[SOLVED] Need advice regarding security on Fedora 15
I was wondering if anyone could give me some advice on how to harden and improve security on Fedora 15 which will be used to host a webserver.
I'm basically doing a report for school where our "client" has asked us to provide a risk assessment on Fedora 15 as well as solutions to security loopholes. I would be grateful if someone can point me in the right direction and give me some advice on where to look and how I should go about doing this.
Thanks for the reply, unSpawn. Unfortunately we haven't learnt anything that you have mentioned, and I'll be sure to look into those. We haven't been given much since it is a case study. It's not really an in-depth networking class; we have only learnt how to use a few tools such as Wireshark and nmap and how to configure iptables etc. I've been looking into the bug reports for Fedora 15 to see if this would help me.
OK. I'll try and keep it short.

First thing is to question the need for using Fedora 15 instead of an Enterprise-grade distribution like CentOS (unbranded RHEL), SLES, Ubuntu-LTS or whatever else. (Apart from that, Fedora 16 is current and right now it seems 17 will be upon us May-ish.)

Next, install only what you need, when you need it. A production web server should have no unstable software, no graphical desktop environment and no compilers. This minimizes maintenance and its attack surface when exposed to the 'net. Accounts, services and network access should be restricted and hardened, and enough auditing should be enabled to give you early warnings you can respond to. Security, updating, auditing, implementing preventive and reactive measures are not one-offs but continuous processes.

These days compromises happen often through brute forcing SSH (allowing root to log in over the 'net, weak passwords instead of pubkey auth, no fail2ban or equivalent) but more often through web application stack exploits. Apart from laxity like leaving installation sources around, fscking with access permissions to avoid fixing problems the right way, and allowing unrestricted access, I'm talking about running vulnerable versions of forum, shopping cart, statistics, photo gallery, web log and other software and/or their plugins, badly coded homebrew scripts, weak passwords allowing access to web-based management panels, etc, etc.

Giving thought to compartmentalization (Xen, VMware, Linux Containers, OpenVZ) or other server placement (DMZ), giving thought to your choice of software (security track record), updating software when updates are released, (reverse) proxying, running a web application firewall, remote testing of your setup and actually responding to reports and warnings will cost you time and effort but it will pay off. That's about as terse as it gets ;-p
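One way to check the SSH points unSpawn lists (root allowed to log in over the network, passwords instead of public keys), as an added example that is not part of this thread: a small Python audit of an sshd_config file. The parsing rules follow sshd_config(5); the values assumed when a keyword is absent are OpenSSH 5.x era defaults (an assumption, stated in the comments), and both sample configs are constructed.

```python
import re

# Settings the post calls out: (values considered safe, value assumed when the keyword
# is absent [OpenSSH 5.x defaults, assumption], finding text).
CHECKS = {
    "permitrootlogin": ({"no", "without-password"}, "yes",
                        "root can log in directly over the network"),
    "passwordauthentication": ({"no"}, "yes",
                               "password logins are accepted; use public keys instead"),
    "pubkeyauthentication": ({"yes"}, "yes",
                             "public key authentication is switched off"),
}

def parse_sshd_config(text):
    """Return {keyword: value} (lower-cased), keeping the first occurrence of each
    keyword as sshd(8) does; stops at the first Match block, which is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(\S.*)", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return sorted (keyword, effective_value, finding) tuples for weak settings."""
    settings = parse_sshd_config(text)
    return sorted((key, settings.get(key, default), why)
                  for key, (ok_values, default, why) in CHECKS.items()
                  if settings.get(key, default) not in ok_values)

# Constructed samples: a stock-looking config and the same file after hardening.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin yes      <- commented out, so the assumed default (yes) applies
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
```

Running `audit_sshd_config(WEAK_CONFIG)` reports both PermitRootLogin and PasswordAuthentication; the hardened file produces no findings.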
All groups have been assigned different operating systems and I have been assigned Fedora 15, that is why I have to base it on this.
This is a rather curious condition of the project and one that I would be inclined to ask for clarification and guidance from the instructor as to their expectations in terms of being operating system specific. Most Linux distributions have an extremely large amount in common as they are based upon the same kernel (or at least revisions of it) and if you are running at least a 2.6 kernel have netfilter built in, use the same GNU tool set, run the same applications (e.g. Apache, MySQL, PHP), etc. What this means is that there is little inherent difference in the OS itself, but as unSpawn pointed out, there are a few distributions that are Enterprise Grade in terms of support and backing and Fedora is not one of them. Probably the two biggest differences amongst most Linux distributions is their package management system and whether they use BSD or Unix style startup scripts (init.d vs rc.d).
Unless you are able to get some direct clarification as to whether or not there is something the instructor is looking for in terms of the OS choice, I would suggest researching the items suggested by unSpawn and building a "security policy" around those, and you could certainly mention the weaknesses associated with the choice of Fedora 15 as part of your security assessment.
I also find this comment interesting as it shows some possible insight into the instructor's thinking:
we have only learnt how to use a few tools such as Wireshark and nmap and how to configure iptables
Based upon this, it looks like the instructor may be focusing on intrusion and surveillance, as nmap would be used to port scan a system and Wireshark would be used to listen in on the packets. Perhaps you should include aspects dealing with detection of scanning attempts and ways to actively respond to them, as well as the benefits, risks, and rewards of SSL/TLS, which would mitigate packet sniffing. As far as an active response, iptables can certainly play a part in that role, as it is a very capable, state-aware firewall.
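Noway2's point about detecting scanning attempts, as an added example that is not part of this thread: a Python detector that reads netfilter LOG lines and flags any source that probes many distinct destination ports within a short window, the footprint an nmap port scan leaves. The logging rule named in the comments and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed logging rule (not from the thread), so every new inbound attempt is logged:
#   iptables -A INPUT -m state --state NEW -j LOG --log-prefix "IPT-IN: "
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
                    r".*?PROTO=(?P<proto>\w+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)")

def parse_log_line(line):
    """Return (timestamp, src, proto, dst_port), or None for lines with no port (ICMP, noise)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2012)  # syslog omits the year
    return ts, m["src"], m["proto"], int(m["dpt"])

def detect_scanners(lines, window_seconds=60, port_threshold=10):
    """Return {src: sorted distinct ports} for every source that touched more than
    port_threshold distinct destination ports within any window_seconds span."""
    events = defaultdict(list)                      # src -> [(ts, port), ...]
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            ts, src, _proto, dpt = parsed
            events[src].append((ts, dpt))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):                # sliding window over time-ordered hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) > port_threshold:
                scanners[src] = sorted({p for _, p in hits})
                break
    return scanners

# Constructed sample: 203.0.113.5 sweeps 15 ports in 15 seconds; 198.51.100.7 is an ordinary web client.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3306, 8080, 8443]
SAMPLE_LOG = [
    f"Apr 10 12:00:{sec:02d} web kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    f"LEN=44 TTL=54 PROTO=TCP SPT=40000 DPT={port} WINDOW=1024 SYN URGP=0"
    for sec, port in enumerate(SCAN_PORTS)
] + [
    f"Apr 10 12:00:{sec:02d} web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    f"LEN=60 TTL=60 PROTO=TCP SPT={40000 + sec} DPT={port} WINDOW=5840 SYN URGP=0"
    for sec, port in enumerate([80, 443, 80, 80, 443])
]
```

`detect_scanners(SAMPLE_LOG)` flags only 203.0.113.5; the output is what a fail2ban-style rule or an iptables DROP would act on for the active response Noway2 describes.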
Thanks Noway2 and everyone else, this has really helped. I don't think he wants us to do a "professional grade" security report since this is just an "add on" module to expose us all to some sort of networking (the main course is Software Engineering; last year we did basic router configurations and DHCP etc). When I see my lecturer I will be sure to ask him about the choice of operating system.
I actually need around 5 security bugs to show. I have found 3 that I can use but I do not know how to reproduce them, and I need to reproduce them to show the screenshots. Any advice or tutorial on these would be appreciated.