Quote: Originally Posted by SoX|OK
As far as I know, no further network service is up and running, except ssh.
Excellent.
* I always forget (and then have trouble finding the post) to add that apt should use debsums and a configuration somewhat like this (please verify if still valid).
* I hope you implement a backup scheme that saves copies of files and dirs off-site. This should include your /etc tree, your /var/.*/apt tree, the samhain database and rkhunter.{conf,dat}.
* I also forgot that all reporting should not go to root but to the mailbox of an unprivileged user who will (must) read root email.
Quote: Originally Posted by SoX|OK
Installed Samhain, logwatch, chkrootkit & rkhunter.
- Chkrootkit doesn't need any configuration or additional tools (just a first run to check for errors) after which you can make a cronjob for it.
- Logwatch doesn't need much configuration either as long as you make sure the cronjob processes the logs of all services (also see
ignore.conf to avoid displaying loglines you have verified to be harmless) and make sure you set the logging level to at least "Medium".
- Rootkit Hunter requires you to install 'lsof', 'skdet' and 'unhide'. Review rkhunter.conf (since the machine got compromised before you may elect to use "suspscan" on temp dirs and Apache docroot), then run 'rkhunter --propupd' to set a baseline.
- Samhain is a continuously running process and offers features most others don't have like its own LKM for checking kernel structures, a client-server setup, integrity checking and protection of itself using process hiding, encryption and steganography. Samhain needs configuring (also see attached "samhain_post.sh" to get kernel values and config example "samhain_conf_example" which you must not use unaltered) and might require rebuilding if you're missing features to use (see [1, 2, 3]). Which options you choose depends on the purpose of the machine and auditing requirements and maintenance trade-offs (for instance Samhain's LKM needs to be recompiled for each kernel upgrade). I doubt you'll need advanced self-protection like process hiding or stego. Note it is vital to get file integrity verification up and running as soon as possible.
Quote: Originally Posted by SoX|OK
I will read the man for hosts asap.
In this quick example:
Code:
ssh: 127.0.0.1, 192.168.1., 128.1.
"ssh" is the known name of the service as defined in /etc/services (try 'getent services ssh'), "127.0.0.1" the single loopback address (read "127.0.0.1/24"), "192.168.1." a "192.168.1.0/32" IP range and "128.1." a "128.1.0.0/16" IP range (notice the trailing dots).
Quote: Originally Posted by SoX|OK
Done.
Code:
-WARN-- [pass014w] Login ($LOGNAME) is disabled, but has a valid shell.
- This is a system account, necessary to run a service. Review if you need (to remove) the service which should remove the account.
- Possible targets for removal are: irc (there should not be IRC software or an IRC daemon on the system at this stage), games (this is a server), news (you're not running an NNTP daemon).
- Review the other system accounts for the need of a shell. For instance Apache does not need one and can use any inert binary as shell like /sbin/nologin or /bin/false.
- Set password aging and stronger password for root and all unprivileged (human) accounts.
Code:
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
As root run 'pwck -r' manually and review output. Output of form "user $LOGNAME: directory /some/dirname does not exist" is acceptable.
Code:
--WARN-- [acc021w] Login ID citadel appears to be a dormant account.
What is this account related to?
Code:
--WARN-- [acc006w] Login ID libuuid's home directory (/var/lib/libuuid) has group `106' write access.
Run 'getent passwd 106'.
Code:
--WARN-- [root003w] Root user has message capability turned on.
In /root/.bashrc set
.
Code:
--WARN-- [cron004w] Root crontab does not exist
Good!
Code:
--WARN-- [cron005w] Use of cron is not restricted
See manual page about /etc/cron.{deny,allow}. (Same should apply to the 'at' service.)
Code:
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600
All users must be able to read in /etc, but no user except root has any business reading /boot. Chmod files to 0640.
Code:
--WARN-- [boot06] The Grub bootloader does not have a password configured.
Best ignored on remote servers ;-p
Code:
--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in runlevels 12345
Comment out the "ctrlaltdel" line in /etc/inittab and also the "powerfail"/"powerokwait" lines if you don't use a UPS. Since this is a remote server you can also choose to reduce the amount of mingetty lines to say two.
Code:
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
Add line "umask 027" or "umask 022" depending on your needs.
Code:
--WARN-- [lin012w] The system accepts ICMP redirection messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
Code:
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Code:
--FAIL-- [lin016f] The system permits source routing from incoming packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
Code:
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
* Attach output of
Code:
sysctl -a | egrep -ie "(ip_always_defrag|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|accept_redirects|send_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|tcp_syncookies|ip_default_ttl|tcp_max_syn_backlog|tcp_syn_retries|mtu_expires|tcp_keepalive_time|icmp_echoreply_rate|tcp_fin_timeout|tcp_rfc1337|ip_no_pmtu_disc|panic|panic_on_oops)"|tr '.' '/'| awk '{print "echo", $3, "> /proc/sys/"$1}'|column -t
Code:
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
Looks good to me?..
Code:
--FAIL-- [logf001f] Log file /var/log/wtmp does not exist
--FAIL-- [logf002f] Log file /var/log/btmp does not exist
Create /var/log/wtmp with owner "root" and group "utmp", access rights might be 0664.
Create /var/log/btmp with owner "root" and group "utmp", access rights might be 0640.
* If warnings are logged (IIRC SSH) then try 0644.
Code:
--ERROR-- [init001e] Don't have required command LSOF.
You should really install this indispensable tool.
Code:
--WARN-- [lin002i] The process `sshd' is listening on socket XX (TCP) on every interface.
It is recommended to configure AllowGroups/AllowUsers in sshd_config, and set tcp wrappers for SSH, and protect by firewall rule, and use fail2ban or equivalent.
Code:
--WARN-- [ssh004w] The PasswordAuthentication directive in /etc/ssh/sshd_config is set to the unapproved defult value: yes.
Apparently you still allow password auth (as fallback?). Not good.
Code:
--FAIL-- [netw020f] There is no /etc/ftpusers file.
This should be configured before running the FTP daemon.
Code:
--WARN-- [xxxxx] The following files are unowned: /var/lib/libuuid
--WARN-- [xxxxx] The following files have undefined groups ownership: /var/lib/libuuid
I don't know who it should be owned by but this should be corrected I think.
Code:
11:33> Security report completed for soxserver.
Well done. It is advisable to rerun Tiger after you have added services.
* If there is anything that is unclear: ask. If there's anything you think implementing could constitute a loss of service, do consider using a local workstation (or virtualization) for testing. Note that using a staging machine to test things before moving to production is not only safe but when synchronized it also provides you with a backup.
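As an added example (not code from the original post or from Tiger), here is a POSIX sh script that audits the kernel network keys flagged in the [lin012w]/[lin013f]/[lin016f]/[lin017w] findings above against hardened values and emits the same echo-style fixes for whatever has drifted. The expected values for rp_filter, secure_redirects and the two icmp_* keys are assumptions taken from common hardening guidance, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit the kernel network keys
# Tiger flagged above by reading /proc/sys directly (no sysctl binary needed).
# Usage: sh audit_sysctl.sh --live   (audits the real /proc/sys tree)
# Expected values for rp_filter, secure_redirects and the icmp_* keys are
# assumed from common hardening guidance; the rest are the post's.
# One key=expected per line; keys are paths relative to /proc/sys.
HARDENED_SYSCTLS='
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/secure_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
'

# audit_sysctl ROOT: print OK/DRIFT/MISSING per key; return 0 only when all
# keys hold their hardened value. ROOT is /proc/sys on a live box; any other
# directory with the same layout can be audited (used for testing).
audit_sysctl() {
    root=$1; rc=0
    for entry in $HARDENED_SYSCTLS; do
        key=${entry%%=*}; want=${entry#*=}; file="$root/$key"
        if [ ! -r "$file" ]; then
            printf 'MISSING %s (expected %s)\n' "$key" "$want"; rc=1
        elif [ "$(cat "$file")" = "$want" ]; then
            printf 'OK      %s=%s\n' "$key" "$want"
        else
            printf 'DRIFT   %s=%s (expected %s)\n' "$key" "$(cat "$file")" "$want"; rc=1
        fi
    done
    return $rc
}

# fix_sysctl ROOT: emit, in the post's "echo N > /proc/sys/..." style, one
# command per existing key that is not at its hardened value.
fix_sysctl() {
    root=$1
    for entry in $HARDENED_SYSCTLS; do
        key=${entry%%=*}; want=${entry#*=}
        [ -r "$root/$key" ] || continue
        [ "$(cat "$root/$key")" = "$want" ] && continue
        printf 'echo %s > /proc/sys/%s\n' "$want" "$key"
    done
}
if [ "${1:-}" = "--live" ]; then audit_sysctl /proc/sys; fi
```

The echo commands only last until reboot; turn each key's slashes into dots (net.ipv4.conf.all.rp_filter = 1) and put the lines in /etc/sysctl.conf so they are reapplied at boot.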