security advice wanted for home server

Andy Baxter
I have an embedded device with attached usb hard disk (a Linksys NSLU2)
which I have installed debian on, with the aim of using it as a home
server over ADSL. (The idea being that it's quiet and consumes very
little power, so I'm happy leaving it switched on all the time, which I
wouldn't be with a desktop type machine.)

I'm thinking of setting it up as a web server at some point, but could
do with some basic advice about the security side of things if anyone
can help with that. One question is how likely this is to be a problem
(and would the fact that it's on an arm chip not intel reduce the
likelihood of a successful attack?); also what kind of precautions I
should take against being cracked?

My network is an ADSL modem/router with built in firewall and port
forwarding, behind which I have 2 laptops, one running linux and one
running windows xp, plus the NSLU2.

What I'm thinking of doing to secure the NSLU2 is:

- Check that the only open incoming ports are ones that I need.

- run a firewall (shorewall?). (Though is this actually going to make a
difference on such a small network where there are only the localnet and
internet zones to think about and the router already has a built in
firewall? I'm assuming that it's something I should do, but not sure
what kind of attacks a firewall on the NSLU2 would really stop, given
that only one incoming port (http) is going to be open on my router, and
I can make sure that the server doesn't have any incoming ports open
except http and ssh)

- use aide to check the system files regularly. The way I'm thinking of
doing this is to put a bootable debian image (with aide installed) on a
flash disk, then every week or so boot my laptop from this with the
slug's usb hard drive plugged into the laptop as well, and check the
system using aide that way. Then install any updates, then calculate the
checksums again and store them on the flash disk (which I would never
use for any other purpose). This is putting me off somewhat, as I was
doing something similar with another server I had a while back, and it
was a fair bit of hassle to keep it up every week. So it would be good
to know if this is overkill, or a sensible thing to do?

- work through the securing debian manual to see if there's anything
else I've missed.

andy.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: security advice wanted for home server

Sébastien NOBILI-3
On Friday 27 February 09 at 10:43, andy baxter wrote:
> I can make sure that the server doesn't have any incoming ports open  
> except http and ssh)

I would use another port than 22 for the SSH. If your machine's ports are
being scanned and it appears port 22 is open, then you'll probably have a
lot of brute-force attacks to SSH.
Personally, I redirected on my router a high port number (1234, for
example) to port number 22 of my home server. No more brute-force attacks.

Just in case you didn't think about it, restrict SSH access to certain
users, in /etc/ssh/sshd_config :
    PermitRootLogin no
    AllowUsers your_login

> andy.

Seb



Re: security advice wanted for home server

Tom Allison-2
Better to use public/private key authentication than to rely on  
passwords.

On Feb 27, 2009, at 7:41 AM, Sébastien NOBILI <[hidden email]>  
wrote:

> On Friday 27 February 09 at 10:43, andy baxter wrote:
>> I can make sure that the server doesn't have any incoming ports open
>> except http and ssh)
>
> I would use another port than 22 for the SSH. If your machine's  
> ports are
> being scanned and it appears port 22 is open, then you'll probably  
> have a
> lot of brute-force attacks to SSH.
> Personally, I redirected on my router a high port number (1234, for
> example) to port number 22 of my home server. No more brute-force  
> attacks.
>
> Just in case you didn't think about it, restrict SSH access to certain
> users, in /etc/ssh/sshd_config :
>    PermitRootLogin no
>    AllowUsers your_login
>
>> andy.
>
> Seb

Re: security advice wanted for home server

Andy Baxter
In reply to this post by Sébastien NOBILI-3
Sébastien NOBILI wrote:

> On Friday 27 February 09 at 10:43, andy baxter wrote:
>  
>> I can make sure that the server doesn't have any incoming ports open  
>> except http and ssh)
>>    
>
> I would use another port than 22 for the SSH. If your machine's ports are
> being scanned and it appears port 22 is open, then you'll probably have a
> lot of brute-force attacks to SSH.
>  
Is there any reason to do this given that I'm not planning to log in by
ssh from outside my local network? The only ports I'm thinking of
opening on the router's firewall are http and the port used by
bittorrent (I want to run torrentflux on the NSLU2, which is a web based
bittorrent client).
> Personally, I redirected on my router a high port number (1234, for
> example) to port number 22 of my home server. No more brute-force attacks.
>
> Just in case you didn't think about it, restrict SSH access to certain
> users, in /etc/ssh/sshd_config :
>     PermitRootLogin no
>     AllowUsers your_login
>
>  
I've done PermitRootLogin; thanks for mentioning the other one. I was
also trying:

ListenAddress 10.0.0.3

But this seemed to prevent even 10.0.0.3 from logging in, after a
'/etc/init.d/ssh restart'

Would ListenAddress 10.*.*.* (or 10.*) work?

Incidentally, at the moment, with only a base system installed, these
are the TCP/IP ports that are open:

dolphin:/etc/ssh# netstat -atu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 dolphin.localnet:ssh    10.0.0.3:58300          ESTABLISHED
tcp        0      0 dolphin.localnet:ssh    10.0.0.3:37295          ESTABLISHED
dolphin:/etc/ssh#


andy



Re: security advice wanted for home server

Dmitry Nedospasov
In reply to this post by Tom Allison-2
I would use public key and fail2ban

D.

On Feb 27, 2009, at 14:05 , Tom Allison wrote:

> Better to use public/private key authentication than to rely on  
> passwords.
>
> On Feb 27, 2009, at 7:41 AM, Sébastien NOBILI  
> <[hidden email]> wrote:
>
>> On Friday 27 February 09 at 10:43, andy baxter wrote:
>>> I can make sure that the server doesn't have any incoming ports open
>>> except http and ssh)
>>
>> I would use another port than 22 for the SSH. If your machine's  
>> ports are
>> being scanned and it appears port 22 is open, then you'll probably  
>> have a
>> lot of brute-force attacks to SSH.
>> Personally, I redirected on my router a high port number (1234, for
>> example) to port number 22 of my home server. No more brute-force  
>> attacks.
>>
>> Just in case you didn't think about it, restrict SSH access to  
>> certain
>> users, in /etc/ssh/sshd_config :
>>   PermitRootLogin no
>>   AllowUsers your_login
>>
>>> andy.
>>
>> Seb

Re: security advice wanted for home server

paulchen_panther1 (Bugzilla)
In reply to this post by Andy Baxter
On Friday 27 February 2009 14:07:02 andy baxter wrote:

> Sébastien NOBILI wrote:
> > On Friday 27 February 09 at 10:43, andy baxter wrote:
> >> I can make sure that the server doesn't have any incoming ports open
> >> except http and ssh)
> >
> > I would use another port than 22 for the SSH. If your machine's ports are
> > being scanned and it appears port 22 is open, then you'll probably have a
> > lot of brute-force attacks to SSH.
>
> Is there any reason to do this given that I'm not planning to log in by
> ssh from outside my local network?

No.

> > Personally, I redirected on my router a high port number (1234, for
> > example) to port number 22 of my home server. No more brute-force
> > attacks.
> >
> > Just in case you didn't think about it, restrict SSH access to certain
> > users, in /etc/ssh/sshd_config :
> >     PermitRootLogin no
> >     AllowUsers your_login
>
> I've done PermitRootLogin; thanks for mentioning the other one. I was
> also trying:
>
> ListenAddress 10.0.0.3
>
> But this seemed to prevent even 10.0.0.3 from logging in, after a
> '/etc/init.d/ssh restart'
>
> Would ListenAddress 10.*.*.* (or 10.*) work?

No. ListenAddress is not the right option. Using ListenAddress, you can tell
sshd on which of the machine's network interfaces it shall listen. The IP
address you write there is the address assigned to the interface (use ifconfig
to find out these addresses).

I'd try some iptables rules or some lines in /etc/hosts.allow and/or
/etc/hosts.deny.


Paul


--
perl -e 'print pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
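
The sshd_config advice given so far in this thread (PermitRootLogin and AllowUsers from Sébastien, keys rather than passwords from Tom, and Paul's point that ListenAddress is the server's own address) can be checked with one small audit script. This is an added example, not code from any poster; the function names are hypothetical, and it reads only the global part of the file, before any Match block.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the posters recommend. sshd_values and audit_sshd_config are hypothetical
# names; the keywords checked are real sshd_config keywords.

# Print the first argument of every uncommented "Keyword value" line that
# appears before the first Match block. Keywords are case-insensitive.
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# Return 0 when every check passes, 1 otherwise; print one line per finding.
audit_sshd_config() {
    cfg=$1
    rc=0

    # Root must not log in directly (only the first value set is considered).
    [ "$(sshd_values "$cfg" PermitRootLogin | head -n 1)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not set to 'no'"; rc=1; }

    # Only named accounts may log in.
    [ -n "$(sshd_values "$cfg" AllowUsers)" ] ||
        { echo "FAIL: no AllowUsers list"; rc=1; }

    # Keys instead of passwords.
    [ "$(sshd_values "$cfg" PasswordAuthentication | head -n 1)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not set to 'no'"; rc=1; }

    # ListenAddress names one of the server's own addresses. It is not a
    # client filter and does not take wildcards such as 10.* .
    if sshd_values "$cfg" ListenAddress | grep -q '[*]'; then
        echo "FAIL: ListenAddress contains a wildcard"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# Constructed sample input, not a real configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
AllowUsers your_login
PasswordAuthentication yes
ListenAddress 10.*
EOF
audit_sshd_config "$sample" || true
rm -f "$sample"
```

`sshd -t` checks the configuration file for validity and is worth running before restarting the service.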



Re: security advice wanted for home server

Gerardo Castillo Alvarado
In reply to this post by Tom Allison-2
Tom Allison wrote:
>> I would use another port than 22 for the SSH. If your machine's ports
>> are
>> being scanned and it appears port 22 is open, then you'll probably
>> have a
>> lot of brute-force attacks to SSH.
>> Personally, I redirected on my router a high port number (1234, for
>> example) to port number 22 of my home server. No more brute-force
>> attacks.
I think that in the worst case you can use port knocking instead of only
changing the port number. It's a matter of ease of use versus security. You
can also use public keys and so forth.



Re: security advice wanted for home server

Andy Baxter
In reply to this post by Andy Baxter
andy baxter wrote:

> [... I'm planning to ...]
>
> - use aide to check the system files regularly. The way I'm thinking
> of doing this is to put a bootable debian image (with aide installed)
> on a flash disk, then every week or so boot my laptop from this with
> the slug's usb hard drive plugged into the laptop as well, and check
> the system using aide that way. Then install any updates, then
> calculate the checksums again and store them on the flash disk (which
> I would never use for any other purpose). This is putting me off
> somewhat, as I was doing something similar with another server I had a
> while back, and it was a fair bit of hassle to keep it up every week.
> So it would be good to know if this is overkill, or a sensible thing
> to do?
>
Thanks to those who replied about ssh config. Would be good to know more
about whether it's worth setting up aide for a small home server like
this, and if the way I'm thinking of doing it is OK. My main worry isn't
someone reading my files, which aren't desperately secret, it's that I
don't want the hassle of having to reinstall after being cracked, and I
don't want to become part of someone else's botnet.

andy



Re: security advice wanted for home server

Martin Bartenberger
andy baxter wrote:

> andy baxter wrote:
>> [... I'm planning to ...]
>>
>> - use aide to check the system files regularly. The way I'm thinking
>> of doing this is to put a bootable debian image (with aide installed)
>> on a flash disk, then every week or so boot my laptop from this with
>> the slug's usb hard drive plugged into the laptop as well, and check
>> the system using aide that way. Then install any updates, then
>> calculate the checksums again and store them on the flash disk (which
>> I would never use for any other purpose). This is putting me off
>> somewhat, as I was doing something similar with another server I had
>> a while back, and it was a fair bit of hassle to keep it up every
>> week. So it would be good to know if this is overkill, or a sensible
>> thing to do?
>>
> Thanks to those who replied about ssh config. Would be good to know
> more about whether it's worth setting up aide for a small home server
> like this, and if the way I'm thinking of doing it is OK. My main
> worry isn't someone reading my files, which aren't desperately secret,
> it's that I don't want the hassle of having to reinstall after being
> cracked, and I don't want to become part of someone else's botnet.
It depends on you. I'd think that it's enough if you watch the processes
running on your server from time to time, check it with rkhunter or
something similar and keep an eye on your logs (via logcheck for
example). You also can chroot your webserver. For me, using something
like aide would be a bit too much for a small personal server.

martin

>
> andy
>
>



Re: security advice wanted for home server

Andy Baxter
Sorry, forgot to send this to the list.

Martin Bartenberger wrote:

> andy baxter wrote:
>> Thanks to those who replied about ssh config. Would be good to know
>> more about whether it's worth setting up aide for a small home server
>> like this, and if the way I'm thinking of doing it is OK. My main
>> worry isn't someone reading my files, which aren't desperately
>> secret, it's that I don't want the hassle of having to reinstall after
>> being cracked, and I don't want to become part of someone else's botnet.
> It depends on you. I'd think that it's enough if you watch the
> processes running on your server from time to time, check it with
> rkhunter or something similar and keep an eye on your logs (via
> logcheck for example). You also can chroot your webserver. For me,
> using something like aide would be a bit too much for a small personal
> server.

Thanks - I think I'll give aide a miss. Another question - I'm thinking
of putting together a cd with some files on it useful for checking the
system. Then every so often I can mount the CD on the NSLU2 and check
the system knowing that the programs I'm using are reasonably clean
(barring kernel/system library modifications etc.). The programs I'm
thinking of putting on the disc are:

- everything in /bin
- rkhunter plus config files.
- chkrootkit ditto
- top
- netstat
- less
- mc

So the question is - does this seem like a worthwhile thing to do, and
are there any other programs worth including?

andy



Re: security advice wanted for home server

Andy Baxter
andy baxter wrote:

> Sorry, forgot to send this to the list.
>
> Martin Bartenberger wrote:
>> andy baxter wrote:
>>> Thanks to those who replied about ssh config. Would be good to know
>>> more about whether it's worth setting up aide for a small home
>>> server like this, and if the way I'm thinking of doing it is OK. My
>>> main worry isn't someone reading my files, which aren't desperately
>>> secret, it's that I don't want the hassle of having to reinstall
>>> after being cracked, and I don't want to become part of someone
>>> else's botnet.
>> It depends on you. I'd think that it's enough if you watch the
>> processes running on your server from time to time, check it with
>> rkhunter or something similar and keep an eye on your logs (via
>> logcheck for example). You also can chroot your webserver. For me,
>> using something like aide would be a bit too much for a small
>> personal server.
>
> Thanks - I think I'll give aide a miss. Another question - I'm thinking
> of putting together a cd with some files on it useful for checking the
> system. Then every so often I can mount the CD on the NSLU2 and check
> the system knowing that the programs I'm using are reasonably clean
> (barring kernel/system library modifications etc.). The programs I'm
> thinking of putting on the disc are:
>
> - everything in /bin
> - rkhunter plus config files.
> - chkrootkit ditto
> - top
> - netstat
> - less
> - mc
>
> So the question is - does this seem like a worthwhile thing to do, and
> are there any other programs worth including?

Thinking about it, seeing as I'm burning a whole CD, I might as well
just backup the whole of the current system to CD and use that, so no
need for advice on which programs to include.

andy



Logs on Debian in Apache2

OLCESE, Marcelo Oscar
Dear all, I have a Debian 4.0 machine running Apache2.
I also have a PC that checks that Apache is up and
working.
90% of the entries in the Apache log come from the IP of the PC that
checks it. Is there any way to stop it logging requests from this machine?
Reading the logs every week is very tedious for me, and it would also
greatly reduce their size.

Many thanks,
Marcelo Olcese.-
(Buenos Aires, Argentina)



Re: Logs on Debian in Apache2

Dan Ritter-2
On Wed, May 06, 2009 at 03:01:41PM -0300, OLCESE, Marcelo Oscar wrote:
> Dear all, I have a Debian 4.0 machine running Apache2.
> I also have a PC that checks that Apache is up and
> working.
> 90% of the entries in the Apache log come from the IP of the PC that
> checks it. Is there any way to stop it logging requests from this machine?
> Reading the logs every week is very tedious for me, and it would also
> greatly reduce their size.

If you're using logrotate, you can define a prerotate/endscript
action that uses grep or sed to remove the test machine's
entries.

Sorry that I don't write Spanish well.

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.

You can't defend freedom by getting rid of it.
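
One way to write the filter such a prerotate action could call, shown on constructed log lines. This is an added example, not Dan's code; `strip_client`, the script path in the comment and the sample addresses are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): drop one monitoring host's requests
# from an Apache access log. A logrotate stanza could call it like this
# (the script path is hypothetical):
#   prerotate
#       /usr/local/sbin/strip-monitor.sh
#   endscript

# Usage: strip_client LOGFILE CLIENT_IP
# Removes lines whose first field (the client address in the common and
# combined log formats) equals CLIENT_IP, and prints how many were removed.
strip_client() {
    log=$1
    ip=$2
    tmp=$(mktemp) || return 1
    before=$(wc -l < "$log")
    # Compare the whole field as a string: a bare `grep -v 10.0.0.3` would
    # also drop 10.0.0.30 and any line that merely contains that text.
    awk -v ip="$ip" '($1 "") != ip' "$log" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back into the same file rather than replacing it, so a server
    # that holds the log open keeps appending to it.
    cat "$tmp" > "$log"
    after=$(wc -l < "$log")
    rm -f "$tmp"
    echo $((before - after))
}

# Constructed sample log: 10.0.0.3 plays the monitoring PC.
demo=$(mktemp)
cat > "$demo" <<'EOF'
10.0.0.3 - - [06/May/2009:15:00:00 -0300] "GET / HTTP/1.0" 200 45
10.0.0.30 - - [06/May/2009:15:00:01 -0300] "GET /a HTTP/1.1" 200 120
192.0.2.7 - - [06/May/2009:15:00:02 -0300] "GET /?from=10.0.0.3 HTTP/1.1" 200 120
10.0.0.3 - - [06/May/2009:15:01:00 -0300] "GET / HTTP/1.0" 200 45
EOF
echo "removed $(strip_client "$demo" 10.0.0.3) lines, kept:"
cat "$demo"
rm -f "$demo"
```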



Re: Logs on Debian in Apache2

dererk
In reply to this post by OLCESE, Marcelo Oscar
OLCESE, Marcelo Oscar wrote:

> Dear all, I have a Debian 4.0 machine running Apache2.
> I also have a PC that checks that Apache is up and
> working.
> 90% of the entries in the Apache log come from the IP of the PC that
> checks it. Is there any way to stop it logging requests from this machine?
> Reading the logs every week is very tedious for me, and it would also
> greatly reduce their size.
>
> Many thanks,
> Marcelo Olcese.-
> (Buenos Aires, Argentina)
>
Please note this list is not the most suitable one for this topic.
debian-users-spanish would be more appropriate in the future ;-)

Apache is highly configurable with respect to logging; you might be
looking for mod_env. This is an example that should go in the vhost
you're dealing with:


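# Mark every request, then remove the mark from the checking PC's requests
# (the trailing $ keeps X.X.X.X from also matching longer addresses)
SetEnvIf Remote_Addr "."               real-clients
SetEnvIf Remote_Addr "^X\.X\.X\.X$"    !real-clients
# Log only requests that still carry the mark
CustomLog /path/to/your/directory/access.log combined env=real-clients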

The X\.X\.X\.X is the IP of the other PC that is checking up on your server
(don't forget the "\") and 'combined' is one of the default logging
format rules (LogFormat).

Hope it helps.
Greetings,

Dererk

--
vlady <at> Melee: ~$ grep -ir 'power in your hands' /proc/
/proc/version: Debian GNUine Perception

BOFH excuse #356: the daemons! the daemons! the terrible daemons!.




Re: Logs on Debian in Apache2

Leandro Minatel
In reply to this post by Dan Ritter-2
On Wed, May 6, 2009 at 3:23 PM, Dan Ritter <[hidden email]> wrote:

> On Wed, May 06, 2009 at 03:01:41PM -0300, OLCESE, Marcelo Oscar wrote:
>> Dear all, I have a Debian 4.0 machine running Apache2.
>> I also have a PC that checks that Apache is up and
>> working.
>> 90% of the entries in the Apache log come from the IP of the PC that
>> checks it. Is there any way to stop it logging requests from this machine?
>> Reading the logs every week is very tedious for me, and it would also
>> greatly reduce their size.
>
> If you're using logrotate, you can define a prerotate/endscript
> action that uses grep or sed to remove the test machine's
> entries.
>
> Sorry that I don't write Spanish well.
>
> -dsr-
>
> --
> http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
>
>

Hi Marcelo, I think the SetEnvIf directive may be useful to you.

See here: http://www.howtoforge.com/setenvif_apache2

Regards

