Securing Linux

Where Penguins and Daemons chill together in the warmth of the Sun.

Moderators: SecretSquirrel, notfred

Securing Linux

Postposted on Tue Mar 31, 2009 8:25 am

Okay, so I'm about to start over on my Linux server, but this time I want to go down the hardened route to increase its security. It is currently running Apache, Samba, MySQL and OpenSSH. So, since it is accessible to the world, thought it might be a good idea to beef it up even though there is nothing on there that is could potentially ruin me. It's just a family Web site with Christmas wishlists.

I'll be using Gentoo because it is what I'm comfortable using, and they have a Gentoo Hardened branch. The bit I'm stuck on is which MAC system I should use. I've found performance comparisons, but nothing that really states "as a newcomer use this one, for the old hand use this one" or "this one is absolutely the best". It doesn't seem like there is a clear winner.

I'd like some direction if any of you have some experience, no matter how little.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Tue Mar 31, 2009 9:42 am

I have almost no experience with MAC, but do have a little experience with securing public servers.

SElinix is probably the most widely deployed MAC framework for Linux, with AppArmor a close second. If you really want to enable some sort of MAC, I'd probably go with whichever one of those two is better supported on your distro.

That said, MAC is probably overkill in your case. My approach to securing a server like yours would be to do the following:

- Configure your firewall to allow incoming connections only on ports associated with services you want to be visible from the Internet. This includes firewalling the MySQL port (I am assuming that MySQL is only being accessed by other services running on the same host). Don't allow Samba access from the Internet either.

- Disable remote SSH access for the root account, and any user accounts which do not need the ability to log in remotely. Remote CLI admin tasks can still be performed by establishing a SSH session as a non-root user, then using su or sudo to run administrative commands.

- Make sure all accounts with remote SSH login capability have strong passwords. Alternatively, you could allow logins only via RSA key pairs, and protect the private key at the remote end with a strong passphrase. (Which approach you use depends on how much you trust your users to always use a strong passphrase to protect their private keys. The Fedora Project security breach last fall resulted from a Fedora employee who had an unprotected private key file.)

- Do not expose any remote desktop services (VNC, XDMCP, etc.) directly to the Internet, even if they are password protected. If remote desktop access is desired, firewall the port associated with the service and establish a SSH port forward to access the remote desktop service when needed.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37842
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing Linux

Postposted on Tue Mar 31, 2009 3:36 pm

I'm already aware of those methods you've listed JBI and am putting them in effect.

I really want to fiddle with MAC for the experience.

It looks like SELinux and grsecurity are pretty well supported on my distro.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Tue Mar 31, 2009 4:17 pm

--
Last edited by nightmorph on Fri Sep 20, 2013 2:59 am, edited 1 time in total.
nightmorph
Gerbil First Class
 
Posts: 112
Joined: Sat Jun 10, 2006 2:36 pm

Re: Securing Linux

Postposted on Tue Mar 31, 2009 4:24 pm

I guess if the NSA likes SELinux....
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Tue Mar 31, 2009 5:11 pm

titan wrote:I guess if the NSA likes SELinux....

They don't just like it... they developed it! :wink:

Some may actually consider that to be a disadvantage; but given that it is Open Source, the potential for NSA-mandated back doors is essentially nil.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37842
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing Linux

Postposted on Tue Mar 31, 2009 5:24 pm

just brew it! wrote:
titan wrote:I guess if the NSA likes SELinux....

They don't just like it... they developed it! :wink:

Some may actually consider that to be a disadvantage; but given that it is Open Source, the potential for NSA-mandated back doors is essentially nil.

Yeah, I knew they developed it too when I read about it way back when.

I also figured if there was a backdoor we'd know about it...then again, this is the NSA with connections to the CIA, DHS, FBI, SS, MiB....

Edit: And apparently there's something going around that has infiltrated several government agencies. The US is not on that list. I'm guessing SELinux may have something to do with that. Maybe. Possibly.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Wed Apr 01, 2009 7:41 pm

Well, it's a good thing I decided to start from scratch on this machine. There was a Windows 95/FAT partition on the RAID array of the server.

I didn't have any file system support built into the kernel other than ReiserFS and the CD file system.

So, I'm thinking someone may have actually cracked into my system.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Thu Apr 02, 2009 1:32 am

--
Last edited by nightmorph on Fri Sep 20, 2013 3:21 am, edited 2 times in total.
nightmorph
Gerbil First Class
 
Posts: 112
Joined: Sat Jun 10, 2006 2:36 pm

Re: Securing Linux

Postposted on Thu Apr 02, 2009 6:16 am

Thanks for the tips, nightmorph. I'll read the OpenSSH articles in a moment.

I have my father and a friend who will be connecting to the server as well. The way I had the system set up, they were not in the wheel group, and root was only allowed without a password and from a specific machine on the network. (That introduced some real headaches when I got my Verizon service and hardware installed as nothing on the ISP provided hardware worked as anticipated.)

My father and my friend knew how to use the keys I gave them, and I told them to keep it in a safe place. My friend is a bit more tech savvy than my father, so my friend could probably handle the port knocking easily enough but not my father. So, taking that into consideration, I might just opt for running SSH on a non-standard port, which I know will only deter some automated attacks and will do nothing to prevent a more determined attacker from trying to gain access.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Thu Apr 02, 2009 7:01 am

Couple of additional things I've done on my own server:

- I run it outside the firewall that protects the rest of my LAN. That way, in the event that it ever does get compromised, it can't be used as a stepping stone to compromise the rest of my systems. (The downside of this is that you need two public IP addresses.)

