LinuxQuestions.org
Forum: Linux - Security
Old 11-18-2009, 12:47 PM   #1
OffbeatAdam
Beyond noexec on /tmp


Greetings,

I had a previous post about sshd_config; I'm going to post what I found there, however we're in another bind at this point.

Compromised boxen, obvious answer - move off.

In a large task though, this can be difficult, as we have to move them via cpanel - no easy or fast way to do this.

We can prevent the attacks from recurring at least a little bit, by adding in some additional security. I've locked down the boxes from ACCESS, however exploits in /tmp are still very possible because of the compromises.

I need to stop this.

noexec, as many already know, is useless as anything more than a minor "idiot" deterrent, as... doing /bin/sh /tmp/script works regardless.

I need to stop that.

I've searched and searched, but even in google the top replies are the normal secure tmp crap that does noexec and nosuid.

Anyone have any suggestions?

I realize I could use SELinux but I've never been successful in a cpanel environment with having it work, without a few days worth of work, and in the current situation I don't have the time.

Thanks ahead of time.

Thanks,

Adam
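Since noexec only stops the kernel from executing a file directly, a defender's fallback is to watch for the interpreter pattern described above. As an added example (not code from the thread or any of its posters), this parses auditd EXECVE records, which auditd emits when an execve audit rule is loaded, and flags an interpreter being handed a script under /tmp, /var/tmp or /dev/shm. The sample records are constructed, and the interpreter list and watched directories are assumptions to tune for a given host.

```python
import re

# Interpreters that will run a script read from a noexec mount: the kernel only
# refuses to execve() the file itself, not an interpreter that opens it.
INTERPRETERS = {"sh", "bash", "dash", "ksh", "perl", "python", "php", "ruby"}
# World-writable locations that are commonly mounted noexec (assumed list).
WATCHED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# auditd writes each argv entry as aN="..." or, when it contains whitespace or
# control characters, as aN=<hex> without quotes.
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(record: str) -> list:
    """Return argv from an auditd EXECVE record, decoding hex-encoded args."""
    args = {}
    for idx, quoted, hexed in _ARG_RE.findall(record):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def is_interpreter_bypass(argv: list) -> bool:
    """True when an interpreter is handed a script path under a watched directory."""
    if not argv:
        return False
    interp = re.sub(r"[\d.]+$", "", argv[0].rsplit("/", 1)[-1])  # python2.4 -> python
    if interp not in INTERPRETERS:
        return False
    return any(arg.startswith(WATCHED_DIRS) for arg in argv[1:])

def scan_records(records: list) -> list:
    """Return argv of every EXECVE record that looks like a noexec bypass."""
    hits = []
    for rec in records:
        if "type=EXECVE" in rec:
            argv = parse_execve(rec)
            if is_interpreter_bypass(argv):
                hits.append(argv)
    return hits

# Constructed sample records (not from the thread or any real audit log).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1258561632.123:456): argc=2 a0="/bin/sh" a1="/tmp/script"',
    'type=EXECVE msg=audit(1258561640.001:457): argc=3 a0="/usr/bin/perl" a1="-w" a2="/var/tmp/.x/run.pl"',
    'type=EXECVE msg=audit(1258561650.500:458): argc=2 a0="/bin/sh" a1="/usr/local/bin/backup.sh"',
    'type=EXECVE msg=audit(1258561660.200:459): argc=2 a0="/bin/bash" a1=2F746D702F6D7920736372697074',
]

if __name__ == "__main__":
    for argv in scan_records(SAMPLE_RECORDS):
        print("interpreter bypass of noexec:", " ".join(argv))
```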
 
Old 11-18-2009, 03:05 PM   #2
slimm609
Hello Adam,

I know you said SELinux is a pain to get working with cPanel.

I would possibly take a look at GRSecurity.

List of features
http://grsecurity.com/features.php


There are a lot of exploit protections and some /tmp protections (don't remember them all off the top of my head).


You can run GRsecurity without a policy and it will protect the kernel and the system with everything on the features list except the top RBAC list.


-Slimm
 
Old 11-18-2009, 08:52 PM   #3
OffbeatAdam
Original Poster
I've considered that. I'm currently in the works of producing my own image (at this company my time here has been short, so at this point I'm coming into the mess... most of my work has been "going forward" but the mess got out of hand).

GRS is in my build, but it's not ready yet for live, I'm still tweaking it and eventually I'm making it a kick. Also working on the repo so that I can keep kernel updates there in line with CentOS.

In retrospect though, adding grs to a production server isn't intelligent at least not that I can see. I was just hoping to see if anyone knew any tricks that may be able to deter it while we move accounts to the more secure environments.

Thanks,

Adam
 
Old 11-18-2009, 10:11 PM   #4
abefroman
Hi Adam,

I am a cpanel expert, used it since version 6 I think, and manage and secure about 100 cpanel servers.

By compromised box do you mean they got root?

I do quite a few things to secure the cpanel boxes, including the use of many 3rd party and custom scripts.

I do not use SElinux, and I do not use GRsecurity, neither the patches for the kernel nor the RBAC ACL. Although I have used the patches before.

SElinux and GRsecurity are good for protecting against 0 day, or 1 day exploits, so if that's what you are looking to do, that's pretty much what you need, you also might want to look at LIDS, but like SElinux that will be a chore to setup, and it may be next to impossible as cpanel is composed of so many scripts.

If you are not looking to protect only against 0 day and 1 day exploits it's likely you are overlooking another area. If that is the case you can give us a rundown of what you are doing, and a little more info on the attacks that did occur and how you think they happened, and we can possibly give you some security tips.

By the way, are you running RHEL, CentOS or FreeBSD?
Edit: You said CentOS already

-Abe

 
Old 11-19-2009, 04:01 PM   #5
slimm609
Quote (Originally Posted by OffbeatAdam):
In retrospect though, adding grs to a production server isn't intelligent at least not that I can see.

Why would it not be an intelligent decision??
 
Old 11-24-2009, 09:52 AM   #6
OffbeatAdam
Original Poster
Quote (Originally Posted by slimm609):
Why would it not be an intelligent decision??

Because I have better things to do than worry about boxes that are inevitably insecure, short of reinstalling every RPM on the box, which at this point I'm far from desiring to do?

I'm 75% done with moving to new boxes that are secure.

I'm not sure I'd have been this far along if I'd spent my time worrying about installing and configuring a new kernel with a new security model that likely would face a nice distinct set of additional help desk tickets where sites don't work.
 
Old 11-24-2009, 10:02 AM   #7
abefroman
Quote (Originally Posted by OffbeatAdam):
Because I have better things to do than worry about boxes that are inevitably insecure, short of reinstalling every RPM on the box, which at this point I'm far from desiring to do?

I'm 75% done with moving to new boxes that are secure.

I'm not sure I'd have been this far along if I'd spent my time worrying about installing and configuring a new kernel with a new security model that likely would face a nice distinct set of additional help desk tickets where sites don't work.

Hate to tell you this but security is not a one time thing, even if you get a new box today that is hardened and running the latest secure packages, tomorrow (or next week, or next month) there will be an exploit out and the box will be insecure.

Your best bet is hiring someone, even if it's on a contract basis, to regularly maintain and secure your boxes, especially if there are time constraints, which it sounds like you have.
 
Old 11-24-2009, 11:02 AM   #8
slimm609
Quote (Originally Posted by OffbeatAdam):
Because I have better things to do than worry about boxes that are inevitably insecure, short of reinstalling every RPM on the box, which at this point I'm far from desiring to do?

I'm 75% done with moving to new boxes that are secure.

Unless you are running something like "Green Hills Integrity-OS" your boxes are not secure.

Quote (Originally Posted by OffbeatAdam):
I'm not sure I'd have been this far along if I'd spent my time worrying about installing and configuring a new kernel with a new security model that likely would face a nice distinct set of additional help desk tickets where sites don't work.

So you are just going to abandon something without testing or fully researching it? If you would have tested GRsecurity in the way I listed above you would have realized there would have been very few, if any, changes to the current system other than the kernel, which = little to no additional help desk tickets.

As someone else stated, security is not a product or a step-by-step guide. It is an ongoing task, and the minute you think your machines are 100% secure and relax on them, that's when you are going to get owned.

There are quite a few of us on here that know what we are talking about. Look over some of our past threads and judge for yourself.
 
Old 11-24-2009, 11:42 AM   #9
abefroman
Quote (Originally Posted by slimm609):
Unless you are running something like "Green Hills Integrity-OS" your boxes are not secure.

So you are just going to abandon something without testing or fully researching it? If you would have tested GRsecurity in the way I listed above you would have realized there would have been very few, if any, changes to the current system other than the kernel, which = little to no additional help desk tickets.

As someone else stated, security is not a product or a step-by-step guide. It is an ongoing task, and the minute you think your machines are 100% secure and relax on them, that's when you are going to get owned.

There are quite a few of us on here that know what we are talking about. Look over some of our past threads and judge for yourself.

Sounds like this guy's plan for security is to just copy all his accounts to new boxes every month, or every time one of his boxes gets hacked.
 
Old 11-24-2009, 08:28 PM   #10
abefroman
Sorry, Adam, are you just an employee of the web hosting company?

I was assuming you are the owner, but then I happen to come across your myspace page.

Honestly dude, the best advice I can give you is that the position you are in is above your current ability and/or training. Your company, as large as it is, should have some good resources there to help you secure the servers, keep them secure, and so you know what to do if (or if you think) one was compromised.

We can definitely be of some great help to you here, but you will want to work with your peers at work as well.

I would talk to your manager there, or another co-worker you are friends with there, to give you some additional training, and to help you solidify the basics when it comes to security.

You are posting about SELinux and stuff, so that shows you have a desire to learn new things, and I think with the right hands-on training you will be a great security and systems administrator.
 
  

