OK, I've finally got samhain installed and it seems to be sending mail to me and one other account, which is a huge relief. On the other hand, I don't feel like my postfix config is really correct yet due to delivery failures for local accounts (e.g., daemon, root@localhost, etc.).
I am now digging into the tiger output and trying to repair the issues reported to me.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
* I'm not sure exactly how this list is generated, but it has my account and my boss' account here which are not services but rather 'unprivileged' accounts with sudo capability. Obviously, they must stay or we lose root-level access to the box. They will stay unmolested.
* Which ones definitely need to go? I don't have www-data now but will once I've installed apache. I'm also guessing root must stay. irc, news, and games can be removed, right?
* How does one remove these? Is it enough just to deluser --remove-home --remove-all-files them? Is that going to cause problems with other binaries/daemons/configuration? Is it preferable to somehow disable their login?
* What does it mean that sshd and sync don't have a shell?
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
$ sudo pwck -r
--WARN-- [acc021w] Login ID landscape appears to be a dormant account.
Graph this data and manage this system at https://landscape.canonical.com/
landscape-client - The Landscape administration system client
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
--WARN-- [root003w] Root user has message capability turned on.
mesg n; dmesg -n 4
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted
--WARN-- [inet003w] The port for service sieve is also assigned to service
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin016f] The system permits source routing from incoming packets
EDIT: I did "sudo su" and was able to complete this. duh.
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
EDIT: I did "sudo su" and was able to complete this. duh.
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `squeeze/sid'
Do you also want the output of this command?
sysctl -a | egrep -ie "(ip_always_defrag|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|accept_redirects|send_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|tcp_syncookies|ip_default_ttl|tcp_max_syn_backlog|tcp_syn_retries|mtu_expires|tcp_keepalive_time|icmp_echoreply_rate|tcp_fin_timeout|tcp_rfc1337|ip_no_pmtu_disc|panic|panic_on_oops)"|tr '.' '/'| awk '{print "echo", $3, "> /proc/sys/"$1}'|column -t
This is the bit I found rather worrisome:
# Checking md5sums of installed files
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
--WARN-- [misc026w] There is no default umask settings for user login shells
--WARN-- [lin002i] The process `dhclient3' is listening on socket 68 (UDP) on
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition src).
--FAIL-- [netw020f] There is no /etc/ftpusers file.
--WARN-- [fsys013w] cannot access /lib/udev/devices/sndstat is a dangling
--ALERT-- [fsys006a] Unexpected device files found:
Tiger is looking pretty handy as a security audit tool. Sadly, I know little about what it's trying to tell me. Your advice would be much appreciated.
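The pass014w warning above is about accounts whose password is locked but whose login shell still works. As an added example (not code from the thread, nor tiger's own check), the shell function below reproduces that test on constructed passwd and shadow excerpts and prints the accounts tiger would flag; the sample accounts, hashes and field values are made up for the demo. The second function prints the usual alternative to deleting such accounts, namely keeping them (so file ownership and package scripts still resolve) but switching the shell to /usr/sbin/nologin.

```shell
#!/bin/sh
# Added example: reproduce tiger's pass014w check ("login is disabled, but
# has a valid shell") on constructed sample data. Not code from the thread.

# Constructed excerpts in /etc/passwd and /etc/shadow format (all made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$6$fakesalt$fakehash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
backup:*:15000:0:99999:7:::
sshd:*:15000:0:99999:7:::
alice:$6$fakesalt$fakehash:15000:0:99999:7:::'

# Print accounts whose shadow password field is locked ("*" or a leading
# "!") but whose login shell is still a real shell.
# Arguments: passwd file, shadow file.
disabled_with_shell() {
    awk -F: '
        NR == FNR { locked[$1] = ($2 == "*" || $2 ~ /^!/); next }
        locked[$1] && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$2" "$1"
}

# Emit the usual remedy for each flagged account: keep the account but give
# it a shell that cannot log in. Prints the commands instead of running them.
nologin_plan() {
    disabled_with_shell "$1" "$2" | while read -r user; do
        printf 'usermod -s /usr/sbin/nologin %s\n' "$user"
    done
}

# Stand-alone demo on the constructed data.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_dir/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$demo_dir/shadow"
nologin_plan "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real host the two functions would be pointed at /etc/passwd and /etc/shadow (the latter needs root to read); accounts such as sshd in the sample are locked and already have nologin, which is exactly why tiger does not complain about them.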
Packages that are not dependencies for other packages should be removed. Quote:
- Look up which user the cron daemon runs as.
- echo those account names into /etc/cron.allow.
THANK YOU for your time on this.
vipw uses vi. EWWWW!
$ sudo ps -aux | grep cron
$ sudo getent services sieve
$ sudo stat /var/log/btmp
* samhain is installed and running (and has even sent a couple of notifications when I start it up). I'm wondering what I might do to trigger a notification. Obviously, I want to make sure it's properly detecting intrusions. I could also use a bit of help understanding what the startup notifications mean.
* I've still got some issues with postfix. Namely, mail to root@localhost is not getting delivered. It somehow gets transmogrified into root@localhost.myplan.com and then rejected with 'local delivery is disabled'. *sigh*.
* For Apache/MySQL/PHP, I expect to install using packages of course, but I'm wondering how to keep these up-to-date. You've recommended a staging machine before but I'm wondering if it might be safe to automate security updates? I seriously doubt I'll get authorization for enough hours to continuously monitor this machine and test and apply each patch individually. I'm thinking the best I can hope for is a (brief) monthly audit. Any advice welcome.
For Ubuntu, it seems that you need the formal sysctl interface to make the changes: 'man sysctl' for more details.
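The sysctl pipeline earlier in the thread turns `sysctl -a` output into raw `echo ... > /proc/sys/...` commands; the reply above points at the sysctl interface instead. As an added example (not code from the thread), the shell functions below compare a `sysctl -a` snapshot against a baseline for the three network findings quoted in the thread (lin012w, lin016f, lin017w) and render that baseline as a drop-in for /etc/sysctl.d/. The baseline values are the usual hardening recommendation and an assumption of this example, the snapshot is constructed, and the file name 60-tiger.conf is made up.

```shell
#!/bin/sh
# Added example: compare a `sysctl -a` snapshot against a hardened baseline
# for the three network findings in the thread (lin012w, lin016f, lin017w)
# and render the fix as a sysctl.d fragment. Not code from the thread.

# Baseline values: the usual hardening recommendation, assumed for this
# example rather than taken from tiger's own output.
BASELINE='net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1'

# Constructed snapshot in the "key = value" form that `sysctl -a` prints.
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.ip_forward = 0'

# Print "key current expected" for each baseline key whose live value
# differs. Argument: a file holding sysctl -a style output.
sysctl_drift() {
    printf '%s\n' "$BASELINE" | awk -v snap="$1" '
        BEGIN {
            while ((getline line < snap) > 0) {
                split(line, f, / = /)
                cur[f[1]] = f[2]
            }
        }
        ($1 in cur) && cur[$1] != $2 { print $1, cur[$1], $2 }
    '
}

# Render the baseline as a drop-in for /etc/sysctl.d/, i.e. the sysctl
# interface the reply refers to; apply with `sysctl -p <file>`.
sysctl_fragment() {
    printf '%s\n' "$BASELINE" | awk '{ print $1 " = " $2 }'
}

# Stand-alone demo on the constructed snapshot.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SYSCTL" > "$demo_file"
echo "# drift (key current expected):"
sysctl_drift "$demo_file"
echo "# /etc/sysctl.d/60-tiger.conf (file name chosen for this example):"
sysctl_fragment
rm -f "$demo_file"
```

Running the drift check against `sysctl -a > snapshot.txt` taken on the real box gives the same list tiger's three warnings summarise, and re-running it after `sysctl -p` on the fragment confirms the change persisted into the live kernel settings rather than only into /proc for the current boot.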
$ sudo find / -xdev -user daemon
backup
$ sudo readlink -f /lib/udev/devices/sndstat
$ sudo readlink -f /usr/lib/tiger/systems/Linux/issue.net
$ sudo readlink -f /usr/share/doc/bash/completion-contrib
$ sudo readlink -f /usr/share/man/man5/modprobe.d.5
I keep getting notifications from tiger's cron job that are arriving VERY erratically:
From: root@mydomain.com (Cron Daemon)
* Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
* The email subject appears to be some kind of improperly evaluated shell command.
* I don't know what to make of the message being sent. Have I configured something improperly?
# Checking services from /etc/services.
$ sudo cat /etc/services | grep 2010
Either way these symlinks aren't that problematic, just file system lint ('man fslint').
search 2010/tcp
# Here is every single mail log entry from "today" on the server. The server is set to UTC time, which is a pain when trying to connect mail log dates to local arrival times for my incoming email, but I believe each of these 4 messages corresponds to one of these weird tiger cron jobs, including one that just arrived as I was creating this post:
Aug 4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[6684]: B8CBB72132: uid=0 from=<root>
Ultimately, I'm most keen to understand what kind of problem this is reporting and whether it needs fixing and, if so, how to fix it. I did a google search on the error string and it looks like some people are treating it as a bug. As for the wonky symlinks, it doesn't sound from your post as though you consider them to be any sort of threat. I have no desire to fix them unless they are going to interfere with my server's proper functioning. How about I just leave them alone? Ditto for the /etc/services file. Maybe I could notify a developer or package maintainer somewhere? File a bug report?
Some good news: Finally worked out the postfix configuration to my liking. Also have samhain playing nice with email. Hoping to complete install of fail2ban today.
# Performing check of PATH components...
I want to understand the goal for these tiger complaints:
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
# Checking for correct umask settings for user login shells...
--WARN-- [misc026w] There is no default umask settings for user login shells in /etc/login.defs
It's to ensure a umask of 022 for services and one of 027 for human users?
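Both umask checks are about the default permissions that newly created files and directories end up with. As an added illustration (not code from the thread), the shell snippet below creates a file and a directory under a given umask and reads back their modes, so the two values the post mentions, 022 and 027, can be compared directly; the mode conversion goes through `ls -ld` rather than GNU `stat -c` so it also runs on non-GNU systems.

```shell
#!/bin/sh
# Added example: show what the two umask findings are about by creating a
# file and a directory under a given umask and reading back their modes.
# Not code from the thread.

# Convert the rwx string from `ls -ld` to octal (avoids GNU-only stat -c).
mode_octal() {
    ls -ld "$1" | awk '{
        bits = substr($1, 2, 9); o = 0
        for (i = 1; i <= 9; i++) o = o * 2 + (substr(bits, i, 1) != "-")
        printf "%o\n", o
    }'
}

# Create a file and a directory under umask $1 in a scratch directory and
# print "<file mode> <dir mode>". Files start from 666 and directories from
# 777 before the umask bits are cleared.
modes_under_umask() {
    scratch=$(mktemp -d)
    ( umask "$1"; : > "$scratch/f"; mkdir "$scratch/d" )
    f=$(mode_octal "$scratch/f"); d=$(mode_octal "$scratch/d")
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}

# Stand-alone demo: 022 and 027 are the two values named in the post; 077
# is added to show the fully private end of the scale.
for u in 022 027 077; do
    printf 'umask %s -> file/dir modes %s\n' "$u" "$(modes_under_umask "$u")"
done
```

The difference between the two values in the post is the group bits: under 022 a new file is 644 (group and world can read it), under 027 it is 640 (group can read, others cannot), and the same bits are dropped from new directories (755 vs 750).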
I'm hoping to install a few more packages:
* fail2ban - Because this program monitors logs, I'm thinking I should try to install FTP or SFTP first in the hope that the fail2ban package installer will automatically locate the ftp files and configure itself to watch them.
* sftp - We'll need a file transfer program to maintain the website assets. I'm accustomed to installing proftpd or vsftpd but am hoping to make sure that all FTP connections are encrypted. Is that sftp? or ftp-over-ssl?
* chkrootkit - This was apparently installed with tiger but you instructed me to run it separately. Any additional configuration detail for this would be most helpful.
I went ahead and installed fail2ban. I've checked out the config and it looks straightforward. I've tested it and it is working.