- Just recently, I redid things such that the public-facing server is actually a VirtualBox VM, not the real server. This makes backing up the whole system (and disaster recovery, should it ever be needed) easier. It also allows me to clone the VM to try out new server configs without affecting the "live" copy of the server; the new config can easily be cut over when ready (cutting over is just a matter of changing which VM ports 22 and 80 get forwarded to).
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37842
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing Linux

Postposted on Sun Apr 05, 2009 2:30 pm

just brew it! wrote:- Disable remote SSH access for the root account, and any user accounts which do not need the ability to log in remotely. Remote CLI admin tasks can still be performed by establishing a SSH session as a non-root user, then using su or sudo to run administrative commands.

How is this any different from allowing root remote SSH logins?
Mothership: Thuban 1055T@3.7GHz, 12GB DDR3, M5A99X EVO, GTX470+Icy Vision Rev.2@840/3800, Vertex 2E 60GB
Supply ship: Sargas@2.8GHz, 12GB DDR3, M4A88TD-V EVO/USB3
Corsair: Macbook Air Ivy Bridge
Crayon Shin Chan
Minister of Gerbil Affairs
 
Posts: 2246
Joined: Fri Sep 06, 2002 11:14 am
Location: Malaysia

Re: Securing Linux

Postposted on Sun Apr 05, 2009 2:46 pm

Because the attacker will have to break two passwords instead of one: the users' and then root.
radix
Gerbil First Class
 
Posts: 103
Joined: Sun Jan 13, 2002 7:00 pm
Location: Mountain View, CA

Re: Securing Linux

Postposted on Sun Apr 05, 2009 3:38 pm

Or the attacker will have to have the remotely-accessible user's keys (and maybe password), plus root's password.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3189
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Securing Linux

Postposted on Sun Apr 05, 2009 3:52 pm

radix wrote:Because the attacker will have to break two passwords instead of one: the users' and then root.

It also means the attacker doesn't know the name of the account that has SSH access ahead of time. The problem with the root account is that it always has the same name, so the attacker doesn't have to guess the account name and crack the password; they only have to crack the password.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37842
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing Linux

Postposted on Sun Apr 05, 2009 5:27 pm

just brew it! wrote:It also means the attacker doesn't know the name of the account that has SSH access ahead of time. The problem with the root account is that it always has the same name, so the attacker doesn't have to guess the account name and crack the password; they only have to crack the password.


You can rename the root account, not so? It just has to stay as account#1 #0.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3189
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Securing Linux

Postposted on Sun Apr 05, 2009 9:45 pm

bthylafh wrote:
just brew it! wrote:It also means the attacker doesn't know the name of the account that has SSH access ahead of time. The problem with the root account is that it always has the same name, so the attacker doesn't have to guess the account name and crack the password; they only have to crack the password.


You can rename the root account, not so? It just has to stay as account#1 #0.

No, the root account cannot be renamed. It's root. The root of all that is root.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Wed Apr 08, 2009 11:48 am

As a Linux server admin, here are a few tips:

1. For OpenSSH, in /etc/ssh/sshd_config, use the AllowUsers variable to limit who can login. This is good if you have a bunch of accounts but don't want everyone to have shell access.
2. Bind MySQL's listening address to 127.0.0.1
3. Only allow access to Samba via your LAN if possible.
Intel Core i7 3770k, ASUS P8B75-M/CSM, 16GB DDR3-1600 Corsair XMS3, 2 WD RE4 500GB SATA III (RAID1), Fractal Design Define Mini
Powered by CentOS 6.5
jmcknight
Gerbil
 
Posts: 66
Joined: Tue Nov 07, 2006 12:43 am
Location: Hamilton ON, Canada

Re: Securing Linux

Postposted on Wed Apr 08, 2009 6:28 pm

jmcknight wrote:As a Linux server admin, here are a few tips:

1. For OpenSSH, in /etc/ssh/sshd_config, use the AllowUsers variable to limit who can login. This is good if you have a bunch of accounts but don't want everyone to have shell access.
2. Bind MySQL's listening address to 127.0.0.1
3. Only allow access to Samba via your LAN if possible.

That's not new to me. I've been doing that for a couple years now. Except for SSH, which I've actually only been using for the last year or so.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Wed Apr 08, 2009 6:43 pm

RSSH is quite cool too, lets you give users accounts that can only rsync/scp/sftp etc into a chrooted directory. Also lets you specify a umask too.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2276
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Securing Linux

Postposted on Wed Apr 08, 2009 9:06 pm

cheesyking wrote:RSSH is quite cool too, lets you give users accounts that can only rsync/scp/sftp etc into a chrooted directory. Also lets you specify a umask too.

I think OpenSSH does that now too...or they're working on it. At any rate, I'll take a look at RSSH as well.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing Linux

Postposted on Wed Apr 08, 2009 9:09 pm

titan wrote:No, the root account cannot be renamed. It's root. The root of all that is root.
Sure you can. It's not a great idea (since various tools and scripts are often hardcoded to use the username root rather than uid 0), but root is just a name.
bitvector
Grand Gerbil Poohbah
 
Posts: 3234
Joined: Wed Jun 22, 2005 4:39 pm
Location: Mountain View, CA

Re: Securing Linux

Postposted on Wed Apr 08, 2009 9:50 pm

bitvector wrote:
titan wrote:No, the root account cannot be renamed. It's root. The root of all that is root.
Sure you can. It's not a great idea (since various tools and scripts are often hardcoded to use the username root rather than uid 0), but root is just a name.

Yeah, I know about that. Both being able to change it, and scripts looking for "root" instead of "0". My message was this: don't even think about it.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains


Return to Linux, Unix, and Assorted Madness

Who is online

Users browsing this forum: Exabot [Bot], Google Adsense [Bot] and 4 guests