Securing a VPS

stephen_wq · 03-26-2009, 10:59 PM

Hey there,
A mate has a basic VPS running debian, and as far as i can tell hes running HTTPD as root.
In fact, he says he does most things as root, which is a habit that needs to be broken for obvious reasons.
Heres the output from webmin of the running services. Im average at linux, used to gui and only know fedora command line, so lost when it comes to debian.

Code:

26604 	root 	0.6 % 	/usr/share/webmin/proc/index_cpu.cgi
28032 	mysql 	0.1 % 	/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file ...
1 	root 	0.0 % 	init [2]
13695 	postfix 	0.0 % 	tlsmgr -l -t unix -u -c
19709 	proftpd 	0.0 % 	proftpd: (accepting connections)
20113 	daemon 	0.0 % 	/usr/local/apache2/bin/httpd
20135 	daemon 	0.0 % 	/usr/local/apache2/bin/httpd
24269 	root 	0.0 % 	sshd: root@pts/0
24286 	root 	0.0 % 	-bash
26605 	root 	0.0 % 	/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
26606 	root 	0.0 % 	/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
27873 	root 	0.0 % 	/sbin/syslogd
27933 	root 	0.0 % 	/bin/sh /usr/bin/mysqld_safe
28033 	root 	0.0 % 	logger -p daemon.err -t mysqld_safe -i -t mysqld
29947 	root 	0.0 % 	/usr/local/apache2/bin/httpd
30286 	root 	0.0 % 	/usr/lib/postfix/master
30308 	postfix 	0.0 % 	qmgr -l -t fifo -u
30311 	root 	0.0 % 	/usr/sbin/sshd
30343 	root 	0.0 % 	/usr/sbin/cron
32343 	root 	0.0 % 	/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

Now HTTPD is running out of /home/user/ which is actually owned by root. So somehow, i want to change the owner (chown?) of /home/user/ to user, and then run HTTPD under that username, or whatever is the best method. Unfortunately i have no idea how.

What else shouldn't be running as root? What other basic security like denyhosts would be suggested?
Thanks in advance.

gnukish · 03-26-2009, 11:22 PM

Quote:

h!!p://www.usefuljaja.com/2007/6/debian-vps-setup-page-1

follow all parts of the tutorial, and i am sure you'll be on your way to securing your VPS. report back on how you do

cheers!

robertjinx · 03-27-2009, 03:03 AM

You HTTPD is not running as root, Webmin is running as root and its normal, in rest seems everything ok, maybe create a user "apache" or "httpd" and change in the configuration of apache from daemon to "apache" or "httpd"

Good luck!

stephen_wq · 03-27-2009, 03:13 AM

@gnukish: Thanks. Following it through.
Though when i try running iptables-restore with his sample file (http://www.usefuljaja.com/assets/200...test.rules.txt), it says it failed on COMMIT (line 56)

I also need to add mysql & ftp to it, i assume i copy a line and add 3306?

@robertjinx: Thanks for clarification, i wasn't sure and he said he'd simply setup and used everything in root, and when i saw "29947 root /usr/local/apache2/bin/httpd", i assumed one of the virtual servers or something was running as root.

robertjinx · 03-27-2009, 03:43 AM

Btw what VPS are u using, Xen or OpenVZ/Virtuozzo?

If OpenVZ/Virtuozzo then you are limited to what you can do, cant have a full iptables and so on. Be sure of what you using and setup the VPS according to that.

stephen_wq · 03-28-2009, 09:55 PM

Quote:

Originally Posted by robertjinx

Btw what VPS are u using, Xen or OpenVZ/Virtuozzo?

If OpenVZ/Virtuozzo then you are limited to what you can do, cant have a full iptables and so on. Be sure of what you using and setup the VPS according to that.

Not sure what either of those are, how can i find out?

sleddog · 03-29-2009, 07:35 AM

[root@vps:~] cat /proc/user_beancounters

If you see information then it's OpenVZ/Virtuozzo. If you get a "No such file or directory" error then it isn't.

[root@vps:~] ls /proc/xen

If you get a file list then it's Xen. If you get a "No such file or directory" error then it isn't.

robertjinx · 03-29-2009, 10:16 AM

Try simple "uname -a" and will tell you want you need to know, in case of CentOS on Xen it will look something like 2.6.18-53.1.13.el5xen and in case of OpenVZ, I think vz or something.

Just put the output of uname -a in the post and i will tell u.

stephen_wq · 03-30-2009, 02:29 AM

Beancounters showed a bunch of info.

uname showed: "2.6.18-92.1.13.el5.028stab059.6 #1 SMP Fri Nov 14 16:01:01 MSK 2008 i686 GNU/Linux"

robertjinx · 03-30-2009, 02:49 AM

Its OpenVZ/Virtuozzo which means you are limited to some stuff, like some iptables parts, system configuration, kernel tunning, etc.

I think simple or normal linux security should be enough for the system, maybe just use iptable to allow a couple of ports, like ssh/http/https/mail and rest just block it.

Make sure that you do not allow root login over ssh and use locally sudo or su to login to root.

Good luck!

sleddog · 03-30-2009, 07:31 AM

Quote:

Originally Posted by robertjinx

Try simple "uname -a" and will tell you want you need to know, in case of CentOS on Xen it will look something like 2.6.18-53.1.13.el5xen and in case of OpenVZ, I think vz or something.

Just put the output of uname -a in the post and i will tell u.

2.6.18-53.1.13.el5xen certainly indicates a Xen VPS, but not all Xen VPSs have 'xen' in the kernel name

Moot point I guess, as stephen_wq looks to have an OpenVZ VPS.

Cheers.