How paranoid I should be regarding security on my linode?
I'm (kind of old) linux user, but have been always in "local" machines, so this is the first time that I'm on a server environment and now I'm more concerned about security.
I don't want to go crazy trying to do everything to get my machine hardened, but I have no idea how paranoid should I be.
To give some context, the plan for my linode (Arch Linux) is going to host some websites, an email server and occasionally some rails or php apps.
I've read this
To make a list, I believe the "checklist" should be (please feel free to add or remove stuff!):
disable root login
ssh access only through ssh keys on a non-default ssh port
use fail2ban
access to database (mysql until now) only through localhost
use vsftp to transfer files (I don't here if it's better/secure to use only "jailed sftp" accounts to give access for other people)
firewall (i believe the simpler approach is to deny from all, and give specific access to the ports I'm going to use; in this case, should I use iptables or ufw?)
how can I secure the access to phpmyadmin/webmin/postfixadmin? since I don't use them everyday; I imagined a simple approach to just give access when I need them. Maybe a mac address or ip address restricted access is more secure? (and less tedious I believe).
All that besides keeping the system up-to-date of course :P.
10 Replies
phpmyadmin/webmin/postfixadmin - avoid at all cost. Learn to manage your server the right way - via the CLI.
Outsource your email to Google Apps. Saves time, saves your Linode bandwidth, saves way more spam - saves major headaches.
If you really want PHPMyAdmin, make it only accessible from localhost. Learn to set up SSH tunnels so you can use these tools securely.
UFW, firehol, etc. are just front-ends to iptables. If you only need simple rules such as "deny all, allow SSH & HTTP", they work pretty well.
Most importantly, keep your web apps up to date. Port 80 is by far the most vulnerable port of a web server, due to outdated and/or poorly written web apps. Go over your PHP settings and make sure you don't have stupid things such as register_globals turned on.
I'll learn about ssh tunnels (I don't know what they are
As I said about postfixadmin/webmin, I don't use them everyday; so I'm not going to have an example.com/postfixadmin ready to be hacked all the time, I believe I'm going to (de)activate it through some script only sometimes.
Thanks also for the advice about iptables, I was going to go crazy about it. I think I'll take a simpler approach with ufw; closing everything, and open only the needed ports.
Finally, what do you think about denyhosts and fail2ban? they show as recommended in the security section from the library.
Anything else you want to add, please be my guest!
@pablox:
Thanks also for the advice about iptables, I was going to go crazy about it. I think I'll take a simpler approach with ufw; closing everything, and open only the needed ports.
This is pretty much what I did on my first Linode. My initial ufw rules were basically deny everything except for a single full allow rule for my personal IP address. This let me feel comfortable that while I was setting things up/testing I wouldn't have random exposures, but at the same time not continuously getting in the way when I wanted to personally test any new service I was setting up. Then, as needed, I could add extra rules for specific services when ready for prime time. Of course, for this approach to be workable you have to trust your personal IP address (mine's a cable connection and has been essentially static for years).
I'll also throw a voice out for firehol as a possible next step up from ufw if things get more complicated. At least for me I found it simpler than the alternatives I checked out (like shorewall), and I like having a simple, readable single-file script for my firewall configuration, where I can use symbolic names for stuff rather than just IP addresses. Note that its site appears dated, but I think that's mostly because it works and is stable. And it is just a layer on top of iptables in the end, but much easier to maintain a configuration.
– David
http://www.configserver.com/cp/csf.html
* Drop FTP .
Use rssh for SFTP/SCP jails.
Don't run unnecessary services.
Bind whatever services you can (not your WWW/SSH server) to 127.0.0.1/::1.
Disable password logins (* in the 2nd field in their /etc/shadow entry) for non-jailed users at least and use some form of public key authentication instead.
If you keep using passwords for some users, enable forced password expiry (man shadow, man chage) for them.
Use TLS/SSL for all administrative services and also HTTP authentication (with different credentials) for security holes like PHP{MY,PG,LDAP}admin. Also, learn what
TLS SNIDon't run all your websites under the same (www-data) UID/GID (this is the default Debian/Ubuntu setup, dunno about other distros), this includes the aforementioned php*admin stuff.
If you're using Apache, apache2-mpm-itk can help here. If your distro doesn't have it, use FastCGI with manually started PHP/whatever listeners under different UIDs, or even better, get one that does.
;) Use pwgen to generate long (24+ chars) random passwords for database connections or, even better, force them to use UNIX sockets and authenticate on UID - much web software doesn't support this though.
Every time you chmod 777 or 666, god kills a kitten.
Always use your distro's provided packages, unless your really can't.
Subscribe to security announcement mailing lists for your distro and whatever software you installed manually.
Rigorously apply security updates as they become available.
…
The list doesn't end really…
NSA has a good guide on securing Linux systems.
Lastly, replace all your snakeoil X.509 certificates with proper ones from
Cheers,
Antonio
@pablox:
Thanks to all of you for your comments =), I've never used mysql workbench so I'll give it a try.
I'll learn about ssh tunnels (I don't know what they are
:P ) and I'll use sftp jails instead of vsftp -anyway, reading the article from the linode library, doesn't look that terrible!- in fact, it looks even simpler than setup correctly a vsftpd account.As I said about postfixadmin/webmin, I don't use them everyday; so I'm not going to have an example.com/postfixadmin ready to be hacked all the time, I believe I'm going to (de)activate it through some script only sometimes.
Thanks also for the advice about iptables, I was going to go crazy about it. I think I'll take a simpler approach with ufw; closing everything, and open only the needed ports.
Finally, what do you think about denyhosts and fail2ban? they show as recommended in the security section from the library.
Anything else you want to add, please be my guest!
:D
I am fairly new to tunneling and webmin but you can do the following to keep it more secure;
write down your port number for webmin
in the webmin cpanel only allow login for the local machine and
restart webmin and see if the access has gone.
open a term and use the following command
ssh -p
If your server port is 55555 and you want to connect to webmin on the port 22222 and map that to your local machine on port localhost:2020.
ssh -p55555
Then go to your web browser and type;
I think that should work, I use a tunnel for webmin and have written a short how to install well what I went through to install it for ubuntu 10.04. tbh there tutorial is good as well. here is the one i wrote any how.
Hope this helps, hope I do not sound too condescending
> Lastly, replace all your snakeoil X.509 certificates with proper ones from
Cheers,
Antonio
Thanking you later