUT -j open
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
#
# Only loopback is trusted wholesale. Accepting eth0/wlan0 here would let
# everything in before 'open' is consulted and make the rest of the
# ruleset moot.
iptables -A interfaces -i lo -j ACCEPT
#
# COMmon ports:
# 0 is TCPmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
#
##### SSH (sshguard has already had its look)
iptables -A open -p tcp --dport 22 -j ACCEPT
#### CUPS
iptables -A open -p tcp --dport 631 -j ACCEPT
#### Email (POP3S)
iptables -A open -p tcp --dport 995 -j ACCEPT
#### Email (submission)
iptables -A open -p tcp --dport 587 -j ACCEPT
#### CUPS (JetDirect printing)
iptables -A open -p tcp --dport 9100 -j ACCEPT
#
# Silently drop the ports listed above instead of answering with a reset
# or port-unreachable. Swap -j DROP for -j LOGDROP where a log line is wanted.
TCPBLOCK="0:1 13 25 98 111 137:138 161:162 445 512:515 1080 1214 1999 2049 3049 4329 6000:6009 6112 6346 3128 8000 8008 8080 12345 65535"
UDPBLOCK="161:162 520 123 517:518 1427 9000"
for p in $TCPBLOCK; do
    iptables -A open -p tcp --dport "$p" -j DROP
done
for p in $UDPBLOCK; do
    iptables -A open -p udp --dport "$p" -j DROP
done
#
# Opening up ftp connection tracking. These are the current module names;
# the old ipv4-only ip_conntrack_ftp / ip_nat_ftp no longer exist.
MODULES="nf_conntrack_ftp nf_nat_ftp"
for i in $MODULES; do
    echo "Inserting module $i"
    modprobe "$i"
done
# Only takes effect for traffic that FORWARD lets through (policy is DROP above).
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PLEASE DON'T copy this and paste it without having some understanding, and definitely not on a running production machine. This is based on my experiences and needs as the occasion arose. I may have security issues I'm open to that I don't even know about. This is a learning tool.

After all is said and done, check permissions, groups and partitions for the proper settings desired. There are some tricks to disable ctrl-alt-delete, ctrl-alt-prntscrn r-e-i-s-u-b, and cut down on ttys in inittab, IF this machine is not being updated. You are forewarned that if you forget about this step and reboot your box you may lose access or more. Make good use of chattr on partitions. If someone does not know that chattr is being used to basically make even root not have access (immutable), it can save poking around.

Last but not least, keep root active, you may need it, but use sudo in your everyday dealings if you have to do administrative tasks, AND NEVER EVER log in as root remotely or locally.

ciao....
-- 
---
gk
http://www.panoramio.com/user/5731247
http://gm5729.blogspot.com/
Secure Gateway and Google Voice links on blogspot.
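Added example for point (a) above; this is not code from the original message or from gk's setup. It is a small Python 3 check that parses an sshd_config the way sshd does (first occurrence of a keyword wins, a Match block ends the global section, both "Keyword value" and "Keyword=value" forms) and compares the settings the post singles out against a policy. The policy values, the table of sshd defaults for omitted keywords, and both sample configs are assumptions constructed for the demonstration; HARDENED_CONFIG mirrors the post's sshd_config with PasswordAuthentication set to no, as the post's own comment on that line suggests.

```python
#!/usr/bin/env python3
"""Audit an sshd_config against the settings discussed in the post.

Added example, not from the original message.  Policy values, DEFAULTS and
the sample configs are assumptions constructed for this demonstration.
Usage against the live file:  sudo python3 sshd_audit.py /etc/ssh/sshd_config
"""
import re
import sys

# keyword -> acceptable values (lower-case).  PasswordAuthentication is 'no'
# here because password logins are what bots brute-force.
POLICY = {
    "protocol": {"2"},
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
}
MAX_AUTH_TRIES = 6             # the post's value
MAX_LOGIN_GRACE_SECONDS = 30   # the post uses 20s

# What sshd assumes when a keyword is absent (OpenSSH 5.4-era defaults; assumption).
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# 'Keyword value', 'Keyword=value', 'Keyword = value' or a bare keyword.
KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+|$)(.*)$")


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section, first match wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                      # everything after Match is conditional
        cfg.setdefault(key, val)       # sshd ignores later duplicates
    return cfg


def parse_seconds(val):
    """Convert an sshd time value such as '20s', '2m', '1h30m' or '120' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    total, num = 0, ""
    for ch in val.lower():
        if ch.isdigit():
            num += ch
        elif ch in units and num:
            total, num = total + int(num) * units[ch], ""
        else:
            raise ValueError(f"bad time value {val!r}")
    return total + (int(num) if num else 0)


def audit_sshd(text):
    """Return a list of findings; an empty list means the policy is met."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in POLICY.items():
        val = cfg.get(key, DEFAULTS.get(key))
        if val is None or val.lower() not in allowed:
            findings.append(f"{key} = {val!r}, want one of {sorted(allowed)}")
    tries = int(cfg.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries = {tries}, want <= {MAX_AUTH_TRIES}")
    grace = parse_seconds(cfg.get("logingracetime", DEFAULTS["logingracetime"]))
    if grace > MAX_LOGIN_GRACE_SECONDS:
        findings.append(f"logingracetime = {grace}s, want <= {MAX_LOGIN_GRACE_SECONDS}s")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: access not limited to named users or groups")
    return findings


# Constructed samples.  WEAK_CONFIG leaves the post's settings permissive;
# HARDENED_CONFIG is the post's config with password logins turned off.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nLoginGraceTime 2m\nMaxAuthTries 20\n"
HARDENED_CONFIG = """\
Port 22
AddressFamily inet
AllowUsers HowdyDoody
AllowGroups wheel
Protocol 2
LoginGraceTime 20s
PermitRootLogin no
MaxAuthTries 6
PasswordAuthentication no
PermitEmptyPasswords no
"""


def main(argv):
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else WEAK_CONFIG
    findings = audit_sshd(text)
    for f in findings:
        print("WEAK:", f)
    print("ok" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument and it audits the constructed WEAK_CONFIG (five findings); pass a path and it audits that file, exiting non-zero when anything is flagged so it can sit in a cron job or a deploy script.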
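Added example for point (b) above, the /etc/shadow check; this is not code from the original message or from gk's setup. It is a Python 3 audit of shadow-format password fields that classifies each account as empty, locked or hashed, identifies the crypt(3) scheme from the $id$ prefix, reads the rounds= parameter (the SHA-crypt iteration count for the whole hash, 5000 when omitted) and flags MD5/DES hashes, SHA-crypt hashes below a rounds threshold, and empty password fields. The 65536-round threshold is chosen to match the post's "65k+" figure and is an assumption; the sample shadow lines are constructed, with placeholder hash bodies of the right shape rather than real digests.

```python
#!/usr/bin/env python3
"""Audit the password fields of an /etc/shadow-format file.

Added example, not from the original message.  Sample lines are constructed
with placeholder hash bodies (not real digests).  Usage against the live file:
    sudo python3 shadow_audit.py /etc/shadow
"""
import sys

# crypt(3) scheme identifiers, keyed by the id between the first two '$'.
SCHEMES = {
    "1": "md5",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256",
    "6": "sha512",
    "7": "scrypt",
    "y": "yescrypt",
}
DEFAULT_ROUNDS = {"sha256": 5000, "sha512": 5000}   # SHA-crypt default when rounds= is absent
MIN_ROUNDS = 65536                                  # matches the post's "65k+"; an assumption
WEAK_SCHEMES = {"md5", "descrypt", "unknown"}       # unsafe regardless of parameters


def classify(field):
    """Return (state, scheme, rounds) for one shadow password field.

    state is 'empty' (no password at all), 'locked' (password login
    impossible) or 'hashed'; scheme/rounds are None when not applicable.
    """
    if field == "":
        return ("empty", None, None)
    locked = field[0] in "!*"            # '!'/'*' lock the account; a hash may follow '!'
    body = field.lstrip("!")
    if body == "" or body.startswith("*"):
        return ("locked", None, None)
    state = "locked" if locked else "hashed"
    if not body.startswith("$"):
        return (state, "descrypt", None)  # traditional 13-char DES crypt (or junk)
    parts = body.split("$")               # '$6$rounds=N$salt$hash' -> ['', '6', 'rounds=N', 'salt', 'hash']
    scheme = SCHEMES.get(parts[1], "unknown") if len(parts) > 1 else "unknown"
    rounds = None
    if len(parts) > 2 and parts[2].startswith("rounds="):
        try:
            rounds = int(parts[2][len("rounds="):])
        except ValueError:
            scheme = "unknown"
    elif scheme in DEFAULT_ROUNDS:
        rounds = DEFAULT_ROUNDS[scheme]
    return (state, scheme, rounds)


def audit(shadow_text, min_rounds=MIN_ROUNDS):
    """Return (account, problem) pairs for every entry that fails the policy."""
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, field = fields[0], fields[1]
        state, scheme, rounds = classify(field)
        if state == "empty":
            findings.append((user, "empty password field: login works without a password"))
        elif state == "locked":
            continue                          # fine for system accounts
        elif scheme in WEAK_SCHEMES:
            findings.append((user, f"weak hash scheme: {scheme}"))
        elif rounds is not None and rounds < min_rounds:
            findings.append((user, f"{scheme} with {rounds} rounds, want >= {min_rounds}"))
    return findings


# Constructed sample: root is fine, howdy uses the 5000-round default, legacy
# is MD5, guest has no password, daemon and svc are locked.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$saltsalt$PLACEHOLDERsha512body:18000:0:99999:7:::
howdy:$6$saltsalt$PLACEHOLDERsha512body:18000:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERmd5body:18000:0:99999:7:::
guest::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!$6$rounds=100000$saltsalt$PLACEHOLDERsha512body:18000:0:99999:7:::
"""


def main(argv):
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_SHADOW
    findings = audit(text)
    for account, problem in findings:
        print(f"{account}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Locked accounts are skipped even when the hash behind the '!' is weak, since no password login is possible for them; remove that branch if you also want to see stale hashes on disabled accounts.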