basic LAMP security 101

Attachments:
Message as email (text/plain)

Author: gm5729
Date:
To: PLUGAZ
Subject: basic LAMP security 101

----- Original Message -----
From: plug-discuss-request@lists.plug.phoenix.az.us
To: plug-discuss@lists.plug.phoenix.az.us
Sent: Friday, April 15, 2011 1:59 PM
Subject: PLUG-discuss Digest, Vol 70, Issue 12

Send PLUG-discuss mailing list submissions to
    plug-discuss@lists.plug.phoenix.az.us

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
or, via email, send a message with subject or body 'help' to
    plug-discuss-request@lists.plug.phoenix.az.us

You can reach the person managing the list at
    plug-discuss-owner@lists.plug.phoenix.az.us

When replying, please edit your Subject line so it is more specific
than "Re: Contents of PLUG-discuss digest..."

Today's Topics:

4. basic LAMP security 101 (Stephen)

Message: 4
Date: Fri, 15 Apr 2011 07:20:10 -0700
From: Stephen <cryptworks@gmail.com>
To: Main PLUG discussion list <plug-discuss@lists.plug.phoenix.az.us>
Subject: basic LAMP security 101
Message-ID: <BANLkTikbLm9zsuqSpPP5_=ra3btLrAWEbg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I have rebuilt my server as an Ubuntu server, and am exposing parts of
same said server to the outside world. Anyone have a decent reference
on security i can read, there is quite a bit out there, but its a
muddy mess to know who is talking out their collective backside and
who actually is giving you something useful. I do know we have some
very good security geeks here and hope to borrow (beg) some pearls of
wisdom.

Hmm pearls of wisdom.

Pre-A. I personally enjoy system encryption of my whole drive OUTSIDE
of $user control. I use dm-crypt, loop, blowfish openssl, and aes.
GVFS mounts drives as necessary on a luks mapping. I like ext2,3 xfs
and jfs -- pick your poison. Tmpfs should be used in FSTAB and MTAB so
as to keep in ram instead of being placed on a hdd. YMMV on a swap.
Modern machines in my experience haven't used it so I don't configure
it.

a. SSH has 2 main config files I loosely watch the ssh_config, but
center more on sshd_config in these areas : (note all other lines are
commented out in the file)
Port 22 Yes, Lisa has given ample security breach examples no matter
what port is used for SSH -- SSHGuard and Fail2Ban are good ideas to
help with bots.
AddressFamily inet ###If you are only on an IPV4==inet then IPV6
doesn't need to run
ListenAddress 100.x.xx.x ####Narrow focus to IP otherwise all will
be open to listen
ListenAddress 100.x.xx.x
#ListenAddress ::
AllowUsers HowdyDoody
DenyUsers nobody guest admin root passwd test
AllowGroups wheel
# The default requires explicit activation of protocol 1
Protocol 2
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 20s ####If someone hasn't connected within 15-20 secs
unless there is a lot of lag to adjust for the least amount of time
listening the better.
PermitRootLogin no Self explanatory
#StrictModes yes
MaxAuthTries 6 #####Why give them 2000 tries?
MaxSessions 10 #####Bandwidth and possible security issues, narrow focus.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
AllowAgentForwarding yes
AllowTcpForwarding yes
X11UseLocalhost yes
PrintMotd yes ######I like pretty messages. You may not...
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
Compression delayed
PidFile /var/run/sshd.pid
MaxStartups 10
#PermitTunnel no
ChrootDirectory none #####Another tool to have a honeypot if so
desired or not and noone can poke around outside of $user

b. Make sure that /etc/group /etc/shadow /etc/passwd are properly configured.
Put your users with the max they need to do their work but not enough
to hang themselves in group. In your /etc/shadow file make sure ALL
accounts, including root are password hashed according to your
preferences or paranoia. ;) Ex. most linux distros only use MD5, bad
idea. Good example SHA512 with 65k+ iterations on each character
placement; Blowfish is nice too but usually requires a custom kernel.
(For this last example Arch Linux has a great tutorial in their wiki
and I will post the URL as it is quite long.

https://wiki.archlinux.org/index.php/SHA_password_hashes

c. Check that your /etc/sysctl.conf file is properly configured. There
are TONS of examples of networking restrictions/allowances, kernel
tuning, process tuning, etc. Much too long to just put a blurb in for
the topic.

d. Of course it goes without saying, /etc/hosts /etc/hosts.allow
/etc/hosts.deny should all be configured in an IPTable manner.
Basically block all traffic, then open up traffic you want. If you
don't specify it is fair game.

e. IPTables, Blockcontrol, Mobloquer. I will show my Tables and it is
easy to run on any machine.

