I created an Amazon Machine Image from my server as a backup and was able to instantiate an entirely new compute instance from it and all of the security hardening so far performed was preserved. I'm proceeding with the iptables rules now knowing that if I lock myself out here that I can just terminate my compute instance and create another.
As a protection against locking myself out on the basis of IP address (e.g., if Time Warner Cable suddenly moves me to an entirely different subnet), I am adding two additional IPs to my ssh ACCEPT rules:
* The static IP address of one of my brother's servers.
* A different Elastic IP address I have acquired through Amazon AWS. I can always create some arbitrary compute instance at Amazon and connect this IP address to it and login to the box from there. I have tested this and it appears to work. I'm checking the AWS forums for confirmation that this is a reliable technique.
I have run these commands on my server
Code:
sudo iptables -A INPUT -i lo -j ACCEPT
Here is my ip_tables_save.txt document:
Code:
user@host:~$ cat ip_tables_save.txt
Code:
sudo nano /etc/network/if-pre-up.d/iptablesload
Code:
#!/bin/sh
Code:
sudo chmod +x /etc/network/if-pre-up.d/iptablesload
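As an added example (not the poster's actual rule file), here is a script that writes an iptables-restore style ruleset of the kind described above: loopback and established traffic allowed, SSH accepted only from a fixed list of source addresses, everything else dropped, plus a lockout guard that refuses any ruleset containing an SSH ACCEPT without a source restriction. The three addresses and the /etc/iptables.rules path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread author's rule file. Writes an
# iptables-restore ruleset that keeps only loopback, established traffic
# and SSH from a fixed list of sources, then checks it for lockout risk.
# The addresses below are constructed placeholders, not real hosts.
SSH_SOURCES="203.0.113.10 198.51.100.20 192.0.2.30"   # home, brother's server, spare Elastic IP

write_ruleset() {   # $1 = output file
    out="$1"
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        for ip in $SSH_SOURCES; do
            echo "-A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
        done
        echo 'COMMIT'
    } > "$out"
}

# Lockout guard: the INPUT policy must be DROP, at least one SSH ACCEPT
# must exist, and every SSH ACCEPT must carry a -s source restriction.
# Returns 0 when the file passes, 1 otherwise.
check_ruleset() {   # $1 = ruleset file
    f="$1"
    grep -q '^:INPUT DROP' "$f" || return 1
    grep -- '--dport 22' "$f" | grep -q -- '-j ACCEPT' || return 1
    # any port-22 ACCEPT without -s is an open door to the world
    if grep -- '--dport 22' "$f" | grep -- '-j ACCEPT' | grep -vq -- ' -s '; then
        return 1
    fi
    return 0
}

count_ssh_rules() { grep -c -- '--dport 22' "$1"; }

# Typical use (as root):
#   write_ruleset /etc/iptables.rules && check_ruleset /etc/iptables.rules \
#     && iptables-restore < /etc/iptables.rules
```

The same check_ruleset function can be run against a saved iptables-save file before it is loaded from the if-pre-up.d script, which is exactly the moment a lockout would otherwise become permanent.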
Okey Doke I think these iptables are as locked down as they need to be for now. I've tried some testing and between pubkey login, iptables and the Amazon Security Zones, I think it's going to be quite difficult for anyone to get in via SSH.
I'm now looking at the AIDE/Samhain, Tiger, fail2ban installations and wondering which to install first. Does sequence matter? As for AIDE vs. Samhain, I'm liking samhain and the idea that we could have a separate machine as some kind of security audit hub to which other machines report. This would require an additional machine, but I imagine I could use a micro instance and get away with it. I'm still wondering exactly what samhain does: "file integrity checker" and "log file analysis" are what the website says. The instructions on the samhain site describe manual download/compile/install/configure but I'm guessing it would probably be better in the long run to use the ubuntu/debian package. Unfortunately, there is no "yule" package for server and "samhain" package for client. I've read a bit of the samhain documentation and it would appear that a client/server configuration would require some manual setup. Should I compile this manually or rely on a package install? I'm a bit concerned about doing anything manually lest I fail to update software regularly and introduce insecurities.
I installed samhain on my desktop PC and have been perusing the samhainrc file. I'm beginning to understand it.
Email is a problem here. Amazon puts each and every EC2 compute instance and elastic ip address on a policy block list -- you can't send email from these machines/IP blocks. The samhainrc allows one to specify a mail relay address but does not have a facility for specifying a username or password. I therefore need to set up some other machine -- NOT an EC2 instance -- as a mail relay which will relay mail for this EC2 machine without requiring login or password. I think this may be feasible using Amazon Simple Email Service which I was planning to set up later. I reckon the time has come to chat about mail considerations. Amazon offers instructions for setting up sendmail or postfix. Which should I choose? I have a few considerations for mail:
* I need to send mail from PHP
* I'm concerned about the spam ratings of my outgoing mail so I want to be sure to avoid outgoing mail headers that are at odds with any return-to or from headers inserted by my MTA.
* I need samhain to be able to send mail and it's not really clear to me what mechanism samhain will use.
RE: samhain setup. Given that it's taking me forever to get this new server secured and on-line, I simply don't feel up to the whole renamed-binary-and-steganography approach. I am hoping (but not yet sure) that I will be able to specify a MySQL host/db/user/pass in samhainrc and this will allow an "append only" type situation for the machine. The samhain docs are not at all clear on what sort of permissions are required for MySQL, but this tutorial suggests that only SELECT and INSERT are required. Unless I'm mistaken, this would be slightly more secure than simply keeping the samhain database on localhost where it could also be compromised in the event of an exploit. I've attached the default samhainrc file and hope I could get some feedback on the settings in it. I realize we are balancing security with performance in some cases. For example, it looks like a file integrity check happens every 2 hours by default. That could give a hacker as much as 2 hours to clean up after themselves.
Another question: I'm not certain under which conditions samhain will attempt to notify me. Can someone recommend a test that will trigger an alert (meaning the highest level of critical notification) ??
Seeing as how I need to sort out mail issues before I can properly set up samhain, I've turned my attention to Tiger. I'm a bit confused by your prior directions:
Code:
user@host:~$ sudo lsof -Pwln|awk '/REG.*bin {print $NF}|sort -u'
Also, I was wondering if there are any flags I should be setting aside from -e or -E. I've read the tiger man file but the flag descriptions are not particularly helpful. For instance, why might I want to specify a workdir or bindir? Also, in the tigerrc file, what the heck does this mean?
Code:
TigerNoBuild=Y # C files are corrupted (ouch.)
I ran tiger a couple of times on my dev box and I think I am prepared to try it on my server. Unfortunately apt wants to install sendmail:
Code:
jason@ip-10-100-237-252:~$ sudo apt-get install tiger
I was rather hoping to get tiger and samhain running before dealing with mail, but both packages apparently require an MTA for notifications. Granted, we're not using mail notifications for tiger, but the package would install sendmail. I'm thinking I should install postfix before tiger and samhain. If we have concerns about the security of the mail stack, we should deal with these now.
Code:
sudo lsof -Pwln|awk '/REG.*bin/ {print $NF}'|sort -u
Code:
## Interval for check (seconds)
Code:
# KernelCheckActive = True
Ultimately, I want to use apt-get install to install tiger and samhain and they both want to install smtp which I would like to avoid as it is my understanding that postfix is a) easier to configure, b) the default for ubuntu, and c) better documented as far as I can tell. I'm thinking that I might do an apt-get install for postfix before installing tiger and samhain, but I am totally uncertain how much configuration will be required or how to test samhain. I believe that my configuration of tiger is merely so that I can run commands to audit my system's condition, but samhain must be able to alert me when security issues arise, and must therefore be able to send mail. Complicating matters further is that the amazon compute instances cannot themselves send mail so I would need to follow the instructions on how to configure postfix to send mail via Amazon SES using a perl script. I am anxious to move forward and it's my feeling that postfix is the next step. At the very least, outgoing mail capability must be established so that samhain can do its job. Otherwise, I have no warning system in place.
So that's good news about the /dev/.*mem not being enabled. I gather that's one less thing to configure/enable.
Update: After a substantial struggle and lots of dependency-hunting, my EC2 instance is now hooked into Amazon SES and I have sent one successful mail from the machine. I'm pretty nervous about the setup being reliable enough for use by the myriad applications that might want to send mail from my machine, but I'm hoping for the time being that it just might work. I'd like to know how this mail installation process might affect security. The details:
* sudo apt-get install postfix, choose "no configuration"
* Configure postfix main.cf: a) no delivery to local mailboxes so we don't have root mailbox growing without bound b) no mail delivery to external machines c) route email destined for local mailboxes to fully qualified domain d) use amazon SES for default mail transport. The details:
Code:
$ sudo postconf -n
Code:
aws-email unix - n n - - pipe
* Install Amazon scripts in /opt/third-party/amazon. IMPORTANT: One of these files, aws-credentials, contains my AWS Access Key and my AWS Secret Key. The AWS docs say to remove read permission to this file from anyone but "your" account. Given that I'm trying to provide outgoing email access to my entire machine, it seems obvious that this would preclude access to this file to many other services (e.g., postfix, samhain, tiger) that might need to send mail. Currently the file is world-readable. I suspect creating a group and giving group read access would be the right approach here, but I'm not sure which users should be added to this group. ALSO IMPORTANT: These amazon scripts (and their dependencies) were not installed using the package system and I need to determine a scheme to keep them up-to-date.
* Install Amazon script dependencies and there are numerous ones. After getting a couple of complaints about missing perl functionality, I installed a few packages somewhat blindly. Some of these helped, others did not. Are any of these unsafe or a security risk?
Code:
apt-get install libnet-ssleay-perl
Code:
sudo apt-get install gcc
Code:
sudo perl -MCPAN -e 'install YAML'
At this point, the amazon scripts seem to run, but the saga continues. Because of mail failures, some additional steps were required:
* add symbolic link to amazon SES.pl at /usr/lib/perl5/SES.pl
* Alter ses-send-email.pl to scrub Precedence and Auto-Submitted headers out of emails so they are not rejected by the SES gateway.
* use hard-wired (and valid) sender address for all outgoing mail to solve various problems.
As soon as I am granted 'production' access to SES, I will run a couple more tests, create a snapshot machine image of the system, and move on to configuration of tiger and samhain. At that point, I'll want to know what I can do to trigger a notification by tiger and/or samhain so that I can make sure the email setup works. As usual, any advice or input you have would be much appreciated.
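The world-readable aws-credentials file is the weak point in this post. As an added example (not from the thread or from Amazon's scripts), the following shell functions apply the group-read approach the poster suggests and verify it: owner read/write, one named group read-only, nothing for other. The group name sesmail is a constructed placeholder; in practice it would be the group of the account that postfix's pipe transport runs the SES script as, since that is the only process that actually needs to read the keys.

```shell
#!/bin/sh
# Added example, not from the thread: lock down a credentials file so only
# its owner and one named group can read it, and verify the result.
# CRED_GROUP is a constructed placeholder group name.
CRED_GROUP="${CRED_GROUP:-sesmail}"

# Returns 0 when "other" has no permission bits at all and the group
# has at most read; otherwise reports the offending mode and returns 1.
check_private_file() {   # $1 = path
    mode=$(stat -c '%a' "$1") || return 1
    other=$(printf '%s' "$mode" | tail -c 1)
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    if [ "$other" != 0 ] || [ "$group" -gt 4 ]; then
        echo "insecure mode $mode on $1" >&2
        return 1
    fi
    return 0
}

# Owner read/write, group read-only, nothing for other (mode 640).
# chgrp is skipped when the group does not exist yet, so the function
# still tightens the mode on a box where the group has not been created.
make_private_file() {   # $1 = path
    if getent group "$CRED_GROUP" >/dev/null 2>&1; then
        chgrp "$CRED_GROUP" "$1" || return 1
    fi
    chmod 640 "$1"
}

# Typical use (as root), path taken from the post above:
#   make_private_file /opt/third-party/amazon/aws-credentials
#   check_private_file /opt/third-party/amazon/aws-credentials
```

Running check_private_file from cron against the credentials file gives a cheap alarm if a later reinstall of the Amazon scripts silently resets the mode to world-readable.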
I have installed tiger on the server now. It did not want to install sendmail so I believe my choice to install postfix first was the right thing to do. It took about 2 minutes to run:
Code:
user@ip-WWW-XXX-YYY-ZZZ:~$ sudo tiger -E