-
08-26-2007, 05:55 AM #1 Newbie
- Join Date
- Aug 2007
- Location
- Netherlands
- Posts
- 9
What do you think of my server security?
I have recently installed and configured my web server. Since I think security is very important, I am curious about recommendations, tips, etc.
My server:
- CentOS 4.4 (installed by provider)
- Apache 2.0.52
- PHP 4.3.9
- MySQL 4.1.20
- No FTP
- mod_security is running
The firewall that comes with CentOS is switched on and allows the following ports: http, ssh, smtp.
I have installed sendmail, but it is turned off by default. I need it approx. 3 times a week for 15 minutes or so and will turn it on then.
I have barely any budget so hardware firewalls etc. aren't an option.
Furthermore it's a basic server, just like my knowledge, so advanced things like IDS aren't an option.
Any tips, recommendations, etc.?
Thanks in advance.
-
08-26-2007, 06:24 AM #2 Web Hosting Master
- Join Date
- Oct 2004
- Location
- Kerala, India
- Posts
- 4,771
You may install APF and BFD.
Tighten the mod_sec rules. Disable services such as telnet, ping, etc. Install mod_dosevasive for Apache.
Run rkhunter and chkrootkit occasionally.
-
08-26-2007, 07:36 AM #3 Newbie
- Join Date
- Aug 2007
- Location
- Netherlands
- Posts
- 9
Thanks!
I have disabled ping and telnet.
Mod_dosevasive is hard to get and seems a bit outdated (latest release somewhere in 2003).
Rkhunter seems a good idea, so I will look at it.
-
08-26-2007, 08:49 AM #4 Newbie
- Join Date
- Sep 2005
- Posts
- 18
Still a long way to go.
You need to do a lot of things regarding security.
The best thing to do is to hire a sysadmin.
-
08-26-2007, 10:33 AM #5 Web Hosting Master
- Join Date
- Oct 2004
- Location
- Kerala, India
- Posts
- 4,771
-
08-26-2007, 11:38 AM #6 Aspiring Evangelist
- Join Date
- Aug 2004
- Posts
- 417
Those tools just give a false feeling of security imho.
Don't forget to harden your partitions, guide:
http://www.securedminds.net/?p=7
-
08-26-2007, 02:07 PM #7 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Philadelphia, Pa
- Posts
- 948
-
08-26-2007, 08:54 PM #8 Web Hosting Master
- Join Date
- May 2005
- Location
- Bay Area
- Posts
- 1,211
Change the SSH port and don't allow root login; maybe ACL that sort of access down via IP. You can try chrooting services for added security.
-
08-26-2007, 09:07 PM #9 Web Hosting Master
- Join Date
- Jun 2006
- Location
- NYC / Memphis, TN
- Posts
- 1,454
I would still highly recommend dosevasive if this is a web server. Also as mentioned, changing the port of SSH. Turn root logins off and configure sudo. Next step would be APF and limit the traffic to the SSH port to 1MB or around. Look up sysctl.conf hardening for DDOS attacks and such.
RKhunter and Chkrootkit are excellent tools. We install them both along with TripWire on all of our servers. I would also set SSH to listen on 1 single IP address instead of * to cut down on the amount of brute force attacks.
Get BFD / Install it. Install LES: http://www.r-fx.org/les.php
Next install: http://deflate.medialayer.com/old/
Once you have each of these configured and installed you should have a good start. Just make sure to keep updated.
And next time... install FreeBSD.
-
08-26-2007, 11:54 PM #10 Retired Moderator
- Join Date
- May 2006
- Location
- San Francisco
- Posts
- 7,325
Upgrade Apache/PHP/MYSQL to the latest versions.
-
08-27-2007, 05:27 AM #11 Newbie
- Join Date
- Aug 2007
- Location
- Netherlands
- Posts
- 9
Thanks for all the tips!
I know 100% security is impossible, but I feel much more secure with these things applied.
-
08-27-2007, 06:35 AM #12 Junior Guru Wannabe
- Join Date
- Aug 2007
- Location
- Brighton, UK
- Posts
- 66
I assume you're aware of nmap and have port scanned yourself from a remote machine?
Something like `nmap -p1-65535 yourIP` is good to do fairly regularly.
Don't forget to do a UDP scan as well:
`nmap -sU -p1-65535 yourIP`
-
08-27-2007, 07:08 AM #13 Newbie
- Join Date
- Aug 2007
- Location
- Netherlands
- Posts
- 9
@kieransimkim: Thanks for the tip!
-
08-27-2007, 12:51 PM #14 WHT Addict
- Join Date
- Aug 2007
- Location
- Minneapolis
- Posts
- 111
-
08-27-2007, 05:49 PM #15 Junior Guru Wannabe
- Join Date
- Aug 2007
- Posts
- 57
Don't bother nmap'ing yourself, this is just silly.
'netstat -tnlp' should be the first command you run... familiarize yourself with the output. If it changes, find out why. Also run it without the '-t', so that it includes UDP. (TCP ports are more common sources of problems). The -n is optional; it shows everything in numeric, so no DNS or UID lookups. (Slightly faster.)
'chkconfig --list' - again, familiarize yourself with this. Find out what everything does. If you don't need it (e.g. portmap), don't run it.
Use strong passwords. Make sure your users use strong passwords. Make sure software is up-to-date. Since you're running CentOS (based on RHEL), stick with the updates they provide, and stay current on those updates. Note that RedHat backports security fixes; if you have 1.0.5, and there's a security bug that affects all versions prior to 1.0.7, you may already have a patch for it; check the Security Advisories for your O/S.
Be aware of what software you install, be it PHP scripts, Perl scripts, etc. Sign up for the mailing lists.
Develop a few commands you run regularly, and are familiar with the output of. 'find / -user nobody' is a good one; check whatever user your web server is running as (http, apache, www, wwwrun, etc.) and run a find command for that user as well.
Run 'pstree -up' regularly, familiarize yourself with the output. If something changes, find out why.
Run 'rpm -Va' and 'rpm -qa' regularly, familiarize yourself with the output. If something changes, find out why.
Avoid entering your password in an insecure fashion, e.g. from a public WiFi hotspot over e-mail, FTP, etc. Configure SSL-encrypted (stunnel) POP and/or IMAP access. Use SSH and SCP/SFTP, encourage your users to do the same.
Avoid unusable security tools that make your life too difficult; they'll offer a false sense of security, if they aren't being configured and maintained properly.
Things like firewalls, IDS's, mod_security, etc. are all in an attempt to protect against things you don't notice. They're a poor substitute for taking the time to make sure the server is "healthy".
Your best defense is to keep a watchful eye on the server and be able to realize when something is out of place or off kilter. Some tools help you do this in a more automated fashion, like tripwire, logwatch, etc.
And while hiring a sysadmin, or purchasing extra products, can help you gain better security, it never hurts to keep a watchful eye yourself. Security is only as strong as the weakest link, and in the world of web hosting, that's usually when someone uploads a 2 year old PHP script that has multiple known security vulnerabilities; most security products will only help minimize the damage, not prevent it.
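The regimen this post describes (netstat, chkconfig, find -user, rpm -Va, rpm -qa; run them, learn the output, and when it changes find out why) turned into a script, as an added example that is not part of the thread: a POSIX sh program that records each command's output as a snapshot and reports what differs from the previous snapshot, so the change is something you read in a report rather than something you have to notice by eye. The snapshot directory and the web-server user names are assumptions (CentOS 4 runs httpd as `apache`); pstree is left out of the diff because PIDs change on every restart and would drown the report.

```shell
#!/bin/sh
# Snapshot-and-diff regimen for "familiarize yourself with the output; if it
# changes, find out why": capture listening sockets, enabled services, installed
# packages, rpm verification and files owned by the web-server users, then
# report what differs from the previous snapshot. Example code, not from the thread.
export LC_ALL=C                                   # stable ordering for sort/comm

BASE_DIR="${BASE_DIR:-/var/lib/server-baseline}"  # assumption: where snapshots live
WEB_USERS="${WEB_USERS:-nobody apache}"           # assumption: CentOS httpd runs as 'apache'

# Write one snapshot into directory $1. Each collector is skipped if its tool is
# missing, and each file is sorted so compare_snapshots can use comm(1).
collect_snapshot() {
    dir="$1"
    mkdir -p "$dir"
    # Listening TCP and UDP sockets with owning PID/program (-p needs root).
    if command -v netstat >/dev/null 2>&1; then
        netstat -tulnp 2>/dev/null | awk 'NR > 2 { print $1, $4, $NF }' | sort > "$dir/listening"
    fi
    # Services enabled in runlevel 3; anything here you cannot explain is a question.
    if command -v chkconfig >/dev/null 2>&1; then
        chkconfig --list 2>/dev/null | awk '/3:on/ { print $1 }' | sort > "$dir/services"
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa | sort > "$dir/packages"
        # rpm -Va lists files that no longer match the package database (size, mode,
        # digest, owner). Edited config files are expected; changed binaries are not.
        rpm -Va 2>/dev/null | sort > "$dir/rpm-verify"
    fi
    # Files owned by the web-server users: an uploaded script or dropped cron job
    # usually shows up here first.
    : > "$dir/webfiles"
    for u in $WEB_USERS; do
        find / -xdev -user "$u" 2>/dev/null
    done | sort >> "$dir/webfiles"
}

# Compare snapshot directories $1 (old) and $2 (new). Prints "+ line" for additions
# and "- line" for removals under a "== <file>" header. Returns 1 if anything
# changed, 0 if the snapshots are identical.
compare_snapshots() {
    old="$1"; new="$2"; changed=0
    tmp=$(mktemp -d)
    for f in "$new"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$old/$name" ]; then
            echo "== $name (new snapshot file, no baseline)"; changed=1; continue
        fi
        sort -u "$old/$name" > "$tmp/a"
        sort -u "$f" > "$tmp/b"
        added=$(comm -13 "$tmp/a" "$tmp/b")
        removed=$(comm -23 "$tmp/a" "$tmp/b")
        if [ -n "$added$removed" ]; then
            changed=1
            echo "== $name"
            [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
            [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
        fi
    done
    for f in "$old"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ -f "$new/$name" ] || { echo "== $name (missing from new snapshot)"; changed=1; }
    done
    rm -rf "$tmp"
    return "$changed"
}

# Usage: sh baseline.sh check   (e.g. from cron; the first run only records the baseline)
case "${1:-}" in
    check)
        if [ -d "$BASE_DIR/current" ]; then
            rm -rf "$BASE_DIR/previous"
            mv "$BASE_DIR/current" "$BASE_DIR/previous"
        fi
        collect_snapshot "$BASE_DIR/current"
        if [ -d "$BASE_DIR/previous" ]; then
            compare_snapshots "$BASE_DIR/previous" "$BASE_DIR/current" && echo "no change since last snapshot"
        else
            echo "baseline recorded in $BASE_DIR/current"
        fi ;;
esac
```

Run it once to record the baseline, then from cron; a new line under `== listening` (a port you did not open) or under `== webfiles` (a file the web server's user now owns) is exactly the "something changed, find out why" moment the post is talking about. The report is only as trustworthy as the tools it runs, which is the rootkit caveat raised later in the thread.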
-
08-27-2007, 08:40 PM #16 Web Hosting Guru
- Join Date
- Jun 2007
- Location
- Tokyo, Japan
- Posts
- 336
One thing people miss out on:
No matter how many firewall/security programs you install, you will get hacked if you don't keep your software up-to-date.
Simple as that.
Turn off ALL unnecessary daemons and keep your software up-to-date.
-
08-29-2007, 07:46 PM #17 Junior Guru Wannabe
- Join Date
- Aug 2007
- Location
- Brighton, UK
- Posts
- 66
Nmapping yourself is not silly - of course Netstat is also a valuable tool, but the best way to verify what a potential hacker will see when they scan your machine is to scan your machine from a remote machine outside your firewall. Firstly netstat won't take into account any firewalls you have, secondly (in my humble opinion), nmap's output is a hell of a lot easier to read, thirdly; nmap is likely to be the tool the hacker actually scans you with, so you really are seeing exactly what they will see.
Yes you should use netstat to ensure you're not leaving ports open that don't need to be left open - the attacker may be able to get past your firewall or gain a local account on your machine. That is not to say that using nmap is silly. Just that it is not the only tool you should use in your arsenal.
-
08-30-2007, 12:40 AM #18 Web Hosting Master
- Join Date
- Jun 2003
- Posts
- 703
If you do not really need FTP then disable it and use SCP. You can set up SSH to only accept key authentication.
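An audit of the SSH settings recommended across this thread (posts #8 and #9: non-default port, no root login, listen on one IP; post #18: key-only authentication), as an added example that is not from the thread: a POSIX sh function that reads an `sshd_config` the way sshd does (first occurrence of a keyword wins, comments ignored, keywords case-insensitive) and reports each weak or missing directive. The two sample configurations it writes are constructed for the demonstration; the directive names are real OpenSSH keywords. It also checks `ChallengeResponseAuthentication`, because with `UsePAM yes` (the Red Hat default) that keeps a password prompt available even after `PasswordAuthentication no`.

```shell
#!/bin/sh
# Audit an sshd_config for the settings recommended in this thread:
# non-default Port, PermitRootLogin no, PasswordAuthentication no (keys only),
# ChallengeResponseAuthentication no, and ListenAddress on one IP.
# Prints one line per finding; the return code is the number of findings (0 = clean).
# Example code, not from the thread.

# Effective value of a directive. sshd honours the FIRST occurrence of a keyword,
# skips blank lines and '#' comments, and matches keywords case-insensitively.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key           { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_sshd_config() {
    cfg="$1"
    findings=0

    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: ${port:-unset (22)} - move off the default port to cut brute-force noise"
        findings=$((findings + 1))
    fi

    root=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$(lower "$root")" != "no" ]; then
        echo "PermitRootLogin: ${root:-unset} - set 'no'; log in as a user and use sudo"
        findings=$((findings + 1))
    fi

    pw=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "$(lower "$pw")" != "no" ]; then
        echo "PasswordAuthentication: ${pw:-unset (yes)} - set 'no' once key login works"
        findings=$((findings + 1))
    fi

    # With UsePAM yes, keyboard-interactive auth still asks for a password
    # unless this is also turned off.
    cra=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    if [ "$(lower "$cra")" != "no" ]; then
        echo "ChallengeResponseAuthentication: ${cra:-unset (yes)} - set 'no' or PAM still offers a password prompt"
        findings=$((findings + 1))
    fi

    listen=$(sshd_value "$cfg" ListenAddress)
    case "$listen" in
        ""|0.0.0.0|"::")
            echo "ListenAddress: ${listen:-unset (all interfaces)} - bind to a single IP"
            findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Constructed sample configurations (not from any real host) so the audit can be
# tried offline: one stock-looking, one hardened per the thread.
write_sample_configs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/sshd_config.weak" <<'EOF'
# Stock-looking configuration: everything at its permissive default.
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat > "$dir/sshd_config.hardened" <<'EOF'
# Hardened per the thread: odd port, one IP, no root, keys only.
port 2222
ListenAddress 203.0.113.10
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config   or   sh sshd-audit.sh demo
case "${1:-}" in
    demo)
        d=$(mktemp -d)
        write_sample_configs "$d"
        for f in "$d"/sshd_config.*; do
            echo "== $f"
            audit_sshd_config "$f" && echo "   clean"
        done
        rm -rf "$d" ;;
    "") ;;
    *) audit_sshd_config "$1" ;;
esac
```

Point it at the live `/etc/ssh/sshd_config` after each change and keep an existing session open while you test the new settings from a second terminal, so a typo in the port or key setup does not lock you out; the hardened sample uses an RFC 5737 documentation address in place of a real one.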
-
08-30-2007, 01:12 AM #19 Newbie
- Join Date
- Jul 2007
- Posts
- 16
Upgrade your kernel with grsecurity and configure RBAC ACLs for your system. Not 100% secure of course, but it will be secure enough to stop worrying about 99% of the known/unknown threats.
-
08-30-2007, 08:50 PM #20 Junior Guru Wannabe
- Join Date
- Aug 2007
- Posts
- 57
1. "netstat won't take into account any firewalls you have"
Yes, and this is important; the firewall is an additional layer of security. You can use nmap to verify the firewall policy, but that's not the same goal as securing the box itself. For the purposes of security, assume the firewall doesn't exist when examining what ports are open.
2. "nmap's output is a hell of a lot easier to read"
Unfortunately, nmap won't tell you what process is attached to a particular port, nor what IPs it is bound to. nmap provides less information; yes, this makes it easier to read, but what's more important... the valuable information, or easy to read?
3. "nmap is likely to be the tool the hacker actually scans you with, so you really are seeing exactly what they will see. "
This assumes you use the same arguments to nmap when scanning, as the hacker does. Are you running a TCP open() scan, a SYN scan, a FIN scan, or some other type of scan? Are you using verbose mode? Are you scanning all ports, or just the default set?
Now I'm not saying that nmap isn't a useful tool. I am, however, saying that it's going to be most useful once you've already learned the fundamentals of tools like netstat.
Or, to put it another way, are you going to spend several thousand dollars on a firewall, then try to figure out how to use nmap to see if you configured it properly?
Short version: netstat is the best starting point for securing a system. Running nmap against a system that has no firewall is silly, when netstat provides you the same core information, but with additional critical details. The specific reasons why netstat's output is more valuable than nmap are many, but casual use of nmap to scan your own server, running from localhost, is silly.
EDIT: To clarify, I'm comparing two different scenarios here... e.g. a suggestion to run nmap from a remote host against a host that does have a firewall in place is not the same as running nmap from localhost, something which is not obvious in my "Short version". The reason I'm stating it in that manner in the short version, is because this is what most people will end up doing. If you're serious about security, have a firewall, already have a basic knowledge of what you're dealing with, then yes, nmap is a useful tool.
The challenge is to provide some basic methods for someone who does not have the prerequisite knowledge to begin being effective, and using kernel modifications like Solar Designer's patches, the LIDS system, SELinux, etc. are prone to create 1) a false sense of security, 2) a great amount of frustration, and 3) a distraction from effective methods, like netstat. The best argument I can think of for using nmap in addition to netstat, is to detect a rootkit'd netstat. But frankly, with a good regimen, if someone gets far enough to rootkit your server and you haven't found any signs of compromise, the chance that nmap will be your revelation is slim.
I don't mean to completely dismiss the use of nmap, I just don't believe it's a good starting point for the average user. Using it for the purpose that netstat provides, specifically, is what's silly.
Last edited by macker; 08-30-2007 at 09:03 PM. Reason: clarification to not seem like quite such a prick