LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 06-12-2014, 04:43 AM   #1
jjthomas
Member
 
Registered: Jan 2004
Location: Tacoma, WA
Distribution: Slackware 14
Posts: 265
Blog Entries: 2

Rep: Reputation: 34
Slackware Server On The Internet.


I am thinking of putting a server out in the wild. I run a couple of websites, one is based on b2evolution and another based on WordPress and a couple of static websites, and of course email.

I have a UPS, Iím comfortable with Linux, both Slackware and Red Hat (Centos). Iíve been hacked a couple of times, weak password (duh) and a bad script. So I know that somewhere out there, is a hacker gunning for my server.

My thought would be to set the WWW/Email server in a virtual machine. If a hacker were to get root in the VM would they be able to gain access to the host?

Has anybody put a Slackware based server on in the Internet? Any advice?

-JJ
 
Old 06-12-2014, 06:14 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
Yes, did that, worked.

But...

You're going to get hit (a lot) from the outside world and IP address walkers. It's a given that the bastards are going to try.

If you do a clean install on that server and pick a good root password (you do not need to password any other accounts except for any user accounts you add, such as your own account -- leave /etc/passwd and /etc/shadow alone).

I would assume you're going to be using Apache HTTP? Don't monkey with it too much, read the security section in the the HTTP documentation, implement the recommended settings (in the configuration files).

Something I did that works automagically is that I installed and run DenyHosts (http://denyhosts.sourceforge.net/:
Quote:
What is DenyHosts?

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
When you get hit with SSH attacks, they're trying to guess your password and they walk the administrative accounts (which you haven't screwed with and there is no way in the universe to guess or get into an account that has no assigned password and is blocked in /etc/shadow). What DenyHosts does is recognize the attempt and add the URL of the attacker to /etc/hosts.deny in which case that URL will be refused the next time it tries -- over the years, that list has grown to over 20,000 bad actors; they're blocked whenever they attempt to connect.

DenyHosts also will let you share URLs of folks attempting to gains access with other users around the world and merge their experience with yours.

Keeps 'em out of your pants.

You can, if you like, construct the lists as IPTABLES entries and a couple of other methods but I've been perfectly happy with the /etc/hosts.deny method (it's quicker and you don't have to restart IPTABLES periodically).

Other than that, you only need to use good practices. Good root (and your) passwords. Configure /etc/httpd/httpd.conf properly (Apache's documentation is real good for this). Make your web pages as secure as possible and, basically, leave the thing alone (out of the box, Slackware is already secure).

You can fiddle with IPTABLES and some other utilities that do essentially what DenyHosts does and it would be worth your time to look into them; as I say, my experience has been more that satisfactory with DenyHosts (never had an intrusion).

Hope this helps some.
 
6 members found this post helpful.
Old 06-12-2014, 09:26 AM   #3
enine
Senior Member
 
Registered: Nov 2003
Distribution: Slackʍɐɹǝ
Posts: 1,486
Blog Entries: 4

Rep: Reputation: 282Reputation: 282Reputation: 282
Put behind a network device first, a simple NAT router with the minimum number of ports open functions as a perimeter router so that narrows the attack vectors down to just the ports you have open.
Use another machine to (virtual or hardware) to separate the web pages from the back end data, i.e layered/tiered approach. Wordpress for example if I recall correctly uses a SQL back end database. So separating the Apache server from the database server helps to limit attack vectors and mitigate damage should the web server be compromised.
I run Owncloud which has an Apache web site, mySQL back end and a file store. I'm splitting the Apache front end onto anther box so even if they get into that box or take it down my database and files are still safe on another box. I'm thinking a small system like a Raspberry Pi or Beagleboard will suffice as just the web front end as my whole setup can be run on a Pi but just really slow.
 
Old 06-12-2014, 01:12 PM   #4
Mark Pettit
Member
 
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 15.0
Posts: 627

Rep: Reputation: 301Reputation: 301Reputation: 301Reputation: 301
I think first option should be to disable root login from ssh. Then pick a non-obvious username, login via that and then become root as required via "su -" or sudo.

I'd be hesitant to run anything PHP-based - it's insecure by design - see this article : http://eev.ee/blog/2012/04/09/php-a-...of-bad-design/

Then run a decent firewall - any one that suits you. I prefer shorewall, but there are dozens of others as good, maybe better.

Finally - run the minimum stuff that you need. You might want to consider Nginx as your webserver - I believe it has a built-in email option. Might be simpler to setup.
 
1 members found this post helpful.
Old 06-12-2014, 01:14 PM   #5
eloi
Member
 
Registered: Nov 2010
Posts: 227

Rep: Reputation: 61
I wrote this time ago:

Code:
#!/bin/sh
# block SSH hackers IPs.

[ $UID -ne 0 ] && echo "You must be root to run this" && exit 1

dir=/root/bin

mv $dir/iplist /tmp/old-iplist

grep -o 'Invalid user .* from .*' /var/log/messages \
       	| awk -F ' ' '{ print $5 }' | sort | uniq >>/tmp/new-iplist

cat /tmp/old-iplist /tmp/new-iplist | sort | uniq > $dir/iplist

# Clean empty lines
sed -i /^$/d $dir/iplist

# Clean firewall rules
/etc/rc.d/rc.firewall restart >/dev/null

while read line ; do
	iptables -I INPUT -s $line -j DROP
done < $dir/iplist

rm /tmp/old-iplist
rm /tmp/new-iplist

exit 0
I think I posted it here time ago. Add it to a cronjob.


