I created an Amazon Machine Image from my server as a backup and was able to instantiate an entirely new compute instance from it and all of the security hardening so far performed was preserved. I'm proceeding with the iptable rules now knowing that if I lock myself out here that I can just terminate my compute instance and create another.

As a protection against locking myself out on the basis of IP address (e.g., if Time Warner Cable suddenly moves me to an entirely different subnet), I am adding two additional IPs to my ssh ACCEPT rules:
* The static IP address of one my brother's servers.
* A different Elastic IP address I have acquired through Amazon AWS. I can always create some arbitrary compute instance at Amazon and connect this IP address to it and login to the box from there. I have tested this and it appears to work. I'm checking the AWS forums for confirmation that this is a reliable technique.

I have run these commands on my server

Here is my ip_tables_save.txt document:
EDIT: I re-read the ip table how-to and realized that I had to save the rules to a file and configure my server to load them on startup. I configured my server to load them by creating a script thusly:
enter this script:
and then set perms on that file:
then reboot.

Okey Doke I think these iptables are as locked down as they need to be for now. I've tried some testing and between pubkey login, iptables and the Amazon Security Zones, I think it's going to be quite difficult for anyone to get in via SSH.

I'm now looking at the AIDE/Samhain, Tiger, fail2ban installations and wondering which to install first. Does sequence matter?

As for AIDE vs. Samhain, I'm liking samhain and the idea that we could have a separate machine as some kind of security audit hub to which other machines report. This would require an additional machine, but I imagine I could use a micro instance and get away with it. I'm still wondering exactly what samhain does: "file integrity checker" and "log file analysis" are what the website says. The instructions on the samhain site describe manual download/compile/install/configure but I'm guessing it would probably be better in the long run to use the ubuntu/debian package. Unfortunately, there is no "yule" package for server and "samhain" package for client. I've read a bit of the samhain documentation and it would appear that a client/server configuration would require some manual setup. Should I compile this manually or rely on a package install? I'm a bit concerned about doing anything manually lest I fail to update software regularly and introduce insecurities.

Cool. Just like you need it.


Yes. Consider OS installation as your "baseline", the installed data you trust. While GNU/Tiger can be installed any time I use it as both baseline and generic auditing tool notifying me of issues to address right after OS installation or after major (re-)configuration, update or SW installation changes. (For servers consider making it a habit to complement this by running remote tools like OpenVAS or Nessus etc, etc after changes.) Similarly Aide or Samhain provide integrity verification if installed right after OS installation. Snort + Guardian, Snort inline, fail2ban or equivalent provide service protection at the stage the machine is exposed to the 'net.


Look back at your past encounter. Ask yourself: what tools did you have at your disposal to verify OS integrity? When you decide to install Samhain ask yourself: how can you enhance it (Yule, Beltane)?


Samhain (the client) is a locally running daemon. It does not interact with users. An unprivileged user must be able to exploit conditions to be able to manipulate Samhain. As you can see there's been only one in the last three years for Samhain (none for Yule and one for Beltane II) and this one only affected the Secure Remote Password aspect. Samhain is actively developed and supported and new versions are released once in a while. All in all a client installation of Samhain does not need much updates: if there are no security fixes in a newer version and no enhancements you need feel free to postpone until you need a new version. While this may not be any indication to you on Centos Samhain is one of the few packages I am willing to install manually.

I installed samhain on my desktop PC and have been perusing the samhainrc file. I'm beginning to understand it.

Email is a problem here. Amazon puts each and every EC2 compute instance and elastic ip address on a policy block list -- you can't send email from these machines/IP blocks. The samhainrc allows one to specify a mail relay address but does not have a facility for specifying a username or password. I therefore need to set up some other machine -- NOT an EC2 instance -- as a mail relay which will relay mail for this EC2 machine without requiring login or password. I think this may be feasible using Amazon Simple Email Service which I was planning to set up later. I reckon the time has come to chat about mail considerations. Amazon offers instructions for setting up sendmail or postfix. Which should I choose?. I have a few considerations for mail:
* I need to send mail from PHP
* I'm concerned about the spam ratings of my outgoing mail so I want to be sure to avoid outgoing mail headers that are at odds with any return-to or from headers inserted by my MTA.
* I need samhain to be able to send mail and it's not really clear to me what mechanism samhain will use.

