Secure configuration?

I am setting up my first Linode and I am wondering if I have a secure configuration.

  • I am using Gentoo, currently running sshd and qmail, but anticipate adding Apache, MySQL, and PHP in the future.

  • I have sshd (w/ tcpwrappers) set up with AllowUsers, PermitRootLogin No, and only public key auth.

  • qmail is configured with xinetd (w/ tcpwrappers) instead of tcpserver and utilities.

  • My hosts.allow allows only my home IP and work subnet access to sshd. It allows everyone access to SMTP. (I have DenyHosts installed, but it is rather pointless right now because I have sshd locked to IP addresses in hosts.allow.)

  • I am running Shorewall as a firewall. It is configured to accept Web, SMTP, and SSH traffic (from anywhere).

  • I am not using grsecurity or PaX.

Questions:

1) Is this a secure configuration/am I missing anything? I am a little nervous since I haven't done all of this before and I really don't want my box to get hacked.

2) When I add Apache, I think I cannot chroot it if I use the package manager to install. Is it worth hassling with this (conducting a manual install)? Assuming I follow basic security configuration instructions setting up Apache, MySQL, and PHP, and also install mod_security, how much additional risk is there in running these too?
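One way to check that an sshd_config actually matches the sshd setup listed above, as an added example that is not the poster's own configuration or code: the config text inside it is constructed, and the check also flags two things the list does not mention, a Match block that quietly re-enables password auth and a missing ChallengeResponseAuthentication setting.

```python
"""Check an sshd_config for the post's hardening (no root login, key-only auth,
AllowUsers) and two gaps it often leaves. Added example, not the poster's own."""
# Constructed config resembling the post; the Match block is a deliberate flaw.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
UsePAM yes
Match User deploy
    PasswordAuthentication yes
"""

# Values the "only public key auth" setup depends on. ChallengeResponse matters
# because with UsePAM it can still ask for a password over keyboard-interactive.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "challengeresponseauthentication": "no"}

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]), keys lower-cased."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # sshd only honours full-line comments
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                      # everything below a Match line is conditional
            current = {}
            matches.append((value, current))
        elif current is not None:
            current[key] = value
        else:
            global_opts[key] = value
    return global_opts, matches

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_opts, matches = parse_sshd_config(text)
    findings = []
    for opt, wanted in WANTED.items():       # require explicit values: defaults vary by version
        if global_opts.get(opt, "").lower() != wanted:
            findings.append(f"{opt} should be {wanted!r}, found {global_opts.get(opt)!r}")
    if not ("allowusers" in global_opts or "allowgroups" in global_opts):
        findings.append("no AllowUsers/AllowGroups: any account with a key can log in")
    for criteria, block in matches:          # a Match block can silently undo the globals
        for opt, wanted in WANTED.items():
            if block.get(opt, wanted).lower() != wanted:
                findings.append(f"Match {criteria}: overrides {opt} to {block[opt]!r}")
    return findings
```

Run it against /etc/ssh/sshd_config after every change; `sshd -T` can additionally print the effective values if you want to compare against what the daemon actually resolves.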

7 Replies

Something I like to do is install Logwatch. Logwatch is a Perl script that runs in a daily cron job that scrapes the system logs and emails root a report about what's happened in the past day.

Another thing, make regular backups. Assume that after compromise, you'll want to quickly delete the server and restore from backups. Beta backups (see the forum) are OK, but keep all your data backed up as well.

The stuff you're describing is much more than what I do on my servers. Don't worry about it, and have fun.

OK, thanks. I will check into logwatch. Right now I am using logcheck, but I don't really like it. One thing is that it prints the same warning in multiple categories.

I have also heard of OSSEC so I am looking into that as well.

I guess I really just needed a little confirmation from someone else that I wasn't missing something glaringly obvious. :)

So far my Linode is running qmail and I changed my mail server DNS to point to it instead of my old shared hosting account. I also installed Apache, MySQL and PHP but am not running them publicly yet. Pretty soon I will be able to turn off that other account entirely. :)

Did you change the ssh port to be something random?

@mosdl:

Did you change the ssh port to be something random?

IMO, I don't think changing the sshd listening port is going to make him any more secure than him already using key authentication. It may cut down on the 'dumb' scans (and having to log those 'dumb' scans), but any cracker worth his salt will scan for listening ports and learn the listening port regardless of what port is listening.

Fail2ban or denyhosts is a good option.

I also monitor with Snort and Modsecurity (those may be overboard for some, but I've a professional interest in such tools and I love the challenge of learning to set up and administer such tools).

@mosdl:

Did you change the ssh port to be something random?

Actually, I did at first but found it irritating and went back to the standard port. I had to configure my PuTTY configurations to all connect to the other port, and the protocol would not be displayed by name in netstat -l, etc…

I also didn't think it was getting me any extra security because an attacker could just nmap the machine and discover the port anyway. Since I am using public key auth, I think using a non-standard port was only providing me a reduction in log reports and I didn't find it worth it.

If I configure denyhosts/fail2ban or some other active blocker I think I can safely just filter those reports out of the log files anyway…

@unixfool:

I also monitor with Snort and Modsecurity (those may be overboard for some, but I've a professional interest in such tools and I love the challenge of learning to set up and administer such tools).

Actually, I was running Snort on my home Linux firewall running IPCop until I installed a wireless router that included a firewall. I never really understood what the logs were telling me, though.

The tough part of all these log files and monitoring programs is knowing what is "important" and what is just background noise that is safely being blocked by your security programs. I haven't seen a good tutorial on this yet, though…

@AtomicDog:

@mosdl:

Did you change the ssh port to be something random?

I also didn't think it was getting me any extra security because an attacker could just nmap the machine and discover the port anyway. Since I am using public key auth, I think using a non-standard port was only providing me a reduction in log reports and I didn't find it worth it.

Technically, you aren't getting any additional security, but security through obscurity can help. I ALWAYS change my SSH port because the problem isn't just the people who are trying to guess passwords.

What happens if there is a vulnerability that allows an attacker to bypass all authentication? Having SSH on port 22 would probably cause your system to be compromised almost immediately. You wouldn't have that same worry if it was on another port.

Also, it helps you prioritize. If I am running SSH on a different port then I have fewer attacks against SSH. It is those who find SSH on another port that I would worry about more. I would take information obtained from SSH and start blocking them at the firewall immediately. SSH attacks on ports other than 22 rank much higher on my "oh crap" list than standard port 22 attacks. If you don't run SSH on another port you are going to have a lot of noise.

@AtomicDog:

I had to configure my PuTTY configurations to all connect to the other port, and the protocol would not be displayed by name in netstat -l, etc…

You can save your connection information in PuTTY. I run SSH on a different port and I don't have to type it in every time. Just once.

Don't rely on the service information in netstat. Doing so can cause you to assume things that aren't true. I might see SSH listening in netstat when I am really running a web server on port 22. If you really want the service names to work, edit the /etc/services file and netstat will show the correct name.
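The noise-versus-important question raised above, together with the fail2ban/denyhosts and "block them at the firewall" suggestions, worked as an added example that is not from the thread: it triages constructed OpenSSH log lines, treats failed password guesses as background noise unless one source keeps repeating, and raises only the events a key-only, hosts.allow-restricted box should never see, a successful login from an unlisted source or a password login the policy forbids. The allowed networks and log lines are constructed; addresses are RFC 5737 documentation ranges.

```python
"""Triage OpenSSH log lines: separate password-guessing noise from what the thread
says matters (logins from unexpected sources, password logins the policy forbids,
sources worth a firewall block). Added example; log lines and addresses are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the poster's hosts.allow: home IP and work subnet.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.5/32"),
                ipaddress.ip_network("198.51.100.0/24")]

SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 linode sshd[2201]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Mar  3 10:02:15 linode sshd[2210]: Failed password for invalid user admin from 192.0.2.44 port 4011 ssh2
Mar  3 10:02:17 linode sshd[2212]: Failed password for root from 192.0.2.44 port 4013 ssh2
Mar  3 10:02:18 linode sshd[2213]: Failed password for root from 192.0.2.44 port 4014 ssh2
Mar  3 10:03:40 linode sshd[2230]: Failed password for bob from 192.0.2.9 port 6001 ssh2
Mar  3 10:05:00 linode sshd[2240]: Accepted publickey for bob from 192.0.2.80 port 7001 ssh2
Mar  3 10:06:00 linode sshd[2250]: Accepted password for alice from 198.51.100.12 port 8001 ssh2
"""

AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?"
                     r"(\S+) from (\S+) port (\d+)")

def in_allowed(ip):
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)

def triage(log_text, fail_threshold=3, password_auth_enabled=False):
    """Return {"critical": [...], "info": [...], "block": {ip: failures}}."""
    report = {"critical": [], "info": [], "block": {}}
    failures = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue                     # banner/connection-closed lines: not interesting here
        result, method, user, ip, _port = m.groups()
        if result == "Failed":
            failures[ip] += 1            # background noise unless one source keeps coming back
            continue
        if method == "password" and not password_auth_enabled:
            report["critical"].append(
                f"password login for {user} from {ip}: policy says password auth is off")
        elif not in_allowed(ip):         # a successful login hosts.allow should have refused
            report["critical"].append(
                f"{method} login for {user} from {ip}: source outside hosts.allow")
        else:
            report["info"].append(f"{method} login for {user} from {ip}")
    report["block"] = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return report
```

The `block` entries are what an active blocker like fail2ban would act on; the `critical` entries are the ones to read every morning, whichever port sshd listens on.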
