LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-07-2010, 02:52 PM   #1
Four20gottalight
web server security advice


Hello everyone,
I am running an Ubuntu LAMP server and slowly learning Linux. I began to notice my auth log filling up with attempts to log in over SSH; the same IPs have also been, I'd guess, probing port 80 for weaknesses but mostly returning 404 errors. I have root login disabled and have no use for SSH.
Because I am new to running a web server and Linux I have been using Webmin and Virtualmin to manage my system. I've found no evidence of any successful hacking attempts, as I have been reading a lot of the information posted on these forums and studying server security. I would like to block all user traffic from everyone but U.S. users, as we cannot sell or service our product to anyone outside of the U.S. I know this may not be a solution to any of my problems but I feel it would narrow down a lot of the potential problems I read about here.
Can someone help me make sense of these log entries?
221.192.199.35 - - [07/Aug/2010:11:32:32 -0400] "GET http://www.wantsfly.com/prx2.php?has...D75DC17FCC5E57 HTTP/1.0" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
221.192.199.35 - - [07/Aug/2010:12:13:32 -0400] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.192.199.35 - - [07/Aug/2010:12:13:49 -0400] "CONNECT www.google.com:443 HTTP/1.0" 405 548 "-" "-"

I am looking for advice on securing my web server. The more I read the more confused I become.

Thank you

Last edited by Four20gottalight; 08-07-2010 at 04:57 PM.
 
Old 08-08-2010, 09:33 AM   #2
unSpawn
Quote:
Originally Posted by Four20gottalight
Can someone help me make sense of these log entries?
221.192.199.35 - - [07/Aug/2010:11:32:32 -0400] "GET http://www.wantsfly.com/prx2.php?has...D75DC17FCC5E57 HTTP/1.0" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
221.192.199.35 - - [07/Aug/2010:12:13:32 -0400] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.192.199.35 - - [07/Aug/2010:12:13:49 -0400] "CONNECT www.google.com:443 HTTP/1.0" 405 548 "-" "-"
http://www.dshield.org/ipinfo.html?ip=61.160.216.63 connected to your system successfully (the "HTTP/1.0" 200 part) and used it as a proxy. Disable mod_proxy. The failed (400) CONNECT means you didn't allow HTTPS traffic to be proxied.

Being new to running a web server and GNU/Linux and selling products are not mutually exclusive. But there is a danger in trying to juggle all responsibilities, especially if you can not (find the time to) do everything well enough. To run a business successfully a client's trust is important. And trust is lost easily. To run a business successfully you need to set priorities. So ask yourself if you want to run your business or your web server. If you choose the first then you could let a trustworthy, more knowledgeable friend run it or hire an admin. If you can't choose then you need to get with the program. Fast. Your priorities are to ensure you are in control of the server and to assess which hardening is necessary. To start with the first you can get some quick wins by running GNU/Tiger and Logwatch on all your logs (I'd rather see you run 'debsums' as well but AFAIK Ubuntu doesn't install that by default). Post the output, preferably in BB code tags, or attach it as a plain text file.

When you're posting your reply please post your full Ubuntu release version, along with a description of which things you have checked wrt compromises and what measures you have already taken to harden your server beyond what you listed in your OP.

Please read some easy security mindset docs like bodhi.zazen's Ubuntu Security, psychocats' Security on Ubuntu and the Ubuntu Documentation > Ubuntu 10.04 > Keeping Your Computer Safe. If you've got no questions, move on to the Ubuntu Security Guides (up to point 6. SSH, ditch the rest, except point 11. SSL), leaving the Securing Debian Manual for last.
 
Old 08-09-2010, 12:35 PM   #3
Four20gottalight
Thank you, unSpawn.
I am running Ubuntu 10.04 LTS. I came to the conclusion yesterday that I would just start over, so I re-installed the OS and am currently hardening the server before I worry about building the website.
1. I have currently closed Webmin access with IP access control to only the localhost IP.
2. Access control: BIND limited to only the localhost IP. Here are last night's logs, but I may be fooling myself in hoping that I've closed the open resolver.
218.8.127.151 - - [09/Aug/2010:09:49:16 -0400] "GET //contact/config.inc.php?p=phpinfo(); HTTP/1.1" 404 475 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
218.8.127.151 - - [09/Aug/2010:09:49:17 -0400] "GET //contact.php/config.inc.php?p=phpinfo(); HTTP/1.1" 404 477 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
88.46.75.27 - - [09/Aug/2010:09:57:37 -0400] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 512 "-" "-"
61.183.15.9 - - [09/Aug/2010:09:57:58 -0400] "GET http://www.wantsfly.com/prx2.php HTTP/1.0" 404 529 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
I am researching disabling mod_proxy, and will get that done quickly.
3. Disabled root login with SSH and have set it with IP access control to only allow certain IPs, with no password authentication, only using secure keys. I read a great tutorial on SSH security yesterday.
I also found one resource that I could understand on securing BIND so it does not act as an open resolver, http://jazzymarketing.com/main/0904/...ng-bind-server, but I am having issues understanding some of the resources I find on BIND itself... but I am learning and constantly working at security issues. The last thing I want is to be a hacker's attack point for those of you who really know what you are doing.
I am beginning to read the resources you have started me with, and just ask that all of you be patient with a simpleton that wants to learn these things. Also, if I haven't clarified what I've done enough, just let me know what you need and I will post the info.
Also I have been reading through the CERT docs in the stickies slowly, but I am getting there.

Last edited by Four20gottalight; 08-09-2010 at 12:38 PM.
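Added example (my own code, not anything posted in this thread): a small Python triage script that does mechanically what unSpawn did by eye on the access-log lines quoted in posts #1 and #3. It parses Apache's Combined Log Format and flags the two request shapes that only make sense against a forward proxy, an absolute http:// URL in the request line or the CONNECT method; a 2xx status on such a request means Apache relayed it, anything else means it was refused. The sample lines are constructed with RFC 5737 documentation addresses and a made-up host name (proxy-check.example), shaped like the thread's entries; the scanner markers (w00tw00t, phpinfo() are taken from the requests quoted in post #3.

```python
"""Triage Apache access-log lines for open-proxy abuse and scanner noise.

Added example for this thread (not code from any poster). It parses the
Combined Log Format and flags requests that only make sense against a
forward proxy: an absolute http(s):// URL in the request line, or the
CONNECT method. A 2xx status on such a request means the server relayed
it; a 4xx/5xx means it was refused. The sample lines are constructed.
"""
import re
from collections import Counter

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures seen in the requests quoted in the thread (post #3).
SCANNER_MARKERS = ("w00tw00t", "phpinfo(")


def parse_line(line):
    """Return a dict of fields, or None if the line is not Combined Log Format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label one parsed record.

    proxy_relayed  - proxy-style request that the server answered with 2xx
    proxy_refused  - proxy-style request that got a non-2xx answer
    scanner_probe  - request target carries a known scanner signature
    normal         - anything else
    """
    method, target, status = rec["method"], rec["target"], int(rec["status"])
    proxy_style = method == "CONNECT" or target.lower().startswith(("http://", "https://"))
    if proxy_style:
        return "proxy_relayed" if 200 <= status < 300 else "proxy_refused"
    if any(marker in target for marker in SCANNER_MARKERS):
        return "scanner_probe"
    return "normal"


def triage(lines):
    """Classify every parseable line; return (per-label counts, clients that got relayed)."""
    counts = Counter()
    relaying_hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        label = classify(rec)
        counts[label] += 1
        if label == "proxy_relayed":
            relaying_hosts.add(rec["host"])
    return counts, relaying_hosts


# Constructed sample lines (RFC 5737 documentation addresses), shaped like the thread's.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2010:11:32:32 -0400] "GET http://proxy-check.example/prx2.php?x=1 HTTP/1.0" 200 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [07/Aug/2010:12:13:49 -0400] "CONNECT www.example.com:443 HTTP/1.0" 405 548 "-" "-"
198.51.100.7 - - [09/Aug/2010:09:49:16 -0400] "GET //contact/config.inc.php?p=phpinfo(); HTTP/1.1" 404 475 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.8 - - [09/Aug/2010:09:57:37 -0400] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 512 "-" "-"
203.0.113.5 - - [09/Aug/2010:09:57:58 -0400] "GET http://proxy-check.example/prx2.php HTTP/1.0" 404 529 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.9 - - [09/Aug/2010:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    counts, hosts = triage(SAMPLE_LOG.splitlines())
    for label, n in sorted(counts.items()):
        print(f"{label:15s} {n}")
    if hosts:
        print("clients that got requests relayed:", ", ".join(sorted(hosts)))
```

On a real host you would feed it the file, e.g. triage(open("/var/log/apache2/access.log")). Any client in the relayed set is confirmation that the proxy modules were reachable from the Internet at that time, which is the condition unSpawn is telling the OP to remove; the refused and scanner counts are background noise that every public web server sees.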
 
Old 08-09-2010, 01:29 PM   #4
Four20gottalight
OK guys, while looking to disable mod_proxy in httpd.conf I've found the following:
1. httpd.conf is blank.
2. In the Virtualmin Apache modules I have the following options that are enabled:
proxy
proxy_balancer
proxy_connect
proxy_http
When I run the command
grep -r ProxyRequests /etc/apache2/*
it shows ProxyRequests is off, but I'm reading that doesn't stop the issue?
 
Old 08-09-2010, 04:47 PM   #5
unSpawn
Quote:
Originally Posted by Four20gottalight
I am running Ubuntu 10.04 LTS. I came to the conclusion yesterday that I would just start over, so I re-installed the OS and am currently hardening the server before I worry about building the website.
OK. If you'd like to meditate for a few seconds before returning to configuring your fresh server, try this post.


Quote:
Originally Posted by Four20gottalight
I have currently closed Webmin access with IP access control to only the localhost IP.
Good. Either that or an httpd.conf Webmin container rule.


Quote:
Originally Posted by Four20gottalight
Access control: BIND limited to only the localhost IP. Here are last night's logs, but I may be fooling myself in hoping that I've closed the open resolver.
I don't see any BIND logs?


Quote:
Originally Posted by Four20gottalight
"GET //contact/config.inc.php?p=phpinfo(); HTTP/1.1" 404
"GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400
"GET http://www.wantsfly.com/prx2.php HTTP/1.0" 404
Notice all HTTP requests have 4xx return codes like 400 (Bad Request) or 404 (Not Found). Good!


Quote:
Originally Posted by Four20gottalight
Disabled root login with SSH and have set it with IP access control to only allow certain IPs.
Sure, nothing bad may have happened yet, but having had any root logins over the network enabled is bad. Good you disabled that.


Quote:
Originally Posted by Four20gottalight
I also found one resource that I could understand on securing BIND so it does not act as an open resolver (..) but I am having issues understanding some of the resources I find on BIND itself...
The URI you posted is a rip-off (obviously, given the domain name) of a post I've read elsewhere. No matter, best secure BIND (using Securing an Internet Name Server (old, PDF) so you understand Securing Debian Manual: 5.7 Securing BIND and finally see Team CYMRU secure BIND Template (most recent)...) before getting into details. BTW, are you sure you need to run a Domain Name Server yourself? If you do, are you sure it needs to be BIND?


Quote:
Originally Posted by Four20gottalight
httpd.conf is blank.
How about 'locate httpd.conf' or 'find /etc /opt /srv /usr -type f -iname httpd.conf 2>/dev/null' or else list the web server package contents?


Quote:
Originally Posted by Four20gottalight
In the Virtualmin Apache modules I have the following options that are enabled:
proxy
proxy_balancer
proxy_connect
proxy_http
If I read http://software.virtualmin.com/lib/v...-standalone.pl (I don't use any web-based administration panels) correctly, it reads "# On Debian and Ubuntu, enable some modules which are disabled by default", so basically it loads the actions, suexec, auth_digest, dav_svn, ssl, dav, dav_fs, fcgid, rewrite, proxy, proxy_balancer, proxy_connect and proxy_http modules without explicit need. Nice. If you can't determine what modules are for, have a look here for proxy, proxy_balancer, proxy_connect and proxy_http info.


Quote:
Originally Posted by Four20gottalight
When I run the command
grep -r ProxyRequests /etc/apache2/*
it shows ProxyRequests is off, but I'm reading that doesn't stop the issue?
Let's check the results of you disabling what you don't need?


Quote:
Originally Posted by Four20gottalight
I am beginning to read the resources you have started me with, and just ask that all of you be patient
Patience you'll find plenty of here. We all started somewhere, right?
 
Old 08-09-2010, 06:44 PM   #6
Four20gottalight
unSpawn,
here's a little history on me that may help clarify some issues.
We manufacture ammunition and firearms as well as various chemicals and compounds, all firearm related; so many products in fact that I could not keep track of them to help customers understand and use these products. So we sent out RFBs for web server services, which all exceeded our budget. We are buying a lot of equipment and materials and just can't afford the lowest bid of almost $4000.00 per year. So we decided at this time to at least build our own web server to, if nothing else, provide product descriptions and tutorials on our products. Never had we really wanted to sell our products online with our own web server, because we did not know enough about securing one. We already pay for hosting for our email and records to ensure that the information is well protected. There is no way that for the next year we will be able to pay for web services, but we do need them.
Above you asked if I needed a DNS server and honestly I don't know. I have 2 domains I want to host and the only reason I am concerned with it is because it comes installed with Virtualmin/Webmin/Usermin. Now I use those interfaces because they have helped me better understand the config files necessary to create a web server.
 
Old 08-10-2010, 04:19 AM   #7
rsciw
Quote:
Originally Posted by Four20gottalight
OK guys, while looking to disable mod_proxy in httpd.conf I've found the following:
1. httpd.conf is blank.
In Debian/Ubuntu the Apache config is in /etc/apache2/apache2.conf.
httpd.conf exists but is generally empty.
Available modules are in apache2/mods-available, and enabled modules are in apache2/mods-enabled.
Disabling mod_proxy just requires removal of the symlinked mod_proxy in mods-enabled.

mod_security is a good tool to have for your Apache server as well, preventing SQL injection, XSS, CSRF etc.
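Added example (my own code, not rsciw's or the OP's) that turns the two points above into a check a new admin can run: on Debian/Ubuntu a module is enabled by a symlink in mods-enabled pointing at its .load file in mods-available (that is what a2enmod/a2dismod manage), and a "ProxyRequests Off" line in a config file says nothing about whether mod_proxy is loaded. The script lists the enabled modules, reports any proxy ones, and separately lists every ProxyRequests directive it finds, so the OP's grep result and the module state are not confused. It builds a throw-away config tree in a temp directory instead of touching the real /etc/apache2; the symlinks it creates are absolute, whereas a2enmod creates relative ones, which makes no difference to the check.

```python
"""Audit a Debian/Ubuntu apache2 config tree for enabled proxy modules.

Added example, not code from any poster in this thread. Point audit() at
/etc/apache2 on a real host; build_sample_tree() constructs a fake tree
mirroring the thread's situation (proxy modules enabled, ProxyRequests Off).
"""
import os
import re
import tempfile

PROXY_MODULES = {"proxy", "proxy_balancer", "proxy_connect", "proxy_http"}
PROXY_REQ_RE = re.compile(r"^\s*ProxyRequests\s+(On|Off)\b", re.IGNORECASE)


def enabled_modules(apache_dir):
    """Module names whose .load file is linked (or present) in mods-enabled."""
    enabled = os.path.join(apache_dir, "mods-enabled")
    if not os.path.isdir(enabled):
        return set()
    return {name[:-5] for name in os.listdir(enabled) if name.endswith(".load")}


def proxy_requests_settings(apache_dir):
    """Every ProxyRequests directive under the tree, as (relative file, value)."""
    found = []
    for root, _dirs, files in os.walk(apache_dir):
        for fn in files:
            if not fn.endswith((".conf", ".load")):
                continue
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    m = PROXY_REQ_RE.match(line)
                    if m:
                        found.append((os.path.relpath(path, apache_dir), m.group(1).capitalize()))
    return found


def audit(apache_dir):
    """Summarise module state and ProxyRequests directives, with the matching a2dismod line."""
    proxy_on = enabled_modules(apache_dir) & PROXY_MODULES
    return {
        "enabled_proxy_modules": sorted(proxy_on),
        "proxy_requests": proxy_requests_settings(apache_dir),
        # ProxyRequests defaults to Off, but a server that never proxies is safest
        # with the modules not loaded at all; that is what a2dismod does.
        "recommendation": ("a2dismod " + " ".join(sorted(proxy_on))) if proxy_on
                          else "no proxy modules enabled",
    }


def build_sample_tree():
    """Construct a fake /etc/apache2 with the four proxy modules enabled (constructed data)."""
    base = tempfile.mkdtemp(prefix="apache2-sample-")
    for sub in ("mods-available", "mods-enabled", "conf.d"):
        os.makedirs(os.path.join(base, sub))
    for mod in sorted(PROXY_MODULES | {"rewrite", "ssl"}):
        target = os.path.join(base, "mods-available", mod + ".load")
        with open(target, "w") as fh:
            fh.write(f"LoadModule {mod}_module /usr/lib/apache2/modules/mod_{mod}.so\n")
        os.symlink(target, os.path.join(base, "mods-enabled", mod + ".load"))
    # A module that is available but deliberately not enabled.
    with open(os.path.join(base, "mods-available", "dav.load"), "w") as fh:
        fh.write("LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so\n")
    with open(os.path.join(base, "apache2.conf"), "w") as fh:
        fh.write("ServerName localhost\n")
    # The line the OP's grep found: it does not unload mod_proxy.
    with open(os.path.join(base, "mods-available", "proxy.conf"), "w") as fh:
        fh.write("<IfModule mod_proxy.c>\n    ProxyRequests Off\n</IfModule>\n")
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    for key, value in audit(tree).items():
        print(f"{key}: {value}")
```

After running the recommended a2dismod line and restarting Apache, re-run the audit and the enabled_proxy_modules list should be empty; that, not the grep output, is the state to aim for.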
 
Old 08-10-2010, 07:21 PM   #8
Four20gottalight
The output of GNU Tiger is more than allowable.
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (couchdb) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (dvhosting) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell.
--WARN-- [pass016w] User kernoops has / as home directory
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (postgres) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (speech-dispatcher) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sshd does not have a valid shell (/usr/sbin/nologin).
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID avahi-autoipd appears to be a dormant account.
--WARN-- [acc021w] Login ID bind appears to be a dormant account.
--WARN-- [acc021w] Login ID libuuid appears to be a dormant account.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
--WARN-- [acc019w] Login ID dewey may be missing a shell initialization file /home/dewey/.shrc.
--WARN-- [inet003w] The port for service sieve is also assigned to service cisco-sccp.
--WARN-- [inet003w] The port for service ndtp is also assigned to service pipe_server.
--WARN-- [inet003w] The port for service ndtp is also assigned to service search.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service sane-port.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
You know, I think I've spent too much time in front of this thing this week. I've popped a nerve!!

Last edited by Four20gottalight; 08-10-2010 at 10:17 PM.
 
Old 08-11-2010, 12:58 PM   #9
unSpawn
Thanks for clarifying.
Quote:
Originally Posted by Four20gottalight
I have 2 domains I want to host and the only reason I am concerned with it is because it comes installed with Virtualmin/Webmin/Usermin. Now I use those interfaces because they have helped me better understand the config files necessary to create a web server.
That's a common misunderstanding. Unlike what one might expect from having used GUI applications in other Operating Systems that come with extensive error checking, hand-holding and F1 / Clippy, using any web-based management panel is no substitute for theoretical knowledge and practical experience.


Quote:
Originally Posted by Four20gottalight
There is no way that for the next year we will be able to pay for web services, but we do need them.
OK. What would you estimate it could cost you in (potential) business having your site unavailable for n hours? Or having a "hacked by culprit X" page displayed for n days without you noticing? Also, what would be the cost for you in hours chasing (perceived) breaches of security? And keeping up to date? Even while basic shared hosting accounts have their weaknesses, from a business perspective the cost of not being responsible for hardware, network, software updates et cetera may outweigh the benefits for the budding (wrt 'net aspects) business and a user new to administering servers. Look, I'm not trying to push you away from your current solution, but this hosting thing may not be your company's core business, so you need to shape up real fast and you need a good starting point. I suggest you set aside one desktop machine and install GNU/Linux on that. Read basic tutorials like Rute and the Securing Debian Manual while you configure and harden your base installation. Only after you have configured and tested your machine should you install your web server, database and other web stack components (no X11 / Xorg and, if you can do without, no panel).


Quote:
Originally Posted by Four20gottalight
Above you asked if I needed a DNS server and honestly I don't know.
Running 'dig ns domain.name' should show the name servers (NS) responsible for domain.name. If you do not have the need to host and control (any part of) the domain name records for these domains yourself then you only need BIND in its caching name-server capacity.


As far as your warnings go, please notice the "-e" and "-E" command line switches when running Tiger, and you can run, say, 'tigexp inet003w', which returns:
"The indicated port number is assigned to another service. This indicates
either a misconfiguration in the services database, or a possible sign
of an intrusion. This should be checked and corrected. If it is not
apparent why it is like this, the system should be checked for other
signs of intrusion."
 
1 members found this post helpful.
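Added example (my own code, not Tiger's, and not anything posted here) that re-implements the logic behind three of the warning IDs in the Tiger output above, so a reader can see what each one is actually testing and re-check a host by hand: pass014w (password locked with '!' or '*' in the shadow field, but the login shell is still a real shell), pass015w (login shell not listed in /etc/shells, which is why the poster's sshd account with /usr/sbin/nologin was flagged) and inet003w (one port/protocol in /etc/services mapped to more than one service name, the case tigexp explains above). The message wording copies Tiger's output from the thread; the passwd, shadow, shells and services text below is constructed, not taken from any real host.

```python
"""Re-implementations of three Tiger checks from the output quoted in this thread.

Added example, not Tiger's own code. The warning IDs and message wording
follow the Tiger output posted above; all sample data is constructed.
  pass014w: password locked ('!' or '*' in shadow) but the login shell is a real shell
  pass015w: login shell not listed in /etc/shells
  inet003w: one port/protocol in /etc/services mapped to several service names
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Split passwd/shadow-style text into field lists, skipping blanks and comments."""
    return [ln.split(":") for ln in (raw.strip() for raw in text.splitlines())
            if ln and not ln.startswith("#")]


def check_accounts(passwd_text, shadow_text, valid_shells):
    """Tiger-style pass014w / pass015w warnings, in /etc/passwd order."""
    locked = {f[0]: f[1].startswith(("!", "*")) for f in parse_colon_file(shadow_text)}
    warnings = []
    for fields in parse_colon_file(passwd_text):
        name, shell = fields[0], fields[6]
        if shell not in valid_shells:
            warnings.append(f"--WARN-- [pass015w] Login ID {name} does not have a valid shell ({shell}).")
        elif locked.get(name, False) and shell not in NOLOGIN_SHELLS:
            warnings.append(f"--WARN-- [pass014w] Login ({name}) is disabled, but has a valid shell.")
    return warnings


def check_services(services_text):
    """Tiger-style inet003w warnings: every port/proto claimed by more than one name."""
    owners = {}
    for line in services_text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments, then split on whitespace
        if len(parts) >= 2 and "/" in parts[1]:     # "name  port/proto [aliases]"
            owners.setdefault(parts[1], []).append(parts[0])
    warnings = []
    for portproto, names in sorted(owners.items()):
        for other in names[1:]:
            warnings.append(f"--WARN-- [inet003w] The port for service {names[0]} "
                            f"is also assigned to service {other}.")
    return warnings


# Constructed sample data (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
dewey:x:1000:1000:Dewey:/home/dewey:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:15000:0:99999:7:::
backup:*:15000:0:99999:7:::
sshd:*:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
dewey:$6$constructed$notarealhash:15000:0:99999:7:::
"""
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}   # nologin absent, as on the poster's box
SAMPLE_SERVICES = """\
# constructed excerpt of /etc/services
ssh          22/tcp
http         80/tcp
postgres     5432/tcp
postgresql   5432/tcp   # second name for the same port
webcache     8080/tcp
http-alt     8080/tcp
"""

if __name__ == "__main__":
    for w in check_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SHELLS):
        print(w)
    for w in check_services(SAMPLE_SERVICES):
        print(w)
```

Reading the checks this way also shows why most of the poster's output is noise rather than a sign of intrusion: Ubuntu ships its system accounts locked in shadow but with /bin/sh as the shell, which is exactly the pass014w pattern, and a stock /etc/services legitimately lists two names for some ports. The fix for the first is setting those shells to /usr/sbin/nologin and adding nologin to /etc/shells; the second only matters if a port mapping is one you did not put there.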
Old 08-11-2010, 09:42 PM   #10
Four20gottalight
I don't want this thread to get into a debate as to what you should and should not attempt, even though I am worried it's starting to turn into that. That is my fault.
And yes, unSpawn, I do appreciate every word of advice and the tutorials you have posted. And you too, rsciw.
Thank you for your time... Really, I mean that!!!
I started this thread because most of the information I find on the net is either outdated or disinformation.
unSpawn, you are right: a GUI control panel is an invitation for people like me to cause security risks and attack points for hackers... (at least that's what I'm reading from your post) for everyone else on the net who actually has the practical and theoretical knowledge.
IMO these proggies like Webmin and others should be configured totally locked down rather than being wide open. I should have to work at learning to unlock the services I need. Only then would I really grasp the idea of securing said services.
What I am looking for is what you have already begun with me...
step 1.
step 2....
Yes, I am asking you to hold my hand as I learn my way through this. I am a Linux child needing parental guidance in my life.
At no point can you discourage me from learning this... Even if I contract out hosting services I still must take responsibility for what they do with the DOJ-ATFE, therefore why ask someone to do something for me that I have no basic understanding of? That is if you're lucky enough to find a hosting service which is willing to allow the sale of firearms and ammunition through them... much less merchant services.
Regulation is the DOJ's way of keeping average people from doing what we are attempting... and I will not fail.
So back to the problem...
Suggested OS for running a web server? I'm pretty sure it's not Ubuntu 10.04.
Suggested documentation for choosing the services needed for said web server, and how to configure as well as secure said services as well as the OS.
I will do the work... I will do the research... I will take responsibility... but I will not continue on my own unless I'm left with no choice... I've tried that and made your server as well as others that much more vulnerable by doing so. I am asking you guys to dumb it down for me!
Hopefully it's one less trouble you will all face... unless you are willing to host my services, allow the DOJ access to your services to investigate my business if they see the need, and provide business documentation as well as fingerprint identification for you and anyone who may work on my services from your local law enforcement... My own ISP will not sign the DOJ paperwork allowing them access to their servers and they are legit... why would I think you would? Trust me, I know; I've read the 1300-page manual for brokering firearms online... why do you think there are so few out there that do!
Sorry for going off on a rant but I'm backed into a corner...
Thank you, unSpawn, for the links to making firewalls easier to understand and configure.

Last edited by Four20gottalight; 08-11-2010 at 10:00 PM.
 
Old 08-12-2010, 03:08 AM   #11
unSpawn
Quote:
Originally Posted by Four20gottalight
I don't want this thread to get into a debate as to what you should and should not attempt, even though I am worried it's starting to turn into that. That is my fault.
No, it is not your fault. In this forum we like to look a bit further than answering simple 'what does X do?' type questions, because not all posters understand the implications of doing things a certain way. Likewise we don't always know the settings or implications of what the OP wants. So asking questions and checking related issues may be a good thing.


Quote:
Originally Posted by Four20gottalight
Thank you for your time... Really, I mean that!!!
You're most welcome. What you should understand is that a thread like this might help others in time who come looking for the same information. So it's all good.


Quote:
Originally Posted by Four20gottalight
So back to the problem... Suggested OS for running a web server? I'm pretty sure it's not Ubuntu 10.04.
That depends on a few things. Are there any business requirements with respect to running certain software? If there are not, then I would say any recent, maintained release of an "Enterprise" distribution with long term support. What you use will be what you are most familiar with: Ubuntu LTS, SuSE Linux Enterprise Server (SLES), Red Hat Enterprise Linux (RHEL) or CentOS, the freely available RHEL "clone" (though that sounds a bit denigrating) w/o the RHEL branding or commercial support.


Quote:
Originally Posted by Four20gottalight
Suggested documentation for choosing the services needed for said web server, and how to configure as well as secure said services as well as the OS.
Start with reading http://www.linuxquestions.org/questi...2/#post4058728 ?


Quote:
Originally Posted by Four20gottalight
Trust me, I know; I've read the 1300-page manual for brokering firearms online... why do you think there are so few out there that do!
I'm aware of quite a lot of rules and regulations but I never had to deal with those provided by the ATFE. Do you have a link to online compliance documentation related to hosting web services to read?
 
  

