Welcome to Linux Forums!

With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.

Linux Forum ArticlesLinux ForumsLinux Forum DownloadsLinux Hosts
Home|Register|FAQ|Member List|Calendar|Unanswered Posts|Forum Rules|Today's Posts|Advanced Search|
SEARCH FOR IN
Go Back   Linux Forums > GNU Linux Zone > Servers
Reload this Page Securing CentOS
Linux Forums
Linux Forums
Welcome To The Linux Forums!
Welcome to Linux Forums. We pride ourselves in being one of the largest Linux communities on the web, we encourage you to REGISTER on our forums and participate in the community. There are over 150,000 members ready to answer your questions. JOINING US today will allow you to make new posts, get support, send messages to other members and submit downloads to our downloads directory and many other great features!

Servers Anything server related, Apache, MySQL, Samba, server security, sendmail, exim, etc

Reply
 
Thread Tools Display Modes
Old 05-13-2008   #1 (permalink)
weboweb
Just Joined!
 
Join Date: May 2008
Posts: 1
Securing CentOS
Hello,

I'm a newbie to Linux. Over the past couple of months I have been messing around with CentOS and have finally got it in a usable state with Apache, MySQL, PHP, SSH and FTP. I was hoping I could get some advice on keeping this system secure, as it is public facing but mostly for development work. Here's my iptables script:

Code:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow FTP (and passive ports)
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 50000:50050 -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

# Allow MySQL
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -j ACCEPT
NMAP from another PC in the network:

Code:
Discovered open port 80/tcp on 192.168.0.103
Discovered open port 21/tcp on 192.168.0.103
Discovered open port 22/tcp on 192.168.0.103
GRC's Shields Up! reports that only port 80 is open externally, which is what I want.

As you can see, I am keeping FTP, SSH and MySQL all within my local network. I've noticed there are a few other services that would otherwise be exposed (Something beginning with RPC, forgot the other) which are firewalled with the above rules.

I've also uninstalled Postfix as I don't want to deal with the risk of spam.

Can anyone comment on the above rules and whether or not they're OK?

There are a few things which have gone through my mind but haven't been fully comprehended. Any elaboration on the following would be appreciated:

Do I need to worry about making a "chroot jail"? I don't understand this fully but I believe the idea is you limit the PHP and FTP users to within the public html directory...


I'm logging into SSH using the root account. Seeing as this is only within my local network, is that a big deal?

One minor thing I'd like to know about: Can I have iptables drop any connection attempts directly to my IP outside of the local network? I'm using no-ip and would rather not have my public IP responding to requests if possible.


Not sure what else I'm missing. Are there any gaping holes that a newbie is not likely to have addressed?


Thanks for your help!
weboweb is offline   Reply With Quote
Old 05-18-2008   #2 (permalink)
anomie
Linux Guru
 
anomie's Avatar
 
Join Date: Mar 2005
Location: Texas
Posts: 1,699
Quote:
Originally Posted by weboweb
GRC's Shields Up! reports that only port 80 is open externally, which is what I want.
How's that? You've got a RFC 1918 (private) IP address. Are you behind a NAT device that forwards requests to port 80 on your server?

Quote:
Originally Posted by weboweb
I've noticed there are a few other services that would otherwise be exposed (Something beginning with RPC, forgot the other) which are firewalled with the above rules.
If you don't need those additional services, then shut them off. Use the following to help identify the services:
# netstat -ltnup

That will give you the daemon name (along with other info, such as the tcp or udp port it is listening on).

Quote:
Originally Posted by weboweb
I've also uninstalled Postfix as I don't want to deal with the risk of spam.
Are you sure you don't mean sendmail? In any case, it might actually be better to leave the MTA running on your server. By default it should be listening only on localhost. Leaving it on will allow the logwatch program to send emails to your root account (which you should review daily).

Quote:
Originally Posted by weboweb
Can anyone comment on the above rules and whether or not they're OK?
The filtering rules + your testing with nmap look ok.

Quote:
Originally Posted by weboweb
Do I need to worry about making a "chroot jail"?
Probably not worth the effort. Set up permissions on your users' home directories properly -- remove all group and world access if possible. That way they will not be able to poke around in home directories outside of their own.

Since you're only giving them ftp accounts, and not shell accounts, this should be enough.

Quote:
Originally Posted by weboweb
I'm logging into SSH using the root account. Seeing as this is only within my local network, is that a big deal?
I wouldn't do it. But to each his own. I recently wrote up a basic sshd hardening howto (probably one of millions) on another forum, if you'd like to read it.

Quote:
Originally Posted by weboweb
Can I have iptables drop any connection attempts directly to my IP outside of the local network?
I don't understand this question. You're obviously forwarding requests from some device to your web server. Can you clarify?

Quote:
Originally Posted by weboweb
Not sure what else I'm missing. Are there any gaping holes that a newbie is not likely to have addressed?
Short answer: maintaining proper security is a process that requires planning at the outset and ongoing maintenance. Please pick up a (current) book on hardening Linux systems. There's really a lot of ground to cover.
__________________
FreeBSD Handbook & FAQ // CentOS wiki
anomie is offline   Reply With Quote
Old 05-18-2008   #3 (permalink)
jledhead
Linux Engineer
 
jledhead's Avatar
 
Join Date: Oct 2004
Location: North Carolina
Posts: 789
I would also add, maybe keep apache up to date when necessary. sign up for the mailing list Apache HTTP Server Mailing Lists - The Apache HTTP Server Project so you can find out quickly if there is a newly discovered hole or anything like that. Not so much to update every time a new release is out, but to update early when its necessary, that way you aren't a victim of buffer overflows and the like.
jledhead is offline   Reply With Quote
Reply

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off




All times are GMT. The time now is 07:50 PM.



Contact Us | Advertise | Archive | Top
© 2000 - 2008 - All Rights Reserved - Property of  MAS Media

Content Relevant URLs by vBSEO 3.0.0