  1. #1 weboweb (Just Joined!; Join Date: May 2008; Posts: 1)

    Securing CentOS

    Hello,

    I'm a newbie to Linux. Over the past couple of months I have been messing around with CentOS and have finally got it in a usable state with Apache, MySQL, PHP, SSH and FTP. I was hoping I could get some advice on keeping this system secure, as it is public facing but mostly for development work. Here's my iptables script:

    Code:
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow Http
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    
    # Allow FTP (and passive ports)
    iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 20:21 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 50000:50050 -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
    
    # Allow MySQL
    iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -j ACCEPT

    NMAP from another PC in the network:

    Code:
    Discovered open port 80/tcp on 192.168.0.103
    Discovered open port 21/tcp on 192.168.0.103
    Discovered open port 22/tcp on 192.168.0.103

    GRC's Shields Up! reports that only port 80 is open externally, which is what I want.

    As you can see, I am keeping FTP, SSH and MySQL all within my local network. I've noticed there are a few other services that would otherwise be exposed (Something beginning with RPC, forgot the other) which are firewalled with the above rules.

    I've also uninstalled Postfix as I don't want to deal with the risk of spam.

    Can anyone comment on the above rules and whether or not they're OK?

    There are a few things which have gone through my mind but haven't been fully comprehended. Any elaboration on the following would be appreciated:

    Do I need to worry about making a "chroot jail"? I don't understand this fully but I believe the idea is you limit the PHP and FTP users to within the public html directory...

    I'm logging into SSH using the root account. Seeing as this is only within my local network, is that a big deal?

    One minor thing I'd like to know about: Can I have iptables drop any connection attempts directly to my IP outside of the local network? I'm using no-ip and would rather not have my public IP responding to requests if possible.

    Not sure what else I'm missing. Are there any gaping holes that a newbie is not likely to have addressed?

    Thanks for your help!

  2. #2 anomie (Linux Guru; Join Date: Mar 2005; Location: Texas; Posts: 1,692)

    Quote Originally Posted by weboweb
    GRC's Shields Up! reports that only port 80 is open externally, which is what I want.
    How's that? You've got a RFC 1918 (private) IP address. Are you behind a NAT device that forwards requests to port 80 on your server?

    Quote Originally Posted by weboweb
    I've noticed there are a few other services that would otherwise be exposed (Something beginning with RPC, forgot the other) which are firewalled with the above rules.
    If you don't need those additional services, then shut them off. Use the following to help identify the services:
    # netstat -ltnup

    That will give you the daemon name (along with other info, such as the tcp or udp port it is listening on).

    Quote Originally Posted by weboweb
    I've also uninstalled Postfix as I don't want to deal with the risk of spam.
    Are you sure you don't mean sendmail? In any case, it might actually be better to leave the MTA running on your server. By default it should be listening only on localhost. Leaving it on will allow the logwatch program to send emails to your root account (which you should review daily).

    Quote Originally Posted by weboweb
    Can anyone comment on the above rules and whether or not they're OK?
    The filtering rules + your testing with nmap look ok.

    Quote Originally Posted by weboweb
    Do I need to worry about making a "chroot jail"?
    Probably not worth the effort. Set up permissions on your users' home directories properly -- remove all group and world access if possible. That way they will not be able to poke around in home directories outside of their own.

    Since you're only giving them ftp accounts, and not shell accounts, this should be enough.

    Quote Originally Posted by weboweb
    I'm logging into SSH using the root account. Seeing as this is only within my local network, is that a big deal?
    I wouldn't do it. But to each his own. I recently wrote up a basic sshd hardening howto (probably one of millions) on another forum, if you'd like to read it.

    Quote Originally Posted by weboweb
    Can I have iptables drop any connection attempts directly to my IP outside of the local network?
    I don't understand this question. You're obviously forwarding requests from some device to your web server. Can you clarify?

    Quote Originally Posted by weboweb
    Not sure what else I'm missing. Are there any gaping holes that a newbie is not likely to have addressed?
    Short answer: maintaining proper security is a process that requires planning at the outset and ongoing maintenance. Please pick up a (current) book on hardening Linux systems. There's really a lot of ground to cover.
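
The two checks anomie recommends above, finding out what is listening and on which address, and stripping group and world access from home directories, as an added shell example that is not part of this thread and not the poster's setup. The netstat output is a constructed sample (not a capture from the poster's server), and the home directory layout is created in a temporary directory for the demonstration; both are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Two checks following the advice above:
#   exposed_listeners - from `netstat -ltnup` output, report daemons bound to
#                       all interfaces rather than to loopback only
#   open_home_dirs    - list home directories that still grant any group or
#                       world permission bit (what "remove all group and world
#                       access" is meant to fix)
set -eu

# Constructed sample of `netstat -ltnup` output; not a real capture.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1100/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      900/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           900/portmap
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1400/mysqld'

# Read netstat output on stdin; print "proto port program" for every socket
# whose local address is not loopback. Live use: netstat -ltnup | exposed_listeners
exposed_listeners() {
    awk '
        /^(tcp|udp)/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the PID prefix
            print $1, port, prog
        }' | sort -u
}

# Print the direct subdirectories of $1 (a home base such as /home) that have
# any group or world permission bit set. A locked-down base prints nothing.
open_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -g+r -o -perm -g+w -o -perm -g+x \
        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) | sort
}

# Remove group and world access from every directory open_home_dirs reports.
lock_home_dirs() {
    open_home_dirs "$1" | while IFS= read -r d; do chmod go-rwx "$d"; done
}

# Demonstration on the constructed data: sendmail and mysqld are bound to
# loopback and are not reported; httpd, sshd and portmap are.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners

demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/bob"
chmod 700 "$demo/alice"; chmod 755 "$demo/bob"
echo "open before: $(open_home_dirs "$demo")"
lock_home_dirs "$demo"
echo "open after:  $(open_home_dirs "$demo")"
rm -rf "$demo"
```

The listener check deliberately keys on the bound address rather than the port: a daemon on 127.0.0.1 (the MTA, MySQL) is unreachable from the network regardless of the firewall, while anything on 0.0.0.0 or :: depends on the iptables policy to stay hidden, so those are the ones to either shut off or knowingly allow.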

  3. #3 jledhead (Linux Engineer; Join Date: Oct 2004; Location: North Carolina; Posts: 1,077)

    I would also add, maybe keep Apache up to date when necessary. Sign up for the mailing list Apache HTTP Server Mailing Lists - The Apache HTTP Server Project so you can find out quickly if there is a newly discovered hole or anything like that. Not so much to update every time a new release is out, but to update early when it's necessary, that way you aren't a victim of buffer overflows and the like.
