LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-09-2010, 07:40 AM   #1
krilen
Member
 
Registered: Mar 2004
Distribution: CentOS, FreeBSD
Posts: 31

Security


Hi.

I have installed my Linux server on the Internet without a router/firewall in between. To secure it I used iptables and it works fine. The problem is that I'm not feeling secure enough with only iptables.

Is there anything else that I can install to make my server more secure and get rid of my paranoid feelings? Or other tips.

Thanks in advance
Krister
 
Old 02-09-2010, 07:45 AM   #2
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 396
Blog Entries: 71

Do you have some services running on your computer? Ones that are forwarded through iptables and available from the net? If not, there is probably no reason to do anything else. You can just make sure iptables drops all unrequested packets (iptables -L shows you the default policies).
In case you are planning to allow someone to access your system, you'll probably need to check the configuration of that exact service. When you have that need, come back here and ask us for help.

Last edited by Web31337; 02-09-2010 at 07:48 AM.
 
Old 02-09-2010, 08:02 AM   #3
krilen
Member
 
Registered: Mar 2004
Distribution: CentOS, FreeBSD
Posts: 31

Original Poster
security paranoid

Thanks for the quick response.

Right now I only have ssh and httpd open in iptables.

My iptables -L:
--------------------------------------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
--------------------------------------------------

Anything wrong with my iptables?

In the future I want to open more services: mail, smtp, dns and so on.

Thanks
Krister
 
Old 02-09-2010, 08:11 AM   #4
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 396
Blog Entries: 71

The suggested policy for INPUT and FORWARD is DROP. At least it's the one I have been using on my router for a long time already without any impact. That adds safety (but don't assume it will save you from all problems).
About sshd: do you have it secured? You don't allow root login? Do you use the fail2ban tool? Or just a list of allowed users with unique names?
About httpd: do you have dynamic content there (python, perl, php, cgi, etc.)? Did you configure them in a secure way?
 
Old 02-09-2010, 08:24 AM   #5
krilen
Member
 
Registered: Mar 2004
Distribution: CentOS, FreeBSD
Posts: 31

Original Poster
I do allow root to log in directly, maybe not a good idea; how can I fix it? I have not installed fail2ban, but this looks promising, I will check it out; this is exactly why I posted this thread. Right now no other user has access to the server, but that might also change.

I have installed php and perl. MySQL is only allowed locally; python I do not know, I don't think I added that support to apache (version 1.3.37).

I must mention that I have installed this server to use as a test/development server. When I have figured everything out I will reinstall everything, hopefully.

Thanks
Krister
 
Old 02-09-2010, 08:26 AM   #6
jschiwal
Moderator
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 14,972

It doesn't seem that your firewall is doing what you want it to. Perhaps start with the security GUI module to configure your firewall. Make sure it is enabled. It should just allow the ssh & http(s) ports on input. I don't think it is even enabled, and the rules there, if it were, allow many more services such as IPP.

Also pick up a book on securing Linux servers. It sounds like you have a standalone server (bastion host). Besides the firewall configuration, you should do more. Make a list of binaries & services you are running. Which ones are not necessary? Don't install what you don't need. Move ssh to a high order port and use public key authentication. Disable root logins for ssh. Use AllowUsers to deny attempts from other users. Hunt for suid binaries.

This book looks pretty good because it seems to cover all these items. Not just iptables rules:
http://www.amazon.com/Building-Inter.../dp/1565928717

Securing your web server is another matter to address.
 
Old 02-09-2010, 10:55 AM   #7
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 396
Blog Entries: 71

Quote:
Originally Posted by jschiwal
Make a list of binaries & services you are running. Which ones are not necessary? Don't install what you don't need.
Too restrictive, don't you think? Not RUNNING the services which aren't required is a good point, but what's the point of uninstalling? If a cracker won't gain root, it isn't too helpful to him if there are binaries of some vulnerable server available. He can bring his own anyway.
And a newbie user will most probably remove something that is actually needed, leaving something that isn't.

SSH pubkey auth FTW, it's enabled by default in most distributions containing sshd. "PermitRootLogin no" will fix the root login issue.

Your apache httpd server version is old; consider installing a fresher one, in case your distro maintainer doesn't keep it up to date internally without increasing the version number (say, Debian).

PHP security is another separate story as well, it involves many things.

Last edited by Web31337; 02-09-2010 at 10:56 AM.
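As an added illustration (not code from the thread), a small POSIX shell audit of the sshd_config settings the posts above recommend: PermitRootLogin no, key-only authentication, an AllowUsers list, and jschiwal's suggestion of a non-default port. The function names, the OK/FAIL/WARN output format and the sample sshd_config it reads are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings recommended above. Prints one OK/FAIL/WARN line per check; the
# function's return value is the number of FAILed checks. Names and output
# format are my own choices; the sample config at the bottom is constructed.

# effective_value FILE KEYWORD: first uncommented value for KEYWORD.
# sshd honours the first occurrence of a keyword, so "head -n 1" mirrors it.
effective_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# audit_sshd_config FILE
audit_sshd_config() {
    f=$1; fails=0
    root=$(effective_value "$f" PermitRootLogin)
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}'; set it to no"; fails=$((fails+1)); fi

    pw=$(effective_value "$f" PasswordAuthentication)
    if [ "$pw" = "no" ]; then echo "OK   PasswordAuthentication no (keys only)"
    else echo "FAIL PasswordAuthentication is '${pw:-unset}'; use keys, then set it to no"; fails=$((fails+1)); fi

    if [ -n "$(effective_value "$f" AllowUsers)" ]; then echo "OK   AllowUsers list present"
    else echo "FAIL no AllowUsers line; list the accounts that may log in"; fails=$((fails+1)); fi

    port=$(effective_value "$f" Port)
    if [ -n "$port" ] && [ "$port" != "22" ]; then echo "OK   Port $port (non-default)"
    else echo "WARN Port is ${port:-22}; a high port cuts log noise but is not a security control"; fi
    return "$fails"
}

# Constructed sample resembling a stock config of that era: root login left
# at its default, passwords on, no AllowUsers. Removed again on exit.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

if audit_sshd_config "$SAMPLE"; then echo "all checks passed"
else echo "$? check(s) failed"; fi
```

Point it at /etc/ssh/sshd_config as root to audit the real file; remember that sshd must be reloaded before an edited setting takes effect.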
 
Old 02-10-2010, 02:30 AM   #8
krilen
Member
 
Registered: Mar 2004
Distribution: CentOS, FreeBSD
Posts: 31

Original Poster
Thanks Web31337

I will fix root access to ssh and upgrade my apache.

I think for now I am feeling a little bit more secure.

/Krister
 
Old 02-10-2010, 05:51 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 20,988
Blog Entries: 44

Quote:
Originally Posted by Web31337 View Post
Too restrictive, don't you think? Not RUNNING the services which aren't required is a good point, but what's the point of uninstalling?
Hardening a machine, as in disabling services, restricting and limiting access, minimizing exposure, is (or should be) good practice. Not installing what you don't need right now is also good practice, since by doing that you will limit the number of vulnerabilities found on a machine at any one point in time, you will limit the risk (the number of opportunities) for a cracker to abuse the machine once a foothold is gained, and it will save maintenance time.


Quote:
Originally Posted by Web31337 View Post
If a cracker won't gain root, it isn't too helpful to him if there are binaries of some vulnerable server available. He can bring his own anyway.
With all due respect, that's arguing the other way around. OK, unless you're one of those people that will blithely refuse to wear a seatbelt since you've calculated the risk of you doing the collision thing is one in a gazillion... If you mean that the practice of not installing SW doesn't keep away webserver account compromises through the application layer (as in misconfiguration, vulnerabilities like LFI, RFI, injections, et cetera: see for instance the SANS Top 20, the OWASP Vulnerability list, the WASC Threat Classification and the WHID) then you're right, but that should be dealt with in other ways. Misconfiguration of web stack components simply points to lack of knowledge or misunderstanding of settings. Some vulnerabilities can be avoided by not installing certain software or modules. Vulnerabilities should be dealt with by immediately installing updates when they are released, restricting access (for instance to, say, a /phpmyadmin path), limiting access (as in 'iptables -m recent') and running web application firewalls or intrusion detection tools like mod_security, PHP IDS, GreenSQL, running Hardened PHP if possible. One of the things people often forget is giving enough attention to logging. Most attacks will be preceded by reconnaissance and as such watching logs (Logwatch*) can tell you well in advance about the moves the wrecking crew will make. The same goes for watching other services: seeing a huge amount of outgoing email traffic on certain hosts should trigger an investigation wrt spam practices.


Quote:
Originally Posted by Web31337 View Post
And a newbie user will most probably remove something that is actually needed, leaving something that isn't.
Two terms for you: theoretical knowledge and practical experience. Both take time. New users should adjust their expectations accordingly. Likewise some types of users should kick themselves in the head if they keep thinking that using some web-based control panel makes them "Linux admins" overnight. It clearly does not.


Quote:
Originally Posted by krilen
I think for now I am feeling a little bit more secure.
As jschiwal already indicated, hardening a machine starts (at installation time) by not installing what you don't need right now. After that one should install and regularly use a file integrity checker (Samhain, Osiris, Integrit, Aide) and logwatcher (Logwatch, SEC), remove unnecessary components (on a headless server you generally speaking would not want Xorg/X11, compilers), configure user, service and host access (PAM limits, account aging, cron.deny, hosts.deny, firewall to name a few) and test the setup using scanners like GNU/Tiger, OpenVAS, Nikto et cetera. After adjusting one could install the web stack, configure it and repeat the scanning (also see: Wapiti, W3AF, Powerfuzzer, Grendel-Scan, Grabber). For more you could check out the LQ FAQ: Security references.

Last edited by unSpawn; 02-10-2010 at 06:01 AM. Reason: //More *is* more...
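As an added example (not from the thread), the DROP default policy Web31337 recommends in post #4 combined with the 'iptables -m recent' rate limiting unSpawn mentions above, written as an iptables-restore ruleset for the OP's situation (only ssh and http open, everything else refused). The function name, the 60-second/5-attempt threshold and the SSH_PORT/HTTP_PORT variables are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables-restore ruleset that
# replaces the OP's "policy ACCEPT + trailing REJECT" layout with the DROP
# default policy suggested in the thread, keeps ssh/http open, and rate-limits
# new ssh connections per source with the "recent" match unSpawn mentions.
# The function only prints the ruleset; review it, then load it as root with
#   hardened_ruleset | iptables-restore --test   # syntax check only
#   hardened_ruleset | iptables-restore          # apply
# SSH_PORT and HTTP_PORT are assumptions; adjust if you moved sshd elsewhere.

SSH_PORT=${SSH_PORT:-22}
HTTP_PORT=${HTTP_PORT:-80}

hardened_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established traffic first; most packets match here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMP is needed for path MTU discovery and is handy for diagnostics.
-A INPUT -p icmp -j ACCEPT
# SSH: the 5th new connection from one source within 60 s is dropped (brute-force brake).
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# HTTP: open to the world; the web stack itself still needs hardening.
-A INPUT -p tcp --dport $HTTP_PORT -m state --state NEW -j ACCEPT
# Everything else falls through to the DROP policy; log a sample first.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# count_open_ports: how many ports the ruleset accepts NEW connections on.
count_open_ports() {
    hardened_ruleset | grep -c -- '--state NEW -j ACCEPT'
}
```

Keep an out-of-band way to reach the box (console, or an `at` job that flushes the rules) the first time you load a DROP policy, since a typo in the ssh rule locks you out.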