SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Today I've had to configure a Slackware 12.2 server that is exposed to the big, bad and dangerous world. Usually all the servers I've ever build and managed have been sitting safely behind dedicated routers and firewalls.
But not this one.
It will be running four services: ssh, http, email(POP3, IMAP and SMTP) and git-daemon on port 9418.
The following daemons will be running on the server: sshd, httpd, postfix, dovecot and git-daemon.
I'd think about installing a file integrity checker like Aide or Samhain. They don't prevent break-ins, but do help you diagnose things once they've happened. Also be absolutely sure to turn off every service that you don't absolutely, positively need. And have a look at some of the security references unSpawn has collected. There is some good reading there. Finally, give a serious look to the kinds of applications that you're serving via http. PHP apps in particular are prone to having serious security bugs.
The iptables generator, I linked in the first post, produced this for me:
Code:
#!/bin/sh
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
INET_IFACE="eth0"
INET_ADDRESS="MYIP"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# User specified allowed TCP git-daemon protocol
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 9418 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT packet died: "
echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "
I've no clue whether this actually is "good enough". I do know though, that the above on the surface appears to do what I need: It shuts down everything that isn't specifically opened. At least that is how it appears to my untrained eye and from some simple tests.
I agree with the previous comments as they all make sense.
Quote:
Originally Posted by TL_CLD
So, where should I start?
My first reflex would be to say you should ditch HTTP for HTTPS, POP3 for POP3S, IMAP for IMAPS and GIT for GIT-over-SSH but then I'll be getting ahead of myself.
Back-to-basics it depends on where you're at in the process of building the machine. A lot of people regard security as an add-on, an afterthought, instead of a something fundamental, a built-in. Looking at the bigger picture I'd very much like to promote the idea of properly configuring and hardening a "basic" server before adding any services. It'll be easier to consciously and partially weaken a servers security posture to allow for some exceptions than it will be to add security measures later on.
What I'd do is shut down all unnecessary services (minimise exposure), add the OpenSSH config like GazL suggested, add the file integrity checker like Hangdog42 suggested, make the firewall allow only (all!) traffic from and to your management IP or range (while configuring and w/o other services you'll only need SSH), make certain syslog is logging not too tersely and use log reporting (logwatch?) to read reports. Next up should be basic server configuration and hardening. Only when you're through with that and adding services you'll have to change things according to its purpose (as in who the server will serve). For instance if you're required to allow for developer write and anonymous GIT read access then you might want to confine access to the GIT daemon port to known developers (or use GIT-over-SSH) and provide a repo browser over HTTP(S) for anonymous checkouts (iptables: "-m recent" module).
Let us know where you're at in the process, and if you have more details / suggestions except for the firewall post those as well. The more information the better.
That is all. Only the necessary daemons are active.
BTW, I'm not building this server from scratch - it's a virtuel server from linode.com. The Slackware 12.2 install was very basic, and I've only added the stuff needed for the above mentioned daemons. It is a very slim install.
SSH access is by keys only. Root login is not allowed. Only a few trusted users (~5) will have SSH access.
The website that is being hosted is very basic, with only very little user interaction in terms of PHP and stuff like that. There are no logins, and not even a contact form. It is very much a one-way website.
git-daemon is read only, so all write access to the server is done via SSH. The git-daemon is locked to /home/git/
PostgreSQL is setup to only accept local connections, and no clear text passwords.
Postfix only allows relaying from localhost. No "pop before SMTP" or other such things. Postfix on this machine is not intended to be used as an "outgoing" SMTP server. It strictly recieves email and routes them to appropriate local users, which btw. are all virtual.
IMAP/POP3 vs. IMAPS/POP3S: There are no sensitive data flowing to or from any of the email accounts (it's mostly incomming requests for information), and the users associated with each mailbox are virtual. There are no console login for any of these accounts. There might be something to gain from going SSL with the IMAP/POP3 access though. I will look into it.
Here's what I use, hopefully you'll get some tips out of it. I've never tried any of the iptables generator scripts. I use custom coded iptables rules with default policy to drop everything and then allowing only the specific ports. Also use fail2ban to block and ban offending ip.
For dovecot, I use self-generated SSL and it runs on a non-standard port. For postfix, I recommend using dnsbl lists, policy daemon, clamav and spamassassin. I also recommend sanesecurity third-party signatures for clamav.
"DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?"
I've been running it for years, it works, it's automagic and you get other folks' bad actors through a periodic sharing of identified intruders. Highly recommend it. The attackers' addresses are added to /etc/hosts.deny, as of right now that's 4,737 entries.
Country blocks. If you don't care if anybody in China or Korea sees your web server, block the entire country with IPTABLES. You get the list of addresses from http://www.countryipblocks.net (and some others), stick 'em in a file and that looks something like this
Code:
iptables -A INPUT -s 74.6.0.0/16 -j DROP
#Block cn.zone
iptables -A INPUT -s 58.14.0.0/15 -j DROP
iptables -A INPUT -s 58.16.0.0/16 -j DROP
iptables -A INPUT -s 58.17.0.0/17 -j DROP
iptables -A INPUT -s 58.17.128.0/17 -j DROP
iptables -A INPUT -s 58.18.0.0/16 -j DROP
iptables -A INPUT -s 58.19.0.0/16 -j DROP
iptables -A INPUT -s 58.20.0.0/16 -j DROP
...
Keeps all of 'em out of your pants; in the case of China and Korea, that's 2019 sites that won't be bothering you.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.