  #1 Binxalot (Just Joined!, joined Feb 2008, 6 posts)

    How to know if my server is secure?


    I recently purchased a dedicated server and I got it at a really good price, because it's a server and it's going to be running software and a database for a new business, I need it to be secure out of the box.

    I'm more familiar with the OS now, and I've been able to install some packages I will need to run the server (mysql, php, apache, https), and I got a copy of webmin working on it.

    I've been searching far and wide for help with this, and I've found a bunch of guides for people running a GUI and not really using their Linux machine as a server.

    So I need to know,

    1. Are there any accounts open that should be deleted? Like guest accounts, or ftp default users, etc? How can I find a list of accounts currently created on the server? I only need 1 account, the root account, nobody else should be able to have an account on the server because I will be the only one using it.

    2. With the Linux firewall, I want to basically just block all traffic to and from my machine unless it's on a port I specify. I was able to move my SSH login port from 22 to another port above 1050, as I read about people using the default port to just hack away at the root password all day, but are there other ports open that are just waiting to be attacked out of the box too? I would rather just have the whole machine on lockdown with all ports blocked except for port 80, webmin, and my SSH remote login port.

    What else should I be looking to do?
    Last edited by Binxalot; 02-11-2008 at 06:49 PM. Reason: I'm retarded and can't spell...

  #2 bigtomrodney (Linux Guru, Ireland, joined Nov 2004, 6,133 posts)
    You might consider disabling root login over SSH and only using su/sudo to elevate privileges as required when working on the server. There are other users and groups on the server that should not be deleted, as system processes and certain file access are managed with these users. In fact, avoid running as much as possible as root; even Apache should run as a dedicated user. Remember, if an application running as root is compromised, that application has root's access to the entire system. This is the same principle that allows so much damage to be done by viruses and malware in the Windows world. You can run the following command to see what users are on the system:
    Code:
    cat /etc/passwd
    ...though I wouldn't recommend removing any yet.

    A good trick is to only have ports listening where they need to be. Consider this: if you don't actually have anything listening, then a firewall is only another measure of protection, as there is nothing behind it to access.

  #3 (Just Joined!, joined Feb 2008, 6 posts)
    If I disable root login over ssh will that prevent me from rebooting the system remotely? I have no physical access to the machine, and mistakes like locking myself out of the system are costly to fix.

    On the users note, I noticed that root has /bin/bash listed with it. Is this the root directory? If other accounts also have /bin/bash listed along with them, does that mean they are also root-level users?
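The two replies above (check /etc/passwd, but do not delete system accounts; disable root login over SSH) and the question about /bin/bash can be checked mechanically. The script below is an added example, not code from anyone in the thread. It parses a passwd file and an sshd_config from standard input; the SAMPLE_PASSWD content and the sshd_config lines fed to it are constructed for the demo, and the account names in them (including the deliberate second UID-0 entry "toor") are invented.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a passwd file and an
# sshd_config the way the replies above suggest. All sample input below is
# CONSTRUCTED for the demo; on a real box feed the real files, e.g.
#   list_login_accounts < /etc/passwd
#   permit_root_login   < /etc/ssh/sshd_config

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin'

# Field 7 of passwd is the login shell (not the home directory, which is
# field 6). Accounts whose shell ends in nologin or false cannot open an
# interactive session even if their password is known.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Field 3 is the UID. Any UID-0 account is root, whatever it is called and
# whatever shell it has; /bin/bash on its own grants nothing. A second
# UID-0 entry is a classic backdoor and should never exist on a fresh box.
list_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Non-root accounts that still have an interactive shell. On a dedicated
# server these are usually service accounts that should get /sbin/nologin
# (usermod -s /sbin/nologin NAME) rather than be deleted: system processes
# and file ownership still refer to them.
list_nonroot_login_accounts() {
    awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Effective PermitRootLogin: sshd honours the first uncommented directive.
# An absent directive meant "yes" on OpenSSH of that era (newer releases
# default to prohibit-password), so "yes" is reported when nothing is set.
permit_root_login() {
    awk '/^[[:space:]]*PermitRootLogin[[:space:]]+/ && v == "" { v = $2 }
         END { print (v == "" ? "yes" : v) }'
}

# Demo run on the constructed data.
printf 'can log in:      %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | list_login_accounts | tr '\n' ' ')"
printf 'uid 0:           %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | list_uid0_accounts | tr '\n' ' ')"
printf 'non-root shells: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | list_nonroot_login_accounts | tr '\n' ' ')"
printf 'PermitRootLogin: %s\n' "$(printf '#PermitRootLogin yes\nPort 1061\n' | permit_root_login)"
```

Note the last check: a commented-out `#PermitRootLogin yes` line is not a setting, so the default applies and root login stays enabled. To follow bigtomrodney's advice you need an uncommented `PermitRootLogin no` plus a separate unprivileged account (with a tested sudo or su path) before you restart sshd, since you have no console access.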

  #4 (Just Joined!, joined Feb 2008, 6 posts)
    Here is a copy of my Linux firewall. Can anyone tell me if it's missing something or if there are any glaring holes in it?

    I did a port scan and port 111 is open and listening, I read online that port 111 is a vulnerability because of RPC attacks using that port. Does blocking this port fix that?

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    # Change SSL connection to port 1061
    -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 1061 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 111 --state NEW -j REJECT
    COMMIT
    # Generated by webmin
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed
    # Generated by webmin
    *nat
    :OUTPUT ACCEPT [0:0]

  #5 anomie (Linux Guru, Texas, joined Mar 2005, 1,692 posts)
    Quote Originally Posted by Binxalot
    I've been searching far and wide for a help with this, and I've found a bunch of guides for people running a GUI and not really using their linux machine as a server.
    I recommend the book 'Hardening Linux' by Terpstra, Love, Reck, and Scanlon.

    Securing a Linux server properly is an involved and iterative process (that requires ongoing maintenance).

    Quote Originally Posted by Binxalot
    I was able to move my SSH login port from 22 to another port above 1050...
    It's a miracle you're able to log in via ssh anymore, then (if you're still logged in, do not log off). You posted your netfilter rules as:
    Code:
    ...
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    ...
    TCP port 22 is allowed in that list, but I don't see another high-numbered TCP port. Carefully update your rules to reflect the sshd port change. (And make sure sshd is really running on the port you think it's on, using netstat -ltn.)

    Anyway, to get a big picture of what you'll need to do (along with a lot of useful details) I'd recommend getting that book. You can solicit ideas on web forums to help fill in the gaps, but without a fundamental understanding you'll likely overlook some important steps.
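The ordering problem anomie describes can be made visible by replaying the chain the way netfilter does. The script below is an added example and is not from anyone in the thread. RULES is the filter table from post #4 copied as iptables-save text (the -A lines only, numbered in dump order); the test packets are constructed, and the simulator assumes they arrive on the external interface addressed to the host's own unicast address, so the `-i lo` and `-d 224.0.0.251` rules never match. Only the match options that appear in these rules are modelled.

```shell
#!/bin/sh
# Added example, not from the original thread: replay chain ordering for the
# rules posted above. RULES is the filter table from post #4 as iptables-save
# text; the packets fed to first_match are constructed.
RULES='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 1061 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 111 --state NEW -j REJECT'

# first_match CHAIN PROTO DPORT STATE < rules
# Walks CHAIN top to bottom, follows jumps into user-defined chains and
# resumes after the jump if the sub-chain falls through, then prints
# "TARGET rule-number" for the first terminating rule that matches.
# Assumes an inbound unicast packet on the external interface (so -i lo
# and -d rules do not match). Prints POLICY if no rule matches at all.
first_match() {
    awk -v chain="$1" -v proto="$2" -v dport="$3" -v state="$4" '
    $1 == "-A" {
        n++; ch[n] = $2; rp[n] = rd[n] = rs[n] = ri[n] = rdst[n] = tgt[n] = ""
        for (i = 3; i <= NF; i++) {
            if      ($i == "-p")      rp[n]   = $(i+1)
            else if ($i == "--dport") rd[n]   = $(i+1)
            else if ($i == "--state") rs[n]   = $(i+1)
            else if ($i == "-i")      ri[n]   = $(i+1)
            else if ($i == "-d")      rdst[n] = $(i+1)
            else if ($i == "-j")      tgt[n]  = $(i+1)
        }
    }
    function walk(c,   k, r) {
        for (k = 1; k <= n; k++) {
            if (ch[k] != c) continue
            if (rp[k]   != "" && rp[k] != proto) continue
            if (rd[k]   != "" && rd[k] != dport) continue
            if (rs[k]   != "" && index("," rs[k] ",", "," state ",") == 0) continue
            if (ri[k]   == "lo") continue            # not a loopback packet
            if (rdst[k] != "") continue              # not addressed to that multicast group
            if (tgt[k] ~ /^(ACCEPT|REJECT|DROP)$/) return tgt[k] " " k
            r = walk(tgt[k]); if (r != "") return r  # jump into a user chain
        }
        return ""
    }
    END { r = walk(chain); print (r == "" ? "POLICY" : r) }'
}

# unreachable_rules < rules
# Lists rules that can never match: anything appended to a chain after a
# rule that has no match criteria and a terminating target.
unreachable_rules() {
    awk '$1 == "-A" {
        n++; chain = $2; catchall = 1; tgt = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^(-p|-s|-d|-i|-o|--dport|--sport|--state)$/) catchall = 0
            else if ($i == "-j") tgt = $(i+1)
        }
        if (dead[chain]) print n ": " $0
        else if (catchall && tgt ~ /^(ACCEPT|REJECT|DROP)$/) dead[chain] = 1
    }'
}

printf '%s\n' "$RULES" | first_match INPUT tcp 22 NEW            # ACCEPT 10
printf '%s\n' "$RULES" | first_match INPUT tcp 1061 NEW          # REJECT 11: new ssh sessions die here
printf '%s\n' "$RULES" | first_match INPUT tcp 1061 ESTABLISHED  # ACCEPT 9: the current session survives
printf '%s\n' "$RULES" | first_match INPUT tcp 80 NEW            # REJECT 11: no http rule at all
printf '%s\n' "$RULES" | first_match INPUT tcp 631 NEW           # ACCEPT 8: CUPS is reachable
printf '%s\n' "$RULES" | unreachable_rules                       # rules 13 and 14
```

Three things fall out of the replay. The 1061 and 111 rules sit after the catch-all REJECT, so they are dead; the fix is to put the 1061 ACCEPT above the REJECT line in /etc/sysconfig/iptables (or insert it with `iptables -I RH-Firewall-1-INPUT <position>`), and the 111 REJECT is redundant because the catch-all already rejects it, which is why bigtomrodney's point stands: stop the portmap listener rather than relying on the rule. Port 80 is not allowed anywhere, although the original post wanted it open, while the desktop-oriented CUPS (631) and mDNS (5353) rules are open and have no business on this server. Existing connections match the ESTABLISHED rule first, which is exactly why anomie says not to log off.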

  #6 (Just Joined!, joined Mar 2008, 69 posts)
    Before you get too giddy about locking your box down, I highly suggest the book 'Web Application Hacker's Handbook'.

    Although it mostly deals with the things you will be putting on your server and programming with, like PHP and MySQL, it does touch on how hackers work.

    And it will give you information about both free and paid sources of applications that can help probe your site for hacker openings, as well as help you test defenses and logging of the attacks.

    Just a recommendation.
