Old 04-18-2013, 04:19 AM   #16
newbie14
Member
 

Dear Unspawn,
I saw two more modules called mod_evasive and mod_rewrite. What is your opinion about both of them, and do you have any experience trying them?
 
Old 04-18-2013, 01:01 PM   #17
unSpawn
Moderator
 
IMHO you should keep your mod_security config as simple as possible. Only tweak things when the log file indicates users are denied access to what they should have. http://httpd.apache.org/docs/2.2/mod/ explains if you need mod_rewrite. And IIRC your web server should not see much traffic anyway, so if you need to limit access I'd favor a network layer approach, iptables (-m limit), over an application layer one.
 
Old 04-18-2013, 01:06 PM   #18
newbie14
Member
 
Dear Unspawn,
When you say log, which log are you referring to: the httpd log, I guess, or any other related logs? Yes, my traffic is limited to just 2 ports only. The rest are all closed; even ssh is closed from outside.
 
Old 04-18-2013, 04:35 PM   #19
unSpawn
Moderator
 
error_log more likely. With limiting I mean '/sbin/iptables -m limit --help'.
 
Old 04-22-2013, 08:07 AM   #20
newbie14
Member
 
Dear Unspawn,
OK, I will look into the error_log files. Besides that, when you said /sbin/iptables -m limit --help, that is regarding the iptables setup, right? But looking deeper into iptables, it is just blocking access to limited ports. For instance, port 80 has to be open for web communication; what other steps can be taken to further secure this port from being used for hacking purposes?
 
Old 04-22-2013, 02:08 PM   #21
unSpawn
Moderator
 
Quote:
Originally Posted by newbie14
But looking deeper into iptables, it is just blocking access to limited ports.
No, the other way around: it's limiting access, the amount of times somebody can access a port (best used in conjunction with --state).


Quote:
Originally Posted by newbie14
For instance, port 80 has to be open for web communication; what other steps can be taken to further secure this port from being used for hacking purposes?
Firewall, sane Apache configuration, mod_security, logs you parse for anomalies / hacking attempts / errors (you do use something like Logwatch + fail2ban, right?), local integrity verification (Samhain, AIDE, etc, etc), so then it boils down to what apps you run. For example you can't expect any benefits if you run crappy homebrew scripts or say a version of Joomla or WordPress a year old...
 
Old 04-24-2013, 11:35 AM   #22
newbie14
Member
 
Dear Unspawn,
Yes, we do have a firewall, will follow the Apache configuration as per your suggestion, and have installed mod_security and left it at the default settings. From time to time we will look into the Logwatch log files to see if something is not right. We are planning to move to OSSEC as we find it easier to understand and it gives email alerts too. Back on the app, it's a purely PHP and MySQL DB based application. Should we do more security on the logic page itself besides SQL injection protection?
 
Old 04-24-2013, 05:03 PM   #23
unSpawn
Moderator
 
Quote:
Originally Posted by newbie14
Back on the app, it's a purely PHP and MySQL DB based application. Should we do more security on the logic page itself besides SQL injection protection?
It kind of depends what you exactly run. If you run a common off-the-shelf application like for example WordPress, Joomla or suchlike, you should follow their recommendations for securing the application and keep the application, themes, plugins et cetera up to date. If you run homebrew scripts then you're responsible for adhering to coding standards. While there's more to implement like a database firewall and a reverse proxy, the next quickest wins IMHO would be to limit access (after all you run your web server for very specific clientele only), which could be done quickly and painlessly with ipset, and watch your logs for errors (fail2ban?).
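As an added example (not code from the thread or either poster), here is a small POSIX shell/awk script that does the kind of error_log review the advice above calls for: it counts mod_security denials per client IP, which is what a fail2ban jail would act on, and per rule id, which tells you whether one rule keeps denying otherwise normal users and needs tuning. The log lines, client IPs and rule ids are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of Apache error_log lines in the shape mod_security 2.x
# writes them; the client IPs (documentation ranges) and rule ids are sample values.
SAMPLE_LOG=$(cat <<'EOF'
[Thu Apr 18 04:19:00 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "950901"] [msg "SQL Injection Attack"] [uri "/index.php"]
[Thu Apr 18 04:19:02 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "950901"] [msg "SQL Injection Attack"] [uri "/index.php"]
[Thu Apr 18 04:19:05 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [uri "/login.php"]
[Thu Apr 18 04:20:11 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "960015"] [msg "Request Missing an Accept Header"] [uri "/report.php"]
[Thu Apr 18 04:21:30 2013] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
EOF
)

# Denials per client IP, printed as "count ip" for clients at or above the
# threshold in $1. Reads error_log lines on stdin. One client tripping many
# rules is a ban candidate, i.e. what a fail2ban jail on this log would catch.
denials_per_client() {
    awk -v thr="$1" '
        /ModSecurity: Access denied/ && match($0, /\[client [0-9.]+\]/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # drop the [client prefix and ] suffix
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' | sort -rn
}

# Denials per rule id, printed as "count id", most frequent first. A rule that
# keeps firing for legitimate clients is the one to tune or disable, which is
# the only time the mod_security config should be touched at all.
denials_per_rule() {
    awk '
        /ModSecurity: Access denied/ && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)   # drop the [id " prefix and "] suffix
            n[id]++
        }
        END { for (id in n) print n[id], id }
    ' | sort -rn
}

# Run against the sample; on a real server: denials_per_client 5 < /var/log/httpd/error_log
echo "clients with >= 3 denials:"
printf '%s\n' "$SAMPLE_LOG" | denials_per_client 3
echo "denials per rule id:"
printf '%s\n' "$SAMPLE_LOG" | denials_per_rule
```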
 
Old 04-24-2013, 08:33 PM   #24
newbie14
Member
 
Dear Unspawn,
It is homebrew scripts. What database firewall do you suggest for Linux machines? Yes, we will have limited clients, but how to determine their ipset if they use different machines or mobile phones to log in? Will fail2ban be part of Logwatch?
 
Old 04-25-2013, 01:46 AM   #25
unSpawn
Moderator
 
Quote:
Originally Posted by newbie14
What database firewall do you suggest for Linux machines?
In essence none: review your PHP code instead.


Quote:
Originally Posted by newbie14
Yes, we will have limited clients, but how to determine their ipset if they use different machines or mobile phones to log in?
White listing allows you to add any amount of IP ranges to an ipset. They will have to supply you with the necessary ranges. Obviously you could facilitate that with a page that takes the client's current IP address and returns the right range. Just be creative.


Quote:
Originally Posted by newbie14
Will fail2ban be part of Logwatch?
If configured so, Logwatch output will include both /var/log/secure (or equivalent) output and fail2ban logging, yes.
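The network-layer approach recommended in this thread (-m limit together with --state, plus an ipset whitelist of client ranges) as one firewall fragment; this is an added example, not the poster's own rules. The set name, client ranges and rate values are constructed placeholders, and the script only prints the commands unless run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Firewall fragment for a web server that serves a known set of clients:
# an ipset whitelist of their ranges, -m state so only NEW connections are
# evaluated, and -m limit to throttle everything that is not whitelisted.
DRY_RUN=${DRY_RUN:-1}
IPSET=/usr/sbin/ipset
IPT=/sbin/iptables
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Whitelist: one hash:net set, one entry per client range. Clients who switch
# machines or phones still come from their ISP/office range, so ranges are
# what you collect from them, not single addresses. (Placeholder ranges.)
whitelist_rules() {
    run "$IPSET" create web_clients hash:net -exist
    for net in 192.0.2.0/24 198.51.100.0/24; do
        run "$IPSET" add web_clients "$net" -exist
    done
}

# Port 80 policy: packets of existing connections are accepted outright; only
# NEW connections go through WEB_IN, where whitelisted sources are accepted
# and everyone else shares one token bucket (10/min, burst 20), with the
# overflow logged at a low rate and dropped.
# Caveat: -m limit is a single global bucket; per-source limiting is -m hashlimit.
web_rules() {
    run "$IPT" -N WEB_IN
    run "$IPT" -A WEB_IN -m set --match-set web_clients src -j ACCEPT
    run "$IPT" -A WEB_IN -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
    run "$IPT" -A WEB_IN -m limit --limit 3/minute -j LOG --log-prefix "web-throttle: "
    run "$IPT" -A WEB_IN -j DROP
    run "$IPT" -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 80 -m state --state NEW -j WEB_IN
}

whitelist_rules
web_rules
```

Whitelisted clients are never rate-limited here; if you want them throttled too, move the ipset ACCEPT below the limit rule.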
 
Old 04-26-2013, 09:51 AM   #26
newbie14
Member
 
Dear Unspawn,
When you say review the code, I don't get you on that, but we have not put the DB behind a firewall and it is never accessible from a public IP, only a local IP, as per your previous suggestions. Thank you for the idea on the ipset; I will look further into that. I will try to configure Logwatch and get back in case I get stuck here.
 