#!/bin/bash -
#xxxxxx( VampirePenguin )
# This current iptable chart was put together
#from what I have cleaned of others. First off was Debian,
#then some items from ArchLinux. I've added some new goodies
#to what I had before from Sabayon.
#This config is GPL ver. 3 copylefted.
#
#
#Drop everything first so no connections are open.
#Obviously this would not be suited to do on a mission
#critical device.
#
iptables -X
iptables -F
iptables -Z

iptables -P INPUT       DROP
iptables -P OUTPUT      DROP
iptables -P FORWARD     DROP
#Now that we have everything closed up we can start opening
# up ports and services really needed.
#
iptables -N open
iptables -N interfaces
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j interfaces
iptables -A INPUT -j open
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -P OUTPUT ACCEPT
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
iptables -N DROP   2> /dev/null
iptables -A DROP   -j LOG --log-prefix 'DROP:'
iptables -A DROP   -j DROP
iptables -N REJECT 2> /dev/null
iptables -A REJECT -j LOG --log-prefix 'REJECT:'
iptables -A REJECT -j REJECT
iptables -A interfaces -i lo -j ACCEPT
iptables -A interfaces -i eth0 -j ACCEPT
iptables -A interfaces -i wlan0 -j ACCEPT

# COMmon ports:
# 0 is TCPmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
#COMBLOCK="0 1 13 98 111 137 138 139 161 162 445 512 513 514 515 1080
1214 1999 2049 3049 4329 6000 6001 6002 6003 6004 6005 6006 6007 6008
6009 6112 6346 3128 8000 8008 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
#TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
#UDPBLOCK="161 162 520 123 517 518 1427 9000"
echo -n "FW: Blocking attacks to TCP port "
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard ##### SSH
#iptables -A open -p tcp --dport 22 -j ACCEPT
iptables -A open -p tcp --dport 631 -j ACCEPT ####CUPS
iptables -A open -p tcp --dport 995 -j ACCEPT #### Email
iptables -A open -p tcp --dport 587 -j ACCEPT ####Email
iptables -A open -p tcp --dport 9100 -j ACCEPT ####CUPS
iptables -A open -p tcp --dport 0:1 -j DROP
iptables -A open -p tcp --dport 13 -j DROP
iptables -A open -p tcp --dport 25 -j DROP
iptables -A open -p tcp --dport 98 -j DROP
iptables -A open -p tcp --dport 111 -j DROP
iptables -A open -p tcp --dport 137:138 -j DROP
iptables -A open -p tcp --dport 161:162 -j DROP
iptables -A open -p tcp --dport 445 -j DROP
iptables -A open -p tcp --dport 512:515 -j DROP
iptables -A open -p tcp --dport 1080 -j DROP
iptables -A open -p tcp --dport 1214 -j DROP
iptables -A open -p tcp --dport 1999 -j DROP
iptables -A open -p tcp --dport 2049 -j DROP
iptables -A open -p tcp --dport 3049 -j DROP
iptables -A open -p tcp --dport 4329 -j DROP
iptables -A open -p tcp --dport 6000:6009 -j DROP
iptables -A open -p tcp --dport 6112 -j DROP
iptables -A open -p tcp --dport 6346 -j DROP
iptables -A open -p tcp --dport 3128 -j DROP
iptables -A open -p tcp --dport 8000 -j DROP
iptables -A open -p tcp --dport 8008 -j DROP
iptables -A open -p tcp --dport 8080 -j DROP
iptables -A open -p tcp --dport 12345 -j DROP
iptables -A open -p tcp --dport 65535 -j DROP
iptables -A open -p udp --dport 161:162 -j DROP
iptables -A open -p udp --dport 520 -j DROP
iptables -A open -p udp --dport 123 -j DROP
iptables -A open -p udp --dport 517:518 -j DROP
iptables -A open -p udp --dport 1427 -j DROP
iptables -A open -p udp --dport 9000 -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -i wlan0 -j DROP
iptables -I INPUT -p icmp --icmp-type redirect -j DROP
iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
echo "Inserting module $i"
modprobe $i
done

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PLEASE DON'T copy this and paste it without having some understanding,
and definitely not to a running Production machine. This is based on
my experiences and needs as the occasion arose. I may have security
issues I'm open too that I don't even know about. This is a learning
tool.

After all is said and done check permissions, groups, partitions for
proper settings desired. There are some tricks to disable
ctrl-alt-delete, ctrl-alt-prntscrn r-e-i-s-u-b, cut down on ttys in
inittab.

IF this machine is not being updated. You are forwarned that if you
forget about this step and reboot your box you may lose access or
more. Make good use of chattr on partitions. If someone does not know
that chattr is being used to basically make even root not have
access/immutable it can save poking around. Last but not least keep
root active you may need it, but use sudo in your everyday dealings if
you have to do administrative tasks AND NEVER EVER log in as root
remotely or local.

ciao....

--
---
gk
http://www.panoramio.com/user/5731247

http://gm5729.blogspot.com/
Secure Gateway and Google Voice links on blogspot.

Please conserve paper and print this email out ONLY if necessary.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message is part of the following thread:
	the complete thread tree sorted by date
	Lisa Kachold at