RE: samhain setup. Given that it's taking me forever to get this new server secured and on-line, I simply don't feel up to the whole renamed-binary-and-steganography approach. I am hoping (but not yet sure) that I will be able to specify a MySQL host/db/user/pass in samhainrc and this will allow an "append only" type situation for the machine. The samhain docs are not at all clear on what sort of permissions are required for MySQL, but this tutorial suggests that only SELECT and INSERT are required. Unless I'm mistaken, this would be slightly more secure that simply keeping the samhain database on localhost where it could also be compromised in the event of an exploit.

I've attached the default samhainrc file and hope I could get some feedback on the settings in it. I realize we are balancing security with performance in some cases. For example, It looks like a file integrity check happens every 2 hours by default. That could give a hacker as much as 2 hours to clean up after themselves.

Another question: I'm not certain under which conditions samhain will attempt to notify me. Can someone recommend a test that will trigger an alert (meaning the highest level of critical notification) ??

Seeing as how I need to sort out mail issues before I can properly set up samhain, I've turned my attention to Tiger. I'm a bit confused by your prior directions:
I've edited tigerrc and set most of the options you specified, but don't understand the lsof command you've offered or the Tiger_Running_Procs setting. unSpawn, could you please clarify? I tried running the lsof | awk command but it returns an error:
What's the objective here? I'm not familiar with awk but might be able to tease something out using grep.


Also, I was wondering if there are any flags I should be setting aside from -e or -E. I've read the tiger man file but the flag descriptions are not particularly helpful. For instance, why might I want to specify a workdir or bindir?

Also, in the tigerrc file, what the heck does this mean?

I ran tiger a couple of times on my dev box and I think I am prepared to try it on my server. Unfortunately apt wants to install sendmail:
Having done some reading about send mail and postfix, I'm inclined to install postfix. I understand that it's supposed to be easier to configure and maintain. Additionally, this page says it is the default MTA for ubuntu and part of the main repository and will therefore receive updates.

I was rather hoping to get tiger and samhain running before dealing with mail, but both packages apparently require an MTA for notifications. Granted, we're not using mail notifications for tiger, but the package would install sendmail. I'm thinking I should install the postfix before tiger and samhain. If we have concerns about the security of the mail stack, we should deal with these now.

* Reading config files with 'grep -v ^# /path/to/file|grep .|less' makes it easier to see what really remains. In your case did you notice (find intervals: 'grep -i interval samhainrc') you can set separate intervals for different tests? Spreading risk depending on how an intruder makes its move (plus Samhain not being your only line of defense). Also you might want to see if you can or can not enable the kernel check (RHEL/Centos/Fedora CAN NOT due to /dev/.*mem-excluding kernel builds), check which files you actually have (find non-existent files: 'awk -F'=' '/file=/ {print $NF}' samhainrc|xargs -iX stat -c '%N' 'X' >/dev/null') and which log files you have (find selected open files in /var: 'lsof -Pwln +D/var/|awk '/\// {print $NF}'|egrep -v "(cache|run|db|lib|spool)/"|sort -u'). Then read /usr/share/doc/samhain/manual.html/filedef.html again and propose which areas of the system you want to exclude and check once it's operational.


My apologies, it contains an error. The objective is to list processes by their full path. It should read:

"Not particularly helpful" seems out of place here as each switch is accompanied by multi-line text in plain English. "-w" is for temporary files (I prefer /dev/shm for most temporary write ops) and "-b" if you installed Tiger binaries out-of-tree. Once (configure and) installed you generally won't need more switches. One useful switch (as with more applications ranging from Apache to Nagios to Snort) is the test flag "-t" as it allows you to see pre-flight if you misconfigured something.


This rebuilds Tiger binaries like realpath, snefru, testsuid, md5, and getpermit. You don't need this.


I'd say by all means install what you're comfortable with.


One other way could be to install tiger-3.2.3.tar.gz (notice the SHA1 and sig) from the GNU/Tiger official source and use a --prefix to confine it like --prefix=/opt/tiger? Installed files should be owned and used only by root and while it's maintained and supported (and has a mailing list) GNU/Tiger updates are rare.


Not really. You'll not be running your MTA on an external interface (you're not hosting domains or providing users with email), right? (BTW note fail2ban has a Postfix section as well.) Anyway, here's "Sendmail vs Postfix" security the CVE way. Good you found the Ubuntu Postfix documentation. Should contain most of what you need.

