LinuxQuestions.org


species3618 04-14-2012 09:48 AM

Need advice regarding security on Fedora 15
 
Hey!

I was wondering if anyone could give me some advice on how to harden and improve security on Fedora 15 which will be used to host a webserver.

I'm basically doing a report for school where our "client" has asked us to provide a risk assessment on Fedora 15 as well as solutions to security loopholes. I would be grateful if someone can point me in the right direction and give me some advice on where to look and how I should go about doing this.

Any help is really appreciated.

Thank you very much:)

unSpawn 04-14-2012 12:07 PM

Quote:

Originally Posted by species3618 (Post 4652546)
I'm basically doing a report for school where our "client" has asked us to provide a risk assessment on Fedora 15

Since you're doing this for school I'll return the question: what class material was presented to you to help you? What have you researched for and found so far? (That's two questions actually.)

Did you read the docs Fedora comes with? They're quite extensive.
Are you aware of SANS?
OWASP?
Cisecurity benchmarks?
OVAL?
Nessus?
OpenVAS?
Do you know how to list updates for CVEs? (Eight more.)

species3618 04-14-2012 01:09 PM

Thanks for the reply unSpawn, unfortunately we haven't learnt anything that you have mentioned and I'll be sure to look into those. We haven't been given much since it is a case study. It's not really an in-depth networking class, we have only learnt how to use a few tools such as wireshark and nmap and how to configure IP tables etc. I've been looking into the bug reports for Fedora 15 to see if this would help me.

Thank you for your help, much appreciated.

unSpawn 04-14-2012 02:25 PM

OK. I'll try and keep it short. First thing is to question the need for using Fedora 15 instead of an Enterprise-grade distribution like CentOS (unbranded RHEL), SLES, Ubuntu-LTS or whatever else. (Apart from that Fedora 16 is current and right now it seems 17 will be upon us May-ish.)

Next install only what you need, when you need it. A production web server should not have unstable software, no graphical desktop environment and no compilers. This minimizes maintenance and its attack surface when exposed to the 'net. Accounts, services, network access should be restricted and hardened and enough auditing should be enabled to give you early warnings you can respond to. Security, updating, auditing, implementing preventive and reactive measures are not one-offs but continuous processes.

These days compromises happen often through brute forcing SSH (allowing root to log in over the 'net, weak passwords instead of pubkey auth, no fail2ban or equivalent) but more often through web application stack exploits. Apart from laxity like leaving installation sources around, fscking with access permissions to avoid fixing problems the right way, allowing unrestricted access, I'm talking about running vulnerable software versions of forum, shopping cart, statistics, photo gallery, web log and other software and/or their plugins, badly coded homebrewed scripts, weak passwords allowing access to web-based management panels, etc, etc.

Giving thought to compartmentalization (Xen, VMware, Linux Containers, OpenVZ) or other server placement (DMZ), giving thought to your choice of software (security track record), updating software when updates are released, (reverse) proxying, running a web application firewall, remote testing of your setup and actually responding to reports and warnings will cost you time and effort but it will pay off. That's about as terse as it gets ;-p
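
The SSH weaknesses listed in the post above (root logins over the network, passwords instead of pubkey auth) can be checked mechanically. The script below is an added example, not part of the thread or of any poster's tooling; the function names and both sample configs are constructed for illustration, and it assumes a plain sshd_config without Match blocks or Include files.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SSH weaknesses named above.
# sshd uses the FIRST value it reads for a keyword and matches keywords
# case-insensitively; sshd_value mirrors both rules.
# Simplification (assumption): Match blocks and Include files are not evaluated.

sshd_value() {  # usage: sshd_value <file> <keyword> <default-if-unset>
  awk -v key="$2" -v def="$3" '
    /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
    tolower($1) == "match" { exit }       # global section ends here
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

audit_sshd() {  # prints one WEAK line per finding, nothing if clean
  # Unset PermitRootLogin is treated as "yes", the default before OpenSSH 7.0.
  root=$(sshd_value "$1" PermitRootLogin yes)
  pass=$(sshd_value "$1" PasswordAuthentication yes)
  pubkey=$(sshd_value "$1" PubkeyAuthentication yes)
  case "$root" in
    no|without-password|prohibit-password|forced-commands-only) ;;
    *) echo "WEAK PermitRootLogin=$root (root can log in with a password)" ;;
  esac
  [ "$pass" = no ] || echo "WEAK PasswordAuthentication=$pass (passwords can be brute forced)"
  [ "$pubkey" = yes ] || echo "WEAK PubkeyAuthentication=$pubkey (key-based login disabled)"
}

# Constructed sample configs (not taken from any real host).
weak_cfg=$(mktemp); hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
Port 22
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$hard_cfg" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak sample ==";     audit_sshd "$weak_cfg"
echo "== hardened sample =="; audit_sshd "$hard_cfg"
```

The weak sample shows why first-match matters: the later `PermitRootLogin no` line never takes effect because `permitrootlogin yes` appears before it.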

snowday 04-14-2012 02:33 PM

Fedora 15 has only 2 months of support remaining. After June 2012, it will receive no security patches or bug fixes, ever. That would be a deal-breaker for me right there. :(

species3618 04-14-2012 03:10 PM

Wow thank you for the information unSpawn.

All groups have been assigned different operating systems and I have been assigned Fedora 15, that is why I have to base it on this.

Thanks again.

John VV 04-14-2012 06:48 PM

the security on fedora 15
in about 2 months ( the fedora 17 release date was pushed back ) there will be NO support for 15
and NO security updates

so install fedora 16

but fedora is a VERY VERY bad choice for a server
its life span is ONLY 13 months
versus the 10 YEAR life span for RHEL 5 & 6 ( Red Hat Enterprise Linux )

as far as fedora is concerned you might want to READ the documentation
http://docs.fedoraproject.org/en-US/index.html

and read the Red Hat documents
https://access.redhat.com/knowledge/...erprise_Linux/


but the long term security for fedora 15 is VERY BAD - in about 60 days there will never ever be any more security updates

Noway2 04-15-2012 06:29 AM

Quote:

Originally Posted by species3618 (Post 4652755)
All groups have been assigned different operating systems and I have been assigned Fedora 15, that is why I have to base it on this.

This is a rather curious condition of the project and one that I would be inclined to ask for clarification and guidance from the instructor as to their expectations in terms of being operating system specific. Most Linux distributions have an extremely large amount in common as they are based upon the same kernel (or at least revisions of it) and if you are running at least a 2.6 kernel have netfilter built in, use the same GNU tool set, run the same applications (e.g. Apache, MySQL, PHP), etc. What this means is that there is little inherent difference in the OS itself, but as unSpawn pointed out, there are a few distributions that are Enterprise Grade in terms of support and backing and Fedora is not one of them. Probably the two biggest differences amongst most Linux distributions are their package management system and whether they use BSD or Unix style startup scripts (init.d vs rc.d).

Unless you are able to get some direct clarification as to whether or not there is something the instructor is looking for in terms of the OS choice, I would suggest researching the items suggested by unSpawn and building a "security policy" around those, and you could certainly mention the weaknesses associated with the choice of Fedora 15 as part of your security assessment.

I also find this comment interesting as it shows some possible insight into the instructor's thinking:
Quote:

we have only learnt how to use a few tools such as wireshark and nmap and how to configure IP tables
Based upon this, it looks like the instructor may be focusing on intrusion and surveillance as nmap would be used to port scan a system and wireshark would be used to listen in on the packets. Perhaps you should include aspects dealing with detection of scanning attempts and ways to actively respond to them as well as the benefits, risks, and rewards of SSL/TLS which would mitigate packet sniffing. As far as an active response, IPTables can certainly play a part in that role, as it is a very capable, state-aware, firewall.

species3618 04-15-2012 06:47 AM

Thanks Noway2 and everyone else, this has really helped, I don't think he wants us to do a "professional grade" security report since this is just an "add on" module to expose us all to some sort of networking (the main course is Software Engineering, last year we did basic router configurations and DHCP etc), when I see my lecturer I will be sure to ask him about the choice of operating system.

Thank you all for your input, much appreciated.

species3618 05-09-2012 06:59 AM

Hey, I have some updates on this.

I actually need around 5 security bugs to show, I have found 3 that I can use but I do not know how to reproduce them, since I need to reproduce them to show the screenshots, any advice or tutorial on these would be appreciated.

1: Buffer Overflow
2: SQL Injection
3: Cross Scripting

unSpawn 05-09-2012 07:38 AM

I'm marking your thread solved as your initial question, how to harden and improve security on Fedora 15, was solved three weeks ago.


Quote:

Originally Posted by species3618 (Post 4674173)
I actually need around 5 security bugs to show, I have found 3 that I can use but I do not know how to reproduce them

We're not here to do your homework for you.
And asking for help with exploits is against the LQ Rules.
Thread closed.


All times are GMT -5.