Security and the newb

Hello all!

I have had my eyes on Linode for a while and today I finally decided to jump in. I really like it so far but I still have a lot to learn when it comes to Linux.

I'm more of a programmer than a sysadmin, so stuff like securing my code against database injection doesn't feel like much of a problem. I mostly know what I'm doing there and I can control what happens. What I'm more worried about is parts of the server environment that I haven't had the time to learn yet.

I have two linodes, one with a LEMP stack running the php end of things and one with a LAMP setup running mysql and phpmyadmin. Both run the latest Ubuntu distro.

What I've done so far:

Ran updates.

Disabled root access.

Installed UFW and only opened holes on port 22 and 80. (on the db server I also opened a hole for the app server via the private network)

Suhosin came with the LEMP stack script but not the LAMP one.

What I know about but haven't done yet:

Changing default port number for SSH (I couldn't get this to work, my connections on the new port were refused)

Installing Suhosin on the LAMP server.

I'd appreciate all tips and any comments on the stuff I have (and haven't) done so far. I'm aware that I could be missing something blatantly obvious.

Thanks!

22 Replies

I don't know about UFW, but you need to open a port in your firewall for SSH:

/sbin/iptables -A INPUT -m tcp -p tcp --dport xxxxx -j ACCEPT

with the xxxxx being whatever port you decided to move SSH to ("The Dynamic and/or Private Ports are those from 49152 through 65535.")

And edit /etc/ssh/sshd_config near the top of the file to have a Port line with the new port:

Port xxxxx
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
ListenAddress 173.230.xxx.xxx
ListenAddress 192.168.xxx.xxx

Protocol 2
...

Then restart SSH.

And at some point get a pub key/private key pair and move away from password login:

PubkeyAuthentication yes
PasswordAuthentication no

I use PuTTY and FileZilla for access/file transfer to my Linodes. You can create a pub key/private key that will work with SSH using PuTTYgen.

And FileZilla can use your PuTTY private key for SFTP purposes.

How are you running phpmyadmin? It's a very popular (and successful) attack vector.

Before you change the port number, open the new port number with UFW (replacing "{NewPort}" with your new port number):

$ sudo ufw allow {NewPort}/tcp

Then change the port. Find the line "Port 22" and change it to "Port {NewPort}". Save (Ctrl + O) and Exit (Ctrl + X):

$ sudo nano /etc/ssh/sshd_config

Restart SSH:

$ sudo /etc/init.d/ssh restart

Disable old open port:

$ sudo ufw delete allow 22/tcp

Done!

You should also consider only allowing access to certain ports by certain IP addresses. For example:

$ sudo ufw allow from {IPAddressOrRange} to any port {Port}

EDIT: Just saw post above by devjonfos. Sorry to re-post info.
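
The replies above edit `Port`, `PubkeyAuthentication` and `PasswordAuthentication` in /etc/ssh/sshd_config. The following is an added example, not part of any reply in this thread: a small check that reports which values of those keywords actually take effect. The function names, port number and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective global sshd_config values for the keywords
# discussed in this thread. For most keywords sshd keeps the FIRST value read.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }          # "Port=49222" is also valid
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" { exit }                # global section ends here
        key == "port" { ports = (ports == "" ? "" : ports ",") $2 }
        key ~ /^(password|pubkey)authentication$/ && !(key in seen) {
            seen[key] = tolower($2)            # first value wins
        }
        END {
            # OpenSSH defaults apply when a keyword is absent.
            if (ports == "") ports = "22"
            pw = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
            pk = ("pubkeyauthentication" in seen) ? seen["pubkeyauthentication"] : "yes"
            print "port=" ports
            print "passwordauthentication=" pw
            print "pubkeyauthentication=" pk
            if (pw != "no")  print "WARN: password logins are still accepted"
            if (pk != "yes") print "WARN: public key logins are disabled"
        }
    ' "$1"
}

# Constructed sample: the commented line and the later "no" have no effect.
sample_sshd_config() {
    cat <<'EOF'
Port 49222
#PasswordAuthentication no
PubkeyAuthentication yes
passwordauthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
}

tmp_cfg=$(mktemp) && sample_sshd_config > "$tmp_cfg"
audit_sshd_config "$tmp_cfg"
rm -f "$tmp_cfg"
```

On a live server, `sshd -T` prints the effective configuration as sshd itself parses it.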

Stop doing cargo-cult security, and start by moving your ssh back to port 22.

It's pretty pointless to move ssh to another port. What you should be doing is to just disable PasswordAuthentication as suggested above.

Then someone will have to wait until the heat death of the universe to guess your private key. Combine that with something like fail2ban to block IPs that fail to log into ssh for 30 mins and you're pretty good to go.

Nobody who does real security bothers with security through obscurity like that.

Isolate services. If someone compromised e.g. your webserver what could they do? Are the *.php files your webserver serves up *owned* by the webserver? That's a bad idea.

You're using PHP. Are you using the new frameworks for that language that do escaping for you? Or are you using mysql_query() manually and hoping you don't accidentally introduce a SQL injection?

Subscribe to and read security advisories for your OS.

Disable services you aren't running, and review the settings of those that are running.

Set up logging on your system, read your logs.

Etc. etc.

Install Suhosin:

sudo apt-get install php5-suhosin

As Ævar Arnfjörð Bjarmason said, it's okay to keep SSH on port 22 if you use a key pair and disable PasswordAuthentication. You might see a bunch of failed login attempts, but nobody will be able to log in unless they have your private key.

for phpmyadmin

sudo vim /etc/phpmyadmin/apache.conf

and add in the following:

Order Deny,Allow

Deny from All

Allow from [insert your ip address]

also

sudo vim /etc/phpmyadmin/config.inc.php

under server configuration section add

$cfg['ForceSSL'] = 'true';

so you don't pass passwords in plain text. Port 443 will need to be open and running ssl.

For log watching I recommend logwatch

sudo apt-get install logwatch

and then sudo vim /etc/cron.daily/00logwatch

and change the line

/usr/sbin/logwatch --output mail

to

/usr/sbin/logwatch --output mail --format html --mailto user@example.com

@Ævar Arnfjörð Bjarmason:

Stop doing cargo-cult security, and start by moving your ssh back to port 22.

@www.informit.com:

Feynman says, "the idea is to try to give all of the information to help others to judge the value of your contribution; not just the information that leads to judgment in one direction or another." Source: http://www.informit.com/articles/article.aspx?p=1562220

In that spirit, moving SSH from port 22 keeps the scripted attacks from polluting your log files. So, yes, it's not a security move, but an administrative move for better housekeeping of your log files.

@devjonfos:

@Ævar Arnfjörð Bjarmason:

Stop doing cargo-cult security, and start by moving your ssh back to port 22.

@www.informit.com:

Feynman says, "the idea is to try to give all of the information to help others to judge the value of your contribution; not just the information that leads to judgment in one direction or another." Source: http://www.informit.com/articles/article.aspx?p=1562220

In that spirit, moving SSH from port 22 keeps the scripted attacks from polluting your log files. So, yes, it's not a security move, but an administrative move for better housekeeping of your log files.

The pollution is fine if you have something to sift through it:

$ ack -c 'Failed password' /var/log/auth.log
/var/log/auth.log:1622

The benefits of running ssh on port 22 far outweigh that minor annoyance. You'll be able to ssh to your box from some random network that only allows port 22, 80, 443 and a few others.

@Ævar Arnfjörð Bjarmason:

The benefits of running ssh on port 22 far outweigh that minor annoyance
That's YOUR opinion.

I never run SSH on TCP22, way too many botscripts picking away there (and yes, I only use certs for SSH so it isn't really a security risk).

Nor do I need to waste MY bandwidth on those scriptkiddies.

I see NO benefit from running on TCP22, unless of course you like sifting thru logs and wasting clock cycles and bits (or of course if you're running a Honeypot).

@vonskippy:

@Ævar Arnfjörð Bjarmason:

The benefits of running ssh on port 22 far outweigh that minor annoyance
That's YOUR opinion.

I never run SSH on TCP22, way too many botscripts picking away there (and yes, I only use certs for SSH so it isn't really a security risk).

Nor do I need to waste MY bandwidth on those scriptkiddies.

I see NO benefit from running on TCP22, unless of course you like sifting thru logs and wasting clock cycles and bits (or of course if you're running a Honeypot).

The benefit is not having to type ssh -p ... for the rest of your life, and being the only guy at that conference that can't log into his box through the provided wifi because you're running ssh on some obscure port to solve a non-issue.

According to my quick measurements 3 failed ssh login attempts cost me around 5000 bytes. For the 1600 failed login attempts that I've had this week that works out to 8.2 MB. Which is nothing.

I don't have to sift through my ssh logs because I know that those silly script kiddies don't pose a threat to me.

I only allow logins with public keys, and even if I didn't I ban them with fail2ban after 6 failed attempts. Unless my password's something silly like "foobar" they'd need to be pretty damn lucky to brute force the username/password pairs if I'm dropping their connections for 30 mins after 6 failed attempts.
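
The replies above count failures with `ack -c 'Failed password'` and rely on fail2ban banning a source after 6 failed attempts. The per-source view behind that, as an added example that is not from any poster and is not fail2ban's own matching logic: the threshold of 6 comes from the post, while the 600-second window, host name and addresses in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: sources with >= MAX failed SSH password logins inside a
# sliding WINDOW (seconds). Usage: flag_bruteforce FILE [MAX] [WINDOW]
flag_bruteforce() {
    awk -v max="${2:-6}" -v win="${3:-600}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is attacker-controlled and may contain " from ",
            # so read the address relative to the END of the line.
            ip = $(NF - 3)
            split($3, hms, ":")
            # Assumption: the log covers a single month (syslog has no year).
            now = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
            total[ip]++
            times[ip, ++tail[ip]] = now
            # Slide the window: forget failures older than win seconds.
            while (times[ip, head[ip] + 1] <= now - win) head[ip]++
            if (tail[ip] - head[ip] >= max) flagged[ip] = 1
        }
        END { for (ip in flagged) print ip, total[ip] }
    ' "$1" | sort
}

# Constructed sample: one burst, one slow hourly source, one good login.
sample_auth_log() {
    for s in 01 02 03 04 05; do
        echo "Mar  3 10:15:$s web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40001 ssh2"
    done
    echo "Mar  3 10:15:09 web1 sshd[4102]: Failed password for invalid user a from 10.0.0.1 from 203.0.113.7 port 40002 ssh2"
    echo "Mar  3 11:00:00 web1 sshd[4300]: Accepted publickey for deploy from 198.51.100.20 port 40200 ssh2"
    for h in 12 13 14 15 16 17; do
        echo "Mar  3 $h:00:00 web1 sshd[4200]: Failed password for admin from 192.0.2.44 port 40100 ssh2"
    done
}

tmp_log=$(mktemp) && sample_auth_log > "$tmp_log"
flag_bruteforce "$tmp_log"        # output columns: source address, total failures
rm -f "$tmp_log"
```

Both failing sources in the sample have six failures in total, but only the burst crosses the threshold inside the window; the hourly one is flagged only if the window is widened.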

I'll have to agree with vonskippy on this one. I'll take my chances and possibly get carpal tunnel 3 days earlier than if I had not typed "-p…" for my entire life. :)

Well, I'm not going to argue with you over what security policies you choose to implement, but for what it's worth this is exactly what I meant by cargo-cult security.

When you notice a bunch of failed login attempts on ssh you might be inclined to think that that constitutes a significant security risk, but in reality it's minuscule to the point of being nonexistent.

Moving around the ssh port and not reviewing actual security issues is the digital equivalent of parents who worry about terrorists harming their children, and then proceed to install a backyard swimming pool.

OMG - I move my SSH port, have kids AND a backyard swimming pool (and let's not even bring up the pond and the dark forest).

I'm doomed. :roll:

@vonskippy:

I'm doomed. :roll:

Way to miss the point dude. I'm not saying that moving the ssh port is harmful. But that it's the sort of meaningless security measure you should steer newbies who wish to secure their systems away from, and instead suggest things that will actually increase their security.

@Ævar Arnfjörð Bjarmason:

@vonskippy:

I'm doomed. :roll:

Way to miss the point dude.
But you have to admit, he really is doomed ;)

I'm also with vonskippy. Reducing log clutter and reducing bandwidth usage are two good reasons I can think of to keep SSH off port 22. It's a pain to type -p nnn but not that bad. I've had zero connection issues and I've been doing it since 2004.

@Ævar Arnfjörð Bjarmason:

Way to miss the point dude. I'm not saying that moving the ssh port is harmful. But that it's the sort of meaningless security measure you should steer newbies who wish to secure their systems away from, and instead suggest things that will actually increase their security.

I agree with your point where newbies have to understand that moving ssh ports is not really for securing a system but to ease up administration (reducing log clutter, bandwidth, peace of mind, etc).

OTOH I have never had any connection issues to non-standard ssh ports yet. Also, I use ~/.ssh/config to avoid typing -p ## all the time (and of course many more options in there).

Thanks for all the replies! Very much appreciated!

I turned off passwords and moved to public key authorization.

I found that the LAMP server had suhosin already after all, saved me some time.

Activated the limit function in UFW to ban IPs with multiple failed logins.

Installed logwatch, it seems to do reports via e-mail so I guess I need to open holes in the firewall for that… Would allow smtp be enough?

I still couldn't get ssh to work over a custom port but it may have something to do with the firewall on my local machine, I'll investigate it further but if I understand correctly then when using key authorization it may not be that urgent.

@vonskippy:

How are you running phpmyadmin? It's a very popular (and successful) attack vector.

Not really sure what you mean by "how" I run it? I have since (based on jlevandowski's suggestion, thanks!) changed it to run over HTTPS. I also put all of it behind an .htaccess password, I figured that you'd have to crack that password before you can see that the server is running phpmyadmin at all. Famous last words, I know, but at least it's not immediately obvious to the casual observer.

My personal preference for running phpmyadmin is restricting it to the local host then connecting via an ssh tunnel.

> Installed logwatch, it seems to do reports via e-mail so I guess I need to open holes in the firewall for that… Would allow smtp be enough?

You don't need to open a hole in the firewall for this. However you do need postfix (or similar so that mail can go out from your server).

Thanks, I got it working after I fixed some errors in the postfix config on one server.

I also restricted access to the phpmyadmin site to my own IP as well, starting to feel pretty good about it all now, let's hope it lasts. :)

Cheers!
