Need advice regarding security on Fedora 15
Hey!
I was wondering if anyone could give me some advice on how to harden and improve security on Fedora 15 which will be used to host a webserver. I'm basically doing a report for school where our "client" has asked us to provide a risk assessment on Fedora 15 as well as solutions to security loopholes. I would be grateful if someone can point me in the right direction and give me some advice on where to look and how I should go about doing this. Any help is really appreciated. Thank you very much:) |
Quote:
Did you read the docs Fedora comes with? They're quite extensive. Are you aware of SANS? OWASP? Cisecurity benchmarks? OVAL? Nessus? OpenVAS? Do you know how to list updates for CVEs? (Eight more.) |
Thanks for the reply unSpawn, unfortunately we haven't learnt anything that you have mentioned and I'll be sure to look into those. We haven't been given much since it is a case study. It's not really an in-depth networking class, we have only learnt how to use a few tools such as Wireshark and nmap and how to configure iptables etc. I've been looking into the bug reports for Fedora 15 to see if this would help me.
Thank you for your help, much appreciated. |
OK. I'll try and keep it short. First thing is to question the need for using Fedora 15 instead of an Enterprise-grade distribution like CentOS (unbranded RHEL), SLES, Ubuntu-LTS or whatever else. (Apart from that Fedora 16 is current and right now it seems 17 will be upon us May-ish.)

Next, install only what you need, when you need it. A production web server should not have unstable software, no graphical desktop environment and no compilers. This minimizes maintenance and its attack surface when exposed to the 'net. Accounts, services, network access should be restricted and hardened and enough auditing should be enabled to give you early warnings you can respond to. Security, updating, auditing, implementing preventive and reactive measures are not one-offs but continuous processes.

These days compromises happen often through brute forcing SSH (allowing root to log in over the 'net, weak passwords instead of pubkey auth, no fail2ban or equivalent) but more often through web application stack exploits. Apart from laxity like leaving installation sources around, fscking with access permissions to avoid fixing problems the right way, allowing unrestricted access, I'm talking about running vulnerable software versions of forum, shopping cart, statistics, photo gallery, web log and other software and/or their plugins, badly coded homebrewed scripts, weak passwords allowing access to web-based management panels, etc, etc.

Giving thought to compartmentalization (Xen, VMware, Linux Containers, OpenVZ) or other server placement (DMZ), giving thought to your choice of software (security track record), updating software when updates are released, (reverse) proxying, running a web application firewall, remote testing of your setup and actually responding to reports and warnings will cost you time and effort but it will pay off. That's about as terse as it gets ;-p
|
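An added example, not part of any poster's message: a small audit of an `sshd_config` for the SSH weaknesses named in the post above (root login over the network, password instead of pubkey authentication). The policy table and the sample configuration are constructed for illustration; the parser relies on sshd keeping the first value it reads for each keyword and ignores everything after a `Match` line.

```python
import re

# Constructed sample input, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sshd_config for illustration
Port 22
PermitRootLogin yes
passwordauthentication=yes
# sshd keeps the first value it reads, so the next line has no effect
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Example policy (an assumption of this sketch):
# keyword -> (acceptable values, flag when unset?, why it matters)
POLICY = {
    "permitrootlogin": ({"no"}, True, "root may log in over the network"),
    "passwordauthentication": ({"no"}, True, "passwords can be brute forced"),
    "pubkeyauthentication": ({"yes"}, False, "public key auth is disabled"),
}

def parse_global(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":      # everything after Match is conditional
            break
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return a list of (keyword, value or None, reason) policy violations."""
    settings = parse_global(text)
    findings = []
    for key, (ok, flag_unset, reason) in POLICY.items():
        value = settings.get(key)
        if (value is None and flag_unset) or (value is not None and value not in ok):
            findings.append((key, value, reason))
    return findings

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_CONFIG):
        print(f"{key} = {value!r}: {reason}")
```

The same function can be fed the output of `sshd -T` (run as root), which prints the effective configuration as lowercase `keyword value` lines and so also covers compiled-in defaults.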
Fedora 15 has only 2 months of support remaining. After June 2012, it will receive no security patches or bug fixes, ever. That would be a deal-breaker for me right there. :(
|
Wow thank you for the information unSpawn.
All groups have been assigned different operating systems and I have been assigned Fedora 15, that is why I have to base it on this. Thanks again. |
The security on Fedora 15
In about 2 months (the Fedora 17 release date was pushed back) there will be NO support for 15 and NO security updates, so install Fedora 16. But Fedora is a VERY VERY bad choice for a server: its life span is ONLY 13 months versus the 10 YEAR life span for RHEL 5 & 6 (Red Hat Enterprise Linux). As far as Fedora is concerned, you might want to READ the documentation http://docs.fedoraproject.org/en-US/index.html and read the Red Hat documents https://access.redhat.com/knowledge/...erprise_Linux/ but the long term security for Fedora 15 is VERY BAD - in about 60 days there will never ever be any more security updates |
Quote:
Unless you are able to get some direct clarification as to whether or not there is something the instructor is looking for in terms of the OS choice, I would suggest researching the items suggested by unSpawn and building a "security policy" around those, and you could certainly mention the weaknesses associated with the choice of Fedora 15 as part of your security assessment. I also find this comment interesting as it shows some possible insight into the instructor's thinking: Quote:
|
Thanks Noway2 and everyone else, this has really helped. I don't think he wants us to do a "professional grade" security report since this is just an "add on" module to expose us all to some sort of networking (the main course is Software Engineering, last year we did basic router configurations and DHCP etc). When I see my lecturer I will be sure to ask him about the choice of operating system.
Thank you all for your input, much appreciated. |
Hey, I have some updates on this.
I actually need around 5 security bugs to show, I have found 3 that I can use but I do not know how to reproduce them, since I need to reproduce them to show the screenshots, any advice or tutorial on these would be appreciated. 1: Buffer Overflow 2: SQL Injection 3: Cross Scripting |
I'm marking your thread solved as your initial question, how to harden and improve security on Fedora 15, was solved three weeks ago.
Quote:
And asking for help with exploits is against the LQ Rules. Thread closed. |