I did indeed notice this and that is what triggered my question. Check my values:
2 hours between file checks seems like plenty of time for any successful break-in to cover their tracks. On the other hand, performing checksums on the file system more frequently sounds like a performance no-no on a busy server. Do these look like reasonable values?


What would you recommend to determine the feasibility of kernel check? It appears to have the kernel check enabler commented out by default. Is it safe to just remove the comment and turn it on? Remember that I have installed tiger using the apt package so the fact that its commented out might be telling.
Let me just say I truly appreciate the super-helpful awk commands. You're talking about paring back the samhainrc so that I don't bother checking files I don't already have, right? I notice that there are some related to apache and others related to postfix on my current machine. Seems to me I should wait until I get my web stack installed to do this sort of configuration, shouldn't I?

I realize the man page is pretty detailed, but the level of detail is only meaningful if one has sufficient understanding of the context, which I do not (yet). I have both tiger and samhain running on my desktop box and haven't received any notifications yet from samhain so I'm not sure it's doing its job. The output of tiger with nothing but a -e flag looks like it is doing precisely what it should so it's my guess (and a guess only) that the apt-get install I performed did in fact install it correctly so there are no additional flags required. On the other hand, the output of the tiger scan is also full of detail which I don't understand and I wonder if the default settings present any security or stability risk.

Not sure what you mean by "don't need this". "TigerNoBuild=Y" is the setting applied when I installed tiger via apt-get install. I'll just leave it as-is.

While I'd prefer to use some pre-built mail stack (google apps or similar hopefully) running on some external machine for incoming mail, I'm not certain that is acceptable. In fact, I was looking at a variety of pages in the Ubuntu documentation that describe how to set up postfix/pop/imap/spamassassin/clamAV/amavis-new/squirrelmail on this machine. I am NOT looking forward to it at all but using Google Apps may introduce privacy concerns and I'll need to find a way to migrate our existing mail. I've done this once before and it was a nightmare.

Ultimately, I want to use apt-get install to install tiger and samhain and they both want to install smtp which I would like to avoid as it is my understanding that postfix is a) easier to configure, b) the default for ubuntu, and c) better documented as far as I can tell. I'm thinking that I might do an apt-get install for postfix before installing tiger and samhain, but I am totally uncertain how much configuration will be required or how to test samhain. I believe that my configuration of tiger is merely so that I can run commands to audit my system's condition, but samhain must be able to alert me when security issues arise, and must therefore be able to send mail. Complicating matters further is that the amazon compute instances cannot themselves send mail so I would need to follow the instructions on how to configure postfix to send mail via Amazon SES using a perl script.

I am anxious to move forward and it's my feeling that postfix is the next step. At the very least, outgoing mail capability must be established so that samhain can do its job. Otherwise, I have no warning system in place.

Mine runs with SetFileCheckTime=14400, LoginCheckInterval=3600, ProcessCheckInterval=7200 and PortCheckInterval=3600. The amount of hashes to check also depends on your configuration. For instance excluding /usr/share and /usr/local may cause blind spots wrt attacks potentially storing files there but together with detecting other signs of mischief like the previously mentioned checks and for instance Logwatch reporting this might mitigate risks down to a (what you might view as a) reasonable level. As always it's a trade-off. (Having more than one layer may help. I'm not trying to make you dizzy but there is absolutely no rule against leveraging the specialties of and using multiple applications. For instance I run Samhain on /sbin and /bin every hour with the other checks, Monit to check process availability, log entry regexes, disk space and hashes for some applications, Aide to check other paths, SELinux and Logwatch. What I mean is that, depending on what you value protecting, you might prefer redundancy and overlap over missing out on things.)


If you kernel does not support /dev/.*mem then I wouldn't turn it on. As I've found out the hard way this will OOPS your machine real good :-]


Indeed.


Yes. Looking at common points of entry I've never seen say Apache subverted (though there are processes that mimic argv[0] to make IRC bouncers look like they're "/usr/local/bin/httpd -SSL" ;-p) but what runs in the web stack to be exploited. Apart from watching publicly accessible, writable temp and upload dirs Samhain isn't going to catch much of that like inotify+ClamAV would.


Thanks for pointing that out. I do sometimes forget I am no longer blessed with the clear view new Linux users possess...


Compress and attach GNU/Tiger log to an email to me? Would be good to have as this helps figure out where you stand wrt host hardening.


Indeed best leave it as it is.


