web server security advice
Hello everyone,
I am running an Ubuntu LAMP server and slowly learning Linux. I began to notice my auth log filling up with attempts to log in over SSH; the same IPs have also, I'd guess, been probing port 80 for weaknesses, but mostly returning 404 errors. I have root login disabled and have no use for SSH. Because I am new to running a web server and Linux I have been using Webmin and Virtualmin to manage my system. I've found no evidence of any successful hacking attempts, as I have been reading a lot of the information posted on these forums and studying server security. I would like to block all user traffic from everyone but U.S. users, as we cannot sell or service our product to anyone outside of the U.S. I know this may not be a solution to any of my problems, but I feel it would narrow down a lot of the potential problems I read about here. Can someone help me make sense of these log entries?

221.192.199.35 - - [07/Aug/2010:11:32:32 -0400] "GET http://www.wantsfly.com/prx2.php?has...D75DC17FCC5E57 HTTP/1.0" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
221.192.199.35 - - [07/Aug/2010:12:13:32 -0400] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.192.199.35 - - [07/Aug/2010:12:13:49 -0400] "CONNECT www.google.com:443 HTTP/1.0" 405 548 "-" "-"

I am looking for advice on securing my web server. The more I read the more confused I become. Thank you |
Being new to running a web server and GNU/Linux and selling products are not mutually exclusive. But there is a danger in trying to juggle all responsibilities, especially if you cannot (find the time to) do everything well enough. To run a business successfully a client's trust is important. And trust is lost easily. To run a business successfully you need to set priorities. So ask yourself if you want to run your business or your web server. If you choose the first then you could let a trustworthy, more knowledgeable friend run it or hire an admin. If you can't choose then you need to get with the program. Fast. Your priorities are to ensure you are in control of the server and assess which hardening is necessary. To start with the first you can get some quick wins by running GNU/Tiger and Logwatch on all your logs (I'd rather see you run 'debsums' as well, but AFAIK Ubuntu doesn't install that by default). Post the output, preferably in BB code tags, or attach as a plain text file. When you're posting your reply please post your full Ubuntu release version, along with a description of which things you have checked wrt compromises and what measures you took already to harden your server beyond what you listed in your OP. Please read some easy security mindset docs like bodhi.zazen's Ubuntu Security, psychocats' Security on Ubuntu and the Ubuntu Documentation > Ubuntu 10.04 > Keeping Your Computer Safe. If you've got no questions move on to the Ubuntu Security Guides (up to point 6. SSH, ditch the rest, except point 11. SSL), leaving the Securing Debian Manual for last. |
Thank you Unspawn
I am running Ubuntu 10.04 LTS. I came to the conclusion yesterday that I would just start over, so I re-installed the OS and am currently hardening the server before I worry about building the website.

1. I have currently closed Webmin access with IP access control to only the localhost IP.
2. Access control: bind to only the localhost IP. Here's last night's logs, but I may be fooling myself in hoping that I've closed the open resolver.

218.8.127.151 - - [09/Aug/2010:09:49:16 -0400] "GET //contact/config.inc.php?p=phpinfo(); HTTP/1.1" 404 475 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
218.8.127.151 - - [09/Aug/2010:09:49:17 -0400] "GET //contact.php/config.inc.php?p=phpinfo(); HTTP/1.1" 404 477 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
88.46.75.27 - - [09/Aug/2010:09:57:37 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 512 "-" "-"
61.183.15.9 - - [09/Aug/2010:09:57:58 -0400] "GET http://www.wantsfly.com/prx2.php HTTP/1.0" 404 529 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

I am researching disabling mod_proxy, and will get that done quickly.

3. Disabled root login with SSH and have set it with IP access control to only allow certain IPs, with no password authentication, only using secure keys. I read a great tutorial on SSH security yesterday.

I also found one resource that I could understand on securing BIND so it does not act as an open resolver, http://jazzymarketing.com/main/0904/...ng-bind-server, but I am having issues understanding some of the resources I find on BIND itself... but I am learning and constantly working at security issues. The last thing I want is to be a hacker's attack point for those of you who really know what you are doing. I am beginning to read the resources you have started me with, and just ask that all of you be patient with a simpleton who wants to learn these things. Also, if I haven't clarified what I've done enough, just let me know what you need and I will post the info.
Also I have been reading through the CERT docs in the stickies slowly, but I am getting there. |
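An added example, not code from the thread or any of its posters: a small Python classifier that runs over access-log lines like the ones quoted in the two posts above and separates open-proxy probes (a request line carrying a full URL, or CONNECT) from known scanner signatures (w00tw00t, phpinfo()) and ordinary hits, then counts them per source IP. The sample lines are constructed from the entries quoted above plus one ordinary hit, and Apache's default "combined" log format is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the access-log lines quoted in this thread
# (plus one ordinary hit from a documentation-range IP); assumes Apache's default
# "combined" log format.
SAMPLE_LOG = """\
221.192.199.35 - - [07/Aug/2010:11:32:32 -0400] "GET http://www.wantsfly.com/prx2.php HTTP/1.0" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
221.192.199.35 - - [07/Aug/2010:12:13:49 -0400] "CONNECT www.google.com:443 HTTP/1.0" 405 548 "-" "-"
218.8.127.151 - - [09/Aug/2010:09:49:16 -0400] "GET //contact/config.inc.php?p=phpinfo(); HTTP/1.1" 404 475 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
88.46.75.27 - - [09/Aug/2010:09:57:37 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 512 "-" "-"
192.0.2.10 - - [09/Aug/2010:10:00:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The fields we need from each line: client IP, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Request-target fragments seen in the thread's logs; both are well-known
# vulnerability-scanner signatures rather than real visitors.
SCANNER_MARKERS = ("w00tw00t", "phpinfo(", "config.inc.php")

def classify(line):
    """Return (ip, category, status) for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
        # A full URL (or CONNECT host:port) in the request line is addressed to a
        # proxy, not to this site: the sender is testing whether the box relays
        # traffic. If such lines get 2xx answers, re-check that mod_proxy is off.
        category = "proxy-probe"
    elif any(marker in target for marker in SCANNER_MARKERS):
        category = "scanner"
    else:
        category = "normal"
    return m["ip"], category, status

def summarize(log_text):
    """Count each category per source IP, e.g. {'1.2.3.4': {'proxy-probe': 2}}."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            ip, category, _ = parsed
            per_ip[ip][category] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}
```

Point it at a real access.log by reading the file and passing its text to summarize(); any IP whose counts contain only "normal" is a visitor, the rest are worth a closer look.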
OK guys, while looking to disable mod_proxy in httpd.conf I've found the following:
1. httpd.conf is blank.
2. In the Virtualmin Apache modules page I have the following options enabled: proxy, proxy_balancer, proxy_connect, proxy_http. When I run the command grep -r ProxyRequests /etc/apache2/* it shows proxy requests are off, but I'm reading that doesn't stop the issue? |
unspawn
Here's a little history on me that may help clarify some issues. We manufacture ammunition and firearms as well as various chemicals and compounds, all firearm related. So many products, in fact, that I could not keep track of them to help customers understand and use these products. So we sent out for RFBs for web server services, which all exceeded our budget. We are buying a lot of equipment and materials and just can't afford the lowest bid of almost $4000.00 per year. So we decided at this time to at least build our own web server to, if nothing else, provide product descriptions and tutorials on our products. Never had we really wanted to sell our products online with our own web server, because we did not know enough about securing one. We already pay for hosting for our email and records to ensure that the information is well protected. There is no way that for the next year we will be able to pay for web services, but we do need them. Above you asked if I needed a DNS server and honestly I don't know. I have 2 domains I want to host and the only reason I am concerned with it is because it comes installed with Virtualmin/Webmin/Usermin. Now I use those interfaces because they have helped me better understand the config files necessary to create a web server. |
httpd.conf exists but is generally empty. Available modules are in apache2/mods-available, and enabled modules are in apache2/mods-enabled. Disabling mod_proxy just requires removal of the symlinked mod_proxy in mods-enabled. mod_security's a good tool to have for your Apache server as well, preventing SQL injection, XSS, CSRF etc. |
The output of GNU Tiger is more than allowable.

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (couchdb) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (dvhosting) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell.
--WARN-- [pass016w] User kernoops has / as home directory
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (postgres) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (speech-dispatcher) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sshd does not have a valid shell (/usr/sbin/nologin).
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID avahi-autoipd appears to be a dormant account.
--WARN-- [acc021w] Login ID bind appears to be a dormant account.
--WARN-- [acc021w] Login ID libuuid appears to be a dormant account.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
--WARN-- [acc019w] Login ID dewey may be missing a shell initialization file /home/dewey/.shrc.
--WARN-- [inet003w] The port for service sieve is also assigned to service cisco-sccp.
--WARN-- [inet003w] The port for service ndtp is also assigned to service pipe_server.
--WARN-- [inet003w] The port for service ndtp is also assigned to service search.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service sane-port.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.

You know, I think I've spent too much time in front of this thing this week. I've popped a nerve!! |
Thanks for clarifying.
As far as your warnings go, please notice the "-e" and "-E" command line switches when running Tiger, and you can run, say, 'tigexp inet003w', which returns: "The indicated port number is assigned to another service. This indicates either a misconfiguration in the services database, or a possible sign of an intrusion. This should be checked and corrected. If it is not apparent why it is like this, the system should be checked for other signs of intrusion." |
I don't want this thread to get into a debate as to what you should and should not attempt, even though I am worried it's starting to turn that way. That is my fault.
And yes Unspawn, I do appreciate every word of advice and the tutorials you have posted. And you too rsciw, thank you for your time... Really, I mean that!!! I started this thread because most of the information I find on the net is either outdated or disinformation. Unspawn, you are right: a GUI control panel is an invitation for people like me to cause security risks and attack points for hackers... (at least that's what I'm reading from your post) for everyone else on the net who actually has the practical and theoretical knowledge. IMO these programs like Webmin and others should be configured totally locked down rather than being wide open. I should have to work at learning to unlock the services I need. Only then would I really grasp the idea of securing said services. What I am looking for is what you have already begun with me... step 1, step 2... Yes, I am asking you to hold my hand as I learn my way through this. I am a Linux child needing parental guidance in my life. At no point can you discourage me from learning this... even if I contract out hosting services I still must take responsibility for what they do with the DOJ-ATFE, therefore why ask someone to do something for me that I have no basic understanding of? If you're lucky enough to find a hosting service which is willing to allow the sale of firearms and ammunition through them... much less merchant services. Regulation is the DOJ's way of keeping average people from doing what we are attempting... and I will not fail. So back to the problem... Suggested OS for running a web server? I'm pretty sure it's not Ubuntu 10.04. Suggested documentation on choosing the services needed for said web server, and how to configure as well as secure said services as well as the OS. I will do the work... I will do the research... I will take responsibility... but I will not continue on my own unless I'm left with no choice...
I've tried that and made your server as well as others that much more vulnerable by doing so. I am asking you guys to dumb it down for me! Hopefully it's one less trouble you will all face, unless you are willing to host my services, allow the DOJ access to your services to investigate my business if they see the need, and provide business documentation as well as fingerprint identification for you and anyone who may work on my services from your local law enforcement. My own ISP will not sign the DOJ paperwork allowing them access to their servers, and they are legit... why would I think you would? Trust me, I know, I've read the 1300 page manual for brokering firearms online... why do you think there are so few out there that do! Sorry for going off on a rant but I'm backed into a corner. Thank you Unspawn for the links to making firewalls easier to understand and configure |