securing server

securing server

Jean-Paul Lacquement
Hi,

I plan to secure my Debian stable (or testing if you say it's better) server.


I already did the following:
- installed chkrootkit
- installed fail2ban (for ssh and proftpd)
- allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2


The following daemons are installed:
- proftpd
- apache2
- ssh

Would you please list for me which packages to install and which rules to apply?

Many thanks,
Jean-Paul


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: securing server

Yves-Alexis Perez-2
On Wed, May 07, 2008 at 09:09:02AM +0000, Jean-Paul Lacquement wrote:
> Hi,
>
> I plan to secure my Debian stable (or testing if you say it's better) server.
[…]
> Would you please list for me which packages to install and which rules to apply?

http://www.debian.org/doc/manuals/securing-debian-howto/

(first hit on google(secure debian);)
--
Yves-Alexis



Re: securing server

Bernd Eckenfels
In reply to this post by Jean-Paul Lacquement
In article <[hidden email]> you wrote:
> I already did the following:
> - installed chkrootkit
> - installed fail2ban (for ssh and proftpd)

Beware of DOS.

> - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2

If you have multiple administrators, you should not do that.

> Would you please list for me which packages to install and which rules to apply?

There are some hardening packages to look for. Besides that, you should review
all running processes and turn off those which you don't need (X11 related,
rpc, hotplug stuff, etc.).

Besides that, what applications do you plan to run?

Regards
Bernd


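One way to carry out the "review all running processes" step from the reply above, as an added example that is not from the thread or any poster: parse the listening-socket table of `ss -ltn` (or `netstat -ltn`, same 4th column) and flag anything exposed to the network outside an assumed allow-list of ssh, ftp and http; the sample output below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): list what is listening and flag anything
# exposed to the network that is not on the allow-list of intended services.
# Works on the column layout of `ss -ltn` or `netstat -ltn` (local address is
# the 4th field in both). The sample below is constructed, not a real capture.

SS_SAMPLE='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      128    0.0.0.0:21           0.0.0.0:*
LISTEN  0      128    *:80                 *:*
LISTEN  0      128    0.0.0.0:111          0.0.0.0:*
LISTEN  0      128    0.0.0.0:631          0.0.0.0:*
LISTEN  0      128    127.0.0.1:5432       0.0.0.0:*
LISTEN  0      128    [::]:22              [::]:*'

# Assumption: the box is meant to expose only ssh, ftp and http.
ALLOWED_PORTS="22 21 80"

# Emit "address port" for every listening socket read on stdin.
listen_pairs() {
    awk '$1 == "LISTEN" || $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port }'
}

# Classify each listener: ok (allowed), local (loopback only, not reachable
# from the network) or review (exposed on a port nobody asked for).
review_listeners() {  # $1 = allow-list of ports, stdin = ss/netstat output
    allow=" $1 "
    listen_pairs | while read -r addr port; do
        case "$addr" in
            127.*|'[::1]') cls=local ;;
            *) case "$allow" in *" $port "*) cls=ok ;; *) cls=review ;; esac ;;
        esac
        printf '%-7s %s:%s\n' "$cls" "$addr" "$port"
    done
}

# Number of exposed listeners that need a decision (disable the daemon,
# firewall it, or bind it to localhost): 111 (portmapper) and 631 (cups)
# in the constructed sample.
count_to_review() {
    printf '%s\n' "$SS_SAMPLE" | review_listeners "$ALLOWED_PORTS" |
        awk '$1 == "review" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SS_SAMPLE" | review_listeners "$ALLOWED_PORTS"
echo "listeners to review: $(count_to_review)"
# On a live box: ss -ltn | review_listeners "$ALLOWED_PORTS"
```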

Re: securing server

weakish jiang
In reply to this post by Jean-Paul Lacquement
Just too many things.

For example,

Use update-rc.d or sysv-rc-conf to disable unwanted daemons

Edit /etc/security/limits.conf

logcheck

use integrit/aide/tripwire

configure firewall (via shorewall or iptables directly)

etc.

You may consider chroot.


It's a good idea to read through the Securing Debian HOWTO

http://www.debian.org/doc/manuals/securing-debian-howto/


On Wed, 2008-05-07 at 11:09 +0200, Jean-Paul Lacquement wrote:

> Hi,
>
> I plan to secure my Debian stable (or testing if you say it's better) server.
>
>
> I already did the following:
> - installed chkrootkit
> - installed fail2ban (for ssh and proftpd)
> - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2
>
>
> The following daemons are installed:
> - proftpd
> - apache2
> - ssh
>
> Would you please list for me which packages to install and which rules to apply?
>
> Many thanks,
> Jean-Paul
>
>


Re: securing server

Brent Clark-3
In reply to this post by Jean-Paul Lacquement
Jean-Paul Lacquement wrote:

> Hi,
>
> I plan to secure my Debian stable (or testing if you say it's better) server.
>
>
> I already did the following:
> - installed chkrootkit
> - installed fail2ban (for ssh and proftpd)
> - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2
>
>
> The following daemons are installed:
> - proftpd
> - apache2
> - ssh
>
> Would you please list for me which packages to install and which rules to apply?
>
> Many thanks,
> Jean-Paul

Hi

Just remember less (installed software) means more security. So go for
the most minimal installation achievable.

You may also want to look at software like

rkhunter
aide
logwatch
logcheck
checksecurity
tiger
unhide

Modsecurity for apache (1&2)

If you're using SNMP, naturally v3 would be a good idea.

If you're using ftp, can't you opt for ssh instead? You can even use chroot
for ssh.

I always use testing, and have had great success. (Recently, I was able
to achieve PCI compliance.)

Oh, and for the ssh password, use some ASCII too, for example:

tryAnd_H4ckTh1s5

I don't see the need for iptables rules, but in case you do have the need,
rather look at xtables.
http://jengelh.medozas.de/projects/xtables/

All the best
Brent Clark




Re: securing server

Jean-Paul Lacquement
In reply to this post by Yves-Alexis Perez-2
Yes, I already had a look at those links. I asked this list because
this web page may not cover every threat.
Many thanks.

Jean-Paul

2008/5/7 Yves-Alexis Perez <[hidden email]>:

> On Wed, May 07, 2008 at 09:09:02AM +0000, Jean-Paul Lacquement wrote:
>  > Hi,
>  >
>  > I plan to secure my Debian stable (or testing if you say it's better) server.
>  […]
>
> > Would you please list for me which packages to install and which rules to apply?
>
>
> http://www.debian.org/doc/manuals/securing-debian-howto/
>
>  (first hit on google(secure debian);)
>  --
>  Yves-Alexis
>
>



Re: securing server

Abdul bijur Vallarkodath
just my two pence.

*  Change the ports of most services like ssh, ftp, smtp, imap etc. from the default ones to some other ones.
It would be nice if you could mention what you are trying to shut out and against what you are trying to secure.

Thanks,
Abdul


On 5/7/08, Jean-Paul Lacquement <[hidden email]> wrote:
Yes, I already had a look at those links. I asked this list because
this web page may not cover every threat.
Many thanks.

Jean-Paul

2008/5/7 Yves-Alexis Perez <[hidden email]>:

> On Wed, May 07, 2008 at 09:09:02AM +0000, Jean-Paul Lacquement wrote:
>  > Hi,
>  >
>  > I plan to secure my Debian stable (or testing if you say it's better) server.
>  […]
>
> > Would you please list for me which packages to install and which rules to apply?
>
>
> http://www.debian.org/doc/manuals/securing-debian-howto/
>
>  (first hit on google(secure debian);)
>  --
>  Yves-Alexis
>
>


--
Thanks,
Abdul Bijur V

Re: securing server

martin f krafft
In reply to this post by weakish jiang
thus spoke weakish <[hidden email]> [2008.05.07.1028 +0100]:
> Use update-rc.d or sysv-rc-conf to disable unwanted daemons

disable by making them all K00 links

> logcheck

hardly a security measure.

> use integrit/aide/tripwire

only useful with read-only media

> You may consider chroot.

no security benefit

> It's a good idea to read through securing debian howto

yes!

--
 .''`.   martin f. krafft <[hidden email]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
 
"the pure and simple truth is rarely pure and never simple."
                                                      -- oscar wilde


Re: securing server

Steve Petruzzello
In reply to this post by Abdul bijur Vallarkodath
On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([hidden email]) wrote:

>    just my two pence.

and my two centimes.

>    *  Change the ports of most services like ssh, ftp, smtp, imap etc. from the
>    default ones to some other ones.

From my poor understanding of security-related issues, I guess this is
totally useless since any (good) port scanner will defeat this without
any problem. Remember, security by obscurity is a bad idea.

--
Steve



Re: securing server

Jean-Paul Lacquement
In reply to this post by Bernd Eckenfels
>  > I already did the following:
>  > - installed chkrootkit
>  > - installed fail2ban (for ssh and proftpd)
>
>  Beware of DOS.
>
>
>  > - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2
>
>  If you have multiple administrators, you should not do that.

I am the only one.
>
>
>  > Would you please list for me which packages to install and which rules to apply?
>
>  There are some hardening packages to look for. Besides that, you should review
>  all running processes and turn off those which you don't need (X11 related,
>  rpc, hotplug stuff, etc.).

OK. I'll disable them.

>
>  Besides that, what applications you plan to run?

This server will only run proftpd, ssh, apache, nagios (via http), samba and cups.

>
>  Regards
>  Bernd

Jean-Paul



Re: securing server

Oliver Antwerpen
In reply to this post by Abdul bijur Vallarkodath

Steve wrote:

> On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([hidden email]) wrote:
>
>  
>>    just my two pence.
>>    
>
> and my two centimes.
>
>  
>>    *  Change the ports of most services like ssh, ftp, smtp, imap etc. from the
>>    default ones to some other ones.
>>    
>
> From my poor understanding of security-related issues, I guess this is
> totally useless since any (good) port scanner will defeat this without
> any problem. Remember, security by obscurity is a bad idea.
>
>
>  

Used on its own, you are right, but used in addition to the usual other securing
mechanisms it can help against zero-day attacks, which only shoot
exploits at well-known ports.




Re: securing server

Arture Le Coiffeur
In reply to this post by Steve Petruzzello
On Wednesday, 2008-05-07 at 12:47:37 +0200, Steve wrote:
> On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([hidden email]) wrote:

> >    just my two pence.

> and my two centimes.

> >    *  Change the ports of most services like ssh, ftp, smtp, imap etc. from the
> >    default ones to some other ones.

> From my poor understanding of security-related issues, I guess this is
> totally useless since any (good) port scanner will defeat this without
> any problem. Remember, security by obscurity is a bad idea.

"Security by Obscurity" refers to the attempt to protect a (usually
bad) crypto-algorithm by hiding it from review. This is called "Evasive
Maneuvers". The usual black hat scans will only look for services on
the standard ports as long as they find sufficient vulnerable machines
using those standard ports.

It will add a little security because the non-standard ports will only be
detected by an unusual scan, i.e. looking for SSH on ports 1..65535. This
takes so much longer than testing just port 22 that it will only be used
by somebody explicitly targeting the system in question.

Thus a whole class of attackers is eliminated. This means a
significantly smaller attack surface.

The more users a system has, though, the more you will have that are
not capable of dealing with changed ports. Or who have software that
can't deal with changed ports...

Lupe Christoph
--
| The whole aim of practical politics is to keep the populace alarmed    |
| (and hence clamorous to be led to safety) by menacing it with an       |
| endless series of hobgoblins, all of them imaginary.                   |
| H. L. Mencken, "In Defense of Women", 1918                             |



Re: securing server

julien-39
In reply to this post by Jean-Paul Lacquement
On Wed, 7 May 2008 13:03:03 +0200,
"Jean-Paul Lacquement" <[hidden email]> wrote:

> >  > I already did the following:
> >  > - installed chkrootkit
> >  > - installed fail2ban (for ssh and proftpd)
> >
> >  Beware of DOS.
> >
> >
> >  > - allow only one user (not root) via /etc/ssh/sshd_config, only
> >  > ssh v2
> >
> >  If you have multiple administrators, you should not do that.
>
> I am the only one.
> >
> >
> >  > Would you please list for me which packages to install and which
> >  > rules to apply?
> >
> >  There are some hardening packages to look for. Besides that, you
> > should review all running processes and turn off those which you
> > don't need (X11 related, rpc, hotplug stuff, etc.).
>
> OK. I'll disable them.
>
> >
> >  Besides that, what applications you plan to run?
>
> This server will only run proftpd, ssh, apache, nagios (via http),
> samba and cups.

Nagios via https could be a good idea. Same for apache, if you can. You
can set RewriteRules that will redirect http connections to https.

For security of ssh, if you plan to access the server via a limited
number of machines, you can consider using port knocking.

>
> >
> >  Regards
> >  Bernd
>
> Jean-Paul
>
>



Re: securing server

Abdul bijur Vallarkodath
In reply to this post by Steve Petruzzello
Haha, not really! If you have really managed an online server you'd have seen tons of attacks and login attempts on your default ports by bots looking around for weaker systems.

This is hence especially helpful; I myself have seen these bot attacks reduce to almost zero once I had changed the port numbers of various services on my system. Now, you are talking about someone sitting and concentrating on your machine, that's a different story altogether, isn't it? You are smart, you should have known all this.

Abdul


On Wed, May 7, 2008 at 6:47 PM, Steve <[hidden email]> wrote:
On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([hidden email]) wrote:

>    just my two pence.

and my two centimes.

>    *  Change the ports of most services like ssh, ftp, smtp, imap etc. from the
>    default ones to some other ones.

From my poor understanding of security-related issues, I guess this is
totally useless since any (good) port scanner will defeat this without
any problem. Remember, security by obscurity is a bad idea.

--
Steve



--
Thanks,
Abdul Bijur V

Re: securing server

Holger Wesser-2
In reply to this post by Jean-Paul Lacquement
Jean-Paul Lacquement wrote:
> Would you please list for me which packages to install and which rules to apply?

The Center for Internet Security has several documents on how to secure
different operating systems:

http://www.cisecurity.org/

Hope this helps.

Regards,
Holger



Re: securing server

Bernd Eckenfels
In reply to this post by Steve Petruzzello
In article <20080507104737.GA28127@localdomain> you wrote:
>>    *  Change the ports of most services like ssh, ftp, smtp, imap etc. from the
>>    default ones to some other ones.
>
> From my poor understanding of security-related issues, I guess this is
> totally useless since any (good) port scanner will defeat this without
> any problem. Remember, security by obscurity is a bad idea.

It helps to keep the noise in the logs low.

Regards
Bernd



Re: securing server

Stephen Vaughan
In reply to this post by Jean-Paul Lacquement
If you're running apache, I'd suggest installing modsecurity.

As for the other services, disable password authentication on ssh (start using ssh keypairs) and force ssh2.

proftpd has a couple of tweaks: remove the banner, implement connection limits.

inetd is always worth shutting down unless you really need it.

Do an nmap on the box locally and see what else is running. Install an iptables firewall that will block all ports by default and only open what you need. Disable the different icmp types, particularly the timestamp one.

On Wed, May 7, 2008 at 7:09 PM, Jean-Paul Lacquement <[hidden email]> wrote:
Hi,

I plan to secure my Debian stable (or testing if you say it's better) server.


I already did the following:
- installed chkrootkit
- installed fail2ban (for ssh and proftpd)
- allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2


The following daemons are installed:
- proftpd
- apache2
- ssh

Would you please list for me which packages to install and which rules to apply?

Many thanks,
Jean-Paul



--
Best Regards,
Stephen
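An audit of the ssh settings this thread recommends (ssh v2 only, named users only, key-based rather than password login), as an added example that is not from the thread or any poster. It assumes a plain sshd_config with no Match blocks, and treats a keyword that is missing or commented out as a failure instead of relying on version-specific defaults; the two config files it checks are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended in the thread. A keyword must be set explicitly to the wanted
# value; a missing or commented-out keyword counts as a failure. Assumption:
# plain "Keyword value" syntax with no Match blocks (a value inside a Match
# block would otherwise be read as if it were global).

# Print the effective value of a keyword, lower-cased. sshd uses the FIRST
# occurrence of a keyword, so the first match wins; prints nothing if absent.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Return 0 when the keyword equals the wanted value, 1 otherwise (with a message).
check_kw() {  # $1 = config file, $2 = keyword, $3 = wanted value
    v=$(sshd_value "$1" "$2")
    [ "$v" = "$3" ] && return 0
    echo "FAIL: $2 is '${v:-unset}', want '$3'"; return 1
}

# Run all checks; returns the number of failed checks (0 = hardened as advised).
# "Protocol 2" matters for the OpenSSH releases of the thread's era; current
# releases only speak v2 and ignore the keyword.
audit_sshd() {  # $1 = config file
    fails=0
    for pair in "Protocol:2" "PermitRootLogin:no" "PasswordAuthentication:no" \
                "PubkeyAuthentication:yes" "ChallengeResponseAuthentication:no"; do
        check_kw "$1" "${pair%%:*}" "${pair#*:}" || fails=$((fails + 1))
    done
    # Restrict logins to named accounts (the thread's "allow only one user").
    if [ -z "$(sshd_value "$1" AllowUsers)" ]; then
        echo "FAIL: AllowUsers not set"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed samples: a stock-looking config and one hardened as advised.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AllowUsers jpadmin
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    rc=0; audit_sshd "$f" || rc=$?
    echo "$f: $rc failed check(s)"
done
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config` and test the result with `sshd -t` before restarting the daemon.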

Re: securing server

Steve Petruzzello
In reply to this post by Abdul bijur Vallarkodath
On 07-05-2008, at 19:39:57 +0800, Abdul Bijur Vallarkodath ([hidden email]) wrote:

>    Haha, not really! If you have really managed an online server you'd have
>    seen tons of attacks and login attempts on your default ports by bots
>    looking around for weaker systems.

Yes I have also seen that very often.

>    This is hence especially helpful; I myself have seen these bot attacks
>    reduce to almost zero once I had changed the port numbers of various
>    services on my system.

Sure, but that doesn't mean you're more secure, just that you have
fewer scans (which can be achieved by some well-thought-out iptables rules).

> Now, you are talking about someone sitting and
>    concentrating on your machine, that's a different story altogether, isn't it?

Yep, you're right. If someone really wants to attack you, changing
the default port numbers will just postpone the moment the attacks
really start.

>    You are smart, you should have known all this.

Just tried to pinpoint an issue.

Best regards

--
Steve



Re: securing server

Harry Jackson-3
In reply to this post by Abdul bijur Vallarkodath
Just install xinetd and use the "only_from" option.

H

On Wed, 2008-05-07 at 19:39 +0800, Abdul Bijur Vallarkodath wrote:

> Haha, not really! If you have really managed an online server you'd have
> seen tons of attacks and login attempts on your default ports by bots
> looking around for weaker systems.
>
> This is hence especially helpful; I myself have seen these bot attacks
> reduce to almost zero once I had changed the port numbers of various
> services on my system. Now, you are talking about someone sitting and
> concentrating on your machine, that's a different story altogether, isn't
> it? You are smart, you should have known all this.
>
> Abdul
>
>
> On Wed, May 7, 2008 at 6:47 PM, Steve <[hidden email]> wrote:
>         On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath
>         ([hidden email]) wrote:
>        
>         >    just my two pence.
>        
>         and my two centimes.
>        
>         >    *  Change the ports of most services like ssh, ftp, smtp,
>         imap etc. from the
>         >    default ones to some other ones.
>        
>        
>         From my poor understanding of security-related issues, I
>         guess this is
>         totally useless since any (good) port scanner will defeat this
>         without
>         any problem. Remember, security by obscurity is a bad idea.
>        
>         --
>         Steve
>        
>        
>
>
>
> --
> Thanks,
> Abdul Bijur V



Re: securing server

Alex Mestiashvili
In reply to this post by Jean-Paul Lacquement
Jean-Paul Lacquement wrote:

> Hi,
>
> I plan to secure my Debian stable (or testing if you say it's better) server.
>
>
> I already did the following:
> - installed chkrootkit
> - installed fail2ban (for ssh and proftpd)
> - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2
>
>
> The following daemons are installed:
> - proftpd
> - apache2
> - ssh
>
> Would you please list for me which packages to install and which rules to apply?
>
> Many thanks,
> Jean-Paul
>
>
>  
+ to all, imho it is a good idea to use some kernel patches like grsecurity
(http://grsecurity.org/).