Maybe I haven't read the docs too well but to me it seems the AWS Perl script drop-in provides your locally installed Postifx with the capacity to send email through SES as it would take care of authentication. So if you can install Postfix and test you can send email from your instances account to an external email address then IMHO you should have no trouble at all wrt sending out notifications.

Thanks for the parameters. I'll be revisiting these when I finally get Tiger running on the server. For the moment, it's postfix time. I learned yesterday that it's OK to use Google Apps for mail and I have that more or less sorted out. I just need to set up postfix to handle outgoing mail from my server. I created a separate thread for the details of that in the hope that I might reach a broader audience. It's pretty quiet in this thread and the security forum.

Yikes. I haven't the foggiest idea how to check if my kernel supports /dev/.*mem . I'm not even sure what that means.

I haven't installed it on the server yet. I've been testing things on my desktop Ubuntu box so far. As previously discussed, I have to get postfix installed first.


Working on this now. Tiger log to come after.

So that's good news about the /dev/.*mem not being enabled. I gather that's one less thing to configure/enable.

Update: After a substantial struggle and lots of dependency-hunting, my EC2 instance is now hooked into Amazon SES and I have sent one successful mail from the machine. I'm pretty nervous about the setup being reliable enough for use by the myriad applications that might want to send mail from my machine, but I'm hoping for the time being that it just might work. I'd like to know how this mail installation process might affect security. The details:
* sudo apt-get install postfix, choose "no configuration"
* Configure postfix main.cf:
a) no delivery to local mailboxes so we don't have root mailbox growing without bound
b) no mail delivery to external machines
c) route email destined for local mailboxes to fully qualified domain
d) use amazon SES for default mail transport. The details:
* edit postfix master.cf to add aws-email:
NOTE: This will route all of my mail through a perl script from amazon.
* Install Amazon scripts in /opt/third-party/amazon. IMPORTANT: One of these files, aws-credentials, contains my AWS Access Key and my AWS Secret Key. The AWS docs say to remove read permission to this file from anyone but "your" account. Given that I'm trying to provide outgoing email access to my entire machine, it seems obvious that this would preclude access to this file to many other services (e.g., postfix, samhain, tiger) that might need to send mail. Currently the file is world-readable. I suspect creating a group and giving group read access would be the right approach here, but I'm not sure which users should be added to this group. ALSO IMPORTANT: These amazon scripts (and their dependencies) were not installed using the package system and I need to determine a scheme to keep them up-to-date.
* Install Amazon script dependencies and there are numerous ones. After getting a couple of complaints about missing perl functionality, I installed a few packages somewhat blindly. Some of these helped, others did not. Are any of these unsafe or a security risk?
I subsequently learned that the README file for the Amazon SES scripts contains installation instructions. The documentation failed to mention this. The instructions in that file describe using perl and CPAN to install some perl modules *outside* the package system of my OS. I am concerned about making sure these are up to date. The perl commands themselves had some packages prerequisites:
Here are the perl/cpan commands I ran:
Also of note: When you first run CPAN commands in perl, you are asked if you want to auto-config or whether you'd like to set each individual setting. I tried individual settings at first but found myself ultimately prompted for a CPAN URL which I couldn't seem to satisfy despite trying urls from the mirror list. Ultimately I ended up running the auto-config. This worries me a bit as the CPAN install stuff a)comes from god knows where and b) is not maintained by the package system and may not have an update process. Sadly I felt compelled to do it because I need Amazon SES and they recommended it.

At this point, the amazon scripts seem to run, but the saga continues. Because of mail failures, some additional steps were required:
* add symbolic link to amazon SES.pl at /usr/lib/perl5/SES.pl
* Alter ses-send-email.pl to scrub Precedence and Auto-Submitted headers out of emails so they are not rejected by the SES gateway.
* use hard-wired (and valid) sender address for all outgoing mail to solve various problems.

As soon as I am granted 'production' access to SES, I will run a couple more tests, create a snapshot machine image of the system, and move on to configuration of tiger and samhain. At that point, I'll want to know what I can do to trigger a notification by tiger and/or samhain so that I can make sure the email setup works.

As usual, any advice or input you have would be much appreciated.

I have installed tiger on the server now. It did not want to install sendmail so I believe my choice to install postfix first was the right thing to do. It took about 2 minutes to run:
unSpawn, I have emailed you the output of this file (it contains incriminating IP addresses so I don't feel that it's safe to post here). I've attached the tigerrc to this thread.

Thanks, you'll find most of the common 'tiger -E' explanations here. Any questions just ask.