LinuxQuestions.org
Old 04-14-2012, 09:48 AM   #1
species3618
LQ Newbie
 
Registered: Feb 2012
Posts: 6

Rep: Reputation: Disabled
Need advice regarding security on Fedora 15


Hey!

I was wondering if anyone could give me some advice on how to harden and improve security on Fedora 15 which will be used to host a webserver.

I'm basically doing a report for school where our "client" has asked us to provide a risk assessment on Fedora 15 as well as solutions to security loopholes. I would be grateful if someone can point me in the right direction and give me some advice on where to look and how I should go about doing this.

Any help is really appreciated.

Thank you very much
 
Old 04-14-2012, 12:07 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by species3618
I'm basically doing a report for school where our "client" has asked us to provide a risk assessment on Fedora 15
Since you're doing this for school I'll return the question: what class material was presented to you to help you? What have you researched for and found so far? (That's two questions actually.)

Did you read the docs Fedora comes with? They're quite extensive.
Are you aware of SANS?
OWASP?
Cisecurity benchmarks?
OVAL?
Nessus?
OpenVAS?
Do you know how to list updates for CVEs? (Eight more.)
 
Old 04-14-2012, 01:09 PM   #3
species3618
LQ Newbie
 
Registered: Feb 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for the reply unSpawn, unfortunately we haven't learnt anything that you have mentioned and I'll be sure to look into those. We haven't been given much since it is a case study. It's not really an in-depth networking class, we have only learnt how to use a few tools such as wireshark and nmap and how to configure IP tables etc. I've been looking into the bug reports for Fedora 15 to see if this would help me.

Thank you for your help, much appreciated.
 
Old 04-14-2012, 02:25 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK. I'll try and keep it short. First thing is to question the need for using Fedora 15 instead of an Enterprise-grade distribution like CentOS (unbranded RHEL), SLES, Ubuntu-LTS or whatever else. (Apart from that Fedora 16 is current and right now it seems 17 will be upon us May-ish.) Next install only what you need, when you need it. A production web server should not have unstable software, no graphical desktop environment and no compilers. This minimizes maintenance and its attack surface when exposed to the 'net. Accounts, services, network access should be restricted and hardened and enough auditing should be enabled to give you early warnings you can respond to. Security, updating, auditing, implementing preventive and reactive measures are not one-offs but continuous processes. These days compromises happen often through brute forcing SSH (allowing root to log in over the 'net, weak passwords instead of pubkey auth, no fail2ban or equivalent) but more often through web application stack exploits. Apart from laxity like leaving installation sources around, fscking with access permissions to avoid fixing problems the right way, allowing unrestricted access I'm talking about running vulnerable software versions of forum, shopping cart, statistics, photo gallery, web log and other software and/or their plugins, badly coded homebrewed scripts, weak passwords allowing access to web-based management panels, etc, etc. Giving thought to compartmentalization (XEN, VMWare, Linux Containers, OpenVZ) or other server placement (DMZ), giving thought to your choice of software (security track record), updating software when updates are released, (reverse) proxying, running a web application firewall, remote testing of your setup and actually responding to reports and warnings will cost you time and effort but it will pay off. That's about as terse as it gets ;-p
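Added example, not part of the original post or of any project's code: a small audit of the global section of an `sshd_config` for the SSH weaknesses named above (root login over the network, passwords instead of pubkey auth). The sample configuration is constructed, and the function names are this example's own.

```python
# Added example: audit sshd_config for root login and password authentication.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
permitrootlogin yes
PasswordAuthentication yes
PasswordAuthentication no
#PubkeyAuthentication no
Match User backup
    PermitRootLogin no
"""

WATCHED = ("permitrootlogin", "passwordauthentication", "pubkeyauthentication")


def effective_settings(text):
    """Global value of each watched keyword; sshd uses the first value it reads."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # conditional overrides start here
            break
        if key in WATCHED and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return seen


def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    cfg = effective_settings(text)
    findings = []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: default differs between OpenSSH versions")
    elif root == "yes":
        findings.append("PermitRootLogin yes: root logins are allowed over SSH")
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: accounts can be brute forced")
    if cfg.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication no: key-based login is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Only the global section is checked; `Match` blocks can override these values per user or host and need a separate review.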
 
Old 04-14-2012, 02:33 PM   #5
snowday
Senior Member
 
Registered: Feb 2009
Posts: 4,667

Rep: Reputation: 1411
Fedora 15 has only 2 months of support remaining. After June 2012, it will receive no security patches or bug fixes, ever. That would be a deal-breaker for me right there.
 
Old 04-14-2012, 03:10 PM   #6
species3618
LQ Newbie
 
Registered: Feb 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Wow thank you for the information unSpawn.

All groups have been assigned different operating systems and I have been assigned Fedora 15, that is why I have to base it on this.

Thanks again.
 
Old 04-14-2012, 06:48 PM   #7
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,621

Rep: Reputation: 2651
the security on fedora 15
in about 2 months ( the fedora 17 release date was pushed back ) there will be NO support for 15
and NO security updates

so install fedora 16

but fedora is a VERY VERY bad choice for a server
its life span is ONLY 13 months
versus the 10 YEAR life span for RHEL 5 & 6 ( Red Hat Enterprise Linux )

as far as fedora is concerned you might want to READ the documentation
http://docs.fedoraproject.org/en-US/index.html

and read the Red Hat documents
https://access.redhat.com/knowledge/...erprise_Linux/


but the long term security for fedora 15 is VERY BAD - in about 60 days there will never ever be any more security updates
 
Old 04-15-2012, 06:29 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
Originally Posted by species3618
All groups have been assigned different operating systems and I have been assigned Fedora 15, that is why I have to base it on this.
This is a rather curious condition of the project and one that I would be inclined to ask for clarification and guidance from the instructor as to their expectations in terms of being operating system specific. Most Linux distributions have an extremely large amount in common as they are based upon the same kernel (or at least revisions of it) and if you are running at least a 2.6 kernel have netfilter built in, use the same GNU tool set, run the same applications (e.g. Apache, MySQL, PHP), etc. What this means is that there is little inherent difference in the OS itself, but as unSpawn pointed out, there are a few distributions that are Enterprise Grade in terms of support and backing and Fedora is not one of them. Probably the two biggest differences amongst most Linux distributions are their package management system and whether they use BSD or Unix style startup scripts (init.d vs rc.d).

Unless you are able to get some direct clarification as to whether or not there is something the instructor is looking for in terms of the OS choice, I would suggest researching the items suggested by unSpawn and building a "security policy" around those, and you could certainly mention the weaknesses associated with the choice of Fedora 15 as part of your security assessment.

I also find this comment interesting as it shows some possible insight into the instructor's thinking:
Quote:
we have only learnt how to use a few tools such as wireshark and nmap and how to configure IP tables
Based upon this, it looks like the instructor may be focusing on intrusion and surveillance as nmap would be used to port scan a system and wireshark would be used to listen in on the packets. Perhaps you should include aspects dealing with detection of scanning attempts and ways to actively respond to them as well as the benefits, risks, and rewards of SSL/TLS which would mitigate packet sniffing. As far as an active response, IPTables can certainly play a part in that role, as it is a very capable, state-aware, firewall.
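Added example, not part of the original post: one way to detect the scanning attempts mentioned above from kernel log lines written by an iptables `LOG` rule, flagging sources that send SYNs to many distinct ports within a short window. The log lines are constructed and abbreviated, the addresses are documentation ranges, and the window and threshold are assumed tuning values.

```python
# Added example: flag likely port scanners in iptables LOG output.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\bSRC=(?P<src>\S+) .*?"
    r"\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b.*?\bSYN\b"
)
WINDOW = timedelta(seconds=60)   # assumed tuning value
MIN_PORTS = 10                   # assumed tuning value


def sample_log():
    """Constructed log lines: one scanner and one ordinary HTTPS client."""
    tmpl = ("Apr 15 06:30:{sec:02d} web kernel: FW: IN=eth0 OUT= SRC={src} "
            "DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=41000 DPT={dpt} "
            "WINDOW=1024 RES=0x00 SYN URGP=0")
    scan = [tmpl.format(sec=i, src="203.0.113.7", dpt=20 + i) for i in range(15)]
    web = [tmpl.format(sec=i * 4, src="198.51.100.23", dpt=443) for i in range(12)]
    return scan + web


def find_scanners(lines, window=WINDOW, min_ports=MIN_PORTS):
    """Map source IP -> most distinct ports hit inside any one window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            # syslog timestamps carry no year; only differences matter here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events[m["src"]].append((ts, int(m["dpt"])))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                       # slide the window forward
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(sample_log()).items():
        print(f"{src}: {ports} distinct ports within {WINDOW.seconds}s")
```

A client that repeatedly hits one port, like the HTTPS client in the sample, is not flagged; that behaviour is better handled by rate limiting than by scan detection.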
 
Old 04-15-2012, 06:47 AM   #9
species3618
LQ Newbie
 
Registered: Feb 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks Noway2 and everyone else, this has really helped, I don't think he wants us to do a "professional grade" security report since this is just an "add on" module to expose us all to some sort of networking (the main course is Software Engineering, last year we did basic router configurations and DHCP etc), when I see my lecturer I will be sure to ask him about the choice of operating system.

Thank you all for your input, much appreciated.
 
Old 05-09-2012, 06:59 AM   #10
species3618
LQ Newbie
 
Registered: Feb 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hey, I have some updates on this.

I actually need around 5 security bugs to show, I have found 3 that I can use but I do not know how to reproduce them, since I need to reproduce them to show the screenshots, any advice or tutorial on these would be appreciated.

1: Buffer Overflow
2: SQL Injection
3: Cross Scripting
 
Old 05-09-2012, 07:38 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'm marking your thread solved as your initial question, how to harden and improve security on Fedora 15, was solved three weeks ago.


Quote:
Originally Posted by species3618
I actually need around 5 security bugs to show, I have found 3 that I can use but I do not know how to reproduce them
We're not here to do your homework for you.
And asking for help with exploits is against the LQ Rules.
Thread closed.
 