Linux - Security
IMHO you should keep your mod_security config as simple as possible. Only tweak things when the log file indicates users are denied access to what they should have. http://httpd.apache.org/docs/2.2/mod/ explains if you need mod_rewrite. And IIRC your web server should not see much traffic anyway, so if you need to limit access I'd favor a network layer approach, iptables (-m limit), over an application layer one.
Dear Unspawn,
When you say log, which log are you referring to? The httpd log, I guess, or any other related logs? Yes, my traffic is limited to just 2 ports only. The rest are all closed; even ssh is closed from outside.
Dear Unspawn,
Ok, I will look into the error_log files. Besides that, when you said /sbin/iptables -m limit --help, that is regarding the iptables setup, right? But looking deeper into iptables, it is just blocking access to limited ports. For instance, port 80 has to be open for web communication; what other steps can be taken to further secure this port from being used for hacking purposes?
Quote:
Originally Posted by newbie14
But looking deeper into iptables, it is just blocking access to limited ports.
No, the other way around: it's limiting access, the number of times somebody can access a port (best used in conjunction with --state).
Quote:
Originally Posted by newbie14
For instance, port 80 has to be open for web communication; what other steps can be taken to further secure this port from being used for hacking purposes?
Firewall, sane Apache configuration, mod_security, logs you parse for anomalies / hacking attempts / errors (you do use something like Logwatch + fail2ban, right?), local integrity verification (Samhain, AIDE, etc., etc.), so then it boils down to what apps you run. For example, you can't expect any benefits if you run crappy homebrew scripts or, say, a version of Joomla or WordPress a year old...
Dear Unspawn,
Yes, we do have a firewall, will follow the Apache configuration as per your suggestion, have installed mod_security and left it at the default settings. From time to time I will look into the Logwatch log files to see if something is not right. Planning to move to OSSEC as we find it easier to understand and it gives email alerts too. Back on the app: it's a purely PHP and MySQL db based application. Should we do more security on the logic page itself besides SQL injection protection?
Quote:
Originally Posted by newbie14
Back on the app: it's a purely PHP and MySQL db based application. Should we do more security on the logic page itself besides SQL injection protection?
It kind of depends on what exactly you run. If you run a common off-the-shelf application like, for example, WordPress, Joomla or suchlike, you should follow their recommendations for securing the application and keep the application, themes, plugins et cetera up to date. If you run homebrew scripts then you're responsible for adhering to coding standards. While there's more to implement, like a database firewall and a reverse proxy, the next quickest wins IMHO would be to limit access (after all, you run your web server for very specific clientele only), which could be done quickly and painlessly with ipset, and to watch your logs for errors (fail2ban?).
Dear Unspawn,
They are homebrew scripts. What database firewall do you suggest for Linux machines? Yes, we will have limited clients, but how do we determine their ipset if they use different machines or mobile phones to log in? Will fail2ban be part of Logwatch?
Quote:
Originally Posted by newbie14
What database firewall do you suggest for Linux machines?
In essence none: review your PHP code instead.
Quote:
Originally Posted by newbie14
Yes, we will have limited clients, but how do we determine their ipset if they use different machines or mobile phones to log in?
Whitelisting allows you to add any number of IP ranges to an ipset. They will have to supply you with the necessary ranges. Obviously you could facilitate that with a page that takes the client's current IP address and returns the right range. Just be creative.
Quote:
Originally Posted by newbie14
Will fail2ban be part of Logwatch?
If configured so, Logwatch output will include both /var/log/secure (or equivalent) output and fail2ban logging, yes.
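As an added example that is not code from any poster in this thread, the following POSIX sh script ties together the two network-layer suggestions made above: an ipset whitelist of the client ranges you are given, and iptables rules that apply -m limit only to packets in state NEW from those ranges, dropping everything else. The set name web_clients, the chain name WEB_80, the rate figures and the client ranges (RFC 5737 documentation space) are all assumptions chosen for illustration. By default the script only prints the commands it would run; set APPLY=1 and run it as root to apply them.

```shell
#!/bin/sh
# Added illustration (not from the thread): generate the ipset whitelist and
# the iptables rules that restrict and rate-limit access to the web port.
# Dry run by default (commands are printed); APPLY=1 executes them.

APPLY="${APPLY:-0}"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Create (or reuse) a hash:net set and add every range given as an argument.
# Usage: build_whitelist SETNAME RANGE...
build_whitelist() {
    setname="$1"; shift
    run ipset create "$setname" hash:net -exist
    for net in "$@"; do
        run ipset add "$setname" "$net" -exist
    done
}

# Emit the filter rules for one TCP port guarded by the given set.
# Usage: build_rules SETNAME PORT
build_rules() {
    setname="$1"
    port="$2"
    chain="WEB_${port}"
    run iptables -N "$chain"
    # Anything not in the whitelist is dropped before any limit is applied.
    run iptables -A "$chain" -m set ! --match-set "$setname" src -j DROP
    # Whitelisted clients may open at most 25 new connections a minute
    # (burst 50); the limit counts only NEW packets, not the rest of a flow,
    # which is why -m limit is combined with --state here.
    run iptables -A "$chain" -m state --state NEW -m limit --limit 25/minute --limit-burst 50 -j ACCEPT
    # Log the excess (itself rate-limited so the log cannot be flooded), then drop it.
    run iptables -A "$chain" -m state --state NEW -m limit --limit 5/minute -j LOG --log-prefix "web-ratelimit: "
    run iptables -A "$chain" -m state --state NEW -j DROP
    # Packets of already accepted connections bypass the chain entirely;
    # only connection attempts are sent through it.
    run iptables -A INPUT -p tcp --dport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j "$chain"
}

# Constructed example ranges (RFC 5737 documentation space); replace with the
# ranges your clients supply.
build_whitelist web_clients 203.0.113.0/24 198.51.100.0/24
build_rules web_clients 80
```

Because the whitelist check comes first, a client connecting from a range you were never told about is dropped silently rather than rate-limited, so the log prefix only ever shows known clients exceeding the limit; that is the case worth alerting on. The script assumes the chain does not yet exist (iptables -N fails if it does) and uses the classic -m state match the thread refers to; on current kernels -m conntrack --ctstate is the equivalent.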
Dear Unspawn,
When you say review the code, I don't get you on that, but we have not put the db behind a firewall and it is never accessible from a public IP, only a local IP, as per your previous suggestions. Thank you for the idea on ipset; I will look further into that. I will try to configure Logwatch and get back in case I get stuck there.