David Banner
Scientific

Last edited by eloi; 06-12-2014 at 01:21 PM.
 
Old 06-12-2014, 02:45 PM   #6
Cesare
Member
 
Registered: Jun 2010
Posts: 65

Rep: Reputation: 113Reputation: 113
I wonder what would happen if tried to login as "hokus pokus 0.0.0.0/0" into a system where this script is running in a cron job.
 
2 members found this post helpful.
Old 06-12-2014, 02:55 PM   #7
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694Reputation: 1694
Yeah, that script is a terrible idea without further cleansing of user generated data.

Last edited by szboardstretcher; 06-12-2014 at 02:57 PM.
 
Old 06-13-2014, 01:35 AM   #8
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098Reputation: 2098
Make sure you use a System, host, or network intrusion detection system setup, a good firewall script with proper ports open as needed, and follow proper security protocols and you should be good.

Snort and Samhain should be a good start as well as suricata. You should also perform attack simulations on your system to check for flaws.
 
Old 06-13-2014, 03:30 AM   #9
eloi
Member
 
Registered: Nov 2010
Posts: 227

Rep: Reputation: 61
Quote:
Originally Posted by Cesare View Post
I wonder what would happen if tried to login as "hokus pokus 0.0.0.0/0" into a system where this script is running in a cron job.
So, you thought that I try to solve all with that script?

The examples of shell scripts I use to share are simple and minimal for a reason: to encourage others to write their own themselves. If you find bugs on my example, it did its job ;-).

The idea is to discourage the typical "download this friendly application that do the job just pushing a button", what usually Windows users do.
 
Old 06-13-2014, 04:05 AM   #10
eloi
Member
 
Registered: Nov 2010
Posts: 227

Rep: Reputation: 61
Quote:
Originally Posted by szboardstretcher View Post
Yeah, that script is a terrible idea without further cleansing of user generated data.
If you need to let users ssh access to your server this script is obviously a terrible idea. But, in a 'web' server, if you limit ssh access to just one user (you) just adding a pair of conditionals to that script to filter your user name and the ip addresses you don't want to be blocked would be a first step.
 
Old 06-13-2014, 05:48 AM   #11
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Rep: Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154Reputation: 2154
Here's something that just works, a stanza from my rc.firewall:

Code:
# Limited SSH
iptables -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
  -m recent --set --name SSH
iptables -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp -i $IFACE_INET --dport 22 -j ACCEPT
I'm using this on a production web server running Slackware64 14.1 and hosting several mail and web domains for clients.

Cheers,

Niki
 
1 members found this post helpful.
Old 06-13-2014, 06:31 AM   #12
eloi
Member
 
Registered: Nov 2010
Posts: 227

Rep: Reputation: 61
Quote:
Originally Posted by kikinovak View Post
Here's something that just works, a stanza from my rc.firewall:

Code:
# Limited SSH
iptables -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
  -m recent --set --name SSH
iptables -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp -i $IFACE_INET --dport 22 -j ACCEPT
I'm using this on a production web server running Slackware64 14.1 and hosting several mail and web domains for clients.

Cheers,

Niki
Well my iptables knowledge is basic, someone please correct me if I am wrong.

Till I know iptables commands override each other. I mean you end allowing input access through port 22 to anybody. Is that your intention?

Last edited by eloi; 06-14-2014 at 03:04 AM. Reason: grammar
 
Old 06-13-2014, 07:44 AM   #13
eloi
Member
 
Registered: Nov 2010
Posts: 227

Rep: Reputation: 61
Finally,

If you really don't want to be bothered by bots trying to hack your server via ssh then set an alternative port in sshd_config file (and in your firewall).
 
Old 06-13-2014, 07:44 AM   #14
Mark Pettit
Member
 
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 15.0
Posts: 627

Rep: Reputation: 301Reputation: 301Reputation: 301Reputation: 301
Er - that effectively "switches on" network access to port 22. But after that the user STILL has to authenticate - which means there has to be such a user on the machine, with either a matching password or matching keys.
 
Old 06-13-2014, 07:51 AM   #15
eloi
Member
 
Registered: Nov 2010
Posts: 227

Rep: Reputation: 61
Quote:
Originally Posted by Mark Pettit View Post
Er - that effectively "switches on" network access to port 22. But after that the user STILL has to authenticate - which means there has to be such a user on the machine, with either a matching password or matching keys.
There is the annoying side effect of your logs filled by that hacking attempts. The alternative port, like I say above, is the cleanest (and cheapest) solution.

Last edited by eloi; 06-13-2014 at 07:53 AM.
 
  


Reply

Tags
email, internet, slackware, www


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ubuntu server works on LAN but can not get to the internet or the internet to it. techyjpt Linux - Networking 20 05-08-2012 02:41 PM
[SOLVED] Sharing internet connection(wireless server internet, wired network client) vladimir1986 Linux - Networking 4 07-25-2011 10:34 AM
internet server that use a prepaid account to access the internet elgieb1 Linux - General 0 02-19-2007 11:59 PM
Slackware 10.2 Problems: Display Server/SAMBA/Lisa/Finding the internet Steven_Shelton Slackware 7 11-22-2005 01:13 AM
Unable to access my ssh server and ftp server from the Internet, but smtp works foxone Linux - Networking 1 05-28-2004 05:17 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 02:45 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration