LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-28-2012, 09:32 AM   #1
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Rep: Reputation: Disabled
If my web server is that restrictive, how can a hacker compromise my system?


Hi,

I am making a LAMP web server with only port 80 and 443 (and SSH but not on 22) opened up.
I used all the tips that you find when you google "Secure PHP", "Secure Apache"; I disabled ExecCGI, etc. I changed the port for SSH and used fail2ban.
I used a program to monitor any change in my /var/www folder.
My /var/www folder doesn't have the typical directory names that bots look for.
I secured my fstab to tmpfs /dev/shm tmpfs defaults,ro 0 0.
In my PHP app, I took all measures against XSS and SQL Injections (using PDO prepared statements for both insertions and selects).
File permissions are the right ones.

But by only closing all ports except those I mentioned, how can a hacker compromise my system? How could he possibly access critical system files?

Thanks a lot in advance
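As an added example (not from anthony01's post or from any project mentioned in this thread), here is a small POSIX shell audit for the two controls the post relies on: that only the intended TCP ports are listening, and that the temp filesystems in fstab are mounted with noexec, nosuid and nodev. The allow list, the stand-in SSH port 2222 and the list of mount points are assumptions for illustration; both check functions read from stdin so they can be fed `ss -lnt` output and `/etc/fstab` on a real host, or constructed text.

```shell
#!/bin/sh
# Added example, not from the thread. Audits listening TCP ports against an
# allow list and checks that temp filesystems are mounted noexec,nosuid,nodev.
# ALLOWED_PORTS, the 2222 SSH port and TMP_MOUNTS are assumptions.

ALLOWED_PORTS="80 443 2222"          # 2222 stands in for "SSH but not on 22"
TMP_MOUNTS="/tmp /var/tmp /dev/shm"  # temp filesystems that should not run code

# Reads `ss -lnt` rows (header already stripped) on stdin and prints every
# listening port that is not in ALLOWED_PORTS. Returns 1 if any were printed.
unexpected_listeners() {
    found=0
    while read -r _state _recvq _sendq laddr _rest; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}            # works for 0.0.0.0:80, [::]:443 and *:8080
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$port"; found=1 ;;
        esac
    done
    return $found
}

# Reads fstab lines on stdin and prints each temp mount point that is missing
# any of noexec, nosuid, nodev. Returns 1 if at least one mount is weak.
weak_tmp_mounts() {
    weak=0
    while read -r dev mnt _type opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac            # blanks and comments
        case " $TMP_MOUNTS " in *" $mnt "*) ;; *) continue ;; esac
        missing=""
        for want in noexec nosuid nodev; do
            case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing:$missing"
            weak=1
        fi
    done
    return $weak
}

# Runs both checks against the live host. Exit status 1 means review needed.
audit_host() {
    status=0
    echo "== listening TCP ports outside the allow list =="
    ss -lnt | tail -n +2 | unexpected_listeners || status=1
    echo "== temp mounts lacking noexec/nosuid/nodev =="
    weak_tmp_mounts < /etc/fstab || status=1
    return $status
}

# Only audit when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --run` on the server; anything it prints is a port the firewall rules did not account for or a temp mount an attacker could drop and execute files on, which is exactly the kind of gap the later replies in this thread point at.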
 
Old 09-28-2012, 09:56 AM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 779
I'd suggest that this thread be moved from 'Newbie' to 'Security'; you've certainly gone beyond the basic newbie level in handling this (which is good) and you are probably looking for closer to 'advanced' advice.

Quote:
In my PHP app, I took all measures against XSS and SQL Injections...
All measures? Presumably, all measures that you knew of. Now, while I'm in no position to comment, perhaps with a little more detail someone with more relevant experience will comment on that.

Quote:
I changed port for SSH, used fail2ban.
A good start, but I'll point out that even that would be undermined by bad passwords (...assuming the use of passwords, of course...) or bad ssh config (e.g., allowing the 'bad' version 1 protocol), or, if using keys, 'bad' key distribution.

Quote:
But by only closing all ports except those I mentioned, how can a hacker compromise my system?
The other obvious things that come to mind that you haven't mentioned are keeping apps up to date, watching log files for unusual occurrences, poor networking settings (which maybe your firewall script deals with and maybe it doesn't).

Have you tried running something like Bastille or Tiger?

Quote:
In my PHP app...
Does this imply a self-written piece of PHP code? The bad news is that, on average, PHP code that doesn't get 'many eyes' has a worrying bug density. The other bad news is that some PHP apps that do get many eyes are bad, too.
 
Old 09-28-2012, 11:26 AM   #3
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Quote:
All measures? Presumably, all measures that you knew of. Now, while I'm in no position to comment, perhaps with a little more detail someone with more relevant experience will comment on that.
Hi, thank you for your response. In my app, I tried to follow the best practices described in many threads and articles. I use HTML Purifier and always use jQuery's text() instead of html(). I always try to have a low maximum strlen() for user input.

As for SQL, I never trust data from user input or the database itself. I use prepared statements (PDO) for every single query, including SELECT's.

Quote:
A good start, but I'll point out that even that would be undermined by bad passwords (...assuming the use of passwords, of course...) or bad ssh config (e.g., allowing the 'bad' version 1 protocol), or, if using keys, 'bad' key distribution.
Thanks for pointing out the version 1 issue, because I had never heard of it. I checked my config file and it seems to be disabled by default in the latest version.
For the password, I'm using a long string of all kinds of characters. I'm considering using keys eventually. For now I am only allowing SSH access from my own personal IP (using iptables), so it should be OK.


Quote:
The other obvious things that come to mind that you haven't mentioned are keeping apps up to date, watching log files for unusual occurrences, poor networking settings (which maybe your firewall script deals with and maybe it doesn't).

Have you tried running something like Bastille or Tiger?
Yes, I am currently trying to improve my log reading skills. I have identified important logs to monitor in a web server.
I don't know exactly what you mean by poor network settings. Could you give me an example?

I haven't tried Bastille or Tiger yet, I will.
I read about Samhain being a good HIDS but it has very few tutorials on the net and seems quite challenging for a non-expert.

Quote:
Does this imply a self-written piece of PHP code? The bad news is that, on average, PHP code that doesn't get 'many eyes' has a worrying bug density. The other bad news is that some PHP apps that do get many eyes are bad, too.
It is indeed written by myself. The only things I didn't code on that app are the image resizing script and the captcha.
I have read quite a lot and practiced on apps like Damn Vulnerable Web App. I identified many potential points of entry for malicious users such as user input, JS, etc. I have the feeling I narrowed down vulnerabilities as much as I could. However, I'm always a bit worried about someone using something unexpected like HEX strings.

Thanks a lot

Last edited by anthony01; 09-28-2012 at 11:31 AM.
 
Old 09-28-2012, 11:40 AM   #4
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371
None of that will prevent a denial of service (DoS) attack, for one. Second, there is still the possibility of an erroneous buffer overflow in the software you are using as a vector of attack. Another possibility is being port scanned and discovering the port on which SSH is running. Hash collisions are also a possibility, though less likely with good password policies.
 
Old 09-28-2012, 01:10 PM   #5
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Hi Frieza,

Thanks for pointing out the buffer overflow security threat. I will look into this as well as tools to minimize the effects of DDoS.

Regards
 
Old 09-28-2012, 05:25 PM   #6
KernelJay
LQ Newbie
 
Registered: Aug 2012
Posts: 15

Rep: Reputation: Disabled
Regarding buffer overflows, I recently wrote some blog posts which may be helpful for your understanding:
VERT Vuln School: Stack Buffer Overflows 101

Part 1: Introducing the Bug
Part 2: Explaining the Stack
Part 3: Exploiting the Bug

I would also like to point out that the use of mitigation technologies such as SELinux and Address Space Layout Randomization (ASLR) can be helpful in reducing attack surface.

Depending on what type of compromise you are concerned with, other techniques may also be helpful. For instance if you want to protect against site defacement it can be very helpful to virtualize your web server and simply restore it back to the original form on a regularly scheduled basis. (Using a LiveCD to host the site can also have this effect but it is a bit more of a nuisance when it comes time to update things.) If you need a more dynamic site or if you are concerned about an attacker getting access to sensitive data, I would recommend investing in an IPS or Web Application Firewall. FWIW, I think that IBM's Proventia G is one of the best on the market for this. With this type of technology you are protected against known vulnerabilities as well as attempts to exploit potentially unknown vulnerabilities. Check it out at http://www.iss.net/. Scanning technology such as what is offered by my current employer (nCircle) is also very valuable in helping identify when you may be missing system patches. (There is also capability for scanning web applications for categorical vulnerabilities to help confirm that you really have locked down the site.)

Good luck!

-Craig

Last edited by KernelJay; 09-29-2012 at 09:34 AM. Reason: Part 3 link added
 
Old 09-29-2012, 12:17 AM   #7
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Hi Craig,
Thanks for your message and your tutorial. I have read about buffer overflows and it seems to concern languages such as C and C++. But I haven't made any program in those languages.
Should I assume that these popular Linux utilities such as iptables, fail2ban, OpenSSH, Apache, and PHP may have buffer overflow vulnerabilities, or should I assume that the programmers have done their job well enough that I shouldn't worry about it?

My main concern is to protect the MySQL database and avoid having my website defaced by an attacker (it will be a commercial website).
When you say Web Application Firewall, are you talking about something like mod_security?

Thanks a lot

Regards
 
Old 09-29-2012, 09:32 AM   #8
KernelJay
LQ Newbie
 
Registered: Aug 2012
Posts: 15

Rep: Reputation: Disabled
Quote:
Originally Posted by anthony01 View Post
Hi Craig,
Thanks for your message and your tutorial. I have read about buffer overflows and it seems to concern languages such as C and C++. But I haven't made any program in those languages.
Should I assume that these popular Linux utilities such as iptables, fail2ban, OpenSSH, Apache, and PHP may have buffer overflow vulnerabilities, or should I assume that the programmers have done their job well enough that I shouldn't worry about it?

My main concern is to protect the MySQL database and avoid having my website defaced by an attacker (it will be a commercial website).
When you say Web Application Firewall, are you talking about something like mod_security?

Thanks a lot

Regards
Unfortunately you cannot really 'assume that the programmers have done their job well enough'. As evidence of this, I will refer you to CVE-2012-2386, a heap-based buffer overflow in a PHP extension; CVE-2012-2329, a buffer overflow in the apache_request_headers PHP function; and CVE-2010-3064, a stack-based buffer overflow in mysqlnd. As for OpenSSH, there were buffer overflows back in the day but not so recently.

When I refer to a Web Application Firewall, I refer to a particular policy of IBM's IPS product line. (Full disclosure -- I was a developer on IBM's IPS dev team in the past so I am particularly familiar with that one.) I think ModSecurity is probably good as well based on Trustwave's reputation, but I honestly don't know much about them besides that they gave me a shirt at the Black Hat conference.

Be sure to keep your web server running only the services required to run the site and keep it secure. Doing other activities on the server such as web browsing or reading email should be avoided as they increase the chances of a compromise. I can't say this next one with enough emphasis, but DO SET A STRONG PASSWORD!!! I would advise having something like a 32-bit alpha+numeric+symbol based password along with a strong public/private key-pair for SSH authentication. DO NOT USE A PASSWORD USED ON OTHER SYSTEMS!

Regards,
Craig

Last edited by KernelJay; 09-29-2012 at 09:34 AM. Reason: typo
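The SSH advice in this post and in salasi's earlier reply (no SSH-1, a non-default port, a strong password, and a key pair so that password logins can eventually be switched off) can be checked rather than remembered. The following is an added example, not from the thread and not from the OpenSSH project: an awk-based audit of sshd_config that reports the risky settings, plus the two commands an admin runs on their own workstation to create and install a key. The config path, the key path and the host/port arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags risky sshd_config settings and
# shows the key-pair steps that let password logins be switched off. The
# config path, key path and host/port arguments are assumptions.

# Reads sshd_config text on stdin and prints one finding per risky directive.
# Like sshd, only the first occurrence of a directive is honoured. Returns 1
# if anything was reported, 0 for a clean file.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip blank lines and comments
        { key = tolower($1); val = tolower($2) }
        seen[key]++ { next }                    # later duplicates are ignored by sshd
        key == "protocol" && val ~ /1/ {
            print "Protocol " $2 ": SSH-1 is still allowed"; bad = 1 }
        key == "permitrootlogin" && val == "yes" {
            print "PermitRootLogin yes: root can log in directly"; bad = 1 }
        key == "passwordauthentication" && val == "yes" {
            print "PasswordAuthentication yes: password guessing is possible"; bad = 1 }
        key == "port" && $2 == "22" {
            print "Port 22: default port, expect constant scanner noise"; bad = 1 }
        END {
            # an absent directive falls back to the sshd default, which is "yes" here
            if (!("passwordauthentication" in seen)) {
                print "PasswordAuthentication unset: defaults to yes"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# On the admin workstation: create an Ed25519 key pair, install the public half
# on the server, and prove the key works before turning passwords off.
# Arguments are the server host and its (non-22) SSH port; both are placeholders.
install_admin_key() {
    host=$1
    port=$2
    ssh-keygen -t ed25519 -a 100 -f "$HOME/.ssh/id_ed25519"
    ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" -p "$port" "$host"
    ssh -p "$port" -o PasswordAuthentication=no "$host" true
}

# Audit the live config only when asked, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_sshd_config < /etc/ssh/sshd_config
fi
```

Run `sh sshaudit.sh --audit` on the server after every change to sshd_config; once `install_admin_key` has succeeded from the workstation, set `PasswordAuthentication no` and re-run the audit, which should then print nothing. Older servers whose OpenSSH predates Ed25519 support can use `-t rsa -b 4096` instead.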
 
Old 09-29-2012, 11:52 AM   #9
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Hi Craig,

Thanks a lot for your suggestions. I read your third tutorial.
I only code in PHP and I am setting up a Ubuntu web server at the moment.

It seems that in order to fix these potential overflow vulnerabilities, I would need to go into the code of all programs and services used on my web server and inspect whether commands like strcpy, strcat, or sprintf are subject to those vulnerabilities. Is that right?

Since I have little knowledge of C, would you suggest that I learn how to identify these vulnerabilities and fix them, or rather keep all my programs up to date and hope for the best?
I don't know exactly how to act on this issue of buffer overflow, any suggestion?

Thanks a lot for your help.
 
Old 09-29-2012, 12:58 PM   #10
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1957
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 09-29-2012, 08:19 PM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
Originally Posted by anthony01 View Post
Since I have little knowledge of C, would you suggest that I learn how to identify these vulnerabilities and fix them, or rather keep all my programs up to date and hope for the best?
I don't know exactly how to act on this issue of buffer overflow, any suggestion?
Unless you have experience with the application, which will take time to develop, your best bet is likely to keep your system up to date. Consider subscribing to the mailing lists for your critical applications, like Apache, or PHP, especially if they have a security list. This will help you get the feel for the types of things that are found, how they are addressed, etc.

It sounds like you've got a pretty good handle on security with regards to your system. There are some things you can do to try to improve your posture. Consider using a HIDS system, e.g. Aide or Samhain, that will tell you if system binaries have been modified. Use logwatch to get daily reports of the highlights from your system logs. Use tools like fail2ban and Apache's mod_security to clamp down on misbehaving users quickly and discourage them from attempting to toy with your system. I also think you would find vulnerability and penetration testing interesting, as well as beneficial, given your current state. I would recommend looking into OpenVAS, which will look at what you're exposing to the world and make an assessment of your status.
 
Old 09-29-2012, 09:10 PM   #12
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2 View Post
Consider using a HIDS system, e.g. Aide or Samhain, that will tell you if system binaries have been modified. Use logwatch to get daily reports of the highlights from your system logs. Use tools like fail2ban and Apache's mod_security to clamp down on misbehaving users quickly and discourage them from attempting to toy with your system. I also think you would find vulnerability and penetration testing interesting, as well as beneficial, given your current state. I would recommend looking into OpenVAS, which will look at what you're exposing to the world and make an assessment of your status.
Hi, thank you for your response. I think I will use Aide because it looks like there are more tutorials that cover it than there are on Samhain.

Thanks for suggesting OpenVAS; I just saw a video on YouTube about it and it seems quite simple to use.
The thing I'm concerned about is that it seems to be quite a big package with many files here and there, so if I want to test my actual web server, could it be a hassle to erase OpenVAS after I carry out the tests?

I would like to delete all programs that my web server doesn't need, primarily for security reasons.

Thanks for your help
 
Old 09-30-2012, 07:16 AM   #13
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
Originally Posted by anthony01 View Post
I think I will use Aide because it looks like there are more tutorials that cover it than there are on Samhain.
Aide is easier to use, or at least to set up, than Samhain. Installation consists of installing the package and then initializing the database, which requires a simple command in a terminal. My recommendation would be to create a cron task that runs the check daily and sends you the results via email. Typically, in a stable system, over the course of several days you will see changes to your log files, and a few other dynamic entries. Of course after an update or anything you will need to manually update the database. Overall it is pretty low noise and effective, but will take a few minutes of effort every so often.
Quote:
Thanks for suggesting OpenVAS; I just saw a video on YouTube about it and it seems quite simple to use.
The thing I'm concerned about is that it seems to be quite a big package with many files here and there, so if I want to test my actual web server, could it be a hassle to erase OpenVAS after I carry out the tests?
You will really need to run the OpenVAS external to and upstream of your server. The idea is to have it look at your system from an outside perspective. In this regard, you shouldn't install it on your server. Also, if someone were to gain access to your server, are you sure you would want them to be able to run it on your LAN?
Quote:
I would like to delete all programs that my web server doesn't need, primarily for security reasons.
This can be done on multiple layers. First, Apache runs as a set of modules. You can delete or disable the modules you are not using. Second, on your server you can remove packages that are not needed. For example, you can get rid of the GUI and all its associated libraries. You can remove any music players, pdf readers, and other desktop applications that most distributions install by default. You can also remove the development tools. Also get rid of unused file systems and device drivers that are not applicable to your system. In other words, everything that you don't need, as these could all be tools to a would-be intruder. There are several other things you can do, such as tightening down on user permissions, locking accounts on too many password failures, mounting volumes like temp as non-executable, logging to remote media, etc.

If you have an extra machine on your LAN, consider running snort which will give you alerts regarding the traffic patterns. You can configure it to run on a stealth interface (one that is not configured) so that it won't respond to probes but will listen. If you keep it behind a firewall, it will monitor the traffic that is important because it either came through your firewall or was on your LAN.

In the end, the most important thing for you to realize is that it is the process that is most important. Use logwatch to keep track of your system daily. Monitor it for file changes, investigate reports of attempts to break in, etc. This is more critical than any tool.
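The Aide routine Noway2 describes (initialise the database once, run the check daily from cron and mail the result, refresh the database by hand after an update you approved) as an added example script. It is not from the thread and not from the Aide project. The exit codes are those documented in aide(1); the config and database paths follow Debian/Ubuntu packaging and the mail address is a placeholder, all of which are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the Aide routine described above:
# one-off init, a daily cron check that mails a verdict, and a refresh after
# approved updates. Paths follow Debian/Ubuntu packaging (assumption); the
# mail address is a placeholder.

AIDE_CONF=/etc/aide/aide.conf
AIDE_DB=/var/lib/aide/aide.db
AIDE_DB_NEW=/var/lib/aide/aide.db.new
REPORT_TO="admin@example.invalid"    # placeholder, replace with a real mailbox

# Turn aide's exit status into a one-line verdict. Per aide(1), --check ORs
# together 1 (new files), 2 (removed files) and 4 (changed files); 14 and up
# are errors (write, argument, configuration, IO, version mismatch).
aide_verdict() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes"
        return
    fi
    if [ "$code" -ge 14 ]; then
        echo "aide error (exit $code)"
        return
    fi
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="$out new"; fi
    if [ $((code & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((code & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "changes detected:$out"
}

# One-off after installation: build the baseline and move it into place.
aide_init() {
    aide -c "$AIDE_CONF" --init && mv "$AIDE_DB_NEW" "$AIDE_DB"
}

# Daily from cron: run the check and mail the verdict with the full report.
# Example crontab line (install path is an assumption):
#   30 3 * * * root /usr/local/sbin/aide-daily.sh daily
aide_daily() {
    report=$(aide -c "$AIDE_CONF" --check 2>&1)
    code=$?
    verdict=$(aide_verdict "$code")
    printf 'Aide on %s: %s\n\n%s\n' "$(hostname)" "$verdict" "$report" \
        | mail -s "aide: $verdict" "$REPORT_TO"
}

# After an update you approved: rebuild the baseline and accept it. --update
# exits non-zero when it sees changes, which is expected at this point.
aide_accept() {
    aide -c "$AIDE_CONF" --update
    mv "$AIDE_DB_NEW" "$AIDE_DB"
}

case "${1:-}" in
    init)   aide_init ;;
    daily)  aide_daily ;;
    accept) aide_accept ;;
esac
```

On Debian and Ubuntu the aide-common package already ships an `aideinit` helper and a daily cron job that do much the same, so there the script mainly documents what is running; the verdict in the mail subject is what lets you spot a "changes detected" day among the routine "no changes" ones.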
 
Old 09-30-2012, 06:22 PM   #14
anthony01
LQ Newbie
 
Registered: Sep 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2 View Post

You will really need to run the OpenVAS external to and upstream of your server. The idea is to have it look at your system from an outside perspective. In this regard, you shouldn't install it on your server. Also, if someone were to gain access to your server, are you sure you would want them to be able to run it on your LAN?
Since my web server is a remote server, I will probably use my personal home computer to run the test remotely. Would that be appropriate for running the test "externally and upstream of server"?
If so, I will probably have to disable tools like fail2ban just for the test.

Thanks again.

Regards
 
Old 10-01-2012, 09:46 AM   #15
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
Originally Posted by anthony01 View Post
Since my web server is a remote server, I will probably use my personal home computer to run the test remotely. Would that be appropriate for running the test "externally and upstream of server"?
That should work fine. The idea is that you want to scan it from the "world" side of the network.
Quote:
If so, I will probably have to disable tools like fail2ban just for the test.
I would run the tests both ways. The hard part is in the setup and configuration, so running the tests twice doesn't take much more effort. The reason I would run it both ways is so that you can see the effect of fail2ban, or any other security tool, which is valuable information. The reason I would run it without disabling any tools is because this is the most realistic scenario as faced by a would-be intruder.
Quote:
Thanks again.

Regards
You're quite welcome. I'm happy to try